If you’ve been paying attention to the news (or to this blog), you may already know that, on October 1, the way liability is allocated for card-related data breaches changes. In the infographic below, you can see a visual representation of what this means for your business. The short version is this: if you accept in-person credit card payments, you must have payment terminals that are EMV- (aka chip-card-) enabled by October 1.
Background: Too Many Data Breaches
Whether or not you’ve heard about the liability shift (which we wrote about last month on our blog), you’ve definitely heard about the rash of data breaches that have affected retailers in the last two years. Target, Home Depot, Neiman Marcus – the list goes on. Millions of Americans have had their personal information exposed by data breaches, and card issuers have had to reissue compromised cards.
What you may not have known is that this isn’t the data breach landscape everywhere in the world. While the United States has about 25 percent of credit card transactions, it actually accounts for almost half of all data breaches. Why? Because most US cards use magnetic stripe technology – the black strip on the back of your card that the reader processes when you swipe. This stripe technology…
- Is more than 40 years old.
- Lets payment processors store your data.
- Is incredibly susceptible to data breaches.
In Europe, most cards use EMV or “chip” technology, which is much more secure. Because of that, European retailers experience far fewer breaches than those in the U.S. of A.
Why the Liability Shift?
Now that massive data breaches have become the norm, the parties that have seen the biggest losses (including large retailers and banks that issue credit cards) have essentially said, “Enough is enough. We have access to better technology; let’s use it.”
And so the powers that be agreed to make EMV chip cards the new standard.
Starting October 1, whichever party (or parties) is not EMV-enabled will have liability for a card-present data breach. That could mean…
- A card issuer (bank or credit card company) has liability if it hasn’t sent its customers updated chip cards.
- A retailer has liability if it hasn’t updated its in-store payment processing terminal.
- A payment processing firm that hasn’t updated its technology may have liability, depending on the terms of the card being used.
What Do Small Businesses Need to Do?
To avoid taking on more liability than is necessary, small-business owners who accept in-store card payments need to upgrade to EMV-enabled payment processing systems by October 1. If you miss the deadline, it’s still important to upgrade ASAP for two reasons:
- Data breach liability is a real and present danger. The average small data breach cost more than $20,000 in 2014. That’s a lot of money for most business owners.
- In 2018, magnetic stripes will be completely phased out. Banks will no longer issue them, customers will no longer hold them, and businesses that can only process this type of card will have no way to accept credit or debit payments.
One final note: we’ve mentioned in this post that “in-person” or “in-store” card transactions will be affected by the October 1 liability shift. Card-not-present (CNP) transactions (including those made when a customer purchases something from an e-commerce website) will not have the same liability burden. However, it’s important to note that as in-store transactions become more secure, many analysts are expecting an uptick in fraud for less-secure transactions, including CNPs. For more on what that might mean for your e-commerce business, check out Chase Bank’s Chip-Enabled Card Acceptance FAQ.