With the October 1, 2015 liability shift deadline looming, merchants who have not yet made the change continue to evaluate the cost of accepting EMV cards versus the liability that will shift from the issuer to the merchant if they do not. The costs of implementation are fairly straightforward—buy EMV-enabled terminals and work with the terminal vendor, payment application vendor, and processor to implement and certify. It has been much more difficult to determine the type and amount of liability that will shift. First, if you read the card network operating regulations, EMV FAQs, or attend payment industry events, you can come away with two competing answers on what liability shifts—either all counterfeit fraud liability (regardless of card type) will shift or only fraud that occurs when the magnetic stripe data of an EMV card is used to make a counterfeit card. Second, pre-shift, there is no source of data accessible to a merchant to determine the dollar amount of fraudulent transactions that occur at the merchant using a counterfeit card.
In a May 18, 2015, blog, I answered 18 common questions about EMV, including the following that highlighted the confusion about what fraud the shift applied to:
Does the liability shift apply to card-present counterfeit fraud on just EMV cards or on all cards? Most believe that the liability shift applies to counterfeit fraud on both magnetic stripe and EMV cards, not just EMV cards. However, there are confusing statements and FAQs issued by acquiring processors as to what transactions the shift applies to. On its face, Visa’s rule indicates that it applies to all transactions. For American Express, its press release states: “American Express will institute a Fraud Liability Shift (FLS) policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology.” Discover has similar language to American Express regarding a hierarchy of liability shifting.
Later that month, the EMV Migration Forum (an independent group whose members include the card networks) issued a white paper that clarified what specific fraudulent transactions the liability shift will apply to. According to the white paper, the liability shift only applies: “… when a merchant accepts a magnetic stripe card that was counterfeited with track data copied from an EMV chip card, and the card is subsequently swiped at a POS device/application that is not EMV chip-enabled, and the transaction is successfully processed, the acquirer/merchant may be liable for the chargeback resulting from the fraud.” This indicates a narrower version of the liability shift. Indeed, under this approach (see the table below), liability for counterfeit fraud on magnetic stripe cards remains with the issuer after October 1, 2015, even if the merchant where the counterfeit card was accepted does not have EMV terminals.
This narrower liability shift is consistent with the EMV navigation guide recently released by Vantiv. The guide includes a high-level flowchart to identify when liability shifts as well as more specific charts that identify when liability shifts based on transaction type (Chip & Signature or Chip & PIN), broken down by network as well as for fallback transactions.
Even after knowing what liability shifts, to determine whether the costs of moving to EMV will provide a return on investment, the question remains for merchants—what dollar amount of fraudulent transactions will be made in their stores by counterfeit cards made from magnetic stripe data stolen from an EMV card after October 1? There is no ready source of historical data for merchants to analyze—at the end of 2014, less than 1 percent of the payment card transactions in the U.S. were on EMV cards. However, the Aite Group continues to predict that 70 percent of credit cards and 41 percent of debit cards will be EMV-capable by the end of 2015. Merchants who sell items that criminals like to use counterfeit cards to buy (e.g., prepaid cards) are obviously at a higher risk of incurring shifted liability if they do not move to EMV. And with continuing disclosures of new payment card breaches and updates from the Nilson Report regarding the increase in counterfeit fraud in the U.S. (as well as the U.S. accounting for almost 50 percent of payment card fraud with only 20 percent of the card sales volume), merchants should not count on the card networks delaying the liability shift.
Craig Hoffman Discusses Data Security and the Retail Industry