Practical Ecommerce

EMV Credit Cards, Part 1: Who Is Responsible for Losses?

Editor’s Note: This is “Part 1” of a 2-part series.

This article is mainly for brick-and-mortar retailers. The upcoming October 2015 rule changes regarding EMV-enabled credit cards are specific to card-present merchants. But ecommerce merchants should understand what EMV entails, as some merchant account salespeople have tried to apply EMV to card-not-present accounts, such as ecommerce transactions.

I’m writing this because I mentioned EMV cards in “B2B Merchants Often Overpay for Card Processing,” my November 2014 article. That generated questions and concerns from brick-and-mortar retailers about the EMV misinformation being distributed by some processors and salespeople.

Therefore, the aim of this article is to clarify how acceptance of EMV cards and the upcoming rule changes will impact card-present retailers and the decisions they will have to make before October 2015. (For a background on EMV, read “Credit Card Processing: October 2013 Rate Changes, EMV Terminals,” my article from 2013.)

What Is ‘EMV’?

You may have noticed that a high percentage of newly issued credit and debit cards in the U.S. now have a microchip embedded in the plastic. While this chip is new to the U.S., cards issued in many other countries have had an embedded microchip for years. The purpose of the microchip is to reduce the value of stolen card data and the ease of conducting counterfeit transactions.

EMV-enabled credit cards have a microchip inserted in the plastic.  Source: Visa.

EMV-enabled credit cards have a microchip inserted in the plastic. Source: Visa.

EMV stands for “EuroPay, MasterCard, Visa,” which are the three companies that originally developed the standards for chip card processing. In the credit card industry EMV is synonymous with the rules governing acceptance of chip card transactions. These rules make chip cards and point-of-sale devices compatible around the world.

The card companies realize that the magnetic stripe technology used on U.S. credit cards for the last few decades no longer has adequate security. To conduct a fraudulent transaction, criminals need only the information found on the magnetic strip. This information can be skimmed off an individual card with a basic device or it can be obtained in mass quantities by hacking into merchant and provider databases. This is why merchant adherence to PCI DSS — Payment Card Industry Data Security Standards — is so important for the card companies.

Embedding a microchip on the card provides an important extra level of protection to reduce the value of stolen card data. The chip enables cryptographic processing. whereby each transaction has dynamic, unique authentication. This reduces the possibility of a fraudulent transaction. But it means that U.S. merchants will have to have point-of-sale devices that can process the encrypted information for this extra level of security to work.

EMV: What U.S. Merchants Need to Know

There is a lot misinformation from some merchant account providers about EMV. Unfortunately, some merchants that do not even process EMV cards are now buying and leasing equipment from these providers. Here is the information merchants need to know about EMV and the October 2015 rule changes that affect card-present merchants.

Currently, most card-present counterfeit card losses are the responsibility of the bank that issued the card. However, on October 1, 2015 the card companies are changing the rules. As of that date, the entity responsible for the EMV information will be held financially responsible for certain card-present counterfeit losses. That means that if the bank issued a card without the microchip, it may be responsible for any card-present fraudulent card losses. However, if the card had the microchip and the provider did not process the information, then the provider may be responsible for any losses.

What merchants need to understand is that the provider will pass any such loss onto the merchant if the merchant did not have equipment capable of processing the EMV information.

Also, understand that chip cards will still have the magnetic stripe on the back of the card, so merchants without the EMV POS devices can still process transactions. The card companies are not forcing merchants to invest in POS devices that can process an EMV transaction. However, they are using a pretty big stick via the counterfeit fraud loss rule changes to encourage merchants to invest in POS devices that can process EMV transactions.

Accept Financial Responsibility, or Not?

Therefore, every card-present merchant needs to make a decision: Does it want to take on the responsibility for counterfeit card losses or does it want to invest in equipment that can process EMV transactions? Businesses should make this decision well ahead of the October 2015 deadline, to ensure they can obtain the needed equipment if necessary.

However, there are more decisions each merchant will need to make should it invest in the EMV equipment. Merchants need to decide if they want to incorporate NFC (near field communication) or Apple Pay and other such programs that allow the customer to place the card or cell phone near a receiving device to obtain the chip card information, versus inserting the card in the POS device. Merchants also need to understand that some card issuers may require cardholders to key-in a PIN number with the chip card transaction and some issuers may only require the signature. This means that a merchant may need to invest in an EMV PIN pad due to the location of the POS device so the customer has some privacy when inserting her PIN number.

I’ll address this and other decisions merchants need to make in next month’s article — see “EMV Credit Cards, Part 2: Point-of-sale Devices, Alternatives.”

Phil Hinke

Phil Hinke

Bio   •   RSS Feed


email-news-env

Sign up for our email newsletter

Comments ( 6 )

  1. Jeff January 13, 2015 Reply

    What happens when a fraudster skims and duplicates the magnetic stripe, then uses that clone for a transaction? The cloned card won’t have a chip, so the merchant won’t be able to accept anything but the magnetic stripe. Who’s liable in that instance?

    • Denny khav January 13, 2015 Reply

      The new chip cards have a service code in the magnetic stripe. Trying to use it, will result in an “Use chip slot” message and there’s no chip to insert because it’s a cloned card. The merchant then rejects the card and/or call police.

      • Jeff January 13, 2015 Reply

        So what counterfeit situations will the merchant actually be liable for? If it’s just a regular magstripe card that’s been cloned, isn’t it still the issuing bank’s problem? I just don’t see where the merchant could get in trouble if they don’t have the proper equipment.

    • Janice January 13, 2015 Reply

      I would assume that the cardholder is still considered liable. There are many resources (white papers, articles, even blog pieces) that discuss the importance of being proactive in keeping your data safe. Even while using the “safest” method of electronic payment, it’s still one’s personal responsibility to check their statements regularly, and immediately report any suspicious activity to the proper authorities. So in a nutshell, until EMV card acceptance is MANDATED by law, it’s a business’ responsibility only to be PCI compliant, whether they accept EMV chips or not. But it’s an individual’s responsibility (now, and always will be) to stay on top of their finances.

    • Marty January 14, 2015 Reply

      The merchant isn’t liable if the card has no chip. The cardholder is liable unless the card was reported stolen. If reported stolen in a timely fashion, it’s then up to the card’s issuing bank to shut off the card to prevent it’s use. The liability is then the card issuers.

  2. karen Fulbright-Anderson October 1, 2015 Reply

    My husband and I own a Bed and Breakfast establishment. There are no credit card companies that provide the new upgraded equipment for the hospitality industry. Who set the rule that retailers who do not have the upgraded equipment are responsible for losses incurred when there is fraudulent use of the new credit cards? It is unfair that those in the hospitality industry will be punished when the equipment is not available.