Understanding the EMV Liability Shift for Merchants
Retail merchants have undoubtedly heard about the EMV liability shift and how it can affect them. But if you’re a new merchant or new to accepting credit cards, you may not be aware of what it means or how it came about.
EMV is a security standard developed by Europay, Mastercard, and Visa in the 1990s, and it was used with debit cards in Europe; it now includes credit cards in Europe as well. The EMV group now also includes American Express, Discover, JCB, and China UnionPay, and they have made this a global security standard.
When EMV first launched, the big four card networks set a deadline for compliance for October 2015, which is when they shifted the liability of fraud from the networks to the merchants. That meant that if a merchant used an EMV-compliant card reader and followed all proper procedures, but a fraudulent transaction still got through, the merchant would not have to bear the cost.
How Does EMV Work?
EMV card readers use chips inside the cards (commonly known as “chip cards”), and you either have to insert the card into the reader (called “dipping”) or tap it on its top/front. EMV readers were available in Europe around 1994, but we didn’t get them in the United States until 2012 when “the big four” — American Express, Discover, Mastercard, and Visa — adopted the standard, but only for debit cards.
Before EMV, customers would just swipe the magnetic stripe on their card through the reader. We don’t do that for debit cards anymore, although we still do for credit cards. Then, the debit card holders would enter their pin number, and credit card users would sign a receipt confirming their purchase. Some merchants might even check the customer’s signature, although many didn’t.
There’s a push for the U.S. to start requiring PIN authentication for credit cards like Europe currently does, but we’re still a long way off from that.
The EMV chip-and-pin standard even follows the EU’s 3DS2 security standard of “something you have, something you know, something you are.”
That is, you have the debit card, you know the pin, or you “are” your fingerprint, if you’re using your mobile phone to make a payment.
And the EMV is having great results. Last year, Visa reported a 76 percent total reduction in fraud after the 2015 compliance date.
(Just one more reason why we think the U.S. should require PIN authentication for credit cards.)
So What is the EMV Liability Shift?
To encourage rapid adoption, the EMV consortium said they would cover the costs of any fraudulent transactions that made it through their system, as long as the merchant was using the correct EMV equipment.
They set a deadline of October 1, 2015, and said they would no longer bear the liability for the fraud if merchants were not using the new EMV-compliant equipment.
Since the credit card companies came up with the standard and procedure to reduce fraud and created the necessary equipment to make it work, they figured it was their right to refuse to pay for any fraud that was done using non-compliant payment machines.
That means that merchants that won’t use EMV-compliant systems are the ones responsible for allowing fraud to happen. They can take all the steps they want to prevent it, but if someone still manages to slip one past them, they bear all costs related to it. That means the cost of the sale, the original cost of the merchandise, plus any penalties and fees that are incurred.
Right now, the only merchants that are not included in the liability shift are fuel merchants. They have until October 2021 to comply, after several deadline extensions.
So Who Exactly is Liable for What?
Depending on the situation and the type of merchant, there are a few times where the merchant bears the cost of the fraud versus the credit card network.
- If a counterfeit card is used with stolen chip card and data, and the merchant was not EMV-compliant, the merchant is responsible.
- If a merchant encourages the customer to swipe instead of dip, the merchant is responsible.
- If mag stripe data from a chip card is copied and used to swipe at a non-EMV merchant, the merchant is responsible.
- If someone tries to insert the chip card, but the reader malfunctions, and they have to swipe instead, the credit card issuer is responsible.
- If someone uses a stolen chip card in an EMV reader, the credit card issuer is responsible.
- If a stolen card is used online or for a CNP purchase, the credit card issuer is responsible.
In the end, the EMV Liability Shift ultimately shifted the liability back to the merchants and made it very expensive for merchants to not safeguard their own credit card processing systems.
To learn more about the EMV security standard and how you can use it to protect your own business, whether brick-and-mortar or online, Corepay can help. To learn more, please visit our website or call us at (866) 987-1969.
Photo credit: AhmadArdity (Pixabay, Creative Commons 0)
We appreciate you following Corepay’s blog. Let’s collaborate, send us your article suggestions, questions, and/or feedback to: [email protected].