- Merchants Beware: You Could Be on the Hook for the Next Data Breach
- August 12, 2015 | Authors: Richard W. Cline; Dominic A. Paluzzi; Adam C. Smith
- Law Firms: McDonald Hopkins LLC - Cleveland Office; McDonald Hopkins LLC - Bloomfield Hills Office; McDonald Hopkins LLC - Cleveland Office
Starting Oct. 1, 2015, credit card companies and banks will enforce new terms in their acceptance guidelines, commonly known as liability shift provisions. These provisions are based on the rollout of Europay, MasterCard and Visa (EMV) technology. If there is an incident of fraud after October 1, the entity, either merchant or card issuer, utilizing inferior non-EMV technology will be held liable.
EMV is overseen by American Express, Discover, JCB, MasterCard, UnionPay, and Visa. EMV operates through the use of card dipping. A consumer dips his or her card into the bottom portion of a terminal, leaves the card in place, and removes the card when prompted. During that process, an embedded chip communicates with the terminal by sending a unique transaction code. The EMV chip is the reason credit card companies and banks are sending out new cards. Utilizing EMV technology requires customers to have an EMV credit card and merchants to have EMV card terminals available.
Card dipping is different from swiping a credit or debit card; the EMV unique code can be used only once, whereas the account number transmitted when swiping a credit or debit card is used for every transaction. Because the unique EMV code becomes obsolete after a single use, it will theoretically prevent hackers from obtaining card account numbers: that unique code, not an account number, is being transmitted.
How does the fraud liability shift after October 1? If credit card fraud occurs and a customer is using an EMV credit card but the merchant failed to obtain an EMV terminal for the customer to use, the merchant will be liable. If credit card fraud occurs in one of the following circumstances, the credit card company or bank will be liable:
- The customer and the merchant are utilizing EMV technology.
- Neither the customer nor the merchant is utilizing EMV technology.
- The merchant has an EMV terminal available, but the customer is not using an EMV card.
What you should know
If you are a merchant, you should begin the process of obtaining EMV card terminals now, and have them available for your customers to use by October 1. If you don’t, you take the considerable risk of incurring liability for credit card fraud, as some courts have held that customers affected by data breaches have standing to bring class action lawsuits based only on the threat of future harm, without any actual loss. Many cardholders already have an EMV chip card, which means if you have EMV technology you should start training employees on the new card dipping process.
Though EMV technology likely will stifle or frustrate point-of-sale credit card fraud, card-not-present fraud will likely increase dramatically. If you allow such transactions, recognize the likelihood of this increased fraud and implement all possible fraud prevention measures to curb those risks.