Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

<img class="alignright wp-image-3939 size-medium" src="http://dataprivacymonitor.bakerhostetlerblogs.com/wp-content/uploads/sites/5/2015/05/Credit-Card-Smart-Chip_4817968671-300x200.jpg" alt="Credit Card Smart Chip_481796867" width="300" height="200" />The EMV liability shift is coming. Sounds ominous, but what does it really mean? And how can retailers and merchants determine the potential impact of the shift on their business? Like many issues in the payment card industry, there is confusion and misunderstanding. Through an FAQ format, we cover the basics and address some of the common misperceptions.
<ul>
	<li>What is EMV? EMV is a smart-chip technology for payment cards—EMV cards have an embedded microprocessor chip that creates a dynamic authentication code for each transaction. It can be used with a PIN or just with the cardholder’s signature.</li>
	<li>Why the push for EMV? The primary benefit of using an EMV card is the prevention of counterfeit card-present fraud. If someone steals the data contained in the magnetic stripe of a payment card, that person can embed the stolen data in a different magnetic stripe, apply it to the back of a plastic card, and then use the counterfeit card to make a purchase in a store. Because the embedded chip in an EMV creates a dynamic authorization code for each transaction, even if the card number and other sensitive authentication data from the magnetic stripe is stolen from a merchant, the thief will not be able to replicate the dynamic code generated by the chip.</li>
	<li>What is the EMV liability shift? As of October 1, 2015, if a merchant has not been certified through its acquirer as EMV-compliant, then the merchant will be responsible for all card-present counterfeit fraud losses. Currently, under the card networks’ zero-liability regulations, issuers are responsible for card-present counterfeit fraud losses.</li>
	<li>What does it take to become EMV-compliant? Becoming EMV-compliant is not plug-and-play—it requires more than just buying EMV-enabled terminals. In addition to the certification requirements specific to the terminals, a merchant needs to ensure that its payment application is certified for EMV and obtain certification through its acquiring bank for each card network. This may involve more than 250 different tests. Acquirers expect to see a backlog of certification requests caused by merchants who have waited to start the process.</li>
	<li>How can a merchant determine what its liability will be if it is not EMV-compliant? Most in the industry will say that there is not a reliable way to project the potential liability a merchant may face for card-present counterfeit fraud if it does not move to EMV. Under the preliability shift framework, issuing banks are responsible for card-present counterfeit fraud. Thus, merchants and their acquiring processors do not have access to reliable, historical card-present counterfeit fraud amounts (i.e., merchants cannot look at their monthly statements from their processors and project liability). Some acquiring processors have indicated that large retailers could face millions in liability if they do not move to EMV and that fraud will migrate to those retailers who do not implement EMV, while others have suggested that the cost of moving to EMV will likely not be justified solely by the potential elimination of fraud liability. Many predict that the retailers that are more likely to face a higher amount of liability for counterfeit fraud if they do not move to EMV are those that sell high-value items that are easy to resell (e.g., jewelry, electronics, prepaid cards, money orders, and wire transfers).</li>
	<li>Does a merchant have to become EMV-compliant? No—the card networks implemented a carrot and stick approach. There are no current card network regulations that require a merchant to move to EMV. Merchants that are not EMV-compliant become responsible for card-present counterfeit fraud, but there are PCI DSS-validation waivers and account data compromise liability assessment safe harbors for merchants that become EMV-compliant.</li>
	<li>Does the liability shift apply to card-present counterfeit fraud on just EMV cards or on all cards? Most believe that the liability shift applies to counterfeit fraud on both magnetic stripe and EMV cards, not just EMV cards. However, there are confusing statements and FAQs issued by acquiring processors as to what transactions the shift applies to. On its face, Visa’s rule indicates that it applies to all transactions.<a href="#_ftn1" name="_ftnref1">[1]</a> For American Express, its press release states: “American Express will institute a Fraud Liability Shift (FLS) policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology.” Discover has similar language to American Express regarding a hierarchy of liability shifting.</li>
	<li>Do all EMV cards have to be used with a PIN? There is no mandate from the card networks as to whether it is Chip &amp; Signature or Chip &amp; PIN. Each issuing bank gets to decide whether it will issue an EMV card as Chip &amp; Signature or Chip &amp; PIN. If a merchant’s system does not support Chip &amp; PIN, the transaction may not be able to be completed, and there may be additional fraud liability shift implications (e.g., if the system only supports Chip &amp; Signature, under one network’s rules there may be a liability shift for lost or stolen card fraud).</li>
	<li>So is the magnetic stripe gone? First, the EMV cards that are being issued still have a magnetic stripe so that they can be used at merchants that have not installed EMV-enabled terminals. Second, it will be years before all cardholders have an EMV card, so most merchants will have hybrid terminals that accept EMV and magnetic stripe cards.</li>
	<li>When will everyone have EMV cards? Several payment industry commentators have predicted that it will be 2020 before more than 90 percent of cardholders are using an EMV card.</li>
	<li>Is EMV a security solution? Some refer to EMV as a security solution. While EMV cards are good at preventing counterfeit fraud, they are not equivalent to a firewall or intrusion prevention system. Indeed, installing EMV-enabled terminals does not stop an unauthorized person from hacking into a merchant’s cardholder data environment. Given the projections on the timeline to exceed more than 90 percent usage of EMV cards, unless other technology solutions are used, merchants will still have plain text magnetic stripe data in their network (albeit in decreasing volume). The theft of magnetic stripe data subjects merchants to liability for reimbursing banks that issued cards affected by the breach for their costs associated with reissuing new cards and counterfeit fraud. Thus, card networks are encouraging merchants that are moving to EMV to also implement point-to-point encryption (P2PE).</li>
	<li>Is there an impact on customer confidence? While moving to EMV is not required and the overall financial impact on merchants is unknown, one factor some merchants consider when deciding to implement EMV is the concern that customers will equate being able to pay with an EMV card with security and think poorly of those companies that are not EMV-compliant.</li>
	<li>Does EMV work with contactless payments and NFC? Yes, most EMV-enabled terminals also facilitate acceptance of contactless and NFC payments.</li>
	<li>Does moving to EMV lessen the cost of card acceptance? Accepting EMV cards, at the present, does not affect interchange rates (thus no cost savings or increase). There are still issues associated with the impact of the Durbin Amendment on EMV debit transactions, though.</li>
	<li>Is there a PCI validation waiver? If 75 percent of transactions are routed through EMV-enabled terminals, the card networks waive the requirement of an annual obligation to revalidate PCI DSS- compliance using a QSA. There are some conditions on this waiver and merchants have to submit an application for it to apply.</li>
	<li>Is there a safe harbor from post-breach liability for merchants who move to EMV? For account data compromise events where the at-risk data is magnetic stripe data (data from a card-present transaction—a card swipe in a store), merchants have historically faced assessments designed to reimburse banks that issued the affected cards for their costs of issuing new cards and the counterfeit fraud on the cards. As part of the incentive for merchants to support EMV, card networks will provide a safe harbor from those assessments if the merchant meets certain criteria. For example, Visa’s safe harbor criteria is below:
<ul>
	<li>Visa GCAR Liability safe harbor—“To encourage EMV chip implementation, Visa will provide an acquirer with safe harbor from GCAR liability if its merchant generates more than 95 percent of its card-present transactions from EMV chip-enabled terminals 30 days before the start of an account data compromise event. The 95 percent card-present threshold only applies to point-of-sale terminals, excludes card-not-present transactions, and does not require a chip card or a chip-on-chip transaction.”</li>
</ul>
</li>
	<li>Does EMV work for e-commerce (card-not-present) transactions? No, because the chip is not being read by a terminal in an e-commerce transaction. In other countries, issuing banks have provided devices that cardholders can connect to their computers to use their EMV cards for payment, but they have not been widely used.</li>
	<li>Do the criminals just go away or does the fraud migrate to e-commerce? Based on EMV migration data from other countries, it is expected that increased use of EMV cards will result in a reduction in card-present counterfeit fraud and a simultaneous (and, perhaps, dramatic) increase in card-not-present fraud. Merchants with a card-not-present system have been advised to increase their fraud monitoring and detection capabilities.</li>
</ul>
Additional EMV resources: 

For some basic information, go to <a href="http://www.gochipcard.com">http://www.gochipcard.com</a>.

For technical specifications, visit the site of the EMVCo, which manages the specifications and related testing processes for EMV card and terminal evaluation, security evaluation, and management of interoperability issues at <a href="https://www.emvco.com">https://www.emvco.com</a>.

The Visa U.S. Merchant EMV Chip Acceptance Readiness Guide can be found at <a href="http://usa.visa.com/download/merchants/visa-merchant-chip-acceptance-readiness-guide.pdf">http://usa.visa.com/download/merchants/visa-merchant-chip-acceptance-readiness-guide.pdf</a>.

The Smart Card Alliance also has EMV FAQs at <a href="http://www.smartcardalliance.org">http://www.smartcardalliance.org</a>.

For resources from a payment processor, including merchant FAQs, go to <a href="http://info.vantiv.com/emv">http://info.vantiv.com/emv</a>.

For information for all industry stakeholders, go to <a href="http://www.emv-connection.com">http://www.emv-connection.com</a>.

[1] Visa Core Rules 1.11.1.3 (p. 84) (“All domestic, intraregional, and interregional counterfeit POS Transactions, except Domestic Transactions in China.”) For Visa, the liability shift does not apply to fraud from lost or stolen cards—it only applies to counterfeit fraud. For other networks for Chip &amp; PIN cards, liability for lost, stolen, or NRI (not received as issued fraud) will shift to the party that has not made the investment in EMV PIN-preferring chip cards (issuers) or PIN-preferring terminals (merchants' acquirers).

Explaining the Implications for Merchants of EMV and the Liability Shift