Vending machine owners face a small liability risk if their card-accepting machines are not EMV compatible
Dear Your Business Credit,
I have a vending machine with a credit card reader. A third party handles the service. Does the new law of having a reader able to read chips apply to vending machines? — Roy
It’s a good thing you asked. As you are aware, a shift in liability for card-related consumer fraud kicked in Oct. 1, 2015. It’s not a law, but it is substantial, industrywide change in how payments are accepted in the United States. As of that date, merchants — not banks — became liable for consumer fraud involving credit cards that contain EMV chips if they have not installed an EMV-compliant credit card reader. Cards with the chips are more secure than magnetic stripes against counterfeit card fraud.
“This means vending machine operators without EMV-capable hardware should contact their vending supplier and processor to ask about an upgrade,” Helgeson said in an email. “The only exception to this are self-service gas pumps — what the card brands call automated fuel dispensers. Gas stations have two additional years, until October 1, 2017, to upgrade to EMV.”
Paul Bridgewater, CEO of Sage Payment Solutions at payment processing firm Sage North America in Atlanta, noted that since the liability shift covers kiosk acceptance, merchants who own vending machines but don’t upgrade are at risk of paying for chargebacks in fraud-related situations. “If EMV technology isn’t used and an EMV-related chargeback is initiated, the merchant would be liable,” he said in an email. “This is only for chargebacks related to card fraud or the use of replicated cards.”
As more consumers receive EMV cards to replace those with magnetic stripes, this risk could conceivably increase over time. “What the liability shift does mean for vending machine operators is that if they have a mag stripe point-of-sale reader and an EMV card is used, the operator will bear the cost of any fraud that occurs, since the card could have been processed as an EMV transaction,” Jack Jania, senior vice president of strategic alliances at digital security company Gemalto, said in an email.
However, Bridgewater pointed out that the risk of vending machine fraud is very low. He cited an article in trade publication Vending Today that quotes Brendan Kehoe, vice president of Streamware at Crane Merchandising Systems, who estimated this risk at about 0.16 percent. (In some cases, the article notes, vending machine operators may have an agreement with the provider of the machine that migrates the responsibility to the provider.)
Jania had a similar perspective. “Fraudsters most likely won’t go through the trouble of cloning credit cards just to use them at a soda machine, so ultimately the risk is very minimal,” he said in his email. “It really comes down to being a business decision for vending machine operators. They will need to determine the amount of fraud they are willing to risk and make their decision to implement chip readers or not based on that assessment.”
Although the risk vending machine operators face is low, this is a good time to point out the risk of credit card fraud is higher in many industries where small businesses operate.Many business owners have not upgraded their credit card processing machines, which means they now face what could be steep liability for fraud. According to research from TD Bank, as of early October 2015 only 41 percent of small businesses had installed EMV chip-enabled payment terminals. Many were planning to do so but hadn’t gotten around to it yet. The bank found that 40 percent plan to install chip-enabled payment terminals but have run into obstacles or have concerns about making the conversion.
Some small-business owners believe making the shift will be expensive, the bank found, and that’s a legitimate concern. While it isn’t cheap, especially if you run multiple terminals, the average cost among survey respondents who made the conversion — $450 — is probably less than many would anticipate. (In an earlier “EMV terminal recommendations for small businesses,” I looked at some lower-cost options for merchants). When you consider that bearing the cost of a single fraud could potentially put you out of business, this expense may not seem to be great.
Unfortunately, it seems many owners are taking the ostrich approach. Among small-business owners, 73 percent who responded to the survey said they are not very concerned about fraud or not concerned about it at all. Taking that approach can land you in unexpected trouble. First Data found that the cost of a data breach for a merchant with less than $1 million card transactions annually averages $36,000. While EMV won’t prevent data breaches, it will make breaches harder to pull off and less attractive to thieves because the stolen data would be much less useful.
If you find you’re overwhelmed by the requirements of the new law, I would recommend talking with your bank or credit card processor for advice. It may not be fun to comply with the liability shift, but it’s not going to go away. Credit card fraudsters are getting more creative by the day, and small businesses are an easy target.