Tag Archives: EMV

Immediate Vault Immediate Access

Dip, Don’t Swipe: How the EMV Liability Shift Impacts Merchants

Posted on by

shutterstock_287890574

More than 575 million chip-cards have been issued by financial institutions to consumers, and you’ve probably been walking around with one in your pocket since June of last year. Since October 2015, merchants may have requested you begin to ‘dip’ rather than ‘swipe’ your card. Why? Although the transition to chip-card technology may be confusing at first, it’s ultimately a benefit to privacy and security.

For merchants, however, the transition to accepting chip-card technology is essential to avoiding what the industry is calling the EMV ‘liability shift.’

What is EMV?

EMV is a global standard for secure credit card transactions utilizing microchip technology embedded in debit and credit cards. The name derives from EuroPay, MasterCard and Visa (EMB), the companies that originally developed the technology.

Although Europe adopted the practice long ago, the United States was late in transitioning to the EMV technology standard. By the end of 2015, 70% of U.S. credit cards were issued as EMV cards, but only 59% of retail locations were expected to be EMV-compliant.

What is the EMV “liability shift”?

As of Oct. 1, 2015 (2017 for fuel-pump stations), many card brands have instituted a “liability shift” policy to incentivize both merchants and card issuers (banks and credit unions) to transition to EMV technology, which has shown to increase card security and reduce counterfeit fraud. The liability shift means that between merchant and card issuers, liability for counterfeit card-present transactions resides with the party using the least secure EMV-related technology.

In other words, prior to Oct. 1, 2015, the liability for fraudulent transactions largely fell upon the card issuer. Now, non-EMV compliant merchants could be liable for the costs associated with any chargebacks.

What does EMV mean for merchants?

Consumers were provided their new chip-cards by card issuers, but what are the next steps for merchants? Although 78,000 merchants have already installed EMV chip-activated technology, tens of thousands are still risking exorbitant costs due to fraudulent charges and the ‘liability shift.’

The average cost of an EMV-compliant point-of-sale terminal is around $500. Chip-reading mobile devices such as Square can be purchased for $29-$39. While the initial costs of EMV technology may appear large for some merchants, ultimately merchants will pay far less than the potential fines, penalties and assessments levied by major card brands against non-compliant merchants.

Under Visa’s Global Compromised Account Recovery process (GCAR), for example, Visa can levy an assessment against a non-PCI compliant merchant that suffers a breach, that includes fraud recovery (an amount to reimburse issuing banks for fraud perpetrated on cards subject to a data breach) and operating expense recovery amounts (such as an amount to reimburse issuing banks for the costs to reissue payment cards subject to a data breach). The contractual clauses governing this exposure are generally found in the Merchant Services Agreement (MSA). This portion of a merchant’s exposure is insurable, but not all cyber liability policies respond the same way. It is important to note any breach of contract exclusions or sub-limits pertaining to both PCI Fines/Penalties and PCI Assessments.

Mitigate the risk

The first step to mitigating the risk is to become EMV compliant. While each of the card brand’s EMV-compliance certification program may vary, in general, merchants must apply for and receive certification through its acquiring bank to become EMV-compliant, which entails three phases:

  • Hardware Certification: installing EMV-enabled terminals that are certified by EMVCo to process payments.
  • Software Certification: implementing payment application software.
  • End-to-end Certification: holistic testing and approval of point-of-sale configuration, where the card brands check and confirm the integrity of the payment chain as a whole.

The certification process and level of involvement will vary across merchants, depending largely upon the size and complexity of the merchant’s business; the timeframe to completion can take anywhere from a few weeks to several months.

Home Depot Confirms Massive Data Breach

Posted on by

Home Depot Data Breach

On Monday, Home Depot confirmed that a breach of its payment data systems may have exposed customer card data across the United States and Canada. The breach appears to have begun in April, allowing hackers to steal an untold amount of shopper information including credit card numbers.

online pharmacy ocuflox with best prices today in the USA

The home improvement giant disclosed on Sept. 2 that it was investigating reports of “unusual activity” and, a week later, determined that any customers who used a card in the U.S. or Canada is at risk, though the breach does not appear to impact shoppers online or at retail stores in Mexico. In an official statement, the company assured that no one would be held responsible for fraudulent charges and offered free identity protection services, including credit monitoring, to anyone who has shopped at one of its locations since April.

As with the massive Target data breach, the Home Depot news was first broken by cybersecurity journalist Brian Krebs. The data went up for sale on rescator. So, the same underground store that sold credit card information from the Target and P.

online pharmacy zoloft with best prices today in the USA

F. Chang’s breaches, and may have been stolen by the same group of hackers. Krebs reported, “In what can only be interpreted as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine, this crime shop has named its newest batch of cards ‘American Sanctions.’ Stolen cards issued by European banks that were used in compromised U.S. store locations are being sold under a new batch of cards labeled ‘European Sanctions.'”

Given the five-month duration, this breach may be many times larger than the Target attack, which exposed 40 million credit and debit cards and the personal data of 70 million customers in three weeks. The Target breach led to the resignation of its CEO and cost the company almost $150 million in the second quarter alone, according to the New York Times. In fact, the toll may reach ever higher. “I don’t see how they’re getting out of this for under a billion, over time,” John Kindervag, the vice president and principal analyst with Forrester Research, told the Times, adding, “$150 million in a quarter seems almost like a bargain.” Beyond the company itself, Javelin Strategy and Research reported at the time that total damage to banks and retailers could surpass billion, and consumers could be liable for more than billion in uncovered losses and other costs.

online pharmacy clomid with best prices today in the USA

One of the most promising ways to increase point-of-sale security is through the adaptation of EMV chip technology, as discussed in the March issue of Risk Management. In Europe, 81% of cards have EMV chips, and countries that have adopted the technology saw sharp declines in credit card fraud. In England, for example, the amount of fraud per transaction has dropped 57% since 2002, while it has risen almost 70% in the United States over the same period, according to consulting firm Celent. As part of its breach response, Home Depot announced plans to escalate adoption of EMV, installing “chip and PIN” checkout terminals throughout its U.S. stores by the end of the year. Target made a similar move in April, saying that it will issue its branded REDcard credit, debit and co-branded credit cards with MasterCard chip technology beginning next year.