Seven Years Later, How Has EMV Liability Changed the Game for Merchants?
The EMV liability shift introduced by the major credit card networks went into effect in October 2015. It was designed to encourage merchants, banks, and consumers to make EMV “chip” cards their preferred type of payment card transaction.
There was a lot of confusion going around in those first months. In the end, though, much of the liability for chargebacks that once fell on the shoulders of card issuers was shifted to acquirers. In turn, acquirers off-loaded the responsibility to merchants.
Responsibility could be shifted back to issuers under the conditions of the new mandates. However, this would only happen once a merchant became compliant with the new regulations.
Even seven years later, some merchants are still unsure of where that “liability line” should be drawn. So, let’s take a closer look at the EMV liability shift. We’ll explore what was accomplished, and where merchants need to go from here.
Recommended reading
- What is EMV Bypass Cloning? Are Chip Cards Still Secure?
- Dispute Apple Pay Transaction: How Does The Process Work?
- Terminal ID Number (TID): What is it? What Does it Do?
- How Do Credit Card Numbers Work? What do the Numbers Mean?
- What is PSD2? How it Impacts Banks, Businesses & Consumers
- P2P Payment Use in eCommerce Jumps 66% in 2024
What is EMV? How Does it Work?
Firstly, EMV stands for “Europay, Mastercard, and Visa.” These are the three card networks that created the payment standard on which EMV technology works. The standard is now owned and managed by EMVCo, a consortium made up of Visa, Mastercard, JCB, American Express, China UnionPay, and Discover.
The program is most often associated with electronic chip-enabled cards. These chip cards have all but replaced legacy magnetic stripe cards as the aforementioned companies’ preferred payment method.
The electronic chip embedded into an EMV card contains encrypted customer data. But, unlike traditional magnetic stripe cards, the data stored is never actually transmitted. Instead, when a customer “dips” their card into an EMV card reader, the chip translates the user’s data into a one-time-use token that stands in for the data in question. This is a practice called tokenization.
EMV Chip Cards are More Secure
EMV is a more sophisticated form of payment technology than legacy magnetic stripe cards.
Magnetic stripe technology stores only static information that can be easily stored, copied, and ‘hacked’ by fraudsters. New data sets are created for every transaction because of secure EMV tokenization technology. This data is not stored by merchant POS systems, so even if the system is compromised, the data would be useless to a hacker.
What Was the EMV Liability Shift?
The EMV liability shift of 2015 was implemented by the major card networks in an effort to relieve issuers’ liability for fraud. The initiative aimed to mandate fraud protections for merchants and consumers and shift liability for fraudulent transactions to the least compliant party.
For consumers, EMV cards must be inserted (rather than swiped) to be eligible for fraud protection. For merchants, they must prove they are compliant with regulations at all times (this includes the application of fraud prevention tools). In most cases, merchants and acquirers are generally held liable for fraud.
According to financial service Square, chip cards are the norm in almost all major economic regions, including the United States. However, getting to this point was a long road. Despite their proven superiority in terms of security, the acceptance of EMV cards was a slow process in the US.
Despite these changes, US consumers often worried that the process of “dipping” a card would take longer and be more involved than swiping. Many merchants also dragged their feet about adopting the new system, arguing that customers weren’t interested and that the change was costly, confusing, and too complicated.
To encourage more merchants—and, by default, more consumers—to get on board, the card networks collectively updated the EMV liability shift regulations in 2018 and again in 2021. The more recent (and harsher) penalties from the EMV mandate made older processing methods less appealing for merchants.
How EMV Liability is Assigned
Under the old system, issuing banks were responsible for reimbursing their customers in fraud cases involving a counterfeit or stolen card. As of October 2015, however, merchants who allow a chip card to be swiped are now considered liable if the transaction turns out to be fraudulent.
Now, if an EMV card is used at a POS terminal that is not EMV compatible, the liability for any acts of fraud resulting from that transaction will shift to the acquiring bank. The bank will shift responsibility to the merchant, since they are assumed to be responsible for the security breach. So basically, if a merchant accepts a fraudulent transaction due to failure to deploy EMV technology, they must also accept liability for the financial loss.
This wasn’t intended to be a “punishment” for merchants. However, it is meant to force merchants to update and modernize their POS hardware. They also must remain compliant with current fraud prevention standards.
Did the EMV Liability Shift Work?
EMV has been a mostly global standard since 2004. In fact, 91.4% of all transactions worldwide are made with EMV chip cards, which has led to a precipitous drop in card-present fraud.
The number of in-person fraud attacks attempted in the UK has dropped by 69% since 2004. France saw a drop of roughly 50% during the same period. The benefits are undeniable here.
The US was slow to adopt EMV chip cards until the last possible moment. However, even US merchants have seen a significant drop in card-present fraud due to the standardization of EMV chip cards and readers. In fact, for EMV-ready merchants, counterfeit fraud losses decreased by 87% in March 2019, as compared to September 2015 (the month before the liability shift).
So, although many merchants and consumers in the US balked at EMV standardization for global card networks, the need for the measure is obvious. But, while the EMV liability shift has been a game-changer in the fight against in-person fraud, it’s no help when it comes to card-not-present fraud, as we’ll see below.
The Pros & Cons of EMV
Regardless of which party bears responsibility for fraudulent EMV transactions, the technology itself has proven to be extremely helpful against in-person fraud. But, as we mentioned above, it has a lot of shortcomings.
So, on that note, let’s go over a few pros and cons associated with EMV technology:
EMV Technology Can:
- Make it harder for fraudsters to counterfeit cardholder data.
- Make in-person fraud and card theft nearly impossible.
- Prevent user data from being stored in terminals and processors.
- Identify stolen or counterfeit cards.
EMV Technology CAN’T:
- Stop the online theft or sale of credit and debit cards online.
- Protect user data from unauthorized wifi access.
- Protect data stored in merchant systems from online breaches.
- Verify credentials for online purchases.
Remember, not all card-present merchants migrated to EMV technology at once. For instance, gas stations and convenience stores took significantly longer to adapt. Because of this, incidents of fraud and chargebacks remained significantly higher in this industry compared to other verticals. Even though the deadline to adhere to federal EMV mandates went into effect in April of 2021, many of these businesses are still not 100% compliant.
As we’ve mentioned, EMV technology is an excellent deterrent against in-person and card-present fraud. However, it offers little to no real protection against card-not-present fraud outside of mobile wallet apps. It provides even less protection against chargebacks.
CNP Fraud: Where EMV Liability Fails
If your business mainly focuses on in-store sales, the adoption of EMV chip cards will definitely lower your risk and liability for fraud. This is because the tokenization technology we mentioned above is very difficult for fraudsters to hack or spoof. Even if the fraudster is in possession of the physical card, without a PIN code, it’s all but useless to them.
eCommerce merchants, on the other hand, aren’t as lucky. According to the Federal Trade Commission, while EMV adoption had a significantly positive effect on cases of in-person fraud, the opposite was true for eCommerce. Since EMV mandates took hold, reports of online credit card fraud more than doubled between 2019 and 2020. Fraud basically moved online where there are fewer safeguards in place to prevent it.
CNP fraud is now the leading form of credit card fraud online. It accounts for nearly 75% of all acts of online fraud, and is one of the fastest-growing fraud categories to boot. But CNP fraud also has side effects, and for merchants, these can be devastating. A link between CNP fraud and friendly fraud, for example, can be drawn as a result of increased consumer alarm over fraudulent online activity… and this is a link that is also growing worse every year.
Ultimately, criminal fraud incidents may become more common, but friendly fraud grows at an even faster rate. Our data suggests that six out of every ten chargebacks filed by 2023 will be cases of friendly fraud. EMV fraud prevention technology didn’t “cause” this problem… but it has accelerated it.
CNP Best Practices in a Post-EMV Liability World
Online fraud is going to be a problem for the foreseeable future. This is why it is so important for online merchants to take a long hard look at their internal particles now before an issue arises.
A few best practices to consider include:
That last point is especially important. As we addressed earlier, friendly fraud is a fast-growing problem; one that EMV fraud protections are useless to prevent. So, how can merchants use EMV to combat CNP and friendly fraud? The solution is to implement a strategy that combines every fraud prevention method possible.
A Multi-Layered Strategy is Needed
The EMV liability shift “worked” well against in-person fraud.But, it has been demonstrably ineffective against CNP fraud and all first-party fraud.
Any merchants in the card-not-present space must be conscious of increased exposure to fraud, and should adopt a plan to deal with it. A comprehensive risk mitigation strategy must be able to anticipate and prevent criminal fraud, as well as respond to illegitimate chargebacks stemming from friendly fraud.
That said, fraudsters typically change their tactics faster than in-house fraud detection teams can respond. Professional solutions that are specifically designed to stay one step ahead can significantly enhance a business’s bottom line.
Chargebacks911® is ready and able to help merchants combat all types of chargebacks and recover revenue. Contact us today for a free chargeback analysis to diagnose your business’s risk level.
FAQs
What is EMV?
EMV stands for “Europay, Mastercard, and Visa.” These are the three card networks that created the payment standard on which EMV technology works.
The program is most often associated with electronic chip-enabled cards. These chip cards have all but replaced legacy magnetic stripe cards as the aforementioned companies’ preferred payment method.
The electronic chip embedded into an EMV card contains encrypted customer data. But, unlike traditional magnetic stripe cards, the data stored is never actually transmitted. Istead, when a customer “dips” their card into an EMV card reader, the chip translates the user’s data into a one-time-use token that stands in for the data in question. This is a practice called tokenization.
How Do EMV Cards Work?
EMV cards are inserted into an EMV reader rather than swiped. While inserted, the customer will be required to enter a PIN and/or signature to process payment. Card insertion generates dynamic tokenization data to transmit the cardholder’s verification details.
EMV cards can now use the same tokenization technology to pay via contactless readers. To process payment, all a customer needs to do is hold or tap their card over the reader, and the transaction is complete.
What was the EMV liability shift?
The EMV (Europay, Mastercard, and Visa) liability shift of 2015 was implemented by the major card networks in an effort to relieve the issuer’s liability for fraud. The initiative aimed to mandate fraud protections for merchants and consumers and shift liability for fraudulent transactions to the least compliant party. For consumers, EMV cards must be inserted, rather than swiped, to be eligible for fraud protection. For merchants, they must prove they are compliant with regulations at all times (this includes the application of fraud prevention tools). In most cases, merchants and acquirers are generally held liable for fraud.
When was the EMV liability shift?
The EMV shift originated in October of 2015, and was updated in 2018. The final EMV standardization went into effect in April 2021.
Is EMV compliance mandatory?
Voluntary compliance began in 2015. In 2018, harsh penalties and fines for non-compliance with EMV standards were implemented in the US in order to drive widespread merchant adoption. As of April 2021, any merchant that fails to utilize EMV chip technology is held solely liable for acts of credit and debit card fraud.
Did the EMV liability shift help stop fraud?
Yes… and no.
If a business mainly focuses on in-store sales, the adoption of EMV chip cars will definitely lower one’s risk and liability for fraud. This is because tokenization technology is very difficult for fraudsters to hack or spoof.
eCommerce merchants, on the other hand, aren’t as lucky. According to the Federal Trade Commission, reports of online credit card fraud more than doubled between 2019 and 2020. This is because fraud moved online where there are fewer safeguards in place to prevent it.