October 1, 2015 has come and gone, which means if you're a
merchant who can't process chip card payments, you could shoulder
consumer fraud costs if an incident occurs and you're not
If that sentence made you panic, confused or mad, you've got
company. The nationwide adoption of
EMV chip cards
and processing technology is not a small undertaking for anyone
involved -- merchants and cardholders alike.
"It's a significant change in a pattern of life that we've had
for a long time with mag stripe cards," said Gregg Smith, North
American sales manager for Cardtek, an international payment
Fret no more. Whether you are a frazzled business owner or just
an inquisitive consumer, CreditCards.com has outlined exactly last
fall's EMV fraud liability shift means for all parties
1. The liability shift changes who may shoulder fraud
After Oct. 1, in-store counterfeit fraud liability shifted to the
party -- either the card issuing financial institution or the
merchant -- that has not yet adopted chip technology.
"The liability shift protects the entity who offers the greater
level of security by holding the other entity with less secure
systems responsible for fraud," said Carolyn Balfany, safety and
security expert at MasterCard. "For example, if fraud occurs when a
chip card is inserted into a terminal that hasn't been upgraded,
the merchant is responsible for the fraud."
Prior to this shift, credit card issuers were primarily
responsible for covering fraud affecting consumer accounts,
reimbursing cardholders for lost funds as a result of counterfeit
(or other) fraud. As of October 1, 2015, financial institutions
will still cover cardholders' accounts as before, but in some cases
the institutions may be able to seek reimbursement from the
merchant or merchant acquirer (a bank or company that processes
payments on behalf of a merchant) if the retailer was not prepared
to accept EMV payment technology.
"Whoever has the lowest level of security essentially is now
responsible for that unauthorized transaction," said Doug Johnson,
president of American Bankers Association.
However, the change doesn't necessarily mean merchants will be
bearing the brunt of fraud charges. There are still a greater
number of situations in which the card issuer would continue to
shoulder fraud chargeback costs just as they do now. "If both
parties have upgraded security, then the environment remains
precisely as it is now. The bank would reimburse the customer just
as they do now," Johnson added
It's important to note that the liability shift only pertains to
counterfeit fraud tied to EMV chip cards, as they will still have
magnetic stripes that could be hijacked. The liability shift will
not apply to large scale data breaches or consumer payment card
data stolen prior to October 1.
"There is a lot of counterfeit card data out there from past
data breaches and what not that could show up at a merchant store
at any time, but the merchants will only be liable is if fraud came
from a counterfeited mag stripe card that originated from a card
issued with a chip on it," explained Randy Vanderhoof, executive
director of the Smart Card Alliance.
Here are some more examples of who may handle fraud costs based
on the situation, post-October 1, 2015:
2. The shift is intended to help parties deal with
counterfeit fraud more equally.
The EMV fraud liability shift was implemented by major U.S. payment
card networks (nine to be exact: Accel, American Express, China
UnionPay, Discover, MasterCard, NYCE Payments Network, SHAZAM
Network, STAR Network and Visa) to combat counterfeit fraud.
Since the U.S. is the only country in which counterfeit card
fraud is consistently growing, the shift was put in place to
encourage faster adoption of EMV payment technology, according to
Stephanie Ericksen, vice president of Risk Products for Visa.
"The way that the liability shift works is to set a structure in
place to incentivize the protection of chip," she said. "Merchants
get protection against liability as soon as they get a terminal and
enable chip acceptance, and vice versa for issuers."
The U.S. accounts for 25 percent of the world's card
transactions but 47 percent of the world's counterfeit fraud,
according to Nilson Report
. Counterfeit fraud cost card-issuing banks $3.4 billion and
merchants another $1.9 billion in 2012.
Although there may be hesitation from all parties involved to
make the switch to EMV payment technology, the migration is a
crucial step in combating the fraud that typically occurs at
in-store payment terminals.
"We are trying to reduce the opportunities fraudsters will have
to take advantage of vulnerabilities in our system as a whole,"
said Seth Ruden, senior fraud consultant at ACI Worldwide, a global
banking and payment processing company. "Unfortunately, we can only
do that by changing who has what kind of terminals and the
liability must shift so we can push all merchants in the same
direction and toward the same future."
3. Stolen/lost card fraud liability may depend on the card
If chip cards can be dipped and signed for, but not easily
counterfeited, wouldn't it be easy for fraudsters to just steal the
chip cards themselves?
Potentially, but the liability shift details how stolen card
fraud will be handled if criminals are willing to take such
chances. For the most part, issuers will handle fraud resulting
from a lost or stolen card situation just as they do now.
"There's no lost and stolen liability shift for Visa," Ericksen
explained. "The issuer would still be liable for lost and stolen
fraud, just like today." Accel, China UnionPay, NYCE and STAR
Network are also not changing existing lost and stolen fraud
However, a few major networks have one exception.
If the card used to commit fraud is a MasterCard, American
Express or Discover card, the chargeback liability still remains
with the issuer unless the card is a PIN credit or debit card and
the accepting merchant was unable to process the card as a chip
card and had to swipe the mag stripe instead. If the merchant had
been able to process the card's chip, the PIN feature may have
stopped the fraud but because the merchant wasn't prepared, they
are the liable party.
Even in that instance, cardholders will not be held responsible
for unauthorized transactions if they have used "reasonable care in
protecting the card from loss or theft" and "promptly contacted
their financial institution when they knew that their MasterCard
was lost or stolen," according to Balfany.
Merchants who are prepared to accept EMV cards won't have to
worry about these situational differences -- or any resulting fraud
"So as long as a merchant has the ability to process that kind
of card, they will never be liable for a lost and stolen card,
regardless of the card type," Vanderhoof added.
4. The liability shift does not apply to card-not-present
Merchants who make sales online instead of in-store don't have to
worry about today's liability shift because it doesn't affect
For starters, EMV chip technology does not work online, as card
chips need to be physically read by a payment terminal during the
card-dipping process in order to produce the unique transaction
code. Chip card holders making online payments will continue to
type in card numbers as usual and if
occurs today, it would be handled just like before the October 2015
liability shift, typically by the card issuers based on their
existing fraud liability guidelines.
Upgrading to chip cards and point-of-sale terminals will help
address card-present fraud, and the liability shift pertains only
to that scenario. Tackling fraud that occurs in other areas will be
an ongoing project. The migration to EMV is expected to help reduce
fraud, but it's not the be-all-end-all answer to payment fraud in
"The card-not-present channel has its own set of controls and we
are working on a solution for those independently and with
different elements than the card-present problem," Ruden said. "In
the next year we should see some new schemes materialize that will
add controls in the card-not-present space. And that will provide
us with another layer of control just like the chip cards are
5. All brick-and-mortar merchants are affected by the EMV
shift, except gas stations.
Even if you only handle a couple of in-store payments a week and
the rest is done online, you are still liable for the in-store
payments -- unless you own a gas station.
Gas stations and ATMs have until October 1, 2017 to make the
shift to EMV payment technology before the liability shift occurs
in those sectors.
Don't have a traditional cash register and payment terminal? The
liability shift still affects you. "If you are a merchant who uses
a device that has mobile card acceptance technology (like Square),
you have the same liability as any other merchant," Vanderhoof
Square is offering two EMV-compliant payment readers that
merchants can purchase online right now: One is $29 and accepts
dipped chip card payments. The other is $49 and accepts both dipped
chip cards and contactless payments such as Apple Pay.
If you're a more traditional business owner who works with a
payment processing company that supplies your point-of-sale
terminals, but you have not received EMV-compliant devices, you
need to reach out to that company directly. If your payment
processor is behind, fraud liability costs may still fall on you if
you're not prepared and an incident occurs.
"I've heard no news that there is an availability problem with
the new terminals," Cardtek's Smith said. "I suspect that there has
been some procrastination on the payment processors' part, as they
may have been expecting a deadline extension, but clearly that
didn't happen. If you are a small- or medium-sized business, you
need to keep the pressure on who supplies your software and
devices. The longer you wait to go to your equipment supplier the
longer it will take for you to get enabled."
6. If you're partially transitioned to EMV, you're
By now it's evident that the nationwide shift to EMV payment
technology isn't happening overnight. A
released by The Strawhecker Group, a global payment industry
consulting company, said that only 37 percent of merchants are
EMV-ready today. That number is only expected to rise to 50 percent
by June and 72 percent by the end of the year.
Not all card issuers are 100 percent EMV-ready, either.
According to CreditCards.com research,
70 percent of consumers have a chip card in their
these days. Visa estimates that about one-third of all U.S. Visa
cards have been issued with chips as of February 29, 2016.
MasterCard estimates its chip card penetration rate a bit higher,
as 67 percent of its cards bear EMV chips as of March 20, 2016.
Fortunately, the gradual transition doesn't overly complicate
the fraud liability shift. Overall, the more complete your EMV
migration is today, the less liable you are for potential fraud
"It's based on the individual terminal and the individual card
level," Ericksen said. "If an issuer has issued a certain
percentage of their cards as chip but the fraud occurs with a card
that doesn't have chip yet, the liability will fall back on the
issuer. And the same thing applies to different merchant locations.
If a retailer has EMV payment terminals at one location, but not
another where fraud occurs, the liability would be
terminal-specific and the merchant would be responsible."
7. October 1 was not a mandatory EMV deadline, per
If you're a merchant who still isn't ready for this new payment
landscape, it's OK. October 1 was the official date of the
liability shift, which will come into play if fraud occurs, but if
you have yet to make the transition to EMV, you can decide when
it's right for you to do so.
Merchants who don't experience a high rate of counterfeit fraud,
such as coffee shops, mom-and-pop restaurants or other small, often
local, stores, may not need to worry about the shift as much just
yet. If the risk for counterfeit fraud is low, then the risk of
being liable for fraud chargebacks under the new liability shift is
low, so such merchants may be able to delay the investment in EMV
upgrades with few consequences.
"We certainly want everyone to make the transition to EMV, but
smaller businesses may not have to rush quite as much," Ericksen
said. "The liability shift is an incentive to make the switch to
EMV, not a mandate."
Before paying for new chip card-processing terminals, merchants
should do some research to find out what options their business may
have and compare them to fraud protection needs. "That way they
have an understanding of the time and cost it will take for them to
be compliant," Vanderhoof said. "Once they have that information,
they can decide whether that added protection that the time and
cost investment is worth it."
If a merchant decides the cost is not worth the risk, that's
their decision but the potential fraud risk should still be
thoroughly considered. "The magnitude can be so great for small
businesses," Smith said. "If a small store that does $2,500 a month
in sales then has to pay about $900 for fraud that same month
because they were found liable, that could be really tough."
Change of any kind can be overwhelming, time consuming and
costly, but it may be beneficial in the long run. Don't rule out
EMV technology too fast. "I know it's an additional consider to
think about during a busy day but from the standpoint of protecting
customers and your business, it's an important thing to consider,"
8 FAQs about EMV credit cards
EMV holdouts: Why merchants are slow to make
With chip card switch upon us, who do I call about