Missing the EMV Liability Shift Bears a Huge Cost

Register now

Even though the adoption of the EMV initiative is voluntary, you don’t want to be the one looking for a chair when the music stops. Missing the October 2015 deadline for implementing Chip and PIN could come with a costly price tag for banks and merchants.

That date denotes what is commonly called “the liability shift.” After that date, when credit card fraud takes place, liability for the costs will fall on the entity using the lesser technology. In 2015, that liability in the United States is estimated to total more than $10 billion.

After the liability shift, if a merchant is still using the “swipe and signature” methodology and the customer has a smartcard, the merchant is liable. If the merchant has the new Chip and PIN technology but the bank hasn’t issued the customer a Chip and PIN card, the bank is liable. If the merchant uses Chip and PIN technology on a customer’s smartcard and fraud still takes place, the credit card company bears the liability, as is the case today.

Many merchants and banks simply aren’t aware of this potential storm cloud on the horizon.  For those unprepared, this shift will have organizations scrambling to acquire and deploy smartcard technology before the deadline.  Merchants with readers integrated with their POS will be trying to acquire the right readers, update their applications, and deploy the technology in an orderly fashion. Banks in the U.S. have to replace more than 800 million credit and debit cards.  Without planning, the logistics of converting cards and recording PIN data will be a nightmare.  The banks also have to worry about providing devices directly to merchants whose readers aren’t POS system-integrated.  Apart from a few companies who have made recent announcements—Target, Walmart, and Sam’s Club– there’s a disturbing lack of urgency.

The EMV initiative expressed as Chip and PIN has been widely adopted elsewhere in the world.  It’s driven credit card fraud down to admirably low levels—France claims an 80% reduction, for example.  Because the chip embedded in a smartcard generates a different, single-use code for every transaction, hacking to acquire card data is futile.  The technology’s proven success at reducing fraud is driving this deadline.

Although meeting the October, 2015 deadline for Chip and PIN deployment will be challenging—it's doable. There are a number of issues banks and financial institutions need to address.

As you would with any other technology deployment, start with a plan. A plan will help you think through the individual components of the transition. The plan should be detailed addressing such items as implementation schedules, pilot testing, customer education, etc.

The adoption will likely change fraud behavior as criminals, like electricity, will follow the path of least resistance. Assess other ways of reducing fraud leveraging the Chip and PIN technology as a starting point (i.e., two factor authentication).

Look to what the European banks have done as they’ve had years of experience.

Evaluate improvements to transaction monitoring practices. Look at methods to identify high- risk transactions.

Reach out to educate and collaborate with merchant accounts. They need to understand best practices and risks.

Consider joining and participating in organizations such as the EMV Migration Forum to stay current and affect emerging policies.

To better control the conversion, look at prioritizing the deployment of smartcards to customers: first to international travelers, then to affluent customers, etc.

Communicate throughout the process with all those involved or affected by the transition.

Invest in measures to mitigate the Card-Not-Present (CNP) fraud.  This category includes online transactions. CNP has been the fastest growing form of fraud in EMV countries.

Perhaps the most important piece of advice is—don't  wait, start your transition now. The nearer the deadline becomes, the greater the pressure on you and your staff. Don’t run the risk of delays caused by forces outside your control—such as device manufacturers’ equipment inventory or delivery schedules, software compatibility, or outside consultants’ availability.

The October 2015 deadline will mark an important step in securing millions of transactions in the U.S. By acting on these 10 steps, you and your organization will be well-positioned for a successful Chip and PIN transition.

Dick Mitchell is a Solutions Director in the Technology Deployment Services (TDS) Practice of Randstad Technologies.

For reprint and licensing requests for this article, click here.
Data security Analytics