The EMV Liability Shift: Now What?
After four years in the making, the national EMV (Europay, Mastercard, and Visa) liability shift has finally come to pass. Starting today – on October 1st, 2015 – merchants with out-of-date credit card readers can now be held liable for certain types of fraud, specifically the types of fraud which could have been avoided by using a fancy new EMV credit card terminal capable of processing chipped credit and debit cards. It’s a sobering prospect, but if you are one of those who’s still behind the times, don’t panic yet: we at Merchant Maverick are here to help.
Wait, what’s the big deal again?
Here’s the tl;dr version: if your business processes a fraudulent card when you could have (theoretically) avoided the issue with a chip card reader, it’s up to you to foot the bill. If you made a $500 sale using outdated equipment and later find out that the card was a fake, you’re out $500, but if you’re using the correct equipment and process a bad card, the issuer has to cover the fraudulent costs. Basically, the liability lands on the person who is “least equipped” to handle the change. If the onus was on the issuer for not sending out chipped cards, then they are to blame. If you’re the one with the out-of-date tech, then it’s on you.
But most people don’t have chipped cards anyway. Why does it matter?
That may be true now, but the times, they are a-changin’, and everybody’s changing with them. It’s estimated that by the end of 2015, 25% of debit cards and 70% of credit cards issued will be chipped, and those numbers are just going to keep getting bigger.
I’m not convinced yet. What exactly am I liable for?
Although it might vary a bit depending upon the issuer, the merchant can be held responsible in three situations:
- A counterfeit chip card (both chip and signature or chip and PIN) is used with a non-EMV terminal
- A lost or stolen chip and PIN card is used with a non-EMV terminal
- A lost or stolen chip and PIN card is used with a chip and signature EMV terminal
All three situations can be avoided by upgrading to a new EMV card reader (possibly with the exception of the last scenario–more on this in a minute).
You might luck out though; in some cases, the issuer is still responsible for the fraud despite any outdated technology on your part. Generally this has to do with the fact that not all cards are chipped yet, which really isn’t your fault.
These are the types of fraud you are NOT responsible for, even if you don’t have an EMV terminal:
- A counterfeit magnetic stripe (non-chipped) card
- A lost or stolen magnetic stripe (non-chipped) card
- A lost or stolen chip and signature card
Last thing: if, in some nightmarish scenario, you finally get an EMV terminal, but the chip reader fails and you have to fall back on swiping cards, you will not be liable for any fraud. There are a few caveats: you must identify it as a “fallback transaction,” and you cannot do it too much (issuers might begin to suspect foul play). Again, equipment failure is not your fault. The whole idea is to make fraud more difficult, not to make merchant’s lives more difficult.
Hang on: why do you keep talking about chip and signature cards?
Chip and signature cards are being used by issuers to make the transition easier. It’s less confusing for the general public to transition from magstripe and signature to a chip and signature card. Who knows what kind of mass-chaos we’d be talking about if we went straight from magstripe and signature to chip and PIN?
Don’t worry–if your EMV machine can’t do PINs, like many readers that connect to an iPhone (Square’s, for example), you can still process chip and PIN cards; the machine will just default to a signature instead. It isn’t necessary to get a chip and PIN reader yet because most customers won’t have one for a while. Just keep in mind that the issuer’s end goal is chip and PIN cards, and that you might have to upgrade again in a few years.
Here’s the deal: you’re going to have to spend the money on new terminals eventually; you might as well do it before you lose money on a fraudulent purchase.
Okay, fine – I’m convinced! Now what do I do?
It’s pretty simple. Any provider of magstripe-only terminals should also be selling some shiny new EMV terminals. Your job is to go forth and buy some! Check out our FAQ on purchasing a new terminal and our favorite merchant service providers to make sure you’re getting the best deals.
Any questions? Concerns? Leave them in the comments!