If you’ve heard anything about the payments industry lately, you’ve probably heard something about “chip” or “EMV” credit cards. (If not, go back and read my first post on the subject for an introduction). You may have also heard about an upcoming “deadline” for accepting these cards. There is a lot of misinformation and confusion out there about what this supposed deadline is and what it means for business owners, so in this post I’m going to give you the facts.
Here’s the simple version: on October 1st 2015, Visa, MasterCard, Discover and American Express are changing how they handle certain types of fraud. Starting on that date, if a merchant is not accepting chip cards and PINs at the point of sale, some fraud costs that used to be paid by banks will be the merchant’s responsibility instead. The common term for this rule change is the “liability shift,” because the liability for some fraud costs is shifting from banks to merchants who don’t accept chip cards.
Fraud Costs Today, and Fraud Costs After the Shift
To make the liability shift clearer, here’s an example of how fraud costs work today. Say your personal Visa card information is stolen by a criminal. The criminal makes a counterfeit copy of your card and uses it to buy a nice jacket for $300. You notice the $300 charge on your statement and tell your bank that you didn’t make that purchase. Your bank refunds you the $300 out of their own pocket. The store that sold the jacket doesn’t even realize that fraud has taken place.
Now imagine the same situation, except it’s after the liability shift and your bank has issued you a Visa card with a chip. The criminal can’t counterfeit the chip itself, but he can still make a counterfeit of your card’s magnetic stripe (remember that all chip cards are still being issued with magnetic stripes for the time being). The criminal swipes his counterfeit card at a store that isn’t accepting chip cards yet, and the transaction works. You notify your bank, as before, and the bank reimburses you. Here’s the big difference: instead of the bank absorbing the $300 loss as before, the bank can come after the store for that money because of the liability shift. Since the fraudulent transaction would have been impossible if the store accepted chip cards, the store is responsible for paying the $300 to reimburse the cardholder.
Details Differ Across Brands
The general effect of the new rules coming into effect on October 1st say that the least secure party to a transaction must foot the bill for fraudulent purchases. If your business isn’t accepting chip transactions and PINs by October 1st, you will be considered less secure than a bank that is issuing chip cards.
The specific rules for Visa and MasterCard vary slightly. Visa’s liability shift only applies to counterfeit fraud, and merchants only need to be able to accept chip cards to be protected. The liability shift for MasterCard also applies to counterfeit fraud. However, MasterCard’s liability shift also includes lost and stolen card fraud when the MasterCard chip card presented requires the user to enter a PIN.
The bottom line is that you can protect your business from fraud liability by getting set up to accept chip cards and PINs before October 1st.
Does this Change Affect Me?
Many business owners don’t feel threatened by the rule change, because they believe that fraud doesn’t occur at their business. Under the current fraud rules, many businesses are taking fraudulent transactions and never hearing about it, because the fraud costs are quietly handled by the banks. Your business may have fraud and you wouldn’t even know about it, but some industries have much more fraud than others. Criminals with stolen cards tend to visit jewelry stores, electronics stores, and other businesses where they can get luxury items. If you run a service business, it’s less likely that your store will be targeted by credit card thieves, but you should still consider protecting yourself by taking chip cards and PINs.
What if I Do Nothing?
If you take no action in response to the liability shift, you will still be able to accept credit cards the old way, by swiping the magnetic strip through a reader. Depending on your industry, you’ll also be unnecessarily risking financial loss with each swipe of the card. Finally, not taking advantage of safer credit card standards sends a message to your customers that their data security is secondary to you. Wind River recommends that merchants who swipe cards today get ready to take chip cards and PINs before October 1st, because for most businesses the risks will outweigh the costs.