27 Sep

2016

Dear Merchant, can you afford to be a victim of credit card fraud?

posted by: William White

If you are a merchant who takes credit cards, not knowing the answer to those questions means that you could be footing the bill for credit card fraud that takes place in your establishment.

Behold the EMV Chip!

If you are a merchant who takes credit cards...you could be footing the bill for credit card fraud that takes place in your establishment.

October 1st, 2016 is fast approaching and that means our lil’ EMV Liability Shift is turning ONE!

“What does EMV stand for”, you ask?  Why should you care that the Liability Shift has orbited the sun for 12 whole months?  Uh oh. If you are a merchant who takes credit cards, not knowing the answer to those questions means that you could be footing the bill for credit card fraud that takes place in your establishment.

Just the facts

EMV stands for Europay, MasterCard and Visa.  It is a global standard for credit and debit payment cards.  EMV is based on a chip that generates a unique code each time the payment card is placed into a point-of-sale (POS) terminal.  It turns out that the chip, and the dynamic codes they produce, make the physical counterfeiting of payment cards a really tough job. Counterfeiting those old fashioned cards with magnetic strips and their static data, however?  Well, as Lionel Richie once put it, counterfeiting those is “Easy like Sunday morning.”  Furthermore, the EMV standard also calls for a PIN or signature to provide another layer of protection. So, in theory, using EMV payment cards with the chip embedded will drastically cut down on credit card fraud.

But does EMV work in the real world?  Yes…. And No.

You see, EMV is fantastic at preventing fraud in transactions where a physical card is needed to make a purchase (ex. at a POS terminal).  Think paying for your mocha-acai mega sized latte at your coffee bar.

In fact, according to FFA UK, it works so well that from 2004 to 2012 brick-and-mortar retailers in the UK reported a 75% reduction in credit card fraud.

Sounds great, right?  Not so fast. This protection only works when a physical card is placed in a physical card reader- “card-present transactions”.  In other words, fraudsters and thieves simply have to turn their attention away from the brick-and-mortars and focus instead on online transactions (aka “card-not-present transactions”).  The bad guys can also spend more time going after unsuspecting credit card users in other countries that haven’t adopted EMV yet (or are slow in adopting EMV like the US). I should also mention a possible uptick in application fraud and account takeovers after EMV rides into town.

But, as you can see, steps must be taken to cut down on the costs associated with POS credit card fraud. And that’s where EMV becomes a necessity.  It is a way to protect cardholder.  It might even protect the merchant.

Bill, what do you mean by “MIGHT” protect the merchant?

Looks like it is time to mention the Liability Shift part.

Remember, we are celebrating a birthday here. October 1st, 2016 marks the 1 year anniversary of the day that liability for fraudulent transactions could be placed squarely on the shoulders of the merchant. To put it another way, starting a year ago, the burden to pay fraudulent in-store credit card charges could shift from card companies (like Visa) to the merchant in some instances.

This is best explained through this easy to follow scenario:

After October 1st, 2015 a credit card is used to fraudulently purchase a $150, mint condition “Wham! Make It Big” album from Vinny’s Valuable Vinyls store downtown. Who is responsible for the $150 charge? Let’s look at the “Table of Responsibility” for the answer:

Type of card used EMV Chip EMV Chip
Type of POS terminal used EMV Chip Card Enabled Magnetic Stripe Only
Party Liable for $150 fraudulent charge Credit Card Issuer Merchant

The “Table of Responsibility” shows that the merchant is responsible for the fraudulent charges when they are the party with least amount of the EMV technology enabled. If the credit card issuer is using EMV technology, and you (the merchant) are not, then the charges are yours to cover.

If this information is “news to you”, it’s time you start looking into upgrading those old fashioned magnetic stripe only terminals to shiny, new EMV Chip Enabled models.  You can bet that credit card issuers are in a hurry to get the chip cards into the hands of their customers. As a merchant, the longer you wait to adopt the EMV standard, the longer you are at risk for being liable for any fraudulent charges made using a chip card. There are some exceptions to that rule of course- like ATMs and gas pumps- but, they will be going away soon as well.

Moral of the story

You are overdue for adopting the EMV technology by almost a year. Do it now, or you will be making a Wham! loving fraudster very happy.

More to the story

It is very important to realize that, as a merchant using a POS terminal, there is much more you can do to protect your customers and your business from fraud and cybercrime.  We at Ultimate Risk Solutions can help you build a layered defense to keep the bad guys out.  Want some recommendations on what to do to address the vulnerabilities EMV doesn’t cover?  Here you go:

  • Encrypt your data (in transit, in use and at rest)
  • 24/7 monitoring of your devices and networks
  • Inventory your digital assets
  • Identify your digital assets’ vulnerabilities
  • Make sure your breach and cyber liability insurance are properly fit to your business needs and risks
  • Contact Ultimate Risk Solutions for more help or info: info@ultimateriskslutions.com or 800.55.HELPS

PREVIOUS

Physician, heal thyself.

NEXT

NFPA Sounds Alarm for Fire Prevention Week 2016