EMV transfers fraud liability from card issuer to merchant


The US is finally deciding to play catch-up with the rest of the world and begin working towards the adoption of the Europay, MasterCard, and Visa standard for secure payments (EMV). With the October 2015 liability shift looming and the devastating fallout from Target’s data security breach in 2013, the rollout of chip and PIN security has shifted from neutral into drive, writes Vincent Forte.

Debit and credit card payments in the US today leave the card issuer liable for fraud related to in-person or ‘card present’ transactions. Should the charges be disputed by the customer and a chargeback occur, the merchant would suffer, as they would bear the costs of items purchased using the fraudulent card. However, as of October 2015, the official US transition date, card fraud liability will shift from the card issuer to the merchant.

American citizens who travel regularly to other countries have long been familiar with the concept and ease of chip and PIN. For those who have not experienced using a card with chip and PIN, your time is coming! While most adopters of this new technology will incorporate a PIN requirement at the point of sale, others will continue with the signature option. EMV cards carry security credentials encoded by the card issuer during personalization. These credentials, or keys, are stored securely within the EMV card’s chip and are impenetrable to unauthorized parties seeking access. The secure credentials help prevent so-called card skimming and cloning, one of the common ways magnetic stripe cards become compromised and can be used fraudulently.


Certain technology experts dismiss further EMV investment as a dead end. They argue that there are more secure options available; options that are better able to deal with the multiple card security scenarios – particularly online and mobile payment options – that are fast emerging. Without a doubt, mobile payment options are becoming more and more viable. The question now becomes: do we wait for mobile to take over card payments completely, or do we act now and accept that banks must move from swipe to chip to mobile?

While experts continue to debate the details of future security technology choices, the issue is certainly not reducing in prominence. Card security matters, and catastrophic breaches could drastically affect corporate reputation, as seen in May 2014 with the resignation of Target Corp CEO, Gregg Steinhafel, a 35-year company veteran. The signal is loud and clear to C-suite executives everywhere; what happens next will undoubtedly be played out under the watchful eyes of corporate boards, as well as technology specialists, legislators and consumers.

Consumers have become nervous, and rightfully so. The more they get wind of EMV and its shield against fraud, the more banks begin to hear them clamor for adoption in the US. At the same time, equally vocal experts raise the notion that EMV is not the cure-all against fraud. Nonetheless, the legislative program to bring the US through the transition from mag-stripe to EMV is moving forward. Any previous complacency or “blame shift” from other parties toward issuers will end in October of 2015. From that day on, merchants—as opposed to card issuers—will carry any financial burden that arises out of fraudulent use of counterfeit, lost and stolen cards.

Whisperings of EMV have been floating around the US for some time now without real urgency or forward motion, but it is here and it looks very unlikely to do anything other than spread. Low-key adoption by some of the highest profile financial institutions has already begun.

EMV helps – measurably and significantly – to solve counterfeit fraud at the point of sale and ATM. It will not and cannot eradicate all fraudulent activity, but it remains an important layer in a multi-layered approach to mitigating fraud in the payments system. Combining EMV over time with Payment Card Industry Data Security Standards, data encryption and tokenization will help to further secure and protect payment data throughout the process. This will provide additional and scalable fraud protection in a fast-evolving environment.

Capco has already begun working with high profile financial institutions to guide them on the transition journey. As automated and quick as a transition like this may seem, don’t be fooled. Issuers don’t appreciate the fact that there is well over a year until the shift and are underestimating the time it will take to roll out. The time is now to begin discussions around preparation and next steps for rollout in 2015.