American Bar Association

Commercial & Business Litigation

Understanding the Payment Card Fraud Liability Shift

By Edward A. Marshall and Maayan Lattin – November 3, 2015


Identity theft and payment fraud are at historically high levels in the United States. Countless data breaches have affected millions of cardholders, and in recent years, billions of dollars have been spent annually to protect against payment fraud and to absorb the costs of such fraud across the payments ecosystem.

 

In an effort to reduce incidents of payment fraud and mitigate the resultant costs, the payments industry is in the process of replacing the decades-old magnetic stripe technology (the same technology once used in eight-track tapes) currently used in payment cards and devices with more secure “EMV” technology. It has also instituted a new set of liability rules for “card-present” fraudulent transactions, which became effective October 1, 2015.

 

In brief, this counterfeit fraud liability shift means that as of October 1, both card issuers and businesses that accept payment cards (merchants) that have not updated their payment cards and terminals became potentially liable for fraudulent card-present payment transactions. To be clear, old magnetic stripe cards still work, and EMV-enabled point-of-sale (POS) terminals will continue to accept them, but if a noncompliant merchant is confronted with a fraudulent transaction, the financial consequences of continuing to use old magnetic stripe technology could be steep.

 

Background on EMV Chip Technology
EMV-enabled systems are the payment industry’s answer to card-present payment fraud. Card-present fraud, or fraud that occurs when a card is physically presented to the merchant (usually as a stolen or counterfeit card), is the most common payment fraud in the United States today. EMV smart chips, embedded in cards and devices, provide an extra shield of protection from vulnerabilities in the historical payments ecosystem and can effectively reduce fraud.

 

EMV microchips, which have become ubiquitous in markets outside the United States, can be found in a variety of chip-enabled payment debit or credit cards, as well as in personal devices like cell phones that offer mobile payment options like Apple Pay. In a nutshell, a chip-embedded payment occurs when any EMV chip card or device connects to an EMV-enabled POS terminal (usually by physically inserting a card into a terminal at the register). As the transaction processes, the microchip generates a one-time code, known as a cryptogram, which authenticates the transaction. This authorization data can only be used for a single transaction, and the data becomes unusable for future counterfeit use. In contrast, authentication data for a magnetic stripe transaction—once obtained by bad actors—can be used to generate a counterfeit card that functions identically to the original, legitimate card. EMV solves that problem because the payment information lifted from an EMV transaction is all but useless for purposes of engaging in future transactions or manufacturing a counterfeit card.
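The one-time property described above can be seen in a small model, added here as an illustration and not taken from the article or from the EMV specifications. HMAC-SHA256 and a per-card transaction counter stand in for the real cryptogram algorithm, and the card number, class names and field names are constructed for the example.

```python
import hashlib
import hmac
import os

def mac(key, tx):
    # Cryptogram binds card number, amount, terminal nonce and counter (simplified layout).
    msg = b"|".join([tx["pan"].encode(), str(tx["amount"]).encode(),
                     tx["nonce"], str(tx["atc"]).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0  # key never leaves the chip

    def pay(self, amount, nonce):
        self.atc += 1  # transaction counter advances on every payment
        tx = {"pan": self.pan, "amount": amount, "nonce": nonce, "atc": self.atc}
        tx["cryptogram"] = mac(self._key, tx)
        return tx

class Issuer:
    def __init__(self):
        self.keys, self.last_atc, self.stripe = {}, {}, {}

    def check_chip(self, tx):
        key = self.keys.get(tx["pan"])
        if key is None or not hmac.compare_digest(mac(key, tx), tx["cryptogram"]):
            return "declined: cryptogram mismatch"
        if tx["atc"] <= self.last_atc.get(tx["pan"], 0):
            return "declined: cryptogram already used"
        self.last_atc[tx["pan"]] = tx["atc"]
        return "approved"

    def check_stripe(self, pan, static_value):
        # Magnetic stripe data is static: the same value verifies every time.
        ok = hmac.compare_digest(self.stripe.get(pan, b""), static_value)
        return "approved" if ok else "declined"

def demo():
    pan, key, stripe = "0000111122223333", os.urandom(16), os.urandom(8)  # constructed values
    issuer, card = Issuer(), ChipCard(pan, key)
    issuer.keys[pan], issuer.stripe[pan] = key, stripe
    tx = card.pay(2500, os.urandom(4))
    results = [issuer.check_chip(tx)]                 # genuine chip payment
    results.append(issuer.check_chip(tx))             # same data presented again
    altered = dict(card.pay(2500, os.urandom(4)), amount=250000)
    results.append(issuer.check_chip(altered))        # captured data with a changed field
    results += [issuer.check_stripe(pan, stripe)] * 2  # copied stripe data works repeatedly
    return results

if __name__ == "__main__":
    print(demo())
```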

 

The Payments Liability Shift
There is no doubt the EMV chip system presents significant benefits. Nonetheless, transitioning an entire payment ecosystem is costly and requires a great deal of coordination from all parties. In order to incentivize card issuers and merchants to switch over holistically to the new EMV system, a global POS counterfeit fraud liability shift went into effect in the United States as of October 1, 2015.

 

Before October 1, the financial responsibility for most counterfeit card fraud was borne by the card issuer, usually under the card networks’ zero-liability regulations. Merchants who accepted counterfeit cards were generally insulated from liability; liability assessments to reimburse the issuing banks for their losses were typically borne, if at all, by the merchant from which the card information was extracted or that merchant’s processor. Now, however, whichever party in the payments chain lacks EMV chip technology will be held liable for the expense of any card-present fraud. In other words, the liability now falls on the entity that uses the least up-to-date payments technology.

 

Now that the liability shift has gone into effect, every time a fraudulent card-present, or “contact,” transaction takes place, there will be a determination of which party—the card issuer or the merchant—should be held responsible for the fraud. The pendulum of fraud liability will swing something like this:

 

  • If the merchant is not EMV certified with a chip-enabled POS terminal and a customer pays with a chip-enabled card, the merchant (or its acquirer) bears the liability for any resulting fraud.
  • If the merchant is EMV ready but the financial institution card issuer has not supplied the customer with a chip-enabled card, the card issuer is held liable for the costs of the fraudulent transaction.
  • If the merchant is EMV certified with a chip-enabled POS terminal, the customer pays with a chip-enabled card, and fraud still takes place, the card issuer is liable, much like today.

 

Payment brands, like Visa and MasterCard, have issued some additional brand-specific guidance for the liability shift. Some liability shifts, such as counterfeit fraud liability, lost or stolen liability, and liability for cross-border transactions, apply only to specific payment networks. For instance, Visa, MasterCard, and American Express have all announced that they will not cover counterfeit fraud costs for merchants that are not prepared to process chip cards under the new EMV technology. Of those three companies, Visa is the only brand that will cover lost or stolen card fraud under the same circumstances. That means if a chip card has been stolen and later used and processed as a magnetic stripe transaction or a chip-and-signature transaction (as opposed to a transaction in which the consumer enters a numeric PIN), MasterCard and American Express will not cover any associated costs from that fraudulent transaction.

 

Merchants are also advised to review each payment brand’s additional information requirements and guidance because some brands have offered additional incentives to merchants to upgrade their POS terminals to EMV-compliant systems. For example, Visa, through its Technology Innovation Program (TIP), has offered eligible merchants PCI DSS validation waivers if they process 75 percent of their transactions on EMV terminals. Visa has also developed a “safe harbor” for its Global Compromised Account Recovery (GCAR) process, which eliminates certain merchant liability when an eligible merchant suffers a security breach.

 

The most substantial change flowing from the recent liability shift affects merchants—which have not previously faced the potentially significant costs of payment fraud. Banks and other financial institutions have been issuing new EMV chip cards in droves, and millions of Americans already have them in hand. Consequently, as of October 1, many merchants that have not converted to EMV chip POS terminals are exposed to considerable new financial risk.

 

Preparing for this liability shift has taken, and will continue to take, time and planning. For card issuers, EMV compliance means continuing to move EMV chip credit and debit cards into the hands of all consumers. Practically, this means not only producing and sending EMV cards out to each customer but also providing user-friendly informational materials to educate consumers on the importance of activating and using their new cards. Entities within the payments ecosystem will also need to continue fielding questions and supporting merchants seeking to fulfill their EMV requirements.

 

For merchants, EMV compliance requires purchasing and installing EMV-enabled POS terminals and meeting the certification requirements for the specific terminal, which may include getting individual approvals from the payment applications and the acquiring bank of each card network. However, once a merchant fulfills these requirements, it is not only EMV compliant but also stands to reap other benefits, such as incentives offered by many payment brands. Merchants will also certainly gain peace of mind from a more secure payment environment.

 

Of course, although EMV technology is a robust security solution, it will not prevent all data breaches from occurring, nor will it end all counterfeit fraud. EMV will also not have any effect on e-commerce, or “card-not-present,” transactions. While EMV payment systems will make it more difficult for criminals to profit from the information they steal, the technology will not resolve all payment-related fraud. Therefore, in addition to upgrading to EMV technologies, merchants should consider implementing point-to-point encryption in their systems and exploring the benefits of tokenization.

 

Most importantly, however, EMV cards and POS terminals cannot stop the fraud the technology was intended to prevent if updated cards and terminals are not universally implemented throughout the U.S. marketplace. The liability shift was not designed just to move the responsibility around but rather to coordinate and encourage all payment players to make the change to EMV systems.

 

Notably, despite the significant exposure non-EMV-ready merchants now face, fewer than half of all U.S. merchants—particularly small and medium-sized merchants—are aware of the new technology or the implications of the liability shift. Some 600 million EMV chip cards will have been issued by the end of 2015, yet many consumers still know little about the new cards and payments system. Thus, merchants and the players in the payments ecosystem, as well as their counsel, have work to do to continue educating the market about EMV and the liability shift. Ignorance is not an option, and those who fail to implement EMV technology now could face an unwelcome surprise in the months ahead.

 

Keywords: litigation, commercial, business, payment systems, credit card fraud, EMV, chip card technology

 

Edward A. Marshall and Maayan Lattin are with Arnall Golden Gregory LLP in Atlanta, Georgia, and Washington, D.C., respectively.

 


 
Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).