Credit card fraud/theft liability soon shifts to merchants — like body shops — who swipe stripe instead of chip
By onBusiness Practices | Legal | Market Trends | Technology
Though an identity thief is more likely to go on a retail shopping spree than seek professional services, collision repairers should still take note of some major new credit card rules launching in October.
Starting Oct. 1, any merchant who swipes a traditional credit card stripe instead of a more secure EMV chip could be liable for any charges racked up on a counterfeit, lost or stolen card by someone other than the cardholder, according to Jerry Smith, who runs the Arizona payment office of First Data subsidiary Ignite Payments.
“This is a very big transition,” Smith said during a BizUnite webinar last week for merchants. (See his slides here.)
EMV stands for “Europay, MasterCard and Visa,” but associations like Discover and American Express are on board with the technology too. It’s set to affect 1.2 billion U.S. cards and 8 million point-of-sale terminals and cost merchants and issuers $6.8 billion, according to Smith.
Liability
Technically, the cost falls to whichever party between the card issuer (for example, Chase) and the merchant (for example, Walmart) failed to update their technology to handle the new standard.
If a card issuer hasn’t replaced their customers’ cards with chipped ones, the liability is theirs. If the card has been upgraded but the merchant swipes the stripe instead of the chip — whether because they forgot or don’t have the proper equipment — the costs are the merchant’s, according to Smith.
If the terminal can’t read the chip for some reason, a merchant can use the stripe and avoid liability, according to Smith. (This is known in the credit card services industry as a “fallback” situation.)
The terminals must be certified, not merely “capable,” or you could still be stuck with the bill even if the chip is used, Smith said.
Though “a lot of processors are selling fear in response to the EMV launch,” according to Smith, the truly certified machines have been subjected to a stringent process which can take between four to six months for their manufacturers to get the nod.
“It is not a point-and-click process,”he said.
Some EMV cards are “chip and signature;” others are “chip and PIN” like a debit card. The U.S. still isn’t fully chip-and-PIN, which Smith said surprised him as it’s the most secure. (It was unclear who is liable for the costs if a fraudulent, lost or stolen chip-and-PIN card is processed with a signature instead.)
What about those card readers which plug into a smartphone? EMV-ready options do exist, including from the commonly used manufacturer Square. However, Smith took a jab at Square’s sale of customer details to telemarketers and promoted First Data’s competing “Clover” technology.
Customers
“EMV is going to impact all of us in one way, shape, or form,” Smith said, and customers can also be held responsible for some of the costs. However, it shouldn’t be much different from what’s going on today.
A customer can be liable for up to $50 on a credit card, zero if the card was already reported lost or stolen. There is no liability for a cardholder if their plastic is used in a “card not present” transaction — such as buying stuff online.
Chipped debit cards also carry no liability for a cardholder if they’re reported lost or stolen first. Otherwise, you’re on the hook for $50 if you report it within two business days. That amount increases to $500 if you report the loss/theft after two business days but less than 60 calendar days. If by Day 60 or beyond you haven’t reported the card’s absence — which Smith called highly unlikely — you’re liable for any costs incurred by whoever has it.
Why the switch?
A staple in Europe for a while, the EMV chips are “virtually impossible to duplicate” compared to the fixed, 16-digit numbers in the 45-year-old magnetic strip technology.
The codes transmitted verify not only the card but the terminal’s certification. Unlike your “static” credit card number sent with every traditional purchase, the EMV chip’s codes are unique to each transaction, according to Smith. (We were reminded of the “one-time pads” everyone’s always using in spy novels.)
“I’m surprised it’s taken this long to make it to the states,” he said.
The impetus for the switch is clear, according to Smith. Fraud from counterfeit cards is projected to rise to $3.6 billion this year from $2.1 billion in 2012, he said, citing Aite Group statistics. Following the 2015 conversion to EMV, counterfeit card losses are expected to fall to $3.1 billion in 2016 and $1.8 billion by 2018, as you won’t be able to clone them as easily. (For example, by hiding a “skimmer” atop a real card reader to steal the magnetic strip information.)
On the flip side, “card not present” (think online transactions, for example) fraud is expected to rise from $3.1 billion in 2015 to $6.4 billion in 2018, as thieves move to the “path of least resistance,” according to Smith.
Smith recommended the 3D Secure option — also known as “Verified by Visa” and “MasterCard SecureCode” — for online transaction protection to avoid liability there (Which in that space always rested with the merchant, Smith said.)
“That is a very, very nice safety net,” Smith said.
Further advice
Smith, whose parent company processes 70 percent of all credit card transactions in the U.S. — think of it as the step below the credit card companies themselves — said that service businesses like body shops aren’t as great a target as retailers.
Still, we thought it was important to remind shops of the change and encourage them to contact their processor for more information about what’s best for their business.
You can also contact First Data. The Society of Collision Repair Specialists has a program which would earn a $200 credit and offers a dedicated account rep for members.
Details: Members can call Ken Keifer at 424-903-6877 or email ken.keifer@firstdata.com for more information.
Further reading: www.emvco.com; www.firstdata.com/emv; www.emv-connection.com
More information:
“EMV – The New Landscape: 21 Days & 12 Hours” webinar
Ignite Payments presentation via BizUnite, Sept. 9-10, 2015
“EMV – The New Landscape: 21 Days & 12 Hours” slides
Ignite Payments presentation via BizUnite, Sept. 9-10, 2015
Featured image: Starting Oct. 1, any merchant who swipes a traditional credit card stripe instead of a more secure EMV chip could be liable for any charges racked up on a counterfeit, lost or stolen card by someone other than the cardholder, according to Jerry Smith, who runs the Arizona payment office of First Data subsidiary Ignite Payments. (Suzana Profeta/iStock/Thinkstock)