Currently, almost half of the world’s credit card fraud happens in the U.S where magnetic stripe technology is the standard. Outside the U.S., an estimated 40% of the world’s cards and 70% of the terminals already use the EMV technology. These countries are reporting significantly lower counterfeit fraud levels with EMV cards than with the magnetic stripe cards.
By October 1, 2015, many people in the U.S. who use credit cards will likely notice changes when they pay for purchases at retail stores. The reason for the change is the “EMV liability shift” scheduled to occur on October 1 (EMV is an acronym for EuroPay, MasterCard, and Visa). As described in more detail below, the “liability shift” is an incentive for both merchants and card issuers to increase card security and reduce counterfeit fraud.
This post provides some background on EMV technology and describes the liability-related incentives the card brands are providing to encourage quicker adoption of EMV.
The EMV technology includes a computer chip embedded in each credit card. Unlike current payment terminals that many retailers use—where a customer “swipes” the credit card through the device that reads cardholder data off the magnetic stripe—the new technology will require the customer to insert the card so the chip can be read during the transaction. The chip provides dynamic authentication information that changes for each transaction, unlike the current magnetic stripe method with static data embedded in the stripe. As a result, cards with embedded EMV technology are much more difficult to counterfeit. The goal of the EMV technology is to decrease the amount of card-present credit card fraud due to counterfeit cards.
The EMV technology will likely require merchants to obtain new devices to read customers’ credit cards (note that automatic fuel pay merchants have an additional two years to move to the new technology before the “liability shift” takes effect). In addition, card issuers will have to issue new cards with embedded EMV chips.
Merchants using the EMV technology can offer customers a variety of ways to pay:
- First, and the most secure, is having the customer use the computer chip in the card and enter a PIN in the merchant’s device, so-called “Chip & PIN” security. This method may remind customers of ATM transactions, because a customer will insert the card, enter the PIN, and not remove the card until the transaction is complete.
- Second, and less secure, is having the customer use the computer chip but sign the receipt rather than use a PIN (“Chip & Signature”). This method is a combination of the current signature authentication with the security of the chip.
- Third, and less secure, is the current method of “swiping” the card with a signature authentication. The new EMV cards will still enable this method of credit card payment.
The EMV Liability Shift
The “liability shift” means that, as between merchants and card issuers (banks, credit unions, etc.), liability for counterfeit card-present transactions will shift away from the issuer (where it normally resides under the card brands’ zero liability provisions in their operating regulations), to the merchant if is not EMV-compliant (e.g. having implemented payment terminals that can read EMV-enabled cards and taking other compliance steps). The party that does not offer EMV-compliant devices (the merchant) or cards (the issuer) will face liability for counterfeit card transactions.
The payment brands, such as Visa and MasterCard, have issued additional requirements and guidance. For example, Visa has stated that the “liability shift” affects liability for counterfeit cards, but not for lost or stolen cards; whereas MasterCard has extended the “liability shift” to ATM counterfeit cards for all MasterCard-branded products as of October 2016. Merchants may wish to visit the website of each payment brand they accept for additional information.
Card Brand Frand and Operating Expense Assessment EMV Safe Harbor
In addition, some card brands may provide another liability-based incentive for merchants. Currently, merchants that suffer security breaches involving payment card data can be liable for significant fraud and operating expense recovery assessments. However, VISA has created a safe harbor in its Global Compromise Recovery Process (GCAR) that eliminates a merchant’s liability for liability GCAR assessments if the merchant generated more than 95% of their card-present transactions from EMV-enabled payment terminals at least thirty days before the data breach.
Impact on PCI-DSS Compliance
Notably, the new EMV technology is NOT required by the new PCI DSS v3.1, which we had previously described here, but is supported by that standard. However, some card brands are offering PCI-related incentives for merchants that adopt EMV and meet certain requirements. For example, if an eligible merchant processes at least 75% of its transactions through EMV-enabled terminals, under Visa’s Technology Innovation Program (TIP), Visa will waive the requirement for an annual obligation to validate PCI-DSS compliance.
Overall the switch to EMV will be a postive factor in reducing payment card fraud. However, online transactions—frequently referred to as “card not present” transactions—are not directly affected by the new EMV technology. If experience in other countries is a predictor of the effects in the U.S., merchants should anticipate an increase in online fraud. Merchants may wish to take additional security precautions for high-value or high-risk online transactions, such as using two-factor authentication.
Finally, if they have not already done so, merchants should consider switching to the new EMV technology now, in order to have the devices and systems tested and in place prior to the October 1, 2015 “liability shift.”