It’s been talked about since August 2011, when Visa, followed shortly by other card brands, announced it was accelerating the migration to EMV chip cards by shifting the liability for fraudulent cards at the point of sale to the party that does not support EMV.
On Oct. 1, 2015, the shift went into effect. Although the majority of large merchants have upgraded POS terminals to accept EMV chip cards, there are a number of smaller businesses that are either unaware of the shift or have determined the cost to upgrade terminals is not worth the potential liability.
Will the EMV liability shift have a significant impact on merchants that choose not to upgrade? What role do banks play in educating merchants about the pros and cons of upgrading their POS terminals to accept EMV chip cards?
Small businesses lag
According to the most recent Wells Fargo/Gallup Small Business Index, slightly less than half (49%) of small businesses are aware of the liability shift.
“It’s no secret that the communication to the smaller merchants about EMV liability shift hasn’t gotten through,” notes Nick Holland, Javelin’s head of mobile.
And even if merchants are aware, they don’t have a vested interest in upgrading their POS terminals, he says. However, Holland predicts that smaller merchants will be in for “quite a surprise” as fraudsters shift their focus from larger merchants to smaller merchants.
“We expect fraudsters to shift to the weakest link, which will be those merchants that have not yet adopted EMV and only accept magnetic stripe cards,” agrees Deanna Karhuniemi, vice-president of EMV Strategy for Chase Commerce Solutions.
“There will be some horror stories from smaller merchants,” says Holland. “Not only will they be hit with increased fraud, but they will be liable for it.” In some cases, he adds, smaller merchants could be put out of business.
Some merchants, such as groceries and electronic retailers that traditionally experience higher fraud rates, may be especially hard hit, explains Karhuniemi.
She also notes that not all large merchants will decide to install EMV POS terminals right away. In Canada, the liability shift occurred in spring 2011, and even now, not all large merchants have installed EMV-supported POS terminals, although the gap is closing. “We are still not at 100% acceptance in Canada.”
Stress the benefits
Financial institutions—along with all entities in the payments ecosystem—have a responsibility to educate merchants about the EMV liability shift, notes Holland. However, he says that a different set of communications tactics is required. Rather than warning about fraud and the liability shift, financial institutions also should highlight the benefits of upgrading POS terminals, such as the ability to accept new payment types, such as Apple Pay.
Karhuniemi agrees that acquirers, payment processors, issuers, and financial institutions should educate merchants and that education should extend to a holistic approach to fraud.
Even merchants that do install POS terminals to support EMV chip cards are not in the clear, she says. While EMV chip cards eliminate counterfeit card fraud at the POS by creating dynamic data that is authenticated for each transaction, merchants need complimentary security technology, like point-to-point encryption, to protect data in transit. Merchants that retain cardholder data for recurring payments need to consider tokenization that protects data at rest.
Impact on CNP fraud
As merchants shift to EMV-enabled POS terminals, fraudsters may move to online fraud. Although statistics show a rise of card-not-present fraud in the United Kingdom once the shift took effect in 2005, Holland says the increase is because of more e-commerce.
“Increases in card-not-present fraud due to EMV adoption is an urban legend,” says Holland. “Fraudsters won’t flock to card-not-present fraud because of EMV. They will flock to card-not-present transactions because that’s where the volume growth is.”