EMV Chips & Liability Shift
Table of Contents
- What are EMV Chips?
- How do EMV chips work?
- What is the EMV liability shift?
- Who is liable for fraudulent fallback transactions?
- A brief history of EMV technology
- EMV prevents chargebacks
- What does EMV stand for?
- Can EMV cards be skimmed?
- Can EMV cards be cloned?
At the heart of every payment dispute is a simple question. When a transaction goes wrong in some way, who is ultimately going to be held financially responsible?
It makes sense to hold the merchant liable when they use deceptive marketing or sell shoddy products, it’s reasonable for cardholders to remain liable when they have a problem with purchase terms that they agreed to without bothering to read, and it’s understandable when banks take on liability for fraud in order to protect their customers and keep them happy.
This kind of logic underlies the entire chargeback process, but these rules aren’t set in stone. The introduction of the EMV chip several years ago has been a major catalyst for change in this area. How has EMV technology caused liability to shift among the various players in the payment card industry?
What are EMV Chips?
Before we get too deep into the specifics of the EMV liability shift, let’s make sure we define precisely what we’re talking about. For a long time, liability for fraudulent card-present transactions fell upon the issuing bank.
Cardholders want to know that they won't be on the hook for potentially thousands of dollars of charges if their credit card is stolen, and issuing banks want customers to feel safe using their credit cards. Therefore, they took on the financial responsibility of paying for any fraud that took place due to a lost or stolen card.
Unfortunately, it quickly became clear that credit cards had some major vulnerabilities that made things far too easy for thieves and fraudsters.
Prior to EMV chips, all card-present transactions were processed by swiping the card's magnetic stripe and (ideally) getting a signature from the customer. There were obviously some significant security problems with this approach. Many cardholders wouldn't bother to sign the back of their cards, and even if they did, many merchants wouldn't bother to actually check these signatures.
In addition, the simple magnetic stripe contained unencrypted card information that could be easily read and copied. Fraudsters could even take an old credit card and overwrite the magnetic strip data with stolen data from another card.
With fraud on the rise, Europay, Mastercard, and Visa decided to work together to develop a new standard for credit cards that would address these security issues.
The solution they came up with was to integrate a computer chip into the card that can be inserted into a scanner. As you might imagine, inserting the card to read a chip instead of swiping it makes card skimmers like those often discovered at gas stations massively harder to implement, but the EMV chip does so much more than that.
How do EMV chips work?
Unlike the old-fashioned magnetic stripe with its easily readable card information, an EMV chip contains a secure algorithm that generates a new authentication code for each transaction. This code is sent to the issuing bank for confirmation before the transaction can be processed, which is why EMV cards must stay inserted for a second or two. In many countries, the customer also needs to type in a PIN to confirm their identity, providing further security against stolen cards.
The chip itself is much more difficult to clone than a magnetic stripe, and PIN verification is a much more reliable way to confirm identity than a signature. (Although many EMV cards in the United States and elsewhere still use the chip in combination with a signature instead of a PIN).
While these features alone made a compelling case for customers to upgrade their credit cards, people often resist giving up the things they’re used to. EMV chip transactions take longer than simply swiping the cards through a magnetic stripe reader, which made the new cards feel annoyingly slow and inconvenient compared to the old ones.
What is the EMV liability shift?
One of the problems facing the adoption of EMV cards was that there are over a million retail establishments in the U.S. alone that would have to upgrade their payment terminals, and many would be reluctant to spend the money necessary to do so.
In order to incentivize merchants to upgrade to terminals that could read EMV chips, thereby reducing fraud, the card networks decided there would be a change in how liability was assigned for fraud committed with counterfeit, lost, or stolen cards in card-present transactions.
Under the new rules, if the counterfeit or stolen card has an EMV chip and the merchant can't or doesn't scan it, the acquiring bank will be held liable for the fraud instead of the issuing bank.
The acquiring bank will then usually pass the cost onto the merchant as part of their agreement. Merchants therefore have a financial incentive to upgrade their payment terminals.
The first liability shift went into effect in October 2015 and covered almost all card-present transactions except for those that take place at ATMs and gas pumps. A second liability shift eliminating those exceptions occurred in April 2021.
Here’s a breakdown of liability assignment under specific conditions:
- Acquirer is liable for counterfeit card transactions only if the counterfeit is a magnetic stripe card with track data copied from a chip card and the POS terminal does not have chip-reading capability
- Issuer is liable for all other counterfeit card transactions, regardless of POS terminal capability
- Acquirer is liable for lost or stolen card transactions if the payment card has an EMV chip and a preference for signature verification and the POS terminal does not have chip-reading capability
- Acquirer is liable for lost or stolen card transactions if the payment card has an EMV chip and a preference for PIN verification and the POS terminal does not have PIN verification enabled
- Issuer is liable for all other lost or stolen card transactions, regardless of POS terminal capability
While certain scenarios now shift the responsibility to the acquirer, and therefore the merchant, the issuer is liable for the widest range of fraudulent transactions.
Who is liable for fraudulent fallback transactions?
Sometimes, when a customer is having a hard time getting the POS terminal to read their EMV chip, they can simply swipe the magnetic stripe instead, since most EMV cards still have this feature for backward compatibility. This is a so-called “fallback” transaction, since the cardholder is permitted to “fall back” to the old way of authorizing the card transaction.
As long as the merchant sends the appropriate indicators with the transaction, identifying it as a fallback, and the issuer approves it, nothing changes with respect to the assignment of liability.
However, some banks and payment processors have fallback thresholds that merchants are supposed to stay under. The merchant may incur other penalties for exceeding these thresholds, but they don’t have to worry about exposing themselves to chargeback liability that they otherwise would have had.
A brief history of EMV technology
In the not-so-distant past, store clerks had to take physical imprints of credit cards in order to process them later—electronically verifying cards while the customer was waiting wasn’t initially feasible. In order to prevent fraud, merchants were supposed to check the card numbers they were about to process against a physical, printed list of compromised card numbers.
Needless to say, these were not particularly safe or secure practices. Even when instant electronic processing became available, it was easy to steal card information by surreptitiously copying the numbers down. Customers were justifiably worried about rampant credit card fraud.
In the early 1990s, a consortium of payment card companies including Europay, Mastercard, and Visa created the EMV standards in order to improve card security. Other card networks were brought on board later. The consortium became EMVCo LLC, a privately held company owned equally by the major card networks. EMVCo now controls and manages the EMV standard, overseeing the documentation and compliance testing that governs all EMV-enabled technology.
More than 63% of all card transactions worldwide use EMV technology now, according to EMVCo. EMV technology has been proven successful at preventing card-present fraud, reducing it by two-thirds within the span of two years, but the side effect has been to push more and more fraud into the card-not-present environment.
EMV prevents chargebacks
EMV technology is a vitally important tool for merchants in the fight against friendly fraud chargebacks and other winnable disputes. One of the first things we advise any card-present merchant to do is upgrade to EMV-enabled POS terminals, if they haven't already, and follow all the recommended procedures for processing and authorization.
By doing so, you will be in compliance with a framework designed to prevent fraud and ensure that banks, not merchants, are held liable for true fraud transactions that slip past the protections you have in place.
It’s always better to prevent disputes and block problematic transactions than it is to be stuck fighting them after the fact through the chargeback representment process. The less time you spend dealing with chargebacks that you could have avoided in the first place, the more time you can spend putting together the evidence and arguments you need to strike down the more complex, gray-area chargebacks that result from friendly fraud and subjective disagreements.
What does EMV stand for?
Can EMV cards be skimmed?
Can EMV cards be cloned?