During the holiday season, stores throughout the United States process millions of credit card transactions per day. Although this flurry of sales activity is good for business, it also comes with a potential risk of liability if the credit cards used in those transactions are equipped with the chip-card technology that the merchants’ payment processing machines are not capable of handling.
During the past year, credit card issuers have been transitioning to the Europay, Mastercard, Visa (“EMV”) chip cards, which contain smart microprocessor chip technology. Using the chip reader in the credit card payment terminal, the chip serves as the communication conduit between the card issuer and the merchant’s bank to authenticate the card and complete the sales transaction. Unlike magnetic stripe credit cards, chip cards generate a unique transaction code that cannot be reused. This “dynamic” data technology helps to guard against credit card fraud arising out of data or security breaches where the credit card information is compromised. For some chip cards, the users may also be required to enter a PIN. This new chip card technology requires new payment processing terminals that many merchants have not yet implemented.
Although the card issuers themselves have not completed their issuance of EMV chip cards to replace existing magnetic stripe cards, the issuers imposed an October 2015 deadline on merchants and card payment processors to become EMV-ready. After October 2015, under the modified terms of their agreements with the credit card payment processors or networks (e.g., VISA, MasterCard, American Express, Discover), merchants who accept credit cards and who are not EMV-ready may be liable for any fraudulent transactions and possibly fined and/or sanctioned by the Payment Card Industry Security Standards Council, an industry organization that promulgates data and cybersecurity standards for the credit card sector. Liability will be shifted to the party who used the lower level of security and compliance with the EMV standards. This means that, for example, a merchant may be assigned liability for the fraudulent transaction if the purchase was made with a chip card but the merchant was not capable of processing the chip card payment, using instead the magnetic stripe method. Conversely, the card issuer may be assigned liability if the merchant was EMV-capable but the card issuer has not issued a chip card to the consumer.
Notably, the EMV standards do not apply to purchases where the cards are not physically presented, including online and telephone transactions.
Although they impose increased liability and breed disputes between potentially liable parties, EMV chip cards and their attendant standards and rules are intended to provide more consumer protection and create an incentive for merchants, card issuers, and payment processors alike to conform with best practices in an ever-evolving world of data and cybersecurity challenges.