What the upcoming EMV liability shift means for your business

posted in: Security | 0

Will you be ready next October?

October 2015 is the deadline imposed by Visa and MasterCard for all U.S. merchants to be capable of accepting EMV cards, also known as “chip-and-PIN” cards. These cards, which have already been in use in Europe for over a decade, store the cardholder’s information in a computer chip rather than a magnetic strip. These computer chips can only be read with specialized terminals that allow a customer to insert the end of the card into a reader and then enter a PIN on an attached PIN pad. Visa and MasterCard have instituted this policy shift because the EMV payment method is perceived to be more resistant to fraud than magnetic strip cards (a stance that is contested).

This means that if your current credit card terminal only accepts swiped magnetic strip cards, you will need to eventually buy new equipment to meet the upcoming standards. But credit card terminals can be expensive—usually a few hundred dollars to purchase and even more to lease. So what if you don’t want to pay for new equipment?

An offer you can’t refuse

It’s simple: if you fail to install EMV-compatible equipment at your location before October 2015, then you’ll be liable for the cost of any fraudulent transactions that you process at that location after October 1, 2015. So if a thief successfully buys $500 worth of items in your store using a fraudulent card, you will be on the hook for that $500. This is in contrast to the current system, in which the card networks and the banks manage this type of fraud.

To be clear: this is not a risk worth taking. Sure, there is no reason to believe that you’ll be any more susceptible to card fraud after the shift than you currently are. But if EMV truly is more secure than magnetic strip cards, then scammers will turn their full attention to whichever method is more easily hacked. This means that outdated equipment like yours will become a more attractive target.

If you have obtained the appropriate EMV equipment by October 2015, then Visa, MasterCard, and the card-issuing banks will continue to assume the liability for fraudulent transactions to their customers’ cards. It is important to note that you will still be held accountable for chargebacks, as these are direct disputes between you and the customer. You will not, however, be responsible for transactions at your location that are flagged by either the cardholder or the issuing bank as fraudulent.

Aside from avoiding the threat of fraud liability, there may be one positive incentive to switching to EMV that has gone widely underreported. MasterCard has announced that merchants who adopt EMV technology by certain dates will enjoy reduced liability for data breaches at their locations. Termed “Account Data Compromise (ADC) Relief,” this program differs from the October 2015 fraud liability shift in that it protects merchants from data theft rather than from fraudulent transactions. So, for example, if your business is the victim of a hack that results in the loss of sensitive customer data (think the Target or Home Depot hacks), MasterCard will shoulder some of the liability for the breach. For merchants who accepted at least 75% of in-store payments through EMV-capable terminals by October 2013, MasterCard offered to pay 50% of any penalties arising from a data breach. Next year, if a merchant is processing at least 95% of in-store payments through EMV-compliant terminals by October 2015, then that merchant will be relieved of 100% of data breach penalties.

Where should you buy your EMV equipment?

Merchant account providers are currently touting EMV-compatible terminals as a future-proof investment that protects you from fraud, but the truth is that you’ll eventually need to buy this equipment no matter what. This means that the sooner you start looking around, the less pressure you’ll face next fall to find an EMV processing solution that works for you.

If you’re happy with your current processor, get in touch and ask about a potential equipment upgrade. EMV-compatible terminals have been on the industry’s radar for a long time now, and it’s very likely that your processor has an offering that will work for you. As a general rule, it’s better to purchase equipment outright rather than lease it over time, so be sure to calculate the long-term costs of any lease agreements your provider proposes. Also be sure to obtain a PIN pad for chip-and-PIN transactions. Chip-and-PIN transactions are generally seen as more secure than chip-and-signature transactions, and you may therefore end up saving money on processing fees in the future as providers retool their pricing for EMV. As a final consideration, you might want to consider whether you’d like to add additional point-of-sale capabilities in this upgrade, like NFC, Bluetooth, or advanced POS features.

If you are unhappy with your current processor, find a better one! Look for a processor with interchange-plus pricing, fair monthly costs, month-to-month contracts, highly rated customer support, and no termination fees. And, of course, be sure to check out each processor’s EMV equipment offerings while you’re at it. But when the discussion turns to pricing for that new EMV equipment, there’s a little secret you should keep in mind.

Yet again, costs are being passed down to you.

Here’s an interesting fact about the upcoming liability shift: it technically has nothing to do with merchants. Here’s the exact language from Visa’s announcement, with emphasis added in bold:

With this type of liability shift, the party that is the cause of a chip-on-chip transaction not occurring (i.e., either the issuer or the merchant’s acquirer) will be financially liable for any resulting card-present counterfeit fraud losses. When a transaction occurs using chip technology, any liability for counterfeit fraud, though unlikely, would follow current Visa Operating Regulations.

In other words, there are two potentially liable parties. The first is the card-issuing bank, which would be responsible for a fraudulent transaction if it provided the cardholder with a card incapable of making EMV payments. The other party is the merchant’s acquirer—better known as your credit card processor—who would be responsible for the fraudulent transaction if it has not made the necessary investment in EMV-compatible technology.

You might have noticed that there’s nothing in this announcement that refers directly to business owners. So how does this liability shift possibly apply to you? Well, quite simply, merchant account providers will make you reimburse them for any of their losses related to card fraud through non-EMV terminals. And the only way for you to avoid paying these costs is to buy their EMV-capable equipment before the deadline—essentially footing the bill for their mandatory security upgrade.

It’s just another frustrating decision by an industry that largely makes its own rules. But it doesn’t mean that you have to cough up whatever they ask.

Shop competitively for new point-of-sale equipment, and make sure you understand where your responsibility for fraud begins and ends. Many providers will take advantage of this liability shift to upsell you into unnecessarily complex machines or lock you into processing agreements that you don’t really need. Here’s the bottom line: if your business is able to accept EMV payments by October 2015, then your liability will remain the same as it is now. If you aren’t able to accept EMV payments by next October, then you will be running extra risk with each card swipe. That’s all there is to it.

Yes, having to upgrade your credit card processing equipment is a major pain. But it’s better to make the investment now, when you can plan for it, than to cross your fingers and hope that your business isn’t victimized by scammers to the tune of hundreds or thousands of dollars.

How are you preparing for the liability shift? Let us know in the comment section below:

Leave a Reply

Your email address will not be published. Required fields are marked *