October 1, 2015 has come and gone, which means if you're a merchant who can't process chip card payments, you could shoulder consumer fraud costs if an incident occurs and you're not "EMV-ready."
If that sentence made you panic, confused or mad, you've got company. The nationwide adoption of EMV chip cards and processing technology is not a small undertaking for anyone involved -- merchants and cardholders alike.
"It's a significant change in a pattern of life that we've had for a long time with mag stripe cards," said Gregg Smith, North American sales manager for Cardtek, an international payment processing company.
Fret no more. Whether you are a frazzled business owner or just an inquisitive consumer, CreditCards.com has outlined exactly last fall's EMV fraud liability shift means for all parties involved:
1. The liability shift changes who may shoulder fraud chargeback costs.
After Oct. 1, in-store counterfeit fraud liability shifted to the party -- either the card issuing financial institution or the merchant -- that has not yet adopted chip technology.
"The liability shift protects the entity who offers the greater level of security by holding the other entity with less secure systems responsible for fraud," said Carolyn Balfany, safety and security expert at MasterCard. "For example, if fraud occurs when a chip card is inserted into a terminal that hasn't been upgraded, the merchant is responsible for the fraud."
Prior to this shift, credit card issuers were primarily responsible for covering fraud affecting consumer accounts, reimbursing cardholders for lost funds as a result of counterfeit (or other) fraud. As of October 1, 2015, financial institutions will still cover cardholders' accounts as before, but in some cases the institutions may be able to seek reimbursement from the merchant or merchant acquirer (a bank or company that processes payments on behalf of a merchant) if the retailer was not prepared to accept EMV payment technology.
"Whoever has the lowest level of security essentially is now responsible for that unauthorized transaction," said Doug Johnson, president of American Bankers Association.
However, the change doesn't necessarily mean merchants will be bearing the brunt of fraud charges. There are still a greater number of situations in which the card issuer would continue to shoulder fraud chargeback costs just as they do now. "If both parties have upgraded security, then the environment remains precisely as it is now. The bank would reimburse the customer just as they do now," Johnson added
It's important to note that the liability shift only pertains to counterfeit fraud tied to EMV chip cards, as they will still have magnetic stripes that could be hijacked. The liability shift will not apply to large scale data breaches or consumer payment card data stolen prior to October 1.
"There is a lot of counterfeit card data out there from past data breaches and what not that could show up at a merchant store at any time, but the merchants will only be liable is if fraud came from a counterfeited mag stripe card that originated from a card issued with a chip on it," explained Randy Vanderhoof, executive director of the Smart Card Alliance.
Here are some more examples of who may handle fraud costs based on the situation, post-October 1, 2015:
2. The shift is intended to help parties deal with counterfeit fraud more equally.
The EMV fraud liability shift was implemented by major U.S. payment card networks (nine to be exact: Accel, American Express, China UnionPay, Discover, MasterCard, NYCE Payments Network, SHAZAM Network, STAR Network and Visa) to combat counterfeit fraud.
Since the U.S. is the only country in which counterfeit card fraud is consistently growing, the shift was put in place to encourage faster adoption of EMV payment technology, according to Stephanie Ericksen, vice president of Risk Products for Visa.
"The way that the liability shift works is to set a structure in place to incentivize the protection of chip," she said. "Merchants get protection against liability as soon as they get a terminal and enable chip acceptance, and vice versa for issuers."
The U.S. accounts for 25 percent of the world's card transactions but 47 percent of the world's counterfeit fraud, according to Nilson Report . Counterfeit fraud cost card-issuing banks $3.4 billion and merchants another $1.9 billion in 2012.
Although there may be hesitation from all parties involved to make the switch to EMV payment technology, the migration is a crucial step in combating the fraud that typically occurs at in-store payment terminals.
"We are trying to reduce the opportunities fraudsters will have to take advantage of vulnerabilities in our system as a whole," said Seth Ruden, senior fraud consultant at ACI Worldwide, a global banking and payment processing company. "Unfortunately, we can only do that by changing who has what kind of terminals and the liability must shift so we can push all merchants in the same direction and toward the same future."
3. Stolen/lost card fraud liability may depend on the card and network.
If chip cards can be dipped and signed for, but not easily counterfeited, wouldn't it be easy for fraudsters to just steal the chip cards themselves?
Potentially, but the liability shift details how stolen card fraud will be handled if criminals are willing to take such chances. For the most part, issuers will handle fraud resulting from a lost or stolen card situation just as they do now.
"There's no lost and stolen liability shift for Visa," Ericksen explained. "The issuer would still be liable for lost and stolen fraud, just like today." Accel, China UnionPay, NYCE and STAR Network are also not changing existing lost and stolen fraud liability policies.
However, a few major networks have one exception.
If the card used to commit fraud is a MasterCard, American Express or Discover card, the chargeback liability still remains with the issuer unless the card is a PIN credit or debit card and the accepting merchant was unable to process the card as a chip card and had to swipe the mag stripe instead. If the merchant had been able to process the card's chip, the PIN feature may have stopped the fraud but because the merchant wasn't prepared, they are the liable party.
Even in that instance, cardholders will not be held responsible for unauthorized transactions if they have used "reasonable care in protecting the card from loss or theft" and "promptly contacted their financial institution when they knew that their MasterCard was lost or stolen," according to Balfany.
Merchants who are prepared to accept EMV cards won't have to worry about these situational differences -- or any resulting fraud chargeback costs.
"So as long as a merchant has the ability to process that kind of card, they will never be liable for a lost and stolen card, regardless of the card type," Vanderhoof added.
4. The liability shift does not apply to card-not-present fraud.
Merchants who make sales online instead of in-store don't have to worry about today's liability shift because it doesn't affect them.
For starters, EMV chip technology does not work online, as card chips need to be physically read by a payment terminal during the card-dipping process in order to produce the unique transaction code. Chip card holders making online payments will continue to type in card numbers as usual and if card-not-present fraud occurs today, it would be handled just like before the October 2015 liability shift, typically by the card issuers based on their existing fraud liability guidelines.
Upgrading to chip cards and point-of-sale terminals will help address card-present fraud, and the liability shift pertains only to that scenario. Tackling fraud that occurs in other areas will be an ongoing project. The migration to EMV is expected to help reduce fraud, but it's not the be-all-end-all answer to payment fraud in the U.S.
"The card-not-present channel has its own set of controls and we are working on a solution for those independently and with different elements than the card-present problem," Ruden said. "In the next year we should see some new schemes materialize that will add controls in the card-not-present space. And that will provide us with another layer of control just like the chip cards are doing."
5. All brick-and-mortar merchants are affected by the EMV shift, except gas stations.
Even if you only handle a couple of in-store payments a week and the rest is done online, you are still liable for the in-store payments -- unless you own a gas station.
Gas stations and ATMs have until October 1, 2017 to make the shift to EMV payment technology before the liability shift occurs in those sectors.
Don't have a traditional cash register and payment terminal? The liability shift still affects you. "If you are a merchant who uses a device that has mobile card acceptance technology (like Square), you have the same liability as any other merchant," Vanderhoof said.
Square is offering two EMV-compliant payment readers that merchants can purchase online right now: One is $29 and accepts dipped chip card payments. The other is $49 and accepts both dipped chip cards and contactless payments such as Apple Pay.
If you're a more traditional business owner who works with a payment processing company that supplies your point-of-sale terminals, but you have not received EMV-compliant devices, you need to reach out to that company directly. If your payment processor is behind, fraud liability costs may still fall on you if you're not prepared and an incident occurs.
"I've heard no news that there is an availability problem with the new terminals," Cardtek's Smith said. "I suspect that there has been some procrastination on the payment processors' part, as they may have been expecting a deadline extension, but clearly that didn't happen. If you are a small- or medium-sized business, you need to keep the pressure on who supplies your software and devices. The longer you wait to go to your equipment supplier the longer it will take for you to get enabled."
6. If you're partially transitioned to EMV, you're partially liable.
By now it's evident that the nationwide shift to EMV payment technology isn't happening overnight. A report released by The Strawhecker Group, a global payment industry consulting company, said that only 37 percent of merchants are EMV-ready today. That number is only expected to rise to 50 percent by June and 72 percent by the end of the year.
Not all card issuers are 100 percent EMV-ready, either. According to CreditCards.com research, 70 percent of consumers have a chip card in their wallet these days. Visa estimates that about one-third of all U.S. Visa cards have been issued with chips as of February 29, 2016. MasterCard estimates its chip card penetration rate a bit higher, as 67 percent of its cards bear EMV chips as of March 20, 2016.
Fortunately, the gradual transition doesn't overly complicate the fraud liability shift. Overall, the more complete your EMV migration is today, the less liable you are for potential fraud chargebacks.
"It's based on the individual terminal and the individual card level," Ericksen said. "If an issuer has issued a certain percentage of their cards as chip but the fraud occurs with a card that doesn't have chip yet, the liability will fall back on the issuer. And the same thing applies to different merchant locations. If a retailer has EMV payment terminals at one location, but not another where fraud occurs, the liability would be terminal-specific and the merchant would be responsible."
7. October 1 was not a mandatory EMV deadline, per se.
If you're a merchant who still isn't ready for this new payment landscape, it's OK. October 1 was the official date of the liability shift, which will come into play if fraud occurs, but if you have yet to make the transition to EMV, you can decide when it's right for you to do so.
Merchants who don't experience a high rate of counterfeit fraud, such as coffee shops, mom-and-pop restaurants or other small, often local, stores, may not need to worry about the shift as much just yet. If the risk for counterfeit fraud is low, then the risk of being liable for fraud chargebacks under the new liability shift is low, so such merchants may be able to delay the investment in EMV upgrades with few consequences.
"We certainly want everyone to make the transition to EMV, but smaller businesses may not have to rush quite as much," Ericksen said. "The liability shift is an incentive to make the switch to EMV, not a mandate."
Before paying for new chip card-processing terminals, merchants should do some research to find out what options their business may have and compare them to fraud protection needs. "That way they have an understanding of the time and cost it will take for them to be compliant," Vanderhoof said. "Once they have that information, they can decide whether that added protection that the time and cost investment is worth it."
If a merchant decides the cost is not worth the risk, that's their decision but the potential fraud risk should still be thoroughly considered. "The magnitude can be so great for small businesses," Smith said. "If a small store that does $2,500 a month in sales then has to pay about $900 for fraud that same month because they were found liable, that could be really tough."
Change of any kind can be overwhelming, time consuming and costly, but it may be beneficial in the long run. Don't rule out EMV technology too fast. "I know it's an additional consider to think about during a busy day but from the standpoint of protecting customers and your business, it's an important thing to consider," Johnson said.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.