On October 1, 2015, if your business accepts credit cards at the point of sale, you must have terminals that process an EMV* chip card (sometimes called “smartcard”) or your company will be liable for most fraudulent point-of-sale card transactions. The card issuing companies use the term “liability shift” to describe what will take place on October 1. The U.S. is one of the last countries in the world to migrate to EMV and it has been more than three years since the major card issuers announced the “roadmap” to the liability shift. Despite the roadmap plans, a survey conducted in July revealed that most small businesses that accept point-of-sale credit and debit card transactions have not transitioned their terminals to EMV—and many aren’t convinced it matters. It does, however.
Background
To combat fraudulent use of point-of-sale credit card transactions, during the mid-1990s the world’s major card-issuing companies jointly developed a computer chip protocol called EMV to augment the security measures present on the magnetic stripe of the cards. (At this point, EMV does not replace magnetic stripes. The chip is embedded in the card in addition to the stripe.) In the 1990s, most credit card fraudulent use was found in developing countries, so that’s where where EMV cards were rolled out first. However, as EMV became more widely used in others countries, criminal “fraudsters” moved their efforts to the U.S..
Today, the U.S. is where the majority of counterfeit and fraudulent credit card use takes place.
25% | Percentage of the world’s credit card transactions that take place in the U.S.
50% | Percentage of the world’s credit card fraud that happens in the U.S. (via)
Small merchants are unaware, unimpressed or unalarmed by the October liability shift.
According to July research conducted by Gallup on behalf of Wells Fargo, among small businesses that accept point-of-sale card payments, only 31 percent have upgraded their credit card terminals to accept chip-enabled cards.
31% | Percentage of small businesses that accept point-of-sale card payments that have upgraded to EMV chip cards
When asked if they plan to upgrade their point-of-sale credit card terminals to accept EMV chip cards, those that had not yet upgraded gave the following reasons:
29% | Intend to make the change before the October 1 deadline.
34% | Will change at some point in the future after October
21% | Never plan to upgrade
Reasons given for not upgrading (respondent could chose more than one):
48% | Believe there’s no harm in not upgrading
46% | Don’t want to incur the costs
41% | Not concerned with liability shift to retailer are not concerned about the liability shift in the case of fraud.
How the ‘liability shift’ will work in various scenarios beginning in October, 2015
Scenario One: A traditional magnetic stripe card (one without an EMV chip) is swiped by the customer at a magnetic stripe terminal.
If the purchase is a counterfeit transaction made with a card that has no chip, the merchant is generally not liable, just like before October, 2015. Why? The card issuer has not yet provided the user an EMV card.
Scenario Two: A chip card is used at a magnetic stripe-only terminal.
If the purchase is a counterfeit transaction made with a card that has an EMV chip, the merchant will be held liable in most cases. Why? According to the card issuers, their logic is this: They have made huge investments in chip technology designed to make transactions more secure, including re-issuing new cards to millions of cardholders, while the merchant has not invested in upgrading to a chip card reader. Additionally, they have provided the merchants more than three years to make the upgrade.
Scenario Three: A chip card is used at a chip-enabled terminal that has been activated by the merchant.
The merchant is not liable, and the issuer will continue to bear the responsibility of the counterfeit or fraudulent activity.
Exceptions: In the following cases, the liability shift takes place in October 2017, rather than 2015.
• Automated fuel pumps
• ATMs
Exceptions: Liability remains with card issuer beyond 2017.
• Card-not-present transactions (example: charge made via phone)
• Lost or stolen card fraud
• Processing that uses wireless technology like RFID (radio frequency identification) or NFC (near field communications). This type of usage ranges from Apple Pay to the fast-pay wands used at gas pumps.
How to upgrade your point-of-sale terminal to read EMV chip cards, NFC cards and NFC devices.
Contact the company that provides you your “merchant account.”
This can be confusing because in some cases, it is your bank that appears to be providing the service. And in other cases, the service may appear to be from providers who are “authorized agents” of banks. These can be called “independent sales organizations” or “member service providers.” However, the service may be provided by a large company that you’ve never heard of. No matter who is actually providing you the merchant account, the company whose name you see on billing or on the hardware should be able to explain how the liability shift and terminal upgrade works.
If the service provider tries to talk you out of an upgrade, ask for specific reasons why. But make sure the provider has your best interest in mind, not their own. For instance, the provider may not have fully depreciated the cost of the device they are currently providing you (despite knowing three years ago of the change). But the bottom line is this: The liability is shifting to you, not the provider.
Need more information?
Helpful sources of information about smartcards, chipcards and related technology from the cross-industry Smartcard Alliance:
A Q&A about EMV from a consumer’s perspective can be found on CreditCard.com.
*EMV stands for Europay, MasterCard, and Visa, the three companies which originally created the standard. The standard is now managed by EMVCo, a consortium with control split equally among Visa, Mastercard, JCB, American Express, China UnionPay and Discover.
(Illustration: Photo by Ciaran McGuiggan via Flickr, CC by 2.0)