On October 1, 2015, a substantial portion of the liability associated with in-store fraudulent credit card purchases will shift from credit card issuers, such as banks or credit unions, to retail merchants. Credit card companies instituted the shift in a push to force retailers to adopt new EMV (EuroPay, MasterCard, and Visa) chip technology over the traditional magnetic strip readers prevalent in the United States.
EMV chip technology is considered a more secure payment system than traditional credit card magnetic strips. Magnetic strips contain a single set of unchanging data that can be replicated and used repeatedly for fraudulent purchases until the card is cancelled. In contrast, a card with an EMV chip generates a one-time transaction code that cannot be used for any other in-store transaction, limiting the utility of the stolen data. According to the credit card industry, the adoption of EMV chip technology will also limit fallout from significant company-wide data breaches as the breach would yield less profitable information for hackers.
Credit card companies hope to expedite the new technology rollout through the pending change in liability rules. Under current rules, the card issuer assumes all the liability for counterfeit or stolen credit card transactions. Under the new rules, retailers who choose to accept payments via a credit card’s magnetic strip will be able to do so but may be liable for fraudulent purchases resulting from the use of the magnetic strip on EMV chip enabled cards. Generally speaking, if the card does not contain an EMV chip, the card issuer can be held liable. If the card contains an EMV chip but the merchant has not adopted EMV chip technology, the merchant can be held liable. As between the two parties, the party with the least EMV-compliant transaction network will be responsible for the fraudulent transaction.
The new rules will likely generate some confusion over who is liable for specific transactions, as each instance of fraud requires the following factual determinations, among others:what type of card was used in the fraudulent transaction (counterfeit magnetic strip card with data copied from another magnetic strip card, or counterfeit magnetic strip card with data copied from a chip card) whether the card was EMV chip-enabled; whether the point-of-sale (POS) terminal was EMV chip compliant, and if the POS terminal and the card were both EMV chip enabled, whether the transaction was a “fallback” transaction in which the magnetic strip was used despite the EMV chip capability of both the card and POS system.
Depending on the answers to each inquiry, either the retail merchant or the issuer will be liable for the fraudulent transaction. The liability analysis becomes even more complex if chip and pin technology is part of the transaction.
In order to be deemed EMV-compliant, retailers need to upgrade their POS terminals and review their software to ensure both can process the new technology. Cost estimates for converting the entire U.S. network range from 8.5 billion dollars to in excess of 30 billion dollars. Advocacy groups for the retail industry have asked for an extension of the October deadline because some retailers are experiencing delays in procuring the new technology ahead of the looming deadline. Additionally, the new liability standard calls for the installation of chip and signature technology as opposed to the more secure chip and pin technology. Chip and signature cards require the customer to sign for each credit card transaction. Chip and pin cards require the customer to memorize a numerical pin to authorize the transaction and offer an additional layer of security. Many retailers are concerned that the failure to convert to chip and pin technology as part of the EMV transition will place an undue share of fraud liability on the retail merchant handling the in-store transaction. Credit card companies have responded that the conversion to chip and pin will be phased in over a period of years to give the U.S. consumer time to adjust.
After October 1, 2015, retailers may continue to use the old magnetic strip technology but will be subject to the new liability-shifting rules. Although the cost of switching to the new technology may be high, the potential liability of failing to make the switch is significant under the new rules. Card issuers are well on their way to full EMV chip compliance and estimate that two-thirds of U.S. credit cards will contain an EMV chip by the end of 2015, placing the burden of compliance squarely on the shoulders of retail merchants. Retailers contemplating converting their networks will need to weigh the cost of adopting the new technology against their potential liability exposure once the new rules go into effect.