Merchants: “Chip” In or Prepare to Shell Out
On October 1, 2015, a game-changing deadline will hit brick-and-mortar retailers, restaurateurs, and service providers that take credit cards. It is the EMV liability shift date.
If you are wondering, “What is that?” you are not alone. According to the latest Wells Fargo/Gallup Small Business Index, more than half of merchants were unaware that as of October 1, liability for fraudulent use of a credit card will shift from the card-issuers to merchants who are not EMV card compliant.
EMV cards (named for the companies driving the technology—Europay, MasterCard and Visa) are credit cards with a microprocessor chip embedded in them. Widely used in Europe, these cards have substantially reduced credit card fraud in the bricks-and-mortar world. But, until recently, nearly all U.S.-issued credit cards were magnetic strip cards.
Magnetic strip cards embed static authorization information in the strip on the back of the card. Because it is static, the information can readily be reused, making life easier for those seeking to commit credit card fraud. In contrast, the microprocessor chip in the EMV card dynamically generates a unique transaction authentication each time it is used. An additional level of security can be provided by requiring the user to enter the PIN he or she selected before the authorization is complete. (This is common in European countries.)
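The difference between static and dynamic authorization described above can be modeled in a few lines; this is an added example, not part of the original article. HMAC-SHA256 stands in for the EMV-specified cryptogram algorithm, and the `Issuer` class, `chip_cryptogram` function, card number and amounts are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

class Issuer:
    """Toy issuer host. All names and values are constructed for this example."""
    def __init__(self):
        self.stripe_data = {}   # card number -> static value encoded on the strip
        self.chip_keys = {}     # card number -> secret key stored inside the chip
        self.last_counter = {}  # card number -> highest transaction counter accepted

    def enroll(self, pan):
        self.stripe_data[pan] = secrets.token_hex(4)
        self.chip_keys[pan] = secrets.token_bytes(32)
        self.last_counter[pan] = 0
        return self.stripe_data[pan], self.chip_keys[pan]

    def approve_stripe(self, pan, static_value):
        # Static check: the same value is valid for every purchase.
        return hmac.compare_digest(self.stripe_data.get(pan, ""), static_value)

    def approve_chip(self, pan, amount_cents, counter, cryptogram):
        key = self.chip_keys.get(pan)
        if key is None or counter <= self.last_counter[pan]:
            return False  # unknown card, or a counter value that was already used
        expected = chip_cryptogram(key, pan, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # code was not computed for this amount and counter
        self.last_counter[pan] = counter
        return True

def chip_cryptogram(key, pan, amount_cents, counter):
    # Assumption: HMAC-SHA256 as a stand-in for the real EMV cryptogram.
    msg = f"{pan}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def demo():
    issuer, pan = Issuer(), "4000000000000002"  # constructed test number
    stripe, key = issuer.enroll(pan)
    code1 = chip_cryptogram(key, pan, 2500, 1)
    return {
        # Magnetic strip: the value recorded at one purchase is accepted again.
        "stripe_first": issuer.approve_stripe(pan, stripe),
        "stripe_reused": issuer.approve_stripe(pan, stripe),
        # Chip: each purchase needs a fresh code bound to amount and counter.
        "chip_first": issuer.approve_chip(pan, 2500, 1, code1),
        "chip_resent": issuer.approve_chip(pan, 2500, 1, code1),
        "chip_old_code_new_purchase": issuer.approve_chip(pan, 9900, 2, code1),
        "chip_second": issuer.approve_chip(
            pan, 9900, 2, chip_cryptogram(key, pan, 9900, 2)),
    }

if __name__ == "__main__":
    print(demo())
```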
High-profile data breaches at major retailers finally prompted the U.S. to join Europe, Canada and many Asian countries on the chip-card bandwagon. Earlier this year, credit card companies began issuing EMV chip cards to their cardholders. And, to encourage merchants to invest in the equipment and training necessary to accept those cards, the major companies established October 1 as the liability-shift date.
Bear in mind this deadline is not mandatory—your credit card payment processor will not cut you off if you still accept the old-fashioned magnetic card payments after September 30. However, if you do so, you will expose yourself to liability for fraudulent purchases.
Today, if a transaction is fraudulent, the card-issuer (Visa or MasterCard, for example) bears the full financial responsibility for the loss. Absent extraordinary circumstances, the retailer still gets paid. However, after September 30, the card-issuer will be liable only for transactions made at a chip-enabled card terminal or if it has failed to issue EMV cards to its cardholders.
Despite the shift in the risk of liability for fraud, the recent Wells Fargo/Gallup Small Business Index found that 21 percent of small business owners never plan to upgrade and another 34 percent indicated that they did not plan to upgrade before the October 1 deadline. In addition to shifting liability to the individual business owner, the liability-shift deadline may shift fraudulent purchasing away from larger merchants, who are more likely to be compliant, to smaller businesses. (It will also shift fraudulent purchasing toward online merchants whose customers don’t present physical cards to scan.)
In many cases, smaller businesses will find the upgrades relatively inexpensive and straightforward. For example, if you use Square for payment processing, then the upgrade is as simple as acquiring a new dongle for your phone. And, Square is currently offering these $49 readers for free. Other POS providers also offer straightforward solutions and upgrades—many of which are plug-and-play. If your hardware and software are several years old, you may need additional upgrades. Contact your POS providers for more information.
In order to protect your business, the best policy is to upgrade to chip-compliant terminals, rather than hope no fraudulent payments are made at your business.