The EMV liability shift refers to the 2015 transfer of responsibility for fraudulent losses from the card brands to businesses in cases when the fraud occurred on an incorrectly processed chip card.
There is an entire underground economy powered by stolen credit cards. With traditional magnetic stripe cards, a fraudster could simply obtain one, make copies using a cheap machine and hire people to go shopping. The credit card issuers (MasterCard, Discover, Amex and Visa) were liable for these unauthorized transactions, resulting in losses that exceeded $16 billion in 2014, according to WalletHub.
The staggering losses encouraged the card issuers to adopt new technology to fight fraud. Enter EMV.
The U.S. was not a trailblazer when it adopted EMV (Europay, MasterCard and Visa) chip cards. EMV cards have been the standard across much of the world and are proven to reduce fraudulent activity, according to Gemalto. For instance:
Why is this the case? EMV security simply boils down to technology.
EMV cards are equipped with computer chips for transaction authentication. When a chip card is inserted into a terminal, a unique code is created that can only be used once. The code is sent to the cardholder’s bank, which authenticates the transaction. In contrast, when a traditional magnetic stripe card is swiped, the same data is used each time, making card duplication possible.
Traditionally, fraud losses were passed onto the banks that issued the credit cards. But, with the introduction of this new chip card technology, card issuers took the opportunity to incentivize credit card terminal upgrades and reduce their fraud burden.
Starting in October 2015, card issuers declared that businesses would be responsible for fraudulent losses from EMV chip cards that were stolen or counterfeited. EMV-ready terminals would flag these transactions as such.
EMV adoption has been slow among merchants for two reasons. First, EMV-ready terminals are expensive, costing anywhere from $500 to $1,000 according to CreditCards.com. Second, many businesses that have EMV-ready terminals still can’t accept these payments because their Merchant Account Providers aren’t EMV certified.
Merchants that are slow to upgrade make themselves vulnerable to two types of chargebacks: bank initiated and customer initiated.
Cardholders’ banks are automatically issuing chargebacks for transactions when a chip card is swiped instead of inserted. These bank-initiated chargebacks are issued without the cardholder's knowledge, even if the transaction is approved, so businesses are at risk of chargebacks every time they swipe chip cards.
Fraudsters are targeting businesses that have yet to make the switch to EMV-ready terminals because they don’t have the technology to detect a counterfeit chip card. The longer that businesses wait to adopt EMV technology, the higher the chance they’ll be targeted.
To protect your business from the consequences of the liability shift, we recommend partnering with a provider that can equip you with EMV Level 3 certified equipment. Additionally, cloud-controlled equipment that doesn't require the installation of native software to connect the terminal to your computer is recommended to reduce your PCI scope and ensure that no cardholder data is transmitted, stored or processed through your computer or network.
Has your business been hit by a bank-initiated chargeback? Are you currently able to accept EMV chip card transactions? Let us know about your experiences with this new technology in the comments section below.
Editor's Note: This post was originally published in November 2016 and has been updated for comprehensiveness and accuracy.