EMV Chips & Liability Shift
At the heart of every payment dispute is a simple question. When a transaction goes wrong in some way, who is ultimately going to be held financially responsible? It makes sense to hold the merchant liable when they use deceptive marketing or sell shoddy products, it’s reasonable for cardholders to remain liable when they have a problem with purchase terms that they agreed to without bothering to read, and it’s understandable when banks take on liability for fraud in order to protect their customers and keep them happy. This kind of logic undergirds the entire chargeback process, but these rules aren’t set in stone. The introduction of the EMV chip several years ago has been a major catalyst for change in this area. How has EMV technology caused liability to shift among the various players in the payment card industry?
Before we get too deep into the specifics of the EMV liability shift, let’s make sure we define precisely what we’re talking about. For a long time, liability for fraudulent card-present transactions fell upon the issuing bank. The idea behind this was that banks should stand up for their customers and take financial responsibility for fraud perpetrated with their payment cards in order to keep their customers happy and ensure that they would feel secure and confident using their payment cards without fear that they’d be on the hook for thousands of dollars if a fraudster ever got ahold of their account number.
What Purpose Do EMV Chips Serve?
Back before the EMV chip was introduced, card-present fraud was a lot easier to perpetrate. Fraudsters could “clone” cards by copying the magnetic stripe, they could copy down card numbers and expiration dates for later use, they could use lost or stolen credit cards knowing that store clerks would rarely bother to look closely at the signature.
The EMV chip made card-present transactions much more secure through the use of personal identification numbers and encrypted electronic communications. The chip itself is much more difficult to clone than a magnetic stripe, and the PIN verification is a much more reliable way to confirm identity than a signature (although many EMV cards in the United States and elsewhere still use the chip in combination with a signature instead of a PIN).
While these features alone made a compelling reason for consumers to upgrade their credit cards, people often resist giving up the things they’re used to. EMV cards have to be inserted into terminals so their chips can be read, which takes longer than simply swiping the cards through a magnetic stripe reader. For many consumers, their initial reaction to EMV cards were that they were slower and less convenient than their old credit cards.
What is EMV Liability Shift?
In order to incentivize consumers, merchants, and banks to upgrade to EMV cards, thereby reducing fraud, the card networks decreed that after a certain date, the liability for fraudulent card-present transactions would shift from the issuer to the acquirer (who is typically able, per their contractual agreements, to pass that liability on to the merchant) in scenarios where the parties are using EMV technology to interdict lost, stolen, cloned, or counterfeit cards.
The first liability shift went into effect in October 2015 and covered almost all card-present transactions except for those that take place at ATMs and gas pumps. Previously, if a merchant accepted a swiped card transaction and the cardholder later disputed it as fraud and received a chargeback, the acquirer (and by extension, the merchant) would be liable.
As of October 2015, the liability in that situation would shift to the issuing bank if the merchant was using an EMV-enabled point-of-sale terminal. The only scenarios in which the acquirer would still be liable are ones where the customer is using an EMV chip card and the POS terminal either doesn’t have or isn’t using chip-facilitated verification.
In this way, the liability shift created compelling reasons for both acquirers and issuers to encourage (or require) the use of EMV cards and readers. Without EMV technology, both sides would expose themselves to avoidable risk under certain fraud scenarios.
Here’s a breakdown of liability assignment under specific conditions:
- Acquirer is liable for counterfeit card transactions only if the counterfeit is a magnetic stripe card with track data copied from a chip card and the POS terminal does not have chip-reading capability
- Issuer is liable for all other counterfeit card transactions, regardless of POS terminal capability
- Acquirer is liable for lost or stolen card transactions if the payment card has an EMV chip and a preference for signature verification and the POS terminal does not have chip-reading capability
- Acquirer is liable for lost or stolen card transactions if the payment card has an EMV chip and a preference for PIN verification and the POS terminal does not have PIN verification enabled
- Issuer is liable for all other lost or stolen card transactions, regardless of POS terminal capability
While the acquirer and its merchants aren’t completely off the hook, the issuer is liable for the widest range of fraudulent transactions.
What about Fallback Transactions?
Sometimes, when a customer is having a hard time getting the POS terminal to read their EMV chip, they can simply swipe the magnetic stripe instead, since most EMV cards still have this feature for backwards compatibility. This is a so-called “fallback” transaction, since the cardholder is permitted to “fall back” to the old way of authorizing the card transaction.
As long as the merchant sends the appropriate indicators with the transaction, identifying it as a fallback, and the issuer approves it, nothing changes with respect to the assignment of liability. However, some banks and payment processors have fallback thresholds that merchants are supposed to stay under. The merchant may incur other penalties for exceeding these thresholds, but they don’t have to worry about exposing themselves to chargeback liability that they otherwise would have had.
When is the Next Liability Shift Coming?
The next scheduled liability shift will take place on October 1, 2020. That’s the date when the earlier liability shift will extend to cover “outdoor” POS transactions, specifically ones placed at automated teller machines and the card readers at fuel pumps.
Right now, most gas stations have magnetic stripe readers at their pumps. This is a fast and convenient way for their customers to pay, but it is highly vulnerable to fraudsters, specifically with respect to “skimmers.” These are small electronic devices that fraudsters install in the card readers themselves. When the customer swipes their card, the skimmer reads the information off the magnetic stripe and stores it for later retrieval. The fraudster can collect their skimmer and use the stored data to create counterfeit cards. Skimmers can be installed in some ATMs as well.
When this next liability shift takes effect, gas station operators will have a big incentive to upgrade their gas pump card readers, even if their customers complain about having to wait a few seconds longer to pay. Skimmers can’t easily copy EMV chips, so the liability shift should cause a sharp decline in skimmer-related fraud at gas pumps and ATMs.
A Brief History of EMV Technology
If you’re wondering where the EMV chip came from and why the payment card industry has rearranged itself to accommodate this new technology, read on for a quick rundown.
In the not-so-distant past, store clerks had to take physical imprints of credit cards in order to process them later—electronically verifying cards while the customer was waiting wasn’t initially feasible. In order to prevent fraud, merchants were supposed to check the card numbers they were about to process against a physical, printed list of compromised card numbers.
Needless to say, these were not particularly safe or secure practices. Even when instant electronic processing became available, it was easy to steal card information by surreptitiously copying the numbers down. Consumers were justifiably worried about rampant credit card fraud.
In the early 1990s, a consortium of payment card companies including Europay, Mastercard, and Visa (E, M, and V) created the EMV standards in order to improve card security. Other card networks were brought on board later. The consortium became EMVCo LLC, a privately held company owned equally by the major card networks. EMVCo now controls and manages the EMV standard, overseeing the documentation and compliance testing that governs all EMV-enabled technology.
More than 63% of all card transactions worldwide use EMV technology now, according to EMVCo. EMV technology has been proven successful at preventing card-present fraud, reducing it by two-thirds within the span of two years, but the side effect has been to push more and more fraud into the card-not-present environment.
EMV technology is a vitally important tool for merchants in the fight against friendly fraud chargebacks and other winnable disputes. One of the first things we would advise any card-present merchant to do is upgrade to EMV-enabled POS terminals and follow all the recommended procedures for processing and authorization. By doing so, you will be in compliance with a framework designed to prevent friendly fraud and ensure that banks, not merchants, are held liable for true fraud transactions that slip past the protections you have in place.
It’s always better to prevent disputes and block problematic transactions than it is to be stuck fighting them after the fact through the chargeback representment process. The less time you spend dealing with chargebacks that you could have avoided in the first place, the more time you can spend putting together the evidence and arguments you need to strike down the more complex, gray-area chargebacks that result from friendly fraud and subjective disagreements.