100 days to EMV fraud liability shift: report states majority of U.S. merchants ‘not ready’

With less than 100 days before the EMV fraud liability shift in the U.S., some 75% of merchants are predicted to miss the October 1 deadline.

This figure was released this week by Javelin Strategy & Research in a report titled ‘State of EMV Cardholders: Opportunities to Capitalize on the Halo Effect’ (report available here).

The Javelin report – compiled from November 2014 data – is based on a study of 8,500+ U.S. retail bank customers. It assesses the level of EMV card penetration among major U.S. financial institutions; as well as cardholder awareness, education, and the methods adopted in educating customers on EMV. The report revealed that there was a clear education gap where EMV was concerned and that smaller merchants are simply not ready for the fraud liability shift.

“The smaller merchants are clearly not ready, not by a longshot,” said Nick Holland, Javelin’s payments director. “The majority of small merchants are not only not ready for EMV, they are not even aware of EMV.”

First, a recap.

The key driver for the introduction of this liability shift is growing card-present fraud in the U.S. via mag stripe payment cards and mature terminals. The cost of card fraud in the U.S. alone is estimated at $8.6 billion per year and tipped to top $10 billion in 2015.

The big sell from those pushing the EMV standard (the major card issuers) is in convincing U.S. merchants that the change is worth it.

According to the Congressional Research Service, a U.S. Congress think-tank, the cost of this migration to the EMV standard is expected to be between $6 billion and $8 billion. Significantly, 75% of the cost will be borne by merchants. This expense makes the transition to EMV three times more expensive for them than for the issuers. Despite the fact that this is the brainchild of issuers, retailers are making the significant investment here.

So, what does the EMV chip do?

It is more secure. Visa’s EMV chip cards, for example, will protect in-store payments by generating a unique, one-time code needed for the card-present transaction to be approved. This feature makes it very difficult to counterfeit and skim cards, and will help tackle card present fraud at the point of sale and at ATMs.

This is the primary aim of the liability shift. It is a risk management exercise from the major credit card companies that make up the EMV association (EMV stands for Europay, MasterCard, and Visa).

The EMV fraud liability shift: what happens on October 1?

On October 1 the fraud liability for card transactions at the point-of-sale (POS) terminal will be borne by the least compliant stakeholder in the payment process. As the fraud liability shift is the creation of, and has been driven by, the large credit card companies, it is obvious that the weakest section of the payments chain will be the merchant that accepts a card payment.

The fraud liability will shift to the non-chip owner of the transaction, the stakeholder that does not adopt the EMV chip technology.

It is crucial to understand that this is not a legal mandate. This is a deadline for readiness created by EMVCo, an alliance of the major card companies.

Merchants need to understand that there are ways and means to meet this requirement at a cost and timescale that suits them.

And, after October 1 – what’s the lie of the land?

When payment fraud occurs from a card-present transaction, e.g. at the POS, then the costs will be borne by the weakest link in the payment process.

Merchants will have to ensure that their POS terminals are secure and EMV-compliant, and manufacturers of the terminals will have to do likewise. The credit card companies are a step ahead given that it is they who have created this fraud liability shift. They did so as card-present fraud was spiralling out of control. Terminals in the U.S. were seen as easy targets and – in recent months – that contention has proved to be correct.

As of now issuers are on the hook for any card fraud that occurs at the POS. That will change on October 1. By 2017 this policy will extend to ATMs and gas stations in the U.S.

For example, if a customer purchases a $150 suit at a store on October 1, or after, and that transaction is subsequently confirmed as fraudulent then it will be the store that will take the $150 hit, not the issuer.

However, post-October 1, if a mag stripe card is used at a mag stripe terminal and fraud is later detected then this will still be borne by the issuer. This is because this transaction maintains the status quo: neither stakeholder has invested in an EMV upgrade, so the issuer is still liable for any fraud that occurs.

If an EMV-enabled card is used at a mag-stripe terminal and fraud is later detected then the merchant is on the hook. Why? Well, the merchant has not invested any capital in upgrading their system to the EMV standard and therefore will be the least compliant element in this payment.

What happens with fraud when both the merchant and the issuer have upgraded to EMV? If fraud is detected after the use of an EMV chip card at an EMV-enabled terminal then the issuer will still bear the brunt of any fraud that occurs.

Bottom line is: retailer beware, back to that risk management we mentioned earlier.

How can Aviso help?

Earlier we stated that there are ways and means for merchants to meet this fraud liability shift requirement at a cost and within a timescale that suits.

This is where we can help. We can help save time and money.

Aviso has developed a product that will allow organisations to comply with the EMV fraud liability shift without a significant impact on time or costs. Our EMV Wrapper allows players to upgrade their internal systems and meet the EMV standard in less than 80% of the time required by other means.

Our EMV Wrapper sits between external entities and the merchant’s existing systems and intercepts the incoming payment message.

It goes to work by stripping out the EMV data and passing the transaction to internal systems as a mag stripe transaction. The outbound message is subsequently rebuilt with the correct EMV data and the message is routed to the correct destination – typically the card processor.

The EMV payment data is processed and an authorisation is returned to the payment switch. Our EMV Wrapper once again extricates the EMV payment data as the message passes through the switch. This EMV payment data is reattached as the authorisation message that is passed back to the terminal.
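
The strip-and-reattach flow described above, as an added example that is not Aviso's code: the class name and the message fields `ref`, `entry_mode` and `icc_data` are assumptions, and the sample messages are constructed. It shows that the internal system only ever sees a mag stripe message while the chip data reaches the processor and the terminal byte-for-byte as received.

```python
class EmvWrapper:
    """Holds chip data outside the legacy switch and restores it on the way out."""

    def __init__(self):
        self._held = {}  # (leg, ref) -> fields removed from the message on that leg

    def _strip(self, leg, msg):
        if "icc_data" not in msg:
            return dict(msg)  # genuine mag stripe traffic passes through unchanged
        key = (leg, msg["ref"])
        if key in self._held:
            raise ValueError(f"reference already in flight: {key}")
        self._held[key] = {f: msg[f] for f in ("icc_data", "entry_mode") if f in msg}
        legacy = {k: v for k, v in msg.items() if k != "icc_data"}
        if "entry_mode" in legacy:
            legacy["entry_mode"] = "magstripe"  # what the internal systems expect
        return legacy

    def _restore(self, leg, legacy):
        held = self._held.pop((leg, legacy["ref"]), {})
        return {**legacy, **held}  # chip bytes go back exactly as received

    def from_terminal(self, msg):
        return self._strip("request", msg)

    def to_processor(self, legacy):
        return self._restore("request", legacy)

    def from_processor(self, msg):
        return self._strip("response", msg)

    def to_terminal(self, legacy):
        return self._restore("response", legacy)


def demo():
    # Constructed messages: 9F26 = application cryptogram, 91 = issuer authentication data.
    request = {"ref": "000123", "amount": 15000, "entry_mode": "chip",
               "icc_data": bytes.fromhex("9f2608" + "ab" * 8)}
    response = {"ref": "000123", "approved": True,
                "icc_data": bytes.fromhex("910a" + "cd" * 8 + "3030")}
    w = EmvWrapper()
    legacy_req = w.from_terminal(request)
    outbound = w.to_processor(legacy_req)
    legacy_resp = w.from_processor(response)
    returned = w.to_terminal(legacy_resp)
    return legacy_req, outbound, legacy_resp, returned, len(w._held)
```

The held chip data is cardholder transaction data in its own right, so the store that keeps it between legs needs the same protection and retention limits as the rest of the payment path.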

Benefits to the merchant:

  • No risk to existing systems, no requirement for re-engineering
  • Our EMV Wrapper is 80% faster to implement when compared to changing existing systems and switches
  • It is a more cost-effective solution for retailers facing the October 1 EMV deadline

Our EMV Wrapper also delivers a service that can be exploited in other ways:

  • Provide access to new interfaces and new services
  • Act as an integration tool for system components
  • Support migration towards a service oriented architecture and cloud-based application

For more check out our YouTube channel:

Fast tracking EMV compliance for acquirers:

https://www.youtube.com/watch?v=rZtzc8IYtao

And for retailers:

https://www.youtube.com/watch?v=moolKyunaHg

Contact us

For more information on our products and services contact us at info@aviso.io, or follow us on Twitter and LinkedIn.
