Things are a-changin' in the credit card world. Gone are the days of relying on the old magnetic stripe to transmit transaction information to the card issuer. As we discussed in "The October 1 Card Reader Update Deadline Nobody's Talking About," banks and credit card companies are rolling out the EMV – Europay, MasterCard, and Visa – chip to replace the magnetic stripes on credit cards.
That's not to say that new credit cards won't have the stripes anymore. They will. But scanning the chip for transaction information is the safer option if you're a merchant.
Why? Simply put, once the October 1, 2015 deadline hits, the party that doesn't have EMV card readers takes the liability when card-present fraud happens. Card-present fraud happens when…
- Thieves steal information from magnetic stripe cards and use it to create counterfeit credit cards attached to the real people's accounts.
- Thieves use those counterfeit cards for in-store transactions.
Here's where EMV comes into play: it's much harder for criminals to steal data from chip-enabled cards because EMV cards produce a one-time code for each transaction that can't be replicated, according to Magento. Moreover, it's incredibly hard for crooks to make counterfeit chip cards.
But the big change for you is this: the switch to EMV chip cards and readers means that if you don't hop on the bandwagon, you are liable for fraudulent in-store transactions. Here are three things that must be true for you to be on the hook for counterfeit and fraud under this new standard.
1. You don't have a fancy new EMV card reading system.
To incentivize merchants to make the shift from magnetic stripe card readers to EMV card readers, card issuers will no longer be liable for card-present fraud made possible by swiped or keyed-in transactions.
In other words, say you haven't updated your card reader and you still swipe credit cards. One day, a smooth criminal pays for their merchandise with a counterfeit credit card. You swipe it just like you would any card. Lo and behold, the customer whose data the counterfeit card is attached to wants their money back for the fraudulent charge.
In the past, the card issuer would have been responsible for reimbursing the customer for their stolen money. With the advent of EMV cards, you are responsible for that lost money if:
- You don't have a chip card reader.
- You have a chip card reader, but still swipe or key in cards.
But wait! There's more.
2. You processed the payment in person.
Plenty of data breaches happen via ecommerce hacks or phishing attacks over the phone. (Proof: "Hello? It's Me. I'm Hacking You.")
However, the EMV switch only makes you liable for fraudulent payments that happen in person. It's still a liability free-for-all when hacks happen online thanks to compromised transactions. You can learn more about all that in our infographic "The Small Business Guide to the Credit Card Data Breach Liability Shift" [PDF].
3. The victim's card has a chip in it.
Lastly, in order for your business to be liable for the credit card fraud, the victim must have a chip-enabled card. The assumption is the criminal got this customer's information because you swiped the chip card's magnetic stripe rather than using the more secure option: the chip-reading well.
In short, it's pretty easy to meet these three criteria for liability if you don't have an EMV card reader. Make the switch by October this year to reduce the risk of being held responsible for card-present fraud. To see how other small businesses have handled the transition, read "Small-Business Owners: How to Make the Transition to EMV Cards Quick and Painless."
And to learn more about online data breaches, read "Bleep Bleep, Bloop Bloop. You Just Got Hacked Again."