If you’re a merchant that has been accepting credit cards for a while, you’ve probably heard about the EMV liability shift and wondered how and if it affected you. If you’re fairly new to accepting credit card payments for your business, you may not even know it was a thing that caused a lot of issues for some people.
EMV is a global security standard that was created by credit card issuers Europay, Mastercard, and Visa in the early 1990s, and it uses chips inside the cards that are inserted or “dipped” into the front of a credit card reader. The first EMV readers were released in Europe in 1994, and the United States card issuers (Visa, Mastercard, American Express, and Discover) adopted it in 2012, and set a deadline for compliance for October 2015.
The EMV chip cards were adopted in the U.S. after several large-scale data breaches, as well as the use of counterfeit card fraud. It basically took the widespread data theft at Target, Home Depot, and other major retailers worth hundreds of millions of dollars for the card companies to finally adopt EMV in the United States.
What Does EMV Do?
The EMV chip-and-PIN procedure helps protect against fraud better than magnetic stripe transactions that use the card holder’s signature and visual verification of the card holder’s signature. It works on the 3DS2 security principle of “something you have, something you are, something you know; pick 2.” The chip-and-pin are the have/know part of 3DS2, and are required for debit card purchases.
The EMV was promoted as a new security method that would significantly cut down on credit card fraud, which it has done. In May 2019, Visa reported that chip cards reduced fraud by 76 percent from the date of compliance in 2015. Prior to that, merchants typically did not bear those costs of fraud, the credit card issuers did. Frequently, the consumers might bear those costs as well.
To encourage rapid adoption, the EMV consortium — which now also includes JCB and China UnionPay — made a promise to cover any fraud costs that made it through the EMV security system, as long as the merchant was using the correct EMV equipment. But if the merchant did not participate, the EMV consortium would shift all liability and costs back to the merchants.
They declared that as of October 1, 2015, they would no longer bear the liability for the fraud if merchants did not follow the security procedures they had created.
Basically, the credit card companies said, “Look, we came up with the secure standard to reduce fraud. And we invented all this equipment to accept these special new cards. But if you won’t use the methods we have created, then we will no longer pay for any fraud that gets perpetrated on your outdated payment machines.”
In other words, if you’re a merchant that uses a point-of-sale (POS) system with an EMV reader, you are responsible for ensuring that all chip cards are dipped. However, keep in mind that this is not a law, just a strongly-worded suggestion from the credit card networks. You can always skip it and keep using your magnetic stripe machine. Just be aware that you’re responsible for the cost of any fraud if you don’t upgrade.
The only two types of merchants who are exempt from the shift are ATM owners and gas stations, where they decided the cost of upgrading to EMV readers was too high for them to comply.
But Don’t Fuel Merchants Have to Comply Now?
Not yet. They almost did, but they got a deadline extension.
U.S. fuel merchants were supposed to install EMV compliant machines on their outside gas stations as of October 2017, two years after everyone else, but that got pushed out to October 2020. And then, it got pushed out again to April 2021.
While the pandemic is partly to blame, there are several other factors involved. For one thing, it’s a huge expense to swap out all the credit card readers on outside gas stations. Since many of these gas stations are mom-and-pop independents, and because the reduced travel has put a crimp in their revenue, it’s hard to come up with the cash to survive, let alone change out the credit card readers.
So Who Exactly is Liable for What?
There are a few different scenarios where the merchant is financially responsible for the fraud, and a few where the card issuer is responsible.
The merchant is responsible if:
- a crook uses a counterfeit card with stolen chip card data and the merchant was not EMV-compliant already.
- they encourage the customers to swipe the magnetic stripe instead of using the chip.
- mag stripe data from a chip card is copied and used to swipe at a non-EMV merchant.
The credit card issuer is responsible if:
- someone tries to dip the card, but it malfunctions so they have to swipe the card instead.
- someone successfully uses a stolen chip card in an EMV-compliant reader.
- a chip card-less cardholder is a victim of fraud after they’re forced to swipe at an EMV-compliant retailer
- a stolen card is used online.
To learn more about how to protect yourself against fraud and chargebacks, especially with EMV-compliant equipment, CB-Alert can help, Please visit the CB Alert website.
Photo credit: PXHere.com (Creative Commons 0)