This new chip card technology — called EMV, which is short forEuropay, MasterCard and Visa —sends a one-time code to processpayments, rending duplication efforts useless and therebyincreasing payment security.

|

Unlike credit cards using a magnetic strip to store paymentprocessing information that does not change, chip-enabled cards aredifficult to counterfeit. They use a unique code that can’t be usedmore than once. If a hacker steals credit card information from achip-enabled card, it’ll be denied at the point of sale. The changeis designed to reduce counterfeit card fraud, which makes up 37% ofall credit card fraud in the U.S.

|

Oct. 1, 2015, marked the deadline for these changes to takeplace. On that date, the liability for counterfeit credit cardfraud switched from card issuers to merchants. (The one exceptionis gas stations, which won’t become liable until 2017 because theirpayment collection is typically built in to the gas pumps.)

|

Related: Cyber attacks drive insurance purchases in early2015

|

The switch from magnetic to chip cards wasn’t a quick and easytransition for merchants to make.

|

To begin accepting chip-enabled credit cards, merchants had tostart using new point-of-sale credit card terminals, which range inprice from $600 to $1,000 each. This, coupled with trainingemployees, became a considerable burden for many small businessesright before the busy holiday shopping season. Combine that withthe fact that at the end of 2015, only 25% of debit cards werechip-enabled, and you’ll see that this is proving to be a muchslower transition than originally anticipated.

|

However, one aspect of this transition is rushing full speed atmerchants, and it’s a question that they must understand andaddress: the question of liability for credit card fraud.

|

Continue reading ...

|

|

Chip card reader

|

In order to accept chip-enabled cards, merchants had toreplace their card terminals. (Photo: iStock)

|

During this transition period, many consumers still don’t havenew chip-enabled cards, and some merchants have not implemented newpoint-of-sale terminals or, for various reasons, are not yet askingcustomers to dip instead of swipe their cards. This makes itdifficult to determine where liability falls. However, generallyspeaking credit card issuers have been liable for chargebacks inthe magnetic stripe era, and that liability will now shift largelyto merchants.

|

There are several scenarios in which the merchant will now beliable:

  • A merchant does not update POS terminals to EMVchip-enabled technology. Merchants that doesn’t take thenecessary steps to accept chip-enabled cards are going to be heldliable when they conducts what turns out to be a fraudulenttransaction using magnetic strip technology.
  • When the merchant conducts “fallbacktransactions.” A fallback transaction is one that isinitiated between a chip card and a chip terminal but, for whateverreason, chip technology is not used and the transaction iscompleted via magnetic strip. In this scenario, the merchant is notliable as long as they identify the transaction as fallback to thecard issuer, and if the issuer approves the fallback transaction.In this case, the credit card company is liable.
  • When a merchant accepts a counterfeit magnetic stripcard. Specifically, merchants may be liable if the cardhas been counterfeited with track data copied from a chip card, andthe card is subsequently swiped at a device that is notchip-enabled.
  • When a merchant accepts a lost or stolen card.If a chip card that has been stolen is used for a magnetic striptransaction, the merchant is liable for any chargeback.

From an insurance perspective, merchants should speak with theirbrokers on their current cyber liability exposures and controls,including the scope of coverage their current policy provides. Forexample, the mandated use of EMV technology is expected to increasethe amount of card not present (CNP) fraud. A sound risk managementprogram for CNP merchants includes:

  • Data protection, which limits the number of entities that cansee customer data.
  • Tokenization, replacing sensitive user data with a reversiblebenign substitute.
  • End-to-end encryption, where the transaction card number isseparated from sales information and replaced with a token. Thetransaction is processed independently from the retailer viacontrols in the front-end and back-end processes. This helps keepsensitive information from potential thieves, who cannot commitfraud with meaningless token information.

While not all of the newly presented credit card liabilities maybe insurable, it is a given that carriers will evaluate theretailer’s risk management practices. Compliance with EMVrequirements, and the use of state-of-the art controls, willreflect well on the retailer, possibly leading to broader coveragegrants and favorable pricing.

|

James W. Gow Jr. is senior vice president of the propertyand casualty practice for Mount Laurel, N.J.-based CorporateSynergies, an employee benefits and property and casualty insurancebrokerage and consulting company.

|

Related: 15 states and metro areas most vulnerable to IDtheft and credit card fraud

|

Have you Liked us on Facebook?

Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader

  • All PropertyCasualty360.com news coverage, best practices, and in-depth analysis.
  • Educational webcasts, resources from industry leaders, and informative newsletters.
  • Other award-winning websites including BenefitsPRO.com and ThinkAdvisor.com.
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.