More than 575 million chip-cards have been issued by financial institutions to consumers, and you’ve probably been walking around with one in your pocket since June of last year. Since October 2015, merchants may have requested you begin to ‘dip’ rather than ‘swipe’ your card. Why? Although the transition to chip-card technology may be confusing at first, it’s ultimately a benefit to privacy and security.
For merchants, however, the transition to accepting chip-card technology is essential to avoiding what the industry is calling the EMV ‘liability shift.’
What is EMV?
EMV is a global standard for secure credit card transactions utilizing microchip technology embedded in debit and credit cards. The name derives from EuroPay, MasterCard and Visa (EMB), the companies that originally developed the technology.
Although Europe adopted the practice long ago, the United States was late in transitioning to the EMV technology standard. By the end of 2015, 70% of U.S. credit cards were issued as EMV cards, but only 59% of retail locations were expected to be EMV-compliant.
What is the EMV “liability shift”?
As of Oct. 1, 2015 (2017 for fuel-pump stations), many card brands have instituted a “liability shift” policy to incentivize both merchants and card issuers (banks and credit unions) to transition to EMV technology, which has shown to increase card security and reduce counterfeit fraud. The liability shift means that between merchant and card issuers, liability for counterfeit card-present transactions resides with the party using the least secure EMV-related technology.
In other words, prior to Oct. 1, 2015, the liability for fraudulent transactions largely fell upon the card issuer. Now, non-EMV compliant merchants could be liable for the costs associated with any chargebacks.
What does EMV mean for merchants?
Consumers were provided their new chip-cards by card issuers, but what are the next steps for merchants? Although 78,000 merchants have already installed EMV chip-activated technology, tens of thousands are still risking exorbitant costs due to fraudulent charges and the ‘liability shift.’
The average cost of an EMV-compliant point-of-sale terminal is around $500. Chip-reading mobile devices such as Square can be purchased for $29-$39. While the initial costs of EMV technology may appear large for some merchants, ultimately merchants will pay far less than the potential fines, penalties and assessments levied by major card brands against non-compliant merchants.
Under Visa’s Global Compromised Account Recovery process (GCAR), for example, Visa can levy an assessment against a non-PCI compliant merchant that suffers a breach, that includes fraud recovery (an amount to reimburse issuing banks for fraud perpetrated on cards subject to a data breach) and operating expense recovery amounts (such as an amount to reimburse issuing banks for the costs to reissue payment cards subject to a data breach). The contractual clauses governing this exposure are generally found in the Merchant Services Agreement (MSA). This portion of a merchant’s exposure is insurable, but not all cyber liability policies respond the same way. It is important to note any breach of contract exclusions or sub-limits pertaining to both PCI Fines/Penalties and PCI Assessments.
Mitigate the risk
The first step to mitigating the risk is to become EMV compliant. While each of the card brand’s EMV-compliance certification program may vary, in general, merchants must apply for and receive certification through its acquiring bank to become EMV-compliant, which entails three phases:
- Hardware Certification: installing EMV-enabled terminals that are certified by EMVCo to process payments.
- Software Certification: implementing payment application software.
- End-to-end Certification: holistic testing and approval of point-of-sale configuration, where the card brands check and confirm the integrity of the payment chain as a whole.
The certification process and level of involvement will vary across merchants, depending largely upon the size and complexity of the merchant’s business; the timeframe to completion can take anywhere from a few weeks to several months.