What’s the EMV liability shift, and what does it mean for my business?

The move to the new Europay, MasterCard, Visa (EMV) standard (chip-and-signature / chip-and-PIN) is well underway. It’s important to know what this credit card chip technology is, the key dates, and how the change can affect your operation.

How an in-person credit card transaction works

In a traditional face-to-face credit card purchase, the customer hands a credit card to the merchant, who then swipes the card through a magnetic strip reader at a point-of-sale (POS) terminal.

The magnetic strip, or magstripe, contains information including your name, the type of card (Visa, MasterCard, American Express, etc.), the account number and the expiration date. The terminal sends the transaction to the appropriate merchant bank, which then contacts the card-issuing bank for payment.

The POS terminal then prints a receipt, which the purchaser signs. In a swipe-and-sign transaction, verification that the card is valid and that the person using it is the authorized user is weak, which contributes to a high rate of fraud.

Online credit card transactions work similarly but are not affected by the chip technology.

Magnetic strip cards are susceptible to several types of fraud:

  • Cards can be counterfeited easily using devices widely available through the Internet.
  • Cards stolen from the mail before the card owner ever receives them can be activated and used by the thief.
  • Lost and stolen cards can be used to make purchases unless the card holder reports the card as missing to the card issuer and the card is cancelled.

A new standard emerges

Payment networks have adopted a standard that requires new cards be issued with a microprocessor chip that changes the way in-person transactions are authorized.

“EMV” stands for Europay, MasterCard and Visa, who were the first payment networks to develop security technology that uses a smart chip containing a small microprocessor embedded in the card.

The chip communicates with the chip reader, card issuer and merchant bank to authenticate the card and complete the transaction. The chip can log transactions and may require a PIN as a second stage of authentication for a purchase.

Because the chip is a microprocessor, its memory can store several different EMV profiles. For instance, the same card can carry both credit and debit accounts, and accounts from different payment networks such as MasterCard and Visa.

How EMV works

Purchases conducted using the embedded chip require that the cardholder or merchant either insert the card into a reader or tap it against one. When a chipped card is inserted or tapped, the reader prompts the customer to enter a PIN, if one is required.

The reader then communicates with the card issuer to authenticate the card and verify that sufficient funds are available for the transaction. The card issuer sends a message back to the card reader approving the transaction, and a unique code is generated for the sale.

Once this process is complete, the transaction is sent to the merchant’s bank, which settles it by collecting the sale amount from the card issuer.

Currently, a purchase using an EMV card may be exactly the same as a traditional purchase, because the cards are issued with both embedded chips and magstripes. Card issuers continue to provide magnetic strips on the cards so that point-of-sale terminals that have not been upgraded to the newer technology can still process them.

In the future, after chip technology has been completely adopted, magnetic strips will no longer be printed on the back of credit cards. While PINs are considered more secure, several card issuers don’t require them, reasoning that a PIN may be too cumbersome for customers.

Reducing fraud

EMV has been used in Europe for several years. The United States is gradually moving to adopt the technology, with a roll-out that began in October 2015 and full implementation set for 2017.

Proponents of EMV technology claim the embedded chips are virtually impossible to counterfeit and that requiring the combination of a chipped card and a PIN substantially reduces fraud and counterfeiting.

The use of both chip and PIN in the United Kingdom has brought some forms of credit card fraud down to their lowest level in 20 years. In Canada, “The spread of chipped cards brought losses from skimming from C$142m ($129m) in 2009 to C$38.5m in 2012.”

Vulnerabilities

However, vulnerabilities have been identified in chip-and-PIN security. Placing tape over the chip can prevent terminals from reading its data, forcing a swipe-and-signature transaction. Researchers have found a weakness that enables transactions to be conducted using an invalid PIN by tricking the terminal into treating the transaction as a chip-and-signature transaction but confirming it as a chip-and-PIN transaction.

The same researchers identified weaknesses in the EMV cryptography as deployed. The number generated by the chip reader may not be random or unpredictable, and if the numbers can be predicted, compromised terminals can be exploited to authorize fraudulent transactions.
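The weakness described above is the quality of the per-transaction number a terminal generates. The check below is an added example, not code from the article or from any payment vendor: it takes a list of 32-bit values captured from a terminal under test (the two sample sets are constructed, one mimicking a counter with fixed high bits, one standing in for a good random source) and flags sequences that repeat, keep bits constant or skewed, or step like a counter. Field names such as `stuck_bits` and the 0.2 bias threshold are assumptions chosen for illustration.

```python
# Added example (not from the article): a lab-side quality check of the per-transaction
# "unpredictable number" (UN) a terminal generates, run over values captured from a
# terminal under test. The sample sets below are constructed.
import hashlib
from dataclasses import dataclass, field

UN_BITS = 32  # an EMV terminal contributes a 4-byte UN to each transaction


@dataclass
class UnReport:
    samples: int
    distinct: int
    stuck_bits: list = field(default_factory=list)   # positions constant across all samples
    biased_bits: list = field(default_factory=list)  # positions with a heavily skewed 0/1 ratio
    counter_like: bool = False                        # constant non-zero step between samples

    def is_weak(self) -> bool:
        return bool(self.stuck_bits or self.biased_bits or self.counter_like
                    or self.distinct < self.samples)


def assess_unpredictable_numbers(uns, bias_threshold=0.2) -> UnReport:
    """Flag UN sequences that look predictable: repeats, stuck or skewed bits, counters."""
    n = len(uns)
    if n < 8:
        raise ValueError("need at least 8 samples for a meaningful check")
    # Count how often each bit position is set across the whole capture.
    ones = [sum((u >> b) & 1 for u in uns) for b in range(UN_BITS)]
    stuck = [b for b, c in enumerate(ones) if c in (0, n)]
    biased = [b for b, c in enumerate(ones)
              if b not in stuck and not (bias_threshold <= c / n <= 1 - bias_threshold)]
    # A counter shows the same modular step between every pair of consecutive values.
    steps = {(uns[i + 1] - uns[i]) % (1 << UN_BITS) for i in range(n - 1)}
    counter_like = len(steps) == 1 and steps != {0}
    return UnReport(n, len(set(uns)), stuck, biased, counter_like)


# Constructed sample 1: a terminal whose "UN" is a counter with 24 never-changing high bits.
COUNTER_UNS = [0x00001000 + 3 * i for i in range(64)]

# Constructed sample 2: well-distributed values (SHA-256 of an index stands in for a good RNG).
RANDOM_UNS = [int.from_bytes(hashlib.sha256(i.to_bytes(4, "big")).digest()[:4], "big")
              for i in range(64)]

if __name__ == "__main__":
    for name, uns in (("counter terminal", COUNTER_UNS), ("random terminal", RANDOM_UNS)):
        r = assess_unpredictable_numbers(uns)
        print(f"{name}: weak={r.is_weak()} stuck={len(r.stuck_bits)} "
              f"biased={len(r.biased_bits)} counter_like={r.counter_like}")
```

The counter sample is reported weak on two counts (24 stuck bits and a constant step), while the hashed sample passes; a terminal that fails this kind of check is one whose transactions an acquirer or certification lab would want to look at more closely.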

While card issuers report that fraud has decreased substantially, the numbers should be viewed cautiously. There have been a number of complaints by cardholders in Europe that their cards were used fraudulently, but their claims were denied by the card issuer. Card issuers in the United Kingdom, in particular, have denied cardholders’ fraud claims when it appears that a PIN was used.

Research and supporting evidence have shown that this type of fraud is possible and is occurring. Cardholders point to purchase dates, times and locations at which it would have been impossible for the physical card and cardholder to have made the purchase.

For a transaction to be considered fraudulent and counted in the statistics, it must be reported as such by the card issuer. If the card issuer doesn’t report a loss, the loss borne by the cardholder who has to pay for the unauthorized purchases isn’t included in the statistics.

The cost of upgrading POS terminals from swipe to chip can range from $29 (Square EMV reader on Amazon) to $1,000 per terminal. It’s estimated that there are 15 million point-of-sale terminals in the United States to date.

What is the “shift,” and who will be responsible?

While the EMV standard is not mandated by law, it’s a modification of the contract between merchants who accept credit cards and the payment processor or network. Failing to convert to the EMV standard can result in the merchant being liable for fraudulent credit card transactions and potentially fined or sanctioned by the PCI (Payment Card Industry) for failing to follow its security protocols.

Merchants that accept credit cards in person must comply with the EMV standards or may be held liable for fraudulent transactions. Previously, the card issuer bore responsibility for fraudulent purchases. It is important to remember that the shift of responsibility applies only to card-present purchases, not to transactions conducted online or by phone.

Liability for fraudulent card-present purchases will be assigned to the party—card issuer or merchant—who utilized the lower level of security and compliance with the EMV standard.

For example, if a merchant is required to comply with EMV and an embedded chip card is presented to complete a card-present transaction, the merchant’s failure to use a chip reader will shift liability to the merchant in the event of fraud.

Similarly, if the merchant has a chip reader and is prepared to process embedded chip cards but the card issuer has not issued chip embedded cards, the card issuer will be liable in the event of fraud.

The PCI Security Standards Council has standards for transaction security. Failing to properly secure the transaction by using an outdated POS terminal or unencrypted, unsecured Internet connection can be violations of its security standards.

PCI can impose sanctions on merchants, such as suspending the ability to process credit cards and fining those who don’t comply with its standards. PCI fines can range from $5,000 to $500,000.

Liability of card holders is not affected by the move to the EMV standard. Card holders are liable for up to $50 per fraudulent transaction or up to $500 if they fail to report the loss or theft of the credit card in a timely fashion.

Key dates

  • Retail operations were required to implement EMV by October 1, 2015
  • ATMs must comply by October 1, 2016
  • Automated fuel dispensers must be EMV compliant by October 1, 2017
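The allocation rule in the “What is the ‘shift’” section and the deadlines in the list above combine into a small decision procedure. The function below is an added example, not the article’s or any card network’s own rule set: it takes the transaction date, the merchant category, whether the card was present, whether the card carried a chip and whether the merchant ran it through a chip reader, and returns which party bears the fraud loss. The field names are assumptions, and so is the last rule: when card and terminal are at the same level the shift has nothing to say, and the example keeps the pre-shift allocation (the issuer), which the article states was the previous position.

```python
# Added example (not from the article): which party bears fraud liability for a purchase
# under the EMV liability shift, using the rules and deadlines the article describes.
from dataclasses import dataclass
from datetime import date

# Deadlines exactly as the article lists them (merchant category -> date the shift applies).
SHIFT_DATES = {
    "retail": date(2015, 10, 1),
    "atm": date(2016, 10, 1),
    "fuel": date(2017, 10, 1),
}

MAGSTRIPE, CHIP = 0, 1  # security levels, lowest first


@dataclass
class Transaction:
    when: str               # ISO date "YYYY-MM-DD" (hypothetical field names throughout)
    category: str           # one of SHIFT_DATES' keys
    card_present: bool      # False for online or phone orders
    card_has_chip: bool     # issuer put an EMV chip on the card
    chip_reader_used: bool  # merchant processed the card through a chip reader


def liable_party(tx: Transaction) -> str:
    """Return 'merchant' or 'issuer' for the fraud loss on this transaction."""
    if tx.category not in SHIFT_DATES:
        raise ValueError(f"unknown merchant category: {tx.category}")
    when = date.fromisoformat(tx.when)
    # The shift covers card-present purchases only, and only once the category's deadline passes.
    if not tx.card_present or when < SHIFT_DATES[tx.category]:
        return "issuer"
    card_level = CHIP if tx.card_has_chip else MAGSTRIPE
    terminal_level = CHIP if tx.chip_reader_used else MAGSTRIPE
    if card_level > terminal_level:
        return "merchant"  # chip card presented, merchant fell back to a swipe
    if terminal_level > card_level:
        return "issuer"    # merchant was ready, issuer had not chipped the card
    # Assumption: with both sides at the same level the shift is silent and the
    # pre-shift allocation (the issuer) stands.
    return "issuer"


if __name__ == "__main__":
    cases = [
        Transaction("2016-03-01", "retail", True, True, False),   # chip card swiped in a shop
        Transaction("2016-03-01", "atm", True, True, False),      # same, but ATM deadline not reached
        Transaction("2016-03-01", "retail", True, False, True),   # magstripe-only card, chip terminal
        Transaction("2016-03-01", "retail", False, True, False),  # online order
    ]
    for tx in cases:
        print(f"{tx.when} {tx.category:6} present={tx.card_present!s:5} "
              f"chip_card={tx.card_has_chip!s:5} chip_used={tx.chip_reader_used!s:5} -> {liable_party(tx)}")
```

A merchant can run its own card-present transaction log through a function like this to see which past or future disputes the shift would have put on its side of the ledger, which is the practical measure of the risk the article describes.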

To date, compliance has been slow for both merchants and credit card issuers. It’s estimated that only 27% of merchants were ready for the October 1, 2015 retail merchant deadline.

Early adopters include Walmart and Costco, which suffered a data breach in July 2015, and Target, which suffered a data breach in 2013 that resulted in a $67 million settlement to reimburse financial institutions and a $10 million settlement of a class action lawsuit by customers.

How will the transaction experience be different for my customers?

It takes a bit longer to process chip-and-PIN transactions, but it isn’t likely to be more than an additional 30 seconds or so, which may or may not improve over time.

Restaurant credit card transactions may change. With a magstripe card, a diner paid by handing the card to a server, who swiped it and returned a receipt on which the diner wrote in the tip and signed. There are many possibilities, such as mobile chip-reading terminals, but chip transactions will require that the tip be entered at the POS terminal before the transaction is processed.

Again, only in-person, card-present transactions are affected by the EMV standard.

Will my current business general liability or cyber insurance cover any losses I may incur?

Whether your current insurance will cover merchant liability for fraud due to not complying with EMV depends on your policy and the circumstances of the fraudulent transaction.

It is possible that insurers will offer a “gap” policy, providing coverage if you are trying to comply with the standard, but for some reason cannot. Merchant liability for fraud may be covered under a crime insurance policy.

Merchants who are unable to comply with the EMV standard should contact their insurance agent to explore their potential liability and available coverage.

How can Hartford Steam Boiler help me?

Hartford Steam Boiler offers a variety of equipment and cyber-insurance products to protect merchants. You can take a look at our coverages here.

However, in the case of EMV, avoiding liability can be as simple as upgrading your technology. In fact, that’s what we recommend to reduce your risk.


© 2015 The Hartford Steam Boiler Inspection and Insurance Company. All rights reserved. This article is for informational purposes only and does not modify or invalidate any of the provisions, exclusions, terms or conditions of the applicable policy and endorsements. For specific terms and conditions, please refer to the applicable coverage form.

Monique Ferraro

Monique is counsel in Munich Re’s US Cyber Practice at HSB. Previously, she was principal at a digital forensics, e-discovery and information security consulting firm and owner of a law firm. Ms. Ferraro is a Certified Information Systems Security Professional.
