Payments

EMV Credit Cards, Part 1: Who Is Responsible for Losses?

Editor’s Note: This is “Part 1” of a 2-part series.

This article is mainly for brick-and-mortar retailers. The upcoming October 2015 rule changes regarding EMV-enabled credit cards are specific to card-present merchants. But ecommerce merchants should understand what EMV entails, as some merchant account salespeople have tried to apply EMV to card-not-present accounts, such as ecommerce transactions.

I’m writing this because I mentioned EMV cards in “B2B Merchants Often Overpay for Card Processing,” my November 2014 article. That generated questions and concerns from brick-and-mortar retailers about the EMV misinformation being distributed by some processors and salespeople.

Therefore, the aim of this article is to clarify how acceptance of EMV cards and the upcoming rule changes will impact card-present retailers and the decisions they will have to make before October 2015. (For a background on EMV, read “Credit Card Processing: October 2013 Rate Changes, EMV Terminals,” my article from 2013.)

What Is ‘EMV’?

You may have noticed that a high percentage of newly issued credit and debit cards in the U.S. now have a microchip embedded in the plastic. While this chip is new to the U.S., cards issued in many other countries have had an embedded microchip for years. The purpose of the microchip is to reduce the value of stolen card data and the ease of conducting counterfeit transactions.

EMV-enabled credit cards have a microchip inserted in the plastic.  Source: Visa.

EMV-enabled credit cards have a microchip inserted in the plastic. Source: Visa.

EMV stands for “EuroPay, MasterCard, Visa,” which are the three companies that originally developed the standards for chip card processing. In the credit card industry EMV is synonymous with the rules governing acceptance of chip card transactions. These rules make chip cards and point-of-sale devices compatible around the world.

The card companies realize that the magnetic stripe technology used on U.S. credit cards for the last few decades no longer has adequate security. To conduct a fraudulent transaction, criminals need only the information found on the magnetic strip. This information can be skimmed off an individual card with a basic device or it can be obtained in mass quantities by hacking into merchant and provider databases. This is why merchant adherence to PCI DSS — Payment Card Industry Data Security Standards — is so important for the card companies.

Embedding a microchip on the card provides an important extra level of protection to reduce the value of stolen card data. The chip enables cryptographic processing. whereby each transaction has dynamic, unique authentication. This reduces the possibility of a fraudulent transaction. But it means that U.S. merchants will have to have point-of-sale devices that can process the encrypted information for this extra level of security to work.

EMV: What U.S. Merchants Need to Know

There is a lot misinformation from some merchant account providers about EMV. Unfortunately, some merchants that do not even process EMV cards are now buying and leasing equipment from these providers. Here is the information merchants need to know about EMV and the October 2015 rule changes that affect card-present merchants.

Currently, most card-present counterfeit card losses are the responsibility of the bank that issued the card. However, on October 1, 2015 the card companies are changing the rules. As of that date, the entity responsible for the EMV information will be held financially responsible for certain card-present counterfeit losses. That means that if the bank issued a card without the microchip, it may be responsible for any card-present fraudulent card losses. However, if the card had the microchip and the provider did not process the information, then the provider may be responsible for any losses.

What merchants need to understand is that the provider will pass any such loss onto the merchant if the merchant did not have equipment capable of processing the EMV information.

Also, understand that chip cards will still have the magnetic stripe on the back of the card, so merchants without the EMV POS devices can still process transactions. The card companies are not forcing merchants to invest in POS devices that can process an EMV transaction. However, they are using a pretty big stick via the counterfeit fraud loss rule changes to encourage merchants to invest in POS devices that can process EMV transactions.

Accept Financial Responsibility, or Not?

Therefore, every card-present merchant needs to make a decision: Does it want to take on the responsibility for counterfeit card losses or does it want to invest in equipment that can process EMV transactions? Businesses should make this decision well ahead of the October 2015 deadline, to ensure they can obtain the needed equipment if necessary.

However, there are more decisions each merchant will need to make should it invest in the EMV equipment. Merchants need to decide if they want to incorporate NFC (near field communication) or Apple Pay and other such programs that allow the customer to place the card or cell phone near a receiving device to obtain the chip card information, versus inserting the card in the POS device. Merchants also need to understand that some card issuers may require cardholders to key-in a PIN number with the chip card transaction and some issuers may only require the signature. This means that a merchant may need to invest in an EMV PIN pad due to the location of the POS device so the customer has some privacy when inserting her PIN number.

I’ll address this and other decisions merchants need to make in next month’s article — see “EMV Credit Cards, Part 2: Point-of-sale Devices, Alternatives.”

Phil Hinke
Phil Hinke
Bio


x