The truth in this case is EMV compliance. No, that is not a new social media acronym or shorthand for something. EMV stands for Europay, MasterCard and Visa, also known as chip cards or integrated chip cards. As of October 1st, 2015, if you process Point of Sale (POS) transactions (typically, face to face, card present, brick and mortar), you will need to have an EMV compliant terminal to avoid the liability shift for counterfeit transactions.
EMV cards have been the global standard for at least 10 years. Rather than just having the magnetic stripe with the cardholders information, EMV cards have an embedded chip which offers additional security to prevent counterfeit transactions. With EMV compliant POS terminals, the cardholders inserts or dips their card, vs swiping, in the device. There is a whole lot of technical ‘stuff’ regarding tokenization and encryption that provides the heightened security as the bad guys haven’t (dare I say yet?) broken the code to capture and counterfeit EMV cards.
To help the conversion from magstripe technology to EMV, the payments processing industry created a roadmap for merchants.
The first phase of the implementation timeline was October 2012. Phase One: PCI Relief for Early Conversions was also known as the Technology Innovation Program. It granted relief from reporting compliance validation with the PCI Data Security Standard if 75% of their POS transactions were processed on EMV compliant terminals.
Phase 2, Merchant Acquirer Requirement, triggered on April 2013 (and no, it was not an April Fool’s joke). The merchant processors had to be able to support merchant acceptance of chip-enabled transactions. In order for chip-enabled cards to be processed according to the EMV standards, the merchant did need to have an EMV compliant device. The biggest change under this phase is that the processor sends the same card identifying data for magstripe payments or the unique data with dynamic credentials for smart card transactions, depending on the terminal.
The third phase, and the subject of this article, occurs in a scant 2 weeks time, October 1, 2015. Coined the “Merchant Fraud Liability Shift”, this phase is the one with potentially dire consequences for POS/face-to-face/card present transactions. After 10/1/15, if a cardholder makes a transaction with an EMV card on a non-compliant terminal, the merchant is then held responsible for any counterfeit fraud associated with that transaction. The only POS-related exception to this phase is gasoline retailers.
But the gasoline retailers are not safe for very long – the 4th phase of the roadmap shifts this same fraud liability to gasoline retailers in October of 2017. And we all thought we were already paying too much at the pump.
Where EMV processing standards have been implemented, POS counterfeit fraud has been greatly reduced. The industry has been quick to point out that some merchants are much more at risk than others for counterfeit fraud. Merchants who operate in industries where the item purchased can be quickly turned into cash, such as jewelry, electronics, firearms, furs, for example.
Consequence 1: Liability shifts to the merchant acquirer/merchant for counterfeit fraud if not using EMV compliant terminals.
But what about online, e-Commerce, Card Not Present (CNP) transactions, the fastest growing segment of purchases? Once EMV standards are implemented (and the US is lagging the rest of the world), those perpetrating fraud are likely to shift their focus to CNP transactions. Recent history has seen a 40% increase in online fraud as a result. Well this is where there is a ton of misinformation. In a 9/10/15 webinar, the industry expert who spoke stated that the liability shift does not apply to CNP transactions. An online discussion board contributor tried to make a case for the need to be equipped with EMV compliant terminals (probably had a quota to make) and yet another talked about using multi-factor, single use PIN authentication which could negatively impact the user’s purchase experience. In another industry whitepaper, the author stated: “Online and omni-channel merchants can experience huge fraud losses as EMV cards roll out in the US.1” It was further stated that “EMV cards can mean trouble because they provide no protection for online transactions.2”
What does this mean for CNP merchants? It is likely that the liability for fraud (at least until there are other protections) may not shift but what will shift is where the fraud will occur; from face-to-face, POS to online, CNP transactions. Either way, there is a cost to be borne by all.
Consequence 2: Fraud will still be perpetrated by the bad guys, but rather than look you in the eye, they will do it over the phone or via the internet. Merchants need to be diligent about educating themselves on the best practices available in the industry and work closely with reputable, ethical payment processing providers for the solutions, including tools and practices to mitigate risk that best fit their situation.
To quote Sgt Phil Esterhaus from Hill Street Blues: “And hey, let’s be careful out there”.
1, 2Cardinal Commerce, EMV Roadmap for Omni-Channel Merchants