EMV Chips & Liability Shift
Table of Contents
- What Are EMV Chips?
- How Do EMV Chips Work?
- What Is the EMV Liability Shift?
- Who Is Liable for Fraudulent Fallback Transactions?
- A Brief History of EMV Technology
- EMV Prevents Chargebacks
- What Does EMV Stand For?
- Can EMV Cards Be Skimmed?
- Can EMV Cards Be Cloned?
Whenever a payment is in dispute, whether through the chargeback process or through the dispute process of a particular payment platform, the fundamental question that must be resolved is as follows: Which party should be held financially liable for the transaction?
In some cases, the answer is clear. For example, if the merchant failed to deliver what the customer paid for, the merchant is liable. Other situations are more complex. The cost of e-commerce fraud usually falls on the merchant, but the cost of card-present fraud usually falls on the bank. However, there are exceptions to both of these rules.
For card-present merchants, the biggest exception is the EMV liability shift, which can result in the merchant being held liable by default for claims of fraud. EMV chips are an excellent fraud-prevention tool for card-present merchants, but the liability shift can make them a double-edged sword in some situations. Let's take a look at what EMV chips are, how they work, and what the EMV liability shift means for merchants.
What Are EMV Chips?
Prior to EMV chips, all card-present transactions were processed by swiping the card's magnetic stripe and (ideally) getting a signature from the customer. There were obviously some significant security problems with this approach. Many cardholders wouldn't bother to sign the back of their cards, and even if they did, many merchants wouldn't bother to actually check these signatures.
In addition, the simple magnetic stripe contained unencrypted card information that could be easily read and copied. Fraudsters could even take an old credit card and overwrite the magnetic strip data with stolen data from another card.
With fraud on the rise, Europay, Mastercard, and Visa decided to work together to develop a new standard for credit cards that would address these security issues.
The solution they came up with was to integrate a computer chip into the card that can be inserted into a scanner. As you might imagine, inserting the card to read a chip instead of swiping it makes card skimmers like those often discovered at gas stations massively harder to implement, but the EMV chip does so much more than that.
How Do EMV Chips Work?
This code is sent to the issuing bank for confirmation before the transaction can be processed, which is why EMV cards must stay inserted for a second or two.
In many countries, the customer also needs to type in a PIN to confirm their identity, providing further security against stolen cards.
The chip itself is much more difficult to clone than a magnetic stripe, and PIN verification is a much more reliable way to confirm identity than a signature. (Although many EMV cards in the United States and elsewhere still use the chip in combination with a signature instead of a PIN).
While these features alone made a compelling case for customers to upgrade their credit cards, people often resist giving up the things they’re used to. EMV chip transactions take longer than simply swiping the cards through a magnetic stripe reader, which made the new cards feel annoyingly slow and inconvenient compared to the old ones.
What Is the EMV Liability Shift?
Before we get too deep into the specifics of the EMV liability shift, let’s make sure we define precisely what we’re talking about. For a long time, liability for fraudulent card-present transactions fell upon the issuing bank.
Cardholders want to know that they won't be on the hook for potentially thousands of dollars of charges if their credit card is stolen, and issuing banks want customers to feel safe using their credit cards. Therefore, they took on the financial responsibility of paying for any fraud that took place due to a lost or stolen card.
As time went on, new methods of credit card fraud were developed. Fraud became more common than ever, and banks and card networks started looking for a way to make card payments more secure. Eventually, the EMV chip was born.
One of the problems facing the adoption of EMV chips was that there are over a million retail establishments in the U.S. alone that would have to upgrade their payment terminals, and many would be reluctant to spend the money necessary to do so.
In order to incentivize merchants to upgrade to terminals that could read EMV chips, thereby reducing fraud, the card networks decided there would be a change in how liability was assigned for fraud committed with counterfeit, lost, or stolen cards in card-present transactions.
Under the new rules, if the counterfeit or stolen card has an EMV chip and the merchant can't or doesn't scan it, the acquiring bank will be held liable for the fraud instead of the issuing bank. The acquiring bank will then usually pass the cost onto the merchant as part of their agreement. Merchants therefore have a financial incentive to upgrade their payment terminals.
The first liability shift went into effect in October 2015 and covered almost all card-present transactions except for those that take place at ATMs and gas pumps. In 2021, the last parts of the EMV liability shift finally rolled out, removing the exception for self-service fuel pumps that had been in place since the beginning of the shift.
Here’s a breakdown of liability assignment under specific conditions:
- Acquirer is liable for counterfeit card transactions only if the counterfeit is a magnetic stripe card with track data copied from a chip card and the POS terminal does not have chip-reading capability
- Issuer is liable for all other counterfeit card transactions, regardless of POS terminal capability
- Acquirer is liable for lost or stolen card transactions if the payment card has an EMV chip and a preference for signature verification and the POS terminal does not have chip-reading capability
- Acquirer is liable for lost or stolen card transactions if the payment card has an EMV chip and a preference for PIN verification and the POS terminal does not have PIN verification enabled
- Issuer is liable for all other lost or stolen card transactions, regardless of POS terminal capability
While certain scenarios now shift the responsibility to the acquirer, and therefore the merchant, the issuer is liable for the widest range of fraudulent transactions.
Who Is Liable for Fraudulent Fallback Transactions?
Sometimes, when a customer is having a hard time getting the POS terminal to read their EMV chip, they can simply swipe the magnetic stripe instead, since most EMV cards still have this feature for backward compatibility. This is a so-called “fallback” transaction, since the cardholder is permitted to “fall back” to the old way of authorizing the card transaction.
Some banks and payment processors have fallback thresholds that merchants are supposed to stay under. The merchant may incur other penalties for exceeding these thresholds, but they don’t have to worry about exposing themselves to chargeback liability that they otherwise would have had.
A Brief History of EMV Technology
If you’re wondering where the EMV chip came from and why the payment card industry has rearranged itself to accommodate this new technology, read on for a quick rundown.
In the not-so-distant past, store clerks had to take physical imprints of credit cards in order to process them later—electronically verifying cards while the customer was waiting wasn’t initially feasible. In order to prevent fraud, merchants were supposed to check the card numbers they were about to process against a physical, printed list of compromised card numbers.
Needless to say, these were not particularly safe or secure practices. Even when instant electronic processing became available, it was easy to steal card information by surreptitiously copying the numbers down. Customers were justifiably worried about rampant credit card fraud.
In the early 1990s, a consortium of payment card companies including Europay, Mastercard, and Visa created the EMV standards in order to improve card security. Other card networks were brought on board later. The consortium became EMVCo LLC, a privately held company owned equally by the major card networks. EMVCo now controls and manages the EMV standard, overseeing the documentation and compliance testing that governs all EMV-enabled technology.
More than 63% of all card transactions worldwide use EMV technology now, according to EMVCo. EMV technology has been proven successful at preventing card-present fraud, reducing it by two-thirds within the span of two years, but the side effect has been to push more and more fraud into the card-not-present environment.
EMV Prevents Chargebacks
EMV technology is a vitally important tool for merchants in the fight against friendly fraud chargebacks and other winnable disputes. One of the first things we advise any card-present merchant to do is upgrade to EMV-enabled POS terminals, if they haven't already, and follow all the recommended procedures for processing and authorization.
By doing so, you will be in compliance with a framework designed to prevent fraud and ensure that banks, not merchants, are held liable for true fraud transactions that slip past the protections you have in place.
It’s always better to prevent disputes and block problematic transactions than it is to be stuck fighting them after the fact through the chargeback representment process. The less time you spend dealing with chargebacks that you could have avoided in the first place, the more time you can spend putting together the evidence and arguments you need to strike down the more complex, gray-area chargebacks that result from friendly fraud and subjective disagreements.