EMV Liability ShiftThe Current State of Merchant Fraud Fault Judgements, In-Store & Online

Ten Years Later, How Has EMV Liability Changed the Game for Merchants?

The EMV liability shift went into effect on October 1, 2015. That means we’re coming up on the ten-year anniversary here in a couple of months.

Introduced by card networks, the fraud liability shift was intended to encourage merchants, banks, and consumers to make EMV “chip” cards their preferred type of payment card transaction.

There was a lot of confusion going around in those first months. In the end, though, much of the liability for chargebacks that once fell on the shoulders of card issuers was shifted to acquirers. In turn, acquirers off-loaded the responsibility to merchants.

Responsibility could be shifted back to issuers under the conditions of the new mandates. However, this would only happen once a merchant became compliant with the new regulations.

But, even a decade later, some merchants are still unsure of where that “liability line” gets drawn.

Others are still unaware that they may be held fully liable for fraudulent transactions if they aren’t in compliance with later rule updates. To clear things up, we’ll take a closer look at the EMV liability shift. We’ll explore what was accomplished, and where merchants need to go from here.

What is EMV? How Does it Work?

Before we get into it, let’s offer a little background info.

EMV stands for “Europay, Mastercard, and Visa.” These are the three card networks that created the payment standard on which EMV technology works. The standard is now owned and managed by EMVCo, a consortium made up of Visa, Mastercard, JCB, American Express, China UnionPay, and Discover.

The program is most often associated with electronic chip-enabled cards. These chip cards have all but replaced legacy magnetic stripe cards as the aforementioned companies’ preferred payment method.

The electronic chip embedded into an EMV card contains encrypted customer data. But, unlike traditional magnetic stripe cards, the data stored is never actually transmitted. Instead, when a customer “dips” their card into an EMV card reader, the chip translates the user’s data into a one-time-use token that stands in for the data in question. This is a practice called tokenization.

Learn more about EMV technology

What Was the EMV Liability Shift?

The EMV liability shift of 2015 was implemented by the major card networks in an effort to relieve issuers’ liability for fraud. The initiative aimed to mandate fraud protections for merchants and consumers and shift liability for fraudulent transactions to the least compliant party.

For consumers, EMV cards must be inserted (rather than swiped) to be eligible for fraud protection. For merchants, they must prove they are compliant with regulations at all times (this includes the application of fraud prevention tools). In most cases, merchants and acquirers are generally held liable for fraud. 

According to financial service Square, chip cards are the norm in almost all major economic regions, including the United States. However, getting to this point was a long road. Despite their proven superiority in terms of security, the acceptance of EMV cards was a slow process in the US.

Despite these changes, US consumers often worried that the process of “dipping” a card would take longer and be more involved than swiping. Many merchants also dragged their feet about adopting the new system, arguing that customers weren’t interested and that the change was costly, confusing, and too complicated.

To encourage more merchants — and, by default, more consumers — to get on board, the card networks collectively updated the EMV liability shift regulations in 2018 and again in 2021. The more recent (and harsher) penalties from the EMV mandate made older processing methods less appealing for merchants.

How EMV Liability is Assigned

Under the old system, issuing banks were responsible for reimbursing their customers in fraud cases involving a counterfeit or stolen card. As of October 2015, however, merchants who allow a chip card to be swiped are now considered liable if the transaction turns out to be fraudulent.

Now, if an EMV card is used at a POS terminal that is not EMV compatible, the liability for any acts of fraud resulting from that transaction will shift to the acquiring bank. The bank will shift responsibility to the merchant, since they are assumed to be responsible for the security breach. So basically, if a merchant accepts a fraudulent transaction due to failure to deploy EMV technology, they must also accept liability for the financial loss.

This wasn’t intended to be a “punishment” for merchants. However, it is meant to force merchants to update and modernize their POS hardware. They also must remain compliant with current fraud prevention standards.

Now that we’re past the 2018 and 2021 updates, here’s a final tally of who’s liable and for fraud, and when:

Counterfeit Card Liability

Lost or Stolen Card Liability

The tables above are generally accurate, though there are a few exceptions. Purchases that don’t require a PIN, signature or another verification method, transactions at an ATM, and cross-border transactions are subject to different liability shift guidelines.

Did the EMV Liability Shift Work?

EMV has been a mostly global standard since 2004. In fact, 94.76% of global transactions are made using EMV chip cards as of 2023.

EMV chip transactions have been very effective at preventing in-person card fraud. Although credit card transaction volumes grew by 40% in the US between 2019 and 2023, card-present fraud losses declined from $3.80 billion in 2019 to $3.51 billion in 2023.

In other words, card-present fraud in the US declined by roughly one-third within five years on a transaction volume-adjusted basis.

That’s all great news. But, while the EMV liability shift has been a game-changer in the fight against in-person fraud, it’s no help when it comes to card-not-present fraud, as we’ll see below.

The Pros & Cons of EMV 

Regardless of which party bears responsibility for fraudulent EMV transactions, the technology itself has proven to be extremely helpful against in-person fraud. But, as we mentioned above, it has a lot of shortcomings. 

So, on that note, let’s go over a few pros and cons associated with EMV technology:

Remember, not all card-present merchants migrated to EMV technology at once. For instance, gas stations and convenience stores took significantly longer to adapt. Because of this, incidents of fraud and chargebacks remained significantly higher in this industry compared to other verticals. Even though the deadline to adhere to federal EMV mandates went into effect in April of 2021, many of these businesses are still not 100% compliant.

As we’ve mentioned, EMV technology is an excellent deterrent against in-person and card-present fraud. However, it offers little to no real protection against card-not-present fraud outside of mobile wallet apps. It provides even less protection against chargebacks.

CNP Fraud: Where EMV Liability Fails

If your business mainly focuses on in-store sales, the adoption of EMV chip cards will definitely lower your risk and liability for fraud. This is because the tokenization technology we mentioned above is very difficult for fraudsters to hack or spoof. Even if the fraudster is in possession of the physical card, without a PIN code, it’s all but useless to them. 

eCommerce merchants, on the other hand, have had to brace themselves for an increase in fraud.

Card-not-present fraud losses more than doubled between 2019 and 2024, from $5.04 billion to $10.16 billion. Some of this growth in fraud can be attributed to the corresponding rise in transaction volume. But others claim that the EMV liability shift really just pushed fraud online, rather than eliminating it.

Today, CNP fraud accounts for 74% of US payment card fraud by volume, up 17 percentage points from 2019. Making matters worse is the fact that CNP fraud is harder to trace, more difficult to prevent, and more likely to be the result of friendly fraud than third-party card-present scams like counterfeits or theft.

If eCommerce transaction volume continues to compound at double-digit rates in the coming years, CNP fraud trends could follow suit. Friendly fraud now accounts for over 70% percent of all chargebacks filed against merchants… partially thanks, in a very roundabout way, to the EMV liability shift.

CNP Best Practices in a Post-EMV Liability World

Online fraud is going to be a problem for the foreseeable future. This is why it is so important for online merchants to take a long hard look at their internal particles now before an issue arises. 

A few best practices to consider include:

That last point is especially important. As we addressed earlier, friendly fraud is a fast-growing problem; one that EMV fraud protections are useless to prevent. So, how can merchants use EMV to combat CNP and friendly fraud? The solution is to implement a strategy that combines every fraud prevention method possible.

A Multi-Layered Strategy is Needed

The EMV liability shift “worked” well against in-person fraud.But, it has been demonstrably ineffective against CNP fraud and all first-party fraud. 

Any merchants in the card-not-present space must be conscious of increased exposure to fraud, and should adopt a plan to deal with it. A comprehensive risk mitigation strategy must be able to anticipate and prevent criminal fraud, as well as respond to illegitimate chargebacks stemming from friendly fraud.

That said, fraudsters typically change their tactics faster than in-house fraud detection teams can respond. Professional solutions that are specifically designed to stay one step ahead can significantly enhance a business’s bottom line.

Chargebacks911® is ready and able to help merchants combat all types of chargebacks and recover revenue. Contact us today for a free chargeback analysis to diagnose your business’s risk level.