The United States is nearing the second anniversary of the nationwide liability shift for card-present fraud for merchants not having the capability to accept payment cards with EMV chip technology. Even though most retailers are converting or have already converted to support EMV chip technology, POS malware-based breaches are still happening. After the recent POS breaches at EMV-capable retailers Kmart and Buckle, many are left wondering how exactly EMV technology will reduce fraud, who is responsible when breaches do occur, and what other protections still need to be put in place.
In October of 2015 the EMV liability shift for counterfeit and lost/stolen card transactions went into effect for retailers’ in-store point of sale (POS) payment devices. Henceforth, any counterfeit and lost/stolen card fraud that could have been prevented through the use of an EMV-capable device becomes the responsibility of the party who did not have the EMV technology in place. Below are a few scenarios to help clarify who would be responsible for chargebacks related to counterfeit and lost/stolen card transactions:
- If the card issuer provided the consumer a chip card and the merchant did not have an EMV-enabled device, the merchant is responsible for the fraud liability.
- If the card issuer did not provide the consumer a chip card and the merchant had an EMV reader, the issuer is responsible for the fraud liability.
- If the card issuer did not provide the consumer a chip card and the merchant also did not have an EMV reader, the issuer is responsible for the fraud liability.
For all other types of chargebacks, merchants keep the same responsibilities they had before the liability shift for counterfeit and lost/stolen card transactions, including potentially reimbursing the consumer for any fraudulent transactions and paying the costs of notifying the cardholders, making new cards, mailing the cards to the cardholders, etc.
While EMV technology can dramatically reduce card-present counterfeit and lost/stolen card fraud, it does nothing to prevent data breaches. A hacker can still steal cardholder data from the integrated POS systems if the merchant does not maintain additional controls over those systems. That compromised data can then be used for e-commerce or other card-not-present fraudulent transactions. What we are now seeing globally as a result of the shift to EMV for face-to-face transactions is a shift to, and an increase in, card-not-present fraud.
Criminals are quick to find ways around the protections EMV technology provides and those methods are not always technical. One example of this would be a criminal deliberately removing their fraudulent card from the reader before the transaction completes. This can cause the device to indicate a chip failure and require that the card be swiped. The transaction with the counterfeit card would likely complete successfully when, had the chip been used for validation, the card would have failed in the device. When the transaction is later identified as fraudulent, the merchant, having accepted payment using the card swipe from a chip-enabled card, is now liable for the costs.
During the time between October 2015 and June 2016, the increase in the fines and fees borne by the merchant community became an issue. Merchants encountered unexpected delays when attempting to get their new terminals certified for EMV, leaving them liable for the costs of fraudulent transactions instead of the liability going back to the issuer. In June 2016, Visa announced a modified approach to the EMV rollout that would attempt to allow more time for the whole payment community to get on track with EMV. The announcement included the following four elements:
- Reduced and streamlined requirements for testing
- Simplifying the certification process
- Providing additional support (e.g. technical expertise, funding) for acquirers and VARs
- Adjustments to the chargeback rules for not-yet-ready merchants
By modifying their chargeback rules, Visa (and subsequently American Express) limited the negative impact of these transactions on the merchants until April 2018. Beginning on July 22, 2016, any domestic counterfeit fraud that results in a chargeback under $25 is not the responsibility of the merchant; these chargebacks are blocked by Visa. Visa went on to limit the number of fraudulent transactions that can be charged back to a single account to just ten. After October 2016, the issuer is liable for any additional chargebacks on that account beginning with the eleventh counterfeit transaction. Early estimates from Visa suggested that merchants would see a 40% reduction in the number of these chargeback transactions, with an estimated 15% reduction in the amounts being charged back.
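The liability scenarios, the fallback-swipe case, and the two Visa chargeback limits described above can be combined into a small chargeback-exposure model. This is an added example, not code from the original article; the transaction records are constructed sample data, and the way the ten-per-account cap is counted is an assumption.

```python
from dataclasses import dataclass
from datetime import date

SMALL_TICKET_RULE = date(2016, 7, 22)     # from July 22, 2016: counterfeit chargebacks under $25 are blocked
PER_ACCOUNT_CAP_RULE = date(2016, 10, 1)  # after October 2016: issuer liable from the 11th per account
SMALL_TICKET_LIMIT = 25.0
PER_ACCOUNT_CAP = 10

@dataclass
class Txn:
    account: str          # cardholder account id (constructed sample value)
    amount: float
    when: date
    card_has_chip: bool   # issuer gave the cardholder an EMV chip card
    terminal_emv: bool    # merchant device was EMV-enabled
    fallback_swipe: bool  # chip card swiped after a forced "chip failure"
    fraud_type: str       # "counterfeit" or "lost_stolen"

def liable_party(t: Txn) -> str:
    """Apply the article's liability-shift scenarios to one fraudulent transaction."""
    if not t.card_has_chip:
        return "issuer"    # no chip card issued: issuer liable with or without an EMV reader
    if not t.terminal_emv or t.fallback_swipe:
        return "merchant"  # chip card accepted by swipe: merchant liable
    return "issuer"        # chip read on an EMV device: liability stays with the issuer

def merchant_exposure(txns):
    """Return (dollars charged back to the merchant, chargebacks absorbed)."""
    # Assumption: the per-account cap counts only counterfeit chargebacks that reached the merchant.
    seen, total, count = {}, 0.0, 0
    for t in sorted(txns, key=lambda x: x.when):
        if liable_party(t) != "merchant":
            continue
        if t.fraud_type == "counterfeit":
            if t.when >= SMALL_TICKET_RULE and t.amount < SMALL_TICKET_LIMIT:
                continue   # blocked by Visa, never charged to the merchant
            seen[t.account] = seen.get(t.account, 0) + 1
            if t.when >= PER_ACCOUNT_CAP_RULE and seen[t.account] > PER_ACCOUNT_CAP:
                continue   # eleventh and later on this account go back to the issuer
        total += t.amount
        count += 1
    return round(total, 2), count

SAMPLE = [  # constructed sample data: all transactions are after the liability shift
    Txn("A", 100.0, date(2016, 11, 1), True, False, False, "counterfeit"),
    Txn("A", 12.0, date(2016, 11, 2), True, True, True, "counterfeit"),
    Txn("B", 60.0, date(2016, 11, 3), False, False, False, "counterfeit"),
    Txn("F", 15.0, date(2016, 9, 1), True, False, False, "lost_stolen"),
] + [Txn("D", 30.0, date(2016, 12, d), True, False, False, "counterfeit") for d in range(1, 13)]
```

Running `merchant_exposure(SAMPLE)` shows the small-ticket block removing the $12 fallback swipe and the per-account cap stopping the eleventh and twelfth chargebacks on account D, while the lost/stolen $15 transaction is still charged because the small-ticket rule only covers counterfeit fraud.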
What Merchants Should Do
As criminals continue to evolve their techniques, it is important for merchants to also evolve their fraud-prevention strategies. Review your departmental payment card procedures and ensure all staff understand your procedures and are following them. Below are a few questions that should be asked:
- Are you having employees compare consumer IDs to the payment card?
- Are they comparing signatures on the receipt to the card?
- Would address verification be able to help in your environment?
- Are employees participating in security awareness training?
- Do employees know how to report and respond to potential fraud?
- Do your payment card procedures and departmental procedures outline how the EMV terminals are to be configured and utilized?
- How are you identifying and preventing fraud online? Can you limit quantities, implement a delay when ordering, etc.?
It is critical to weigh the consumer experience/convenience against the potential for risk when defining your payment card procedures. Depending on your environment and risk tolerance, choosing to implement EMV is a merchant or organization-based decision. As an example, at the time of Chipotle’s decision to decline EMV technology, they were more concerned with the potential delays that occur during the EMV authentication process and the negative impact on their fast-paced food service environment. With the fines they are likely to face now, a few extra seconds for processing probably doesn’t sound so bad. As you look to make changes in your environment, for example rolling out a PCI-listed P2PE solution, including an EMV-enabled option at that same time will increase your security profile with a relatively small increase in cost.
Please reach out to us if you have questions about EMV technology or strategies for reducing payment card fraud within your organization.
Some additional guidance from our Security Advisor team below:
[Stelly]: Well that’s a lot to digest, isn’t it? Deciding what should be done if your organization still has swipe-exclusive point-of-sale hardware should be based on your own risk analysis. Whether you opt to upgrade to EMV hardware now or wait until later, there will be a cost, and waiting could mean a much more significant one. Fortunately, PCI DSS Requirement 12.2 can help you decide the right time to switch with the help of your own empirical data. Start by including devices that are not EMV-enabled in your annual risk assessment. Use the results of the assessment for further cost/benefit analysis to get a clearer view of the meal that would be served if you were to opt for a hearty risk appetite. Consider factors such as your swipe devices’ locations, current book value, remaining depreciation, PTS validation lifespan, average transaction dollar amounts, chargebacks or other fraud experienced over the past year from in-person transactions associated with the device’s merchant ID, etc., and compare real dollar amounts against the cost of new devices so that decisions about replacement are based on known environmental variables rather than speculated fear.