Writes regularly about personal finance and health
Two years after the rollout of EMV chip cards, one thing is clear: EMV has not signaled the end of fraud. However, for some small retailers, the biggest threat may not be the fraudsters, but rather revised liability rules causing merchants to foot the bill.
The EMV liability shift was a change in who was deemed responsible for credit card fraud. After Oct. 1, 2015, retailers who could not process chip card payments could be held liable for fraud costs since they were not EMV-ready.
For retailers, the costs associated with fraud can be devastating. In 2017, merchants reported that every dollar of fraud actually costs them $2.77, says Kim Sutherland, senior director of fraud and identity strategy at LexisNexis. Those costs could rise dramatically if retailers must shoulder the entire bill.
In fact, a 2017 National Retail Federation survey found that 63 percent of small brick-and-mortar retailers said they could not afford to risk the increased liability that comes with EMV.
If you’re a merchant looking to keep fraud costs down, understanding how the liability shift works is only half the battle. Here’s how retailers can avoid being on the hook for credit card fraud.
Know the rules
There are two types of credit card fraud: counterfeit card fraud and stolen card fraud. With a counterfeit card, a fraudster creates a new card with a stolen card number. With stolen card fraud, a card is physically taken and used by someone without permission. The liability shift applies to those two types of fraud differently.
With counterfeit cards, the EMV chip is critical to preventing fraud.
- If the counterfeit card is not a chip card, the retailer can do nothing to prevent the fraud so the card issuer is liable whether the retailer is EMV-compliant or not.
- If the counterfeit card is a chip card and the retailer has an EMV-ready terminal, the card issuer is liable for the fraud because the retailer has done all that he or she can do to prevent the fraud.
- If the counterfeit card is a chip card and the retailer does not have an EMV-ready terminal, the retailer is liable for the fraud because had they upgraded their equipment they may have prevented the fraud.
There could be instances where there is a technology malfunction and an EMV-ready terminal is unable to read the chip. If that happens, the terminal may prompt the retailer to use the magnetic stripe as a backup. In that case, the card issuer will be liable for any fraud.
When a stolen card is used, an EMV chip by itself can’t prevent the fraud. The only way to prevent stolen card fraud is to request a PIN if that card is PIN-enabled. While most credit cards in the U.S. use chip-and-signature technology, some are chip-and-PIN enabled, making them safer because a thief would not readily know the PIN number. If a fraudster uses a stolen card that is chip-and-PIN enabled, a retailer can be held liable if they don’t have a chip-and-PIN enabled terminal.
- If the stolen credit card is not a chip-and-PIN card, the card issuer is liable for the fraud whether the retailer is EMV-compliant or not because the retailer could do nothing to stop the fraud.
- If the stolen credit card is a chip-and-signature card, the card issuer is liable for the fraud whether the retailer is EMV-compliant or not, since an EMV chip can’t prevent stolen credit card fraud.
- If the stolen credit card is a chip-and-PIN-enabled card and the retailer is EMV-ready but doesn’t support the PIN, the retailer could be held liable. This is because the retailer could have prevented the fraud if they had the equipment to ask for a PIN.
The best protection that retailers can have from liability is a payment terminal that can process chip-and-PIN-enabled credit cards, says Patty Walters, senior leader, payment terminals, security and EMV at credit card processing company Vantiv.
Questions of liability
Once you know the rules, you must make sure they are applied correctly. There have been instances of retailers complaining they have been unfairly held liable for fraud, says J. Craig Shearman, vice president for government affairs public relations for the National Retail Federation.
Typically, when a customer disputes a charge, the retailer is given the ability to respond and show that the customer actually did make the purchase. For example, the customer may have forgotten about the purchase or could be disputing the charge without realizing that his or her spouse bought the item.
“What we were hearing a lot from retailers, particularly retailers who didn’t have chip readers, was that if a customer called the bank and disputed a charge, some of the banks were automatically issuing chargebacks without bothering to investigate whether any fraud had occurred or not,” Shearman says.
If you’re a retailer being charged for fraud you don’t believe you should be liable for under the rules of the liability shift, ask the bank or payment processing company to explain. If you don’t agree, you may be able to sue, but it may not be worth it since the costs of taking legal action could easily outweigh the cost of the fraud itself.
The better solution might be to take your business elsewhere. “The ultimate recourse is to change processors or change banks,” Shearman says.
Though some retailers have complained about the liability shift, others say the move to EMV has calmed much of their anxiety about fraud. Emory’s on Silver Lake, a restaurant in Everett, Washington, is upgrading to an EMV-certified pay-at-the-table solution for restaurants called Rail.
The move has made Rob Frost, director of operations, less apprehensive about the risk of fraud. “You hear about breaches all over the place, but this is one more step to make sure that we’re as safe as we can be,” Frost says.
For retailers who haven’t yet upgraded for EMV, there are some obvious signs that a credit card may be counterfeit, according to the American Institute of Professional Bookkeepers:
- The signature panel where the customer signs his or her name should not be plain white.
- The account numbers on the front of the card should not be different from those on the back.
- Credit card networks have standard numbers that appear on every card. American Express card account numbers start with 34 or 37; Visa card account numbers start with 4, MasterCard credit cards start with a 5 and Discover cards start with 6011. If a card starts with a different number, it’s likely counterfeit.
If any of these signs are evident, do not swipe the card.
Upgrading your equipment to support EMV cards is the most surefire way to avoid liability. While a payment terminal that can process EMV chip-and-signature cards will cut down on your liability risk, equipment that supports EMV chip-and-PIN cards ensures that you won’t be liable for stolen card fraud and offers the greatest protection retailers can get.
“EMV has made a very positive impact in trying to reduce the counterfeit card fraud and point of sale fraud, which is what it was intended to do,” Sutherland says.