By Maura Keller

Historically, credit card fraud has been a huge problem facing retailers, consumers and card-issuing banks alike. For decades, consumers have had limited liability on fraudulent credit card purchases—by law. Rather, the card-issuing bank has been required to absorb the cost of fraud. But that’s about to change. In October, the U.S. will be embracing EMV credit cards. As such, there will be a liability shift—resulting in retailers being responsible for fraudulent credit card transactions when the transaction is not performed using EMV. Retailers are readying themselves for this big change, while getting a better understanding of what steps they need to take to protect themselves and their bottom line.

 

Changes Ahead

The changes in EMV liability for fuel marketers, in the store (as of 2015) and at the pump (as of 2017), are significant.
Visa, MasterCard, Discover and American Express have mandated that on Oct. 1, 2015, liability for fraudulent cards will shift to whichever party, the issuer or the merchant/acquirer, is not accepting EMV transactions and using strong customer verification methods.

According to Michael English, executive director, product development, at Heartland Payment Systems, this liability is for fraudulent transactions committed with a counterfeit EMV card at the point of sale.
The majority of the liability resulting from credit card fraud is currently the responsibility of the card issuer. Following the EMV deadlines, if the card issuer has issued an EMV card and the retailer has not upgraded the site technologies to support EMV transactions, the liability will become the responsibility of the retailer.

When referring to EMV liability, the general rule of thumb is that liability falls to the party, issuer or merchant, that is either not using EMV or is using the weakest customer verification method (CVM). “Chip & PIN” is the most secure of all CVMs, followed by “chip & signature.”

Additionally, MasterCard, Discover and American Express have announced a liability shift for lost and stolen chip cards.

“For the petroleum industry, different major oil brands and their acquirers may handle the liability shift differently,” said Tom Cerovski, vice president, products and technology services for Wayne Fueling Systems. “Some may pass it along to their retailers while others may shield the retailers from the liability.”

The EMV liability shift is focused on directing liability for fraudulent transactions, attributable to the use of counterfeit cards, to the party that prevented the EMV transaction from taking place.

As Cerovski explained, an EMV “chip on chip” transaction requires that both the card and the terminal support the chip technology. So if a chip-enabled card is used in a terminal that does not support EMV and a counterfeit fraudulent transaction results, the liability may go to the retailer if it has not implemented approved chip-enabled terminals at the point of purchase.

“Conversely, if a non-chip card—magstripe only—is used in a chip-enabled terminal, the liability for any resulting counterfeit card transactions goes to the card issuer,” Cerovski said.

English added that liability falls to the party that supports the less secure form of cardholder verification. “PIN is the highest form of cardholder verification,” English said. “Recently, Visa has announced a shift of lost/stolen liability to the issuer for chip card transactions completed at unattended chip-capable terminals that support no cardholder verification. This is to encourage merchants that deploy unattended chip terminals to support no verification for Visa in addition to PIN for the other brands.”

After each liability shift date, whichever party is responsible for an EMV transaction not taking place will be responsible for the counterfeit card fraud. If the mandated dates hold, retailers could now be liable for counterfeit card fraud for all credit cards.

So what is the relationship between the implementation of EMV and the PCI standards recently met by the industry? James Hervey, director of product management for petro for Verifone, noted that EMV and PCI are separate standards that are not related to each other.

“EMV is a global standard for the implementation for chip cards, whereas PCI standards are focused on overall security of the cardholder data environment and overall security of applications that process cardholder data,” Hervey said. “They work together with each other to secure electronic payments, but they are not related.”

Cerovski said PCI has been largely focused on PIN security and now card data security, whereas EMV is focused on migrating to chip-based technology and reducing counterfeit card fraud.
“EMV compliance complements the PCI security measures by increasing the security on the payment cards themselves—moving away from the vulnerable magstripe to more secure ‘chips’ that include cryptography to protect the card data and authentication to defend against counterfeit card fraud,” Cerovski said.

 

Top of Mind Concerns

As the October deadline looms, the cost of the required EMV implementation is top of mind for businesses. However, the cost to retailers will vary significantly based on the equipment that they are currently using.

“One thing is for sure: with increasing cyber-crime, the costs associated with non-compliance can soar into the millions of dollars,” said Paul Kleinschnitz, senior vice president of cybersecurity at First Data, a global leader in payments technology. “And, not only will there be a monetary loss, but retailers will face significant risk regarding customer loyalty and reputational damage.”

According to Parker Burke, director of payment and media at Gilbarco Veeder-Root, while the upgrade costs depend on the hardware currently at the site, Gilbarco helps to manage the investment through options that increase site profitability—as well as competitive financing programs through its partner Patriot Capital.