EMV Smart Cards are an inevitability. They are coming, they will be standard, and the United States is going to have to adjust. The major credit card companies, in preparation for changing the standard have instituted a shift in liability. The fraud liability shift goes into effect on October 1, 2015 for Visa, MasterCard, American Express, and Discover. The shift is what’s key here as the credit card issues announced that on October 1, 2015 counterfeit fraud liability — which has traditionally been assumed by the card issuer — will be absorbed by the party that does not enable EMV during the fraudulent transaction.
By liability shift the payment networks mean that a non-EMV compliant party will be liable in the event that an EMV chip card is used at a non-EMV-capable terminal, and the resulting transaction is determined to be counterfeit fraud. In layman’s terms, this is going to affect chargebacks and fraud situations and has the chance to be bounced back onto the merchant.
Each acquirer must assess their situation to determine if and when it makes sense for them to migrate their customers to EMV. If, for example, cross-border transactions are an extremely small percentage of an ATM acquirer’s transaction volume, the acquirer may decide to defer upgrading their ATMs until a later date; they therefore accept the risk that they may accept a transaction initiated by a counterfeit EMV chip card and as a result they may be liable for that counterfeit fraud.
The Straw the Stirs the Drink
This has been in the works for quite some time now, but the issue is heating up in the U.S. media because of a recent spate of data breaches. The major hack of discount retailer of Target reported that hackers stole credit and debit card data from 40 million accounts right smack dab in the middle of the holiday shopping season. After that, more hacks came trickling in, including lodgers at Mariott hotels and customers of the Los Angeles DMV’s credit card processing services. Add this recent spate of data breaches to the larger historic ones, such as The Global Data Breach the Official Merchant Services Blog thoroughly covered, or in April of 2011, when the Playstation Network was hacked, compromising the vital information of 77 million accounts, and 24.5 million Sony Online Entertainment accounts. This has been touted as one of the largest personal data heists recorded in history, and prompted Sony to shut down its services for a month. And let’s not forget that in 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into is internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.
Needless to say, the data breaches are pushing lawmakers, banks, acquirers and merchants to find safer transaction protocols — and EMV is the leading candidate.
What is EMV?
EMV is a worldwide standard for credit and debit card payments based around the use of chip card technology. The acronym stands for Europay, MasterCard, and Visa, who collaborated to create the technology. The goal of this project was to create a card that worked based off of a microprocessor chip that is read by the payment terminal. Because the U.S. has yet to widely deploy embedded chip technology, the nation has increasingly become the focus of hackers seeking to steal such information. The stolen data can easily be turned into phony credit cards that are sold on black markets around the world.
The transaction has a built in verification system that requires both the chip in the card and a PIN number the customer enters. This extra step verifies that the person with the card is in fact authorized to use it. This is just the first facet that makes these transactions more secure. Each chip contained in the card generates an original and unique code for each transaction. This unique identifier makes it easier to track transactions and identify fraud.
Here’s a brief overview of the changes that are coming to prepare for EMV adoption in the United States:
- April 13, 2013: Visa, MasterCard, Amex, and Discover have mandated that acquirers and processors must be able to send and receive the additional data that is included in EMV transactions. This does not mean that all ATM and POS terminals must be upgraded to support EMV by April of 2013. It does mean that the payment networks expect any acquirer or processor that connects to their network to certify that they can send and receive EMV data in online transactions by that date. This mandate focuses on POS. In addition to the network readiness mandate, MasterCard also introduced aliability shift for cross-border Maestro ATM transactions: starting in April of 2013, if a transaction is initiated by an EMV chip card at a non-EMV U.S. ATM, and the transaction is later deemed to be counterfeit fraud, the non-EMV compliant party is liable for that fraud. This does not mean that all U.S. ATMs that accept cross-border Maestro transactions must be upgraded to support EMV by April 2013; however, acquirers must be aware that they may now be liable for counterfeit fraud in the scenario described above.
- October 3, 2013: Various waivers are in effect for qualifying merchants. MasterCard begins to offer Account Data Compromise (ADC) relief, American Express offers PCI DSS reporting requirements relief, and Discover will grant annual PCI audit waivers.
- April 1, 2015: Visa institutes a liability shift whereby U.S. third party ATM acquirer processors and sub-processors must be able to support EMV data.
- October 1, 2015: Visa, MasterCard, Amex, and Discover institute a liability shift for all POS devices, excluding fuel pumps. A waiver by MasterCard extends ADC relief on this date.
- October 1, 2016: MasterCard institutes a liability shift for all ATM transactions in the U.S. (all MasterCard-branded products).
- October 1, 2017: Visa, MasterCard, Amex, and Discover institute a liability shift for fuel pumps. In addition, Visa institutes a liability shift for all U.S. ATM transactions across all Visa and/or PLUS-branded products.