This new chip card technology — called EMV, which is short for Europay, MasterCard and Visa —sends a one-time code to process payments, rending duplication efforts useless and thereby increasing payment security.
Unlike credit cards using a magnetic strip to store payment processing information that does not change, chip-enabled cards are difficult to counterfeit. They use a unique code that can’t be used more than once. If a hacker steals credit card information from a chip-enabled card, it’ll be denied at the point of sale. The change is designed to reduce counterfeit card fraud, which makes up 37% of all credit card fraud in the U.S.
Oct. 1, 2015, marked the deadline for these changes to take place. On that date, the liability for counterfeit credit card fraud switched from card issuers to merchants. (The one exception is gas stations, which won’t become liable until 2017 because their payment collection is typically built in to the gas pumps.)
The switch from magnetic to chip cards wasn’t a quick and easy transition for merchants to make.
To begin accepting chip-enabled credit cards, merchants had to start using new point-of-sale credit card terminals, which range in price from $600 to $1,000 each. This, coupled with training employees, became a considerable burden for many small businesses right before the busy holiday shopping season. Combine that with the fact that at the end of 2015, only 25% of debit cards were chip-enabled, and you’ll see that this is proving to be a much slower transition than originally anticipated.
However, one aspect of this transition is rushing full speed at merchants, and it’s a question that they must understand and address: the question of liability for credit card fraud.
Continue reading ...
In order to accept chip-enabled cards, merchants had to replace their card terminals. (Photo: iStock)
During this transition period, many consumers still don’t have new chip-enabled cards, and some merchants have not implemented new point-of-sale terminals or, for various reasons, are not yet asking customers to dip instead of swipe their cards. This makes it difficult to determine where liability falls. However, generally speaking credit card issuers have been liable for chargebacks in the magnetic stripe era, and that liability will now shift largely to merchants.
There are several scenarios in which the merchant will now be liable:
- A merchant does not update POS terminals to EMV chip-enabled technology. Merchants that doesn’t take the necessary steps to accept chip-enabled cards are going to be held liable when they conducts what turns out to be a fraudulent transaction using magnetic strip technology.
- When the merchant conducts “fallback transactions.” A fallback transaction is one that is initiated between a chip card and a chip terminal but, for whatever reason, chip technology is not used and the transaction is completed via magnetic strip. In this scenario, the merchant is not liable as long as they identify the transaction as fallback to the card issuer, and if the issuer approves the fallback transaction. In this case, the credit card company is liable.
- When a merchant accepts a counterfeit magnetic strip card. Specifically, merchants may be liable if the card has been counterfeited with track data copied from a chip card, and the card is subsequently swiped at a device that is not chip-enabled.
- When a merchant accepts a lost or stolen card. If a chip card that has been stolen is used for a magnetic strip transaction, the merchant is liable for any chargeback.
From an insurance perspective, merchants should speak with their brokers on their current cyber liability exposures and controls, including the scope of coverage their current policy provides. For example, the mandated use of EMV technology is expected to increase the amount of card not present (CNP) fraud. A sound risk management program for CNP merchants includes:
- Data protection, which limits the number of entities that can see customer data.
- Tokenization, replacing sensitive user data with a reversible benign substitute.
- End-to-end encryption, where the transaction card number is separated from sales information and replaced with a token. The transaction is processed independently from the retailer via controls in the front-end and back-end processes. This helps keep sensitive information from potential thieves, who cannot commit fraud with meaningless token information.
While not all of the newly presented credit card liabilities may be insurable, it is a given that carriers will evaluate the retailer’s risk management practices. Compliance with EMV requirements, and the use of state-of-the art controls, will reflect well on the retailer, possibly leading to broader coverage grants and favorable pricing.
James W. Gow Jr. is senior vice president of the property and casualty practice for Mount Laurel, N.J.-based Corporate Synergies, an employee benefits and property and casualty insurance brokerage and consulting company.
Have you Liked us on Facebook?