Breaking down EMV and the “Liability Shift”



There has been a lot of talk relating to EMV, as well as some confusion as to how it impacts merchants. As we have reached the magic date of 10/1/15 when the “Liability Shift” is to occur, let’s decipher what this all means:

BACKGROUND:

The acronym EMV actually stands for Europay, MasterCard and Visa.  EMV is a global standard for credit cards equipped with computer chips and the technology used to authenticate chip-card transactions.   Don’t be confused if you also hear EMV referred to as Smart Card, Chip Card, Smart-chip Card, Chip-enabled Smart Card, or Chip-and-Choice Card (PIN or signature).

The problem with traditional credit and debit cards pertains to the “magnetic stripes” on the cards, which store unchanging data. This means that whoever accesses the data gains the sensitive cardholder information necessary to make purchases. This is why traditional cards are targets of counterfeiters, who are able to easily convert stolen card data to cash. If someone copies a mag stripe, they are able to replicate that data over and over again because of the static nature of the mag stripe.
 
In contrast to traditional cards, if a hacker steals an EMV card, a typical card duplication would not be effective because the stolen transaction number created in that instance wouldn’t be usable again, and the card would simply be denied. The bottom line is that EMV technology would not prevent data breaches from occurring, but this dynamic data approach will make it much more difficult for fraudsters to profit from what they steal.
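The static-versus-dynamic contrast described above, as an added example that is not part of the original article: a toy issuer accepts a copied magnetic-stripe value every time but rejects a replayed or altered chip transaction. The class names, the HMAC-SHA256 stand-in for the chip's cryptogram, and the sample PAN and track values are assumptions for illustration; real EMV cards use their own cryptogram algorithms and key derivation.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, pan, atc, amount, nonce):
    # Stand-in MAC (HMAC-SHA256), not the real EMV cryptogram algorithm.
    msg = f"{pan}|{atc}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0  # key stays on the chip

    def pay(self, amount, nonce):
        self.atc += 1  # counter advances on every transaction
        mac = cryptogram(self._key, self.pan, self.atc, amount, nonce)
        return {"pan": self.pan, "atc": self.atc, "amount": amount, "nonce": nonce, "mac": mac}

class Issuer:
    def __init__(self):
        self.keys, self.last_atc, self.tracks = {}, {}, set()

    def issue(self, pan, track):
        self.keys[pan], self.last_atc[pan] = secrets.token_bytes(32), 0
        self.tracks.add(track)  # static stripe data on file
        return ChipCard(pan, self.keys[pan])

    def authorize_stripe(self, track):
        return track in self.tracks  # identical bytes pass every time

    def authorize_chip(self, tx):
        key = self.keys.get(tx["pan"])
        if key is None or tx["atc"] <= self.last_atc[tx["pan"]]:
            return False  # unknown card, or counter already seen (replay)
        expected = cryptogram(key, tx["pan"], tx["atc"], tx["amount"], tx["nonce"])
        if not hmac.compare_digest(expected, tx["mac"]):
            return False  # fields altered after the chip signed them
        self.last_atc[tx["pan"]] = tx["atc"]
        return True

def run_demo():
    issuer, track = Issuer(), "constructed-track-data"  # constructed sample value
    card = issuer.issue("4000000000000002", track)  # constructed PAN
    tx = card.pay(2500, secrets.token_hex(4))
    return {
        "stripe_copy": issuer.authorize_stripe(track) and issuer.authorize_stripe(track),
        "chip_first": issuer.authorize_chip(tx),
        "chip_replay": issuer.authorize_chip(dict(tx)),
        "chip_altered": issuer.authorize_chip({**card.pay(100, "ab12cd34"), "amount": 9999}),
    }
```

Calling `run_demo()` returns the four authorization outcomes; only the stripe copy and the first chip transaction are approved.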
 
PIN & CHIP vs CHIP & SIGNATURE:
 
The U.S. credit market has been criticized for being the last major market still using the magnetic-stripe card system. In contrast, many European countries moved to EMV technology years ago to combat high fraud rates. When EMV cards were introduced in Europe and other parts of the world, POS fraud was greatly reduced, as expected. However, fraudsters followed the path of least resistance and focused more on online fraud, where EMV’s security features do not apply. As a result, online fraud spiked.
 
There remains a primary distinction between EMV as introduced in the U.S. and EMV as utilized throughout Europe. In Europe, EMV cards are often referred to as “Chip-and-Pin” cards and operate just like the type of checking account debit cards that Americans have used for years. Entering a PIN connects the payment terminal to the payment processor for real-time transaction verification and approval. This additional verification process provides an additional level of protection.
 
In contrast to Europe’s Chip-and-Pin cards, the U.S. form of EMV is characterized as a “Chip-and-Signature” card transaction. As with traditional magnetic stripe credit cards, American consumers, with rare exception, will continue to sign on the point-of-sale terminal to take responsibility for the payment when making a chip-and-signature card transaction. Some commentators have projected that it may take two to three years to fully convert to an EMV “Chip-and-Pin” format once the transition to EMV is fully under way in the U.S. Others see signs that the direction is to move away from “plastic” towards contactless payments.
 
EMV’S LIMITATIONS:
 
EMV is not helpful for e-commerce transactions as it only applies for “Card Present” Transactions.
 
EMV is not encryption: it does not encrypt the Primary Account Number (PAN), so the card data must still be protected according to PCI guidelines. Simply put, EMV technology does not override PCI obligations, nor does it satisfy PCI requirements.
 
Merchants are advised to consider EMV as a valuable weapon against fraud while recognizing that it should be implemented in a layered manner along with validated point-to-point encryption (P2PE) to reduce PCI scope and protect data.  Additionally, using tokens (tokenization) after authorization can prevent the card data from being used in the event that it is stolen.
 
HOW DOES THE LIABILITY SHIFT WORK?
 
In today’s card processing environment, if an in-store transaction is conducted using a counterfeit, stolen or otherwise compromised card, consumer losses from that transaction routinely fall back on the payment processor or issuing bank.  (Of course, the Issuing Bank or Card processor routinely holds the Merchant contractually liable should they find that there were any PCI infractions associated with a fraudulent transaction).
 
After the October 1, 2015 deadline created by the major U.S. credit card issuers, the liability for card-present fraud will shift to whichever party is the least EMV-compliant in a fraudulent transaction. For example, take a financial institution that issues a chip card that is used at a Merchant’s store that has not made the investment to change its system to accept chip technology. Should a counterfeit card be successfully used by a fraudster in such a case, the Merchant would face the liability since it failed to upgrade its POS in order to utilize the chip card.
 
The major credit card issuers have each published detailed schedules pertaining to the shift in liability. Obviously, the “Shift” is intended to help bring the entire payment industry on board with EMV by encouraging compliance to avoid liability costs. In fact, most Merchants that were not EMV-ready by October 2015 may expect much higher costs in the event of a large data breach. (Automated fuel dispensers will have until 2017 to make the shift to EMV.) Given the massive U.S. market, it remains to be seen what percentage of banks and retailers will be EMV-ready.
 
COSTS OF BEING EMV-READY:
 
According to Javelin Research & Strategy, the average cost for a bank to issue a new EMV card is $3.50, and the average cost of an EMV-compliant POS terminal is $500.  Retailers using mobile payment devices such as Square will also have to purchase new equipment to read the chips on EMV cards.  EMV debit cards may be issued to consumers at an even slower pace as banks have to prep their software to accept those cards as few POS systems were equipped in the past to accept debit cards in the U.S.  The overall price tag for retailers to upgrade payment systems to accept new cards is estimated to be more than $8 billion.
 
HOW MANY MERCHANTS ARE PRESENTLY EMV READY:
 
Given the massive U.S. market, it remains to be seen what percentage of banks and retailers/merchants will be EMV-ready in the foreseeable future. The percentages for businesses that have missed the 10/1 date are quite high. According to National Processing Solutions, 73% of businesses remain non-EMV compliant as of 10/1. This same source reports that only 25% of consumers have received chip-enhanced cards and that only 27% of merchants are EMV compliant. No matter how you do the math, clearly the U.S. market is not uniformly prepared for EMV.