• Change is Coming: Migration to EMV Chip Technology and the Fraudulent Purchase Liability Shift to Merchants
  • December 10, 2014
  • Law Firm: Varner Brandt LLP - Riverside Office
  • American Express, Discover, MasterCard and Visa have all announced their plans to move to a chip-based payments infrastructure (known as “EMV”) in the United States. Effective October 2015, merchants, card issuers and payment processors must comply with new technical requirements set forth in the EMV standard for debit and credit cards, and the accompanying point of sale (“POS”) infrastructure, or risk being held responsible for the cost of fraudulent card-present transactions.

    What Is EMV Technology?

    Named after its original developers (Europay, MasterCard and Visa), EMV is a technology standard utilizing smart cards to increase the security and global compatibility of credit and debit card transactions. With EMV, a customer’s payment card information is transmitted to a business’s payment processing machine via a small microchip embedded within the customer’s payment card ("smartcard"). In contrast, traditional technology reads the customer’s credit card information from a magnetic stripe. Thus, the new standard requires a payment card equipped with a smartcard, and also requires new POS devices capable of communicating with the smartcard technology. Depending on the requirements set by the card issuer, some of the new EMV payment cards also require a personal identification number ("PIN"), in place of a signature, to process the transaction.

    Where is EMV Currently in Use?

    The United States is the last major world economy to adopt EMV technology. According to EMVCo, a company owned by American Express, Discover, MasterCard, Visa, JCB and UnionPay that manages and maintains EMV specifications, eighty countries are in various stages of EMV chip migration. As of December 2013:

    1. 2.37 billion chip payment cards are in use;
    2. 99.9% of terminals in Europe are chip-enabled;
    3. 84.7% of terminals in Canada, Latin America, and the Caribbean are chip-enabled;
    4. 86.3% of terminals in Africa and the Middle East are chip-enabled; and
    5. 71.7% of terminals in Asia Pacific are chip-enabled.

    Why Is EMV the More Secure Technology?

    EMV-enabled payment cards are much more secure than traditional payment cards. Traditional payment cards use a magnetic stripe to transmit cardholder data at the POS. The magnetic stripe is only capable of housing and transmitting static information, making the data housed easy to copy and the technology unable to verify the authenticity of the card. In contrast, the smartcard utilized in EMV technology has an embedded microchip with memory and, often, microprocessing functionality. Unlike the static information stored on the magnetic stripe, the microchip adds dynamic data to each individual transaction - encrypting every transaction differently and making it significantly more difficult to copy the data for reuse. In addition, a cryptogram housed on the chip verifies the authenticity of the card itself, confirming it is the original card and not a fraudulent copy. Although not all EMV payment cards require a PIN for POS purchases, those that do add an additional layer of security - instantly validating the person presenting the card as the true card owner.
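
    A simplified model of the static-versus-dynamic distinction described above, added here as an illustration and not part of the original article. HMAC-SHA256 stands in for the chip's cryptogram (it is not the EMV algorithm), and the class names, card number and stripe contents are constructed for the example.

```python
import hashlib
import hmac
import secrets

def _mac(key, pan, counter, amount_cents, nonce):
    # Stand-in for the chip cryptogram: a keyed MAC over the transaction fields.
    msg = f"{pan}|{counter}|{amount_cents}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    """Model card whose secret key never leaves the chip."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def authorize(self, amount_cents, nonce):
        self._counter += 1  # dynamic data: changes on every transaction
        return {"pan": self.pan, "counter": self._counter,
                "amount": amount_cents, "nonce": nonce,
                "cryptogram": _mac(self._key, self.pan, self._counter,
                                   amount_cents, nonce)}

class Issuer:
    def __init__(self):
        self.keys, self.last_counter, self.stripes = {}, {}, {}

    def check_stripe(self, track_data):
        # Static data: a byte-for-byte copy looks identical to the original.
        return track_data in self.stripes.values()

    def check_chip(self, tx):
        key = self.keys.get(tx["pan"])
        if key is None:
            return False
        expected = _mac(key, tx["pan"], tx["counter"], tx["amount"], tx["nonce"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False  # altered fields or forged cryptogram
        if tx["counter"] <= self.last_counter.get(tx["pan"], 0):
            return False  # replay of a transaction already seen
        self.last_counter[tx["pan"]] = tx["counter"]
        return True

def demo():
    pan, key = "4000000000000002", secrets.token_bytes(32)  # constructed values
    issuer = Issuer()
    issuer.keys[pan] = key
    issuer.stripes[pan] = f"{pan}=2512"  # constructed static stripe contents
    card = ChipCard(pan, key)
    tx = card.authorize(1999, secrets.token_bytes(4))
    altered = {**card.authorize(500, secrets.token_bytes(4)), "amount": 50000}
    return {"stripe_copy_accepted": issuer.check_stripe(f"{pan}=2512"),
            "chip_first_use": issuer.check_chip(tx),
            "chip_replay": issuer.check_chip(dict(tx)),
            "chip_altered_amount": issuer.check_chip(altered)}
```

    In this model the copied stripe data is accepted because nothing distinguishes it from the original, while a replayed or altered chip transaction fails the issuer's check.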

    Why May EMV Increase Merchant Liability?

    American Express, Discover, MasterCard and Visa have all announced a “fraud liability shift,” effective October 2015 (October 2017 for automated fuel dispensers), that may result in merchants whose POS equipment does not meet EMV standards assuming liability for certain fraudulent purchases. Today, payment card issuers ultimately bear 100% of the liability for card-present payment card transactions. Under the terms of the “fraud liability shift,” liability for fraudulent transactions will shift to the “weakest link” in the transaction.

    Determining the “weakest link”: If a fraudulent transaction results from a consumer using a magnetic stripe-based card in an EMV capable POS device, the card issuer is liable. However, if a fraudulent transaction results from a consumer using an EMV enabled card at a POS device not compatible with EMV technology, the merchant is liable. If a fraudulent transaction results from a consumer using a magnetic stripe-based card at a POS device not compatible with EMV technology, fraud liability remains the same as it is today with liability resting with the card issuer.

    What Does This New POS Technology Mean for Merchants?

    The 70 million Target credit card breach may be the first time most merchants learned of EMV technology. While more secure cards would not have averted the breach, they would have limited the value of the stored data, and that value is what drives the heightened intensity of discussions related to payment data security.

    While a merchant may decide to delay its migration to POS equipment meeting the EMV standard, merchants should nonetheless start planning and preparing for the EMV transition now. POS equipment upgrades can be expensive, cumbersome and time-consuming because of the need to figure out how much the transition will cost, how long it will take, and then to plan accordingly.

    Merchants should note, however, that EMV is not the end-all solution. EMV does not protect against fraudulent transactions stemming from situations where a consumer makes a payment without the payment card being present (e.g., payments made via web or phone). Therefore, merchants need to continue maintaining and updating other methods for securing payment transactions.

    Are There Additional Benefits to the EMV Transition?

    Several card associations are relaxing their requirements related to Payment Card Industry Data Security Standard (PCI DSS) compliance validation. For example, VISA’s Technology Innovation Program ("TIP"), effective October 2012, eliminates the requirement that eligible merchants validate their compliance with PCI DSS for any year in which at least seventy-five percent (75%) of the merchant’s VISA transactions originate from a device capable of transacting both contact and contactless EMV (i.e., card taps or card waves in front of POS machine) and Near Field Communication ("NFC") (i.e., mobile contactless payments) transactions.

    What Is the Future of Point of Sale Technology?

    The advent of the cutting-edge technology of NFC, increased use of mobile phones and tablets by consumers and increased activity in the mobile application development world hint at “pay by phone” being the next big thing. Google Wallet and Isis Wallet™ are two such mobile applications currently offering in-store “pay by phone” technology. Therefore, when planning an upgrade of POS equipment, merchants should consider opting for a device capable of transacting not only contact and contactless EMV, but also NFC transactions, and capable of upgrades accommodating the evolving payment landscape. In addition, merchants should keep aware of contractual provisions obligating their POS software issuer to also accommodate the evolving payment landscape.