In a matter of days, the EMV liability shift goes into effect.
Just tuning in? This will bring you up to speed. Simply put, from here on, if a customer uses a counterfeit card in a store, the party (merchant or card issuer) responsible for a transaction NOT going through as a secure EMV chip transaction will be held financially liable by the card networks (Visa, MasterCard, etc.) for fraudulent charges. Previously, that liability rested with the issuer.
EMV transactions are certainly more secure than magnetic-stripe transactions. But that doesn’t mean every place you shop will upgrade in lock step. In fact, for many small merchants, upgrading may not seem worth the cost – and may not even be immediately possible for some types of businesses.
Some merchants question what’s in it for them
Prior to Oct. 1, 2015, if a customer paid for goods and signed the slip (with the same name as the one printed on the card), the merchant wouldn’t be held liable if the cardholder later said the purchase was fraudulent, explains Mark Verrico, president of Strategic Payment Systems Austin, a payment processing provider located in Austin, Texas.
Post-liability shift, however, merchants will automatically be liable in this situation, if their equipment isn’t capable of running EMV transactions and therefore requires the magnetic stripe to be used.
This change has obvious benefits for issuers, Verrico says, as upgrading their cards reduces their liability — and looks good to stockholders. For merchants, however, upgrading and buying new equipment merely gets them back to the pre-liability shift status quo.
“With regards to your business’s liability, if you [as a merchant] upgrade, you don’t get anything better, you don’t get anything worse. You just stay exactly the same,” Verrico says.
There’s another issue, too, that gives some merchants pause: The way EMV is being implemented in the U.S. Across the rest of the world, EMV has been implemented as “chip and PIN” – a PIN is programmed into the card’s computer chip and is required for transactions. Stateside, however, the PIN part isn’t mandatory, so many issuers (most, in fact) are issuing “chip and signature” cards. Instead of a PIN, only a signature is required for the purchase.
“It’s really unfortunate that that’s the case,” says Andrew Goetz, co-founder of Malin + Goetz, a beauty supply company with stores in New York and Los Angeles. “Obviously, chip and PIN is a much more secure format than chip and signature. Anyone can sign a name.”
True, EMV makes cards extremely difficult to clone from data swiped during breaches (such as the Target and Home Depot breaches), and fewer cloned cards floating around is a good thing for all parties (except data thieves). But it does nothing to protect merchants from thieves who steal physical cards and can then use them (without a PIN) until the theft is reported. When this happens, merchants get dragged into the time-consuming and costly chargeback process.
“Out of the fraud that we encounter, [cloned cards] is not the fraud we encounter,” Goetz says. “We encounter stolen credit cards.”
For some merchants, upgrading goes smoothly
While the form EMV is taking in the U.S. is “unfortunately too little,” according to Goetz, he says his stores upgraded as soon as they possibly could (a few months before the shift) – and would have done so years ago, had the technology been available. The cost wasn’t prohibitive, Goetz says, and today, about 70 percent of Malin + Goetz store transactions are run as EMV, he estimates.
For other merchants, upgrading happened in the natural progression of replacing old equipment. Javier Odom, operations manager of Walt’s Jewelers in Gilbert, Arizona, says the store converted to EMV several months before the shift when it switched from a cellular-based card processing machine to an Internet- and landline-based one. Its processing provider recommended getting equipment that also supported EMV.
After pricing out various choices, Odom says they chose equipment with the most options, including contactless NFC and compatibility with gift cards. Equipment costs were a couple hundred dollars. After plugging in the new device and making some technical adjustments, “we were done,” Odom says.
The biggest challenge, according to Odom, has been getting employees up to speed on the new equipment.
“Most of the employee training issues we had related to our new machine were not related to EMV,” Odom says, “But rather to NFC issues and day-to-day operations, such as how to do a refund, how to reprint a receipt, and so forth.”
As of September 2015, Odom estimates, about 75 percent of customers were paying via contact EMV (under 5 percent with contactless NFC).
Merchants don’t always have control over upgrading
Other merchants who want to upgrade in time for the shift, however, may not be able to do so for the following reasons:
- Dependence on a third-party point-of-sale system provider: Some merchants rely on custom software tailored to their business – and that company’s software needs to be EMV-compliant as well. It’s not just a matter of the merchant plugging in a new, EMV-capable terminal, Verrico says; if the third-party provider hasn’t upgraded, the merchant can’t either.
“There’s going to be a long period of time when some merchants can’t upgrade,” Verrico says. “They either have to find a new solution or eat the liability.”
- Practical concerns: Today, when you eat at a restaurant, the bill is brought to you, the server runs your card, and the tip is added later (after you write it on the sales ticket).
“They can’t do that with EMV,” Verrico says. “EMV is a live transaction the entire time the card is in place.”
Throughout the rest of the world, card readers are brought table-side at restaurants, so that the entire transaction can be completed in one go.
“So, if restaurants want to take advantage of EMV, they have to change the entire flow of the transaction,” Verrico says. “They need to get technology that works table-side.”
- Reliance on mobile card-readers: Many small merchants rely on mobile readers from companies like Square and PayPal. The question is, when will merchants who have requested the newest readers) from these providers receive them?
According to PayPal’s website, its $149 reader ($49 with rebate, after $3,000 in payments have been processed within the first three months) will be ready to go in October 2015. Square offers two options. The first, a $29 reader that accepts magnetic stripe cards and chip cards, is available for immediate shipping, according to a Square spokesperson. Square is also offering a new reader that accepts magnetic stripe cards, chip cards AND contactless NFC payments. That one doesn’t have a ship date yet, but Square’s spokesperson confirmed it will be ready to ship this fall.
For merchants waiting on the newest Square reader (who don’t already have the $29 version) or on the PayPal EMV reader, there will be a delay on EMV compliance. Included in this group is Becky Sturm, founder and president of StormSister Spatique, an online beauty boutique that works with small Minnesota businesses that do pop-up shops.
“Both Square and PayPal have been great about sending out information about the new technology,” Sturm says. “But, I know I’m not the only one has been wondering why the readers are not ready when the October date goes into effect.”
For merchants who have reserved its new reader, Square has promised liability shift protection (see terms and conditions). That means it will cover the costs of fraudulent non-EMV swipes in the gap between reserving the reader and receiving it.
Some merchants may not feel the need to immediately upgrade
Wells Fargo performed a survey in August 2015 that found that 21 percent of small-business owners have no plans to upgrade for EMV. It may actually make sense that some businesses aren’t in a hurry, Verrico says, if they’re not exactly a target for fraudulent purchases.
“I’ve got merchants that sell cupcakes,” Verrico says. “[One of them asked], ‘Mark, do I need to get a new terminal?’ I asked how many chargebacks he’s had to manage in the past five years, and he said zero.”
Meanwhile, merchants who sell expensive, re-sellable items or who operate in high-risk situations (at bazaars and fairs, for example), may have a more immediate interest in upgrading, Verrico says.
“They have to look at the risk and compare it to the cost of new equipment,” Verrico says. “It’s their liability and their decision.”
Updated Sept. 29, 2015