As I sit down to write this post on September 30, the unfolding EMV initiative (EMV stands for Europay, MasterCard, and Visa, the companies that originated it) is less than one day away from a major milestone in the US: the liability shift.
Most of us are at least aware of the new cards we’ve been receiving with integrated circuits, or chips, sometimes referred to as “smart cards.” While I don’t intend to present myself as a subject matter expert on EMV or payment processing, I want to share some basic information on EMV and what the liability shift means to merchants.
Some of the information may be interesting to cardholders, but the liability shift is between card issuers and merchants. Cardholders are not directly affected.
What is EMV?
EMV goes far beyond the chip in the card; it’s a wholesale change in the payment transaction process. The current magstripe card technology is 40 years old.
The data on all magstripes is static and consistent across cards. Once that data is stolen, it’s fairly trivial to rewrite it onto blank cards or even overwrite it onto cards that previously contained legitimate data. EMV technology includes private cryptographic keys in the card chip itself, as well as the ability to write data to the chip both from the local payment terminal and from the host system maintained by the card issuer that ultimately authorizes payment.
The technology also allows initial risk assessment logic to begin at the point of sale, between the payment terminal and the chip on the card, which actually runs tiny applications before data is even sent upstream to the host.
It’s not a perfect system, but it’s substantially more secure than magstripe transaction processing.
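The contrast described above between static magstripe data and a chip that holds its own key, as an added example that is not part of the original post. It is a simplified model: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the class names, amount and track value are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, amount, nonce, atc):
    # Simplified stand-in for an EMV cryptogram: a MAC over transaction data.
    msg = b"|".join([str(amount).encode(), nonce, str(atc).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    """Chip holding a secret key and a transaction counter (ATC)."""
    def __init__(self, key):
        self._key, self.atc = key, 0

    def sign(self, amount, nonce):
        self.atc += 1  # every transaction gets a new counter value
        return self.atc, cryptogram(self._key, amount, nonce, self.atc)

class Issuer:
    """Host system that ultimately authorizes payment."""
    def __init__(self, track, key):
        self.track, self.key, self.last_atc = track, key, 0

    def authorize_swipe(self, track):
        # Magstripe: the only check possible is "does the static data match?"
        return hmac.compare_digest(track, self.track)

    def authorize_chip(self, amount, nonce, atc, mac):
        if atc <= self.last_atc:  # counter already used: replay
            return False
        if not hmac.compare_digest(cryptogram(self.key, amount, nonce, atc), mac):
            return False
        self.last_atc = atc
        return True

def demo():
    track = b"4111111111111111=2512"  # constructed test value, not real card data
    key = secrets.token_bytes(32)
    card, issuer = ChipCard(key), Issuer(track, key)
    nonce = secrets.token_bytes(4)  # terminal's unpredictable number
    atc, mac = card.sign(1999, nonce)
    return {
        "swipe": issuer.authorize_swipe(track),
        "swipe_copied": issuer.authorize_swipe(bytes(track)),
        "chip": issuer.authorize_chip(1999, nonce, atc, mac),
        "chip_replayed": issuer.authorize_chip(1999, nonce, atc, mac),
        "chip_new_nonce": issuer.authorize_chip(1999, secrets.token_bytes(4), atc + 1, mac),
    }

if __name__ == "__main__":
    print(demo())
```

The issuer cannot tell a copy of the static track data from the original, while a captured chip cryptogram fails both when resubmitted as-is and when paired with a fresh terminal nonce.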
What is transaction liability?
In the event of successful credit card fraud, someone assumes the loss and becomes the victim of that fraud. That party is either the merchant or the card issuer.
The cardholder doesn’t pay, and neither Visa nor MasterCard pays.
Discover and American Express are a bit different, in that most of their cards are issued by those companies directly. They own their own payment networks, so in most cases they are the payment system provider and card issuer.
In a “card present” transaction, which historically meant a card was physically swiped (magstripe) and read by a payment terminal, the liability fell on the card issuer. These are companies like Citigroup, Bank of America, Capital One, etc. As long as the card was physically read by the machine and not keyed in, the merchant was paid for the transaction.
What is the liability shift?
Beginning in October 2015, the liability for fraudulent credit card transactions falls upon the party unable to meet EMV transaction requirements, which will inevitably be the merchant. If the merchant is EMV-ready, including their merchant services provider and payment terminals, card issuers will still be liable for fraudulent transactions.
If they are not, and the account used has been issued an EMV-capable card, the merchant will assume the loss for the transaction and will not be paid for it. I’m curious – does anyone reading this still have an active card without an EMV chip? Comment below.
What about online or phone orders?
Transactions that don’t include physical interaction with the card, known as CNP or “card not present” transactions, are not affected by the EMV liability shift, but there are a couple of important things to note here. CNP transactions have always held a high risk of liability for the merchant. As card-present transactions become more difficult to defraud, CNP merchants should be even more diligent as they (we) increasingly become the lowest-hanging fruit.
It will be interesting to see how this all plays out over the coming months. Here’s hoping it will be a smooth transition.
About the Author:
Jason Culliton is a member of L-Tron’s Sales Team specializing in law enforcement and government data collection solutions. In his spare time, Jason likes to smoke meat and go scuba diving. Jason can be reached at info@L-Tron.com or at (800) 830-9523