Credit cards, EMV, and the 10/1/2015 “Liability Shift”

Increasingly, data breaches have been making headlines. An important shift in security – and liability – for credit card breaches is taking place this year in the US. Consumers and business owners who accept credit cards should familiarize themselves with these changes.

The problems with magnetic stripes on credit cards
To understand the security problems associated with traditional credit cards, one only needs to think of their own house key.

We lock our houses to protect what is inside, using the same key over and over at our front door. If our house key is lost, anybody could have it, and they could make any number of copies. Any number of people may now gain entry to our house, any number of times. The only way to restore security is to rekey the locks.

Think of the magnetic stripes on traditional credit cards the same way you think of your house key. The magnetic stripe on a credit card stores sensitive data that never changes. No matter how many times you use your credit card, the data never changes – just like the pattern on your house key never changes no matter how many times you unlock your front door. Once stolen, the information from a traditional credit card with a magnetic stripe can be copied, traded and reused endlessly. Lost or stolen credit cards must be cancelled and reissued with new information on the magnetic stripe to restore security – just like rekeying the locks at your home.

What is EMV?
EMV stands for Europay, Mastercard and Visa. EMV, widely used in other countries, is a credit card technology standard that utilizes a computer chip rather than a magnetic stripe.

EMV credit cards are embedded with a computer chip. The technology combats fraud through encrypted information and a unique verification process with every transaction, making cards difficult to counterfeit.

What is the “Fraud Liability Shift” taking place on 10/1/15?
Today, for the most part, credit card fraud is absorbed by card issuers – banks and other financial institutions that provide their customers with credit or debit cards. “Fraud Liability Shift” changes this dynamic, as merchants who have not implemented EMV technology can become liable for the costs associated with fraudulent transactions.

Mastercard, Visa, American Express and Discover will implement “Fraud Liability Shift” effective October 1st, 2015 at point-of-sale terminals and October 1st, 2017 at automated fuel dispensers. In anticipation of this shift, card issuers have already begun to issue cards that are EMV compliant. As the transition to the new technology will take place over time, these cards typically contain the EMV chip and the traditional magnetic strip.

The fraud liability shift affects merchants who process “card-present” transactions, where the credit card is physically presented to the merchant at the time of the sale. For example, paying by credit card at a restaurant.

What does this mean for consumers?
Consumers should continue to check credit card statements for accuracy, and report any fraudulent charges immediately. Additionally, consumers should seek out EMV-enabled credit cards. Consumers might also think twice about using credit cards when merchants are not EMV-compliant, as it may be difficult or impossible to recover from the merchant if the merchant is liable for fraud.

What does this mean for businesses?
After 10/1/2015, merchants will still be able to process transactions with magnetic stripes. However, if a customer presents an EMV credit card and the merchant processes the transaction using the magnetic card technology, then the merchant will become liable for any fraudulent charges.

Businesses who handle card-present transactions should consult with their credit card processor and make every effort to convert to EMV-compliant technology by October 1st, 2015.

Insurance products are also available to help protect businesses from these new exposures – consult with your insurance professional or risk manager for more information.