EMV, NFC, Mobile Wallets and Credit Card Fraud Liability
Beginning in October 2015, merchants who have not upgraded to EMV-compliant point-of-sale (POS) terminals, will be liable for the full amount of any fraud losses incurred at their stores. That requirement is, of course, a big part of the push towards adoption of EMV (also known as chip-and-PIN) cards that the credit card networks have undertaken. And there is a good reason for it: EMV cards are much more secure than the magnetic-stripe-based ones that we have here in the States.
Incidentally, as NYT’s Joshua Brustein reminds us, this requirement is also a boon for mobile wallet operators like Google and Isis who have been “severely limited by a lack of N.F.C.-enabled merchants and phones.” The idea is that merchants are upgraded to new POS terminals that are both EMV- and NFC-compliant. Point-of-sale equipment manufacturers like VeriFone also stand to benefit in a huge way from the shift to new equipment and, of course, proponents of competing mobile payments technologies like Square and PayPal are telling everyone who would listen just how senseless this whole NFC thing is. But I’d like to add a couple of things that are missing from Brustein’s piece which, I think, will help you better understand exactly what is being done by the credit card networks and why.
Merchants to be Held Liable for Fraudulent Transactions
First, let’s see what Visa has decided on the fraud liability issue:
Visa intends to institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale (POS) transactions, effective October 1, 2015. Fuel-selling merchants will have an additional two years, until October 1, 2017 before a liability shift takes effect for transactions generated from automated fuel dispensers. Currently, POS counterfeit fraud is largely absorbed by card issuers. With the liability shift, if a contact chip card is presented to a merchant that has not adopted, at minimum, contact chip terminals, liability for counterfeit fraud may shift to the merchant’s acquirer. The liability shift encourages chip adoption since any chip-on-chip transaction (chip card read by a chip terminal) provides the dynamic authentication data that helps to better protect all parties. The U.S. is the only country in the world that has not committed to either a domestic or cross-border liability shift associated with chip payments.
So the fraud liability will be shifting to the merchant’s acquirer (processor), not directly to the merchant. The processor may then pass it on to the merchant (it probably will), but that is a matter to be settled between the two parties.
Who Pays for Credit Card Fraud
Then there is the issue of paying for fraudulent transactions. Brustein makes it sound as if the merchants have so far been spared from fraud losses. Moreover, in the above statement Visa tells us that “POS counterfeit fraud is largely absorbed by card issuers.” In reality, however, merchants have been absorbing a quite substantial portion of all fraud losses incurred in the U.S., to the tune of 41 percent in 2006, according to Kansas City Fed economist Richard J. Sullivan.
As you see in the table above, most of the merchants’ fraud losses (59 percent) have come from POS transactions, which are the ones that are affected by Visa’s “liability shift” decision. So, while making non-EMV-compliant merchants liable for all fraudulent transactions does give them a huge push to adopt the new technology, it has to be kept in mind that merchants have not exactly been immune to fraud losses. The only participant in a bank card transaction that is fully protected against fraud losses is the cardholder.
The Takeaway
The bottom line is that a full-scale EMV adoption will take place in the next two to three years. Keep in mind that Visa has also mandated that all U.S. processors support merchant acceptance of chip transactions by April 1, 2013, less than a year from now. The big merchants will be the first to upgrade their terminals, most likely long before the deadline. By the time October 1, 2015 comes around the only stores that won’t be able to take a wave of your phone for payment will be small mom-and-pop operations whose owners will have not yet heard the news.
And yes, the mobile wallet operators do owe Visa and MasterCard a huge “thank you.”
Image credit: Clearpayfs.com.
How to Manage Chargeback Reason Code 41
Merchant Account Reserve
In all countries that have switched to EMV, credit card fraud has declined, while the opposite is happening in the U.S. with our mag-stripe cards. So I think it is clear what we should do and if it benefits someone else along the way, so much the better.
Fraud losses on credit and debit in the U.S. have increased by 70% since 2004, because we are still using an old card technology. We should have moved to chip-and-PIN long time ago and Visa and MasterCard should have forced the merchants and the banks to do that.
Chip cards are also less vulnerable to skimming, which is a big problem here. Every week I read somewhere about yet another gas station where a skimming device had been collecting credit card information for who knows how long and this can be easily taken care of.
It looks like Google will get a big break just when it needs it the most. Its wallet has been having real trouble getting traction and forcing the merchants to buy terminals that will be compatible with the mobile wallets is just what the doctor prescribed.
While what you are saying is true and this is a lucky break for Google, it may end up coming a bit too late. There are still 3.5 years left until the new mandate is enforced and Google needs help right now, especially with Isis breathing down its neck.
The US seems to be the last industrialized country not to have adopted chip-and-PIN and that just isn’t right. It’s about time we did it.
Well, the US is the only industrialized country to have not done many other things people in Europe take for granted, so that shouldn’t come as a surprise.
I’ve been waiting for chip-and-PIN for a long time. As everyone who travels regularly to Europe will tell you, most of the time our cards just don’t work with their terminals. Hopefully our standards will be compatible.
I couldn’t agree more, this switch would be a huge relief. Although sometimes I feel that the problem in Europe is not the technology, but that the retailers just didn’t want to take our cards. I don’t know if it was because they didn’t want to pay the transaction fees or whatever, but that’s how it felt.
I think merchants should be responsible for a higher share of the fraud losses, because they are the first line of defense. They should have some incentive to help prevent fraudulent transactions, which would be missing if the issuers took the whole hit.
Well, you do have a point there, but the merchants need to have the tools to fight fraud. It is very difficult to recognize a counterfeit card that is using skimmed information. So EMV will go some way toward achieving that goal.
I wouldn’t sign up for Google Wallet or Isis until they can prove that NFC is secure and that nobody will pass by me and read all of my credit card information. So whether the merchants can accept the mobile wallets or not, security is still an issue.