As of October 1, 2015, the liability for credit card fraud shifted to the merchants who have yet to update their card reader technology. It isn’t a mandated deadline; it is technically voluntary for you to replace old card scanners with new EMV technology. In fact, leading up to the October 1st deadline, only about 5% of all merchants were compliant. But if you have yet to become EMV-compliant, you are exposing your organization to risks.
The Technology
Over recent months financial institutions have been issuing new credit cards to all their users – credit cards equipped with microchips. The chip is known as EMV, or Europay MasterCard Visa. It is a global standard for credit cards that provides increased security and helps reduce fraud for physical, point-of-sale transactions.
Traditional cards use magnetic stripes, but in that format the data does not change, making it easier for fraudsters to replicate. On the other hand, cards equipped with EMV use a new transaction code with every purchase. This makes it much more difficult for someone to use a duplicated card.
But this new technology requires a new type of card reader, and potentially new software. Merchants have been gradually updating their point-of-sale technology, but many have yet to begin the transition. Yes, there is a cost to becoming EMV-compliant. But the liability shift can put your company at risk of even greater costs.
The Liability Shift
According to the "2014 Identity Fraud Report" by Javelin Strategy & Research, the cost of credit and debit card fraud was $8 billion in 2012, and increased to $11 billion in 2013. Experts expect fraud numbers to continue to grow until card issuers and merchants embrace the EMV cards and systems.
Prior to October 1st, if credit card fraud occurred from point-of-sale transactions, much of the liability was placed on the credit card company. But since October 1, 2015, a greater amount of liability is put on the merchants – exposing you to the growing costs of card fraud. Simply put, here is how the liability works now:
- If a merchant is still using the old swipe technology for a customer with a chip card and a fraud takes place, the liability falls on the merchant.
- If the merchant has chip readers, but the bank has yet to issue the customer with a new EMV-compliant card, the liability would fall on the bank.
- If the merchant has chip readers, the customer is using an EMV card, and a fraud still occurs, the liability would fall on the credit card company.
Please note that this conversation applies to in-person point-of-sale transactions, where the card is present.
Becoming EMV-Compliant
The most obvious step is to update your card readers. But there is more to EMV compliance than just installing EMV-enabled terminals, especially depending on the size of your company.
It starts with assessing your current point-of-sale system. You may be required to update the system’s software, hardware, or just replace your card terminals. Your credit card processor has likely already reached out to you with information about making the transition. If they have not, then it is highly advised that you contact them for assistance.
If you use mobile card readers like Square, you also need to make sure they can accept EMV cards.
And it doesn’t stop when the new system is installed – you also have to train your employees on how to use it, as well as consider alternative options in the event that your EMV-compliant technology temporarily breaks down.
For larger companies, your process is likely to be more extensive – but it is still good practice to begin by assessing your current point-of-sale system to determine scale of your required updates.
Even though there is not a mandate to update to EMV technology at this time, not doing so exposes your organization to the risks of being liable for card fraud.
