Saturday, October 3, 2015

EMV Cards | October 1, 2015 | Merchants Now Responsible for Fraud

I think we just crossed over a big change in the credit card world which I wish I more fully understood.  We're moving finally away from the weak security of credit cards with magnetic stripes and towards a pin and chip system.

Traditionally, if someone buys something at a retailer with a fraudulent credit card,  the merchant  was in no way responsible for the loss. I guess the issuing bank was responsible for the losses.

Also traditionally, in the US, our credit cards are based on a simple magnetic stripe on the back.  Even though the rest of the world has switched decades ago to a chip with pin system, the US has not.  It's one of the weird things about the US over the last 50 years.  While other countries have gone shooting ahead with innovations that improve the economy for everyone but require investment and some adjustment and some collective planning, the US seems a little too....something... to move forward. Lazy? Complacent? Disorganized? Examples...

Time to go metric which is better for industry and education? England and India and Brazil and China can do it.  But not the US.

Time to teach kids to read properly which means starting with the sounds (not the names) of letters? The UK and France have switched but we, being far more traditional, have not (yes, our rate of illiteracy is much higher than those two countries combined).

Time to move to an all digital cellular phone system?  Most of the world made the switch about 10-15 years ahead of the US.

Time to move from a ridiculously insecure system of credit cards where no pin is required and a fake card can easily be made since it's just a magnetic band on the back?  The rest of world did it decades ago but the US is only switching now and we're not really bothering with the pin part since it's a little inconvenient and it's hard for our highly competitive (with each other) credit card players to make the switch so we're only going to try adding a chip at this time.

OK, I've had my rant, now back to a description of the new system.  Going forward, if a retailer only uses the magnetic stripe reader and hasn't upgraded to or started using the chip system, the retailer will take responsibility for the losses if the card is fraudulent.

For merchants and financial institutions, the switch to EMV means adding new in-store technology and internal processing systems, and complying with new liability rules. For consumers, it means activating new cards and learning new payment processes.
Most of all, it means greater protection against fraud. Quoted from which has a great article on the topic.  It continues to explain liability....
Today, if an in-store transaction is conducted using a counterfeit, stolen or otherwise compromised card, consumer losses from that transaction fall back on the payment processor or issuing bank, depending on the card's terms and conditions.
After an Oct. 1, 2015, deadline created by major U.S. credit card issuers MasterCard, Visa, Discover and American Express, the liability for card-present fraud will shift to whichever party is the least EMV-compliant in a fraudulent transaction.
Consider the example of a financial institution that issues a chip card used at a merchant that has not changed its system to accept chip technology. This allows a counterfeit card to be successfully used.
"The cost of the fraud will fall back on the merchant," Ferenczi says.
However, what the article does not cover and what I'm seeking to understand is what has changed for us Card Not Present merchants? In a separate article, says the problem of fraud for online transactions is going to get worse.  More quoting....
Sophisticated online fraud rings are expected to flourish in the next few years, even as the U.S. switches to credit cards embedded with anti-fraud computer chips.
Following the lead of most other developed countries, card issuers in the United States have begun phasing out credit cards with only the traditional magnetic stripe and replacing them with cards that also contain a newer technology known as an EMV chip, which makes the cards nearly impossible to counterfeit.
However, as the ability to use counterfeit cards in stores dries up, fraudsters are expected to turn to other forms of fraud that prey on different vulnerabilities. At the top of the list, payment security experts say, is using stolen card numbers to buy stuff from the Internet.

And that might be only the beginning. "As long as we innovate and develop new financial services, there will always be some exploit that will be created and someone seeking to take advantage of a poorly executed or nonexistent control," says Seth Ruden, senior fraud consultant with ACI Worldwide.
In every country that has switched to EMV cards -- and the United States is the last developed country to do so -- online fraud has jumped, says online fraud expert Brian Krebs. "Fraud doesn't go away, it just goes somewhere else, and that somewhere else is always online," he says. "The thieves can still steal the card number and expiration date, which still can be used online. So that's generally what will happen. We'll see a pretty big uptick in card-not-present fraud."

1 comment:

Jestep said...

The article is incorrect, or at the very least, deliberately ambiguous. There's also a number of processors using fear tactics to entice businesses to upgrade their equipment which we've seen markups as much as 3 or 4 times the normal amount that terminals sell for.

The only shift in liability is for cards that have been copied. This would occur when a card is skimmed or stolen online and copied onto a real physical card.

Stolen or lost cards and situations where the customer simply decides to request a chargeback are unaffected.

For most small and medium merchants, the actual effect is going to be negligible. Certain types of businesses such as gas stations, who still have 2 years until their liability shift occurs, account for the vast majority of this type of fraud. Online should also expect to see an increase in fraud as retail EMV adoption increases.