The EMV October 2015 Liability Shift: Are You Ready?
By Mukesh Patel
For years, credit card issuers assumed liability for fraudulent transactions. But, as global losses in card-related fraud mounted and credit card companies were saddled with those rising costs, card titans Europay, Mastercard and Visa began coordinating efforts a decade ago to find solutions.
The result was a roadmap to move the world away from magnetic strip cards and toward “EMV” (Europay, Mastercard and Visa) cards. Magnetic strip cards carry account information that remains static from purchase to purchase, but EMV cards are embedded with microprocessor chips that generate one-time authentication codes for each transaction, making them more difficult to counterfeit.
While EMV cards have become the standard in much of the world, the United States has been slow to adopt them. To accelerate U.S. migration to an EMV-based payments infrastructure, the major card companies announced that, as of Oct. 1, 2015, liability for a fraudulent point-of-sale transaction could shift to any merchant who had not upgraded its technology to accept EMV cards.
City and county governments have several options for how they respond to the October deadline.
Deadline is not a mandate
Although the deadline shifts responsibility for fraudulent credit card charges from the card issuer to merchants that haven’t begun accepting chip cards, state and municipal governments are not required to have EMV-capable point-of-purchase terminals installed by Oct. 1.
Credit card companies’ switch to microchipped cards will be only about 70 percent complete by year-end, according to CreditCard.com, and the new cards will include magnetic strips as well as chips, so agencies’ existing point-of-sale terminals will remain viable for the foreseeable future. There is still plenty of time for city and county governments to research the issue and determine what timing is best for them to convert to new EMV card devices.
Cost could be an issue
In part, that decision involves evaluating how quickly budgets allow for an equipment upgrade. Basic EMV-capable pay terminals start at around $200 each and go up from there, so purchasing and installing new equipment can represent a substantial capital expense. Further, EMV conversion is more complex than simply unplugging a current card reader and replacing it with a new one. The transition requires new back-end code and a certification process that can take several months.
Chip cards may not fulfill their promise
While EMV card adoption may reduce card-present counterfeiting, it will have little impact on online fraud. This is because the added benefit of chip cards, their one-time authentication codes, applies only to in-person, card-present transactions. Online transactions provide essentially the same levels of protection for both magnetic strip and EMV cards. This makes strong network security measures just as imperative for EMV cards as for magnetic strip cards, in order to prevent online card transaction information from being breached while in process or in the government agency’s system.
One way EMV cards could reduce both in-person and online fraud is to require the cardholder to enter a PIN for verification with each transaction. However, the U.S. EMV specification only requires a signature as the primary form of card authentication, so the promise of chip cards to reduce fraud may not be fully realized in this country.
Even without accepting chip cards, city and county government agencies’ incidence of counterfeit transactions tends to be relatively low. This makes sense. Consider: Would a fraudster be more likely to use a counterfeit card to renew a driver’s license or to purchase a large-screen TV?
Taking all of these factors into consideration, cities and counties have time to develop a well-thought-out plan and budget before migrating to EMV card readers. They may wish to spread out upgrade costs by keeping their existing equipment in place for now, accepting liability for the few fraudulent transactions they experience, and beginning the process of developing new code and installing the new chip card infrastructure over time.
As President of NIC Services, LLC, a wholly-owned subsidiary of NIC Inc., Mukesh Patel is responsible for NIC’s payment processing and financial management platforms. He speaks on payment processing best practices and trends in eGovernment services.