Table of contents
Intro
Intro to the Liability Shift
On October 1, 2015, the way banks and processing networks handle certain types of fraud changed. In something called ‘the liability shift,’ the onus for some types of fraudulent charges can now fall on your business if you don’t use an EMV (chip card) processing device when buyers present a chip card. Understandably, this all sounds a little scary, but not to worry. We’ll walk you through what you should know about the liability shift in this guide—as well as what easy steps you can take to help protect your business.
This article does not constitute legal advice. Be sure to talk with your lawyer and/or financial advisor to learn more about the liability shift and how it affects your business.
FAQ
Eight Frequently Asked Questions About the Liability Shift
What is the liability shift?
The liability shift is a change in how banks and processing networks handle certain types of credit card fraud. As of October 1, 2015, businesses that aren’t set up to accept chip cards could now be on the hook for certain types of fraudulent transactions.
What type of fraudulent transactions are no longer covered?
If a fraudster pays with a counterfeit EMV card, and you don’t have an EMV card reader (so you swipe the mag stripe versus insert the EMV chip), you could be on the hook for that charge.
What was the reason for the liability shift?
The liability shift is an effort to accelerate the adoption of EMV, which is a much more secure way to pay and to process payments.
When did the liability shift go into effect?
October 01, 2015
What do I need to do to protect my business from charges related to the EMV liability shift?
You need to get set up to properly accept chip cards (EMV) at your business.
Does the liability shift apply to online fraud?
No, the liability shift only applies to in-person fraud with an EMV card on a non-EMV card reader.
When you take a charge over the phone, does the liability shift apply to it?
If the payment is processed on the POS app — which is designated for in-person transactions — it can be held liable for the EMV Liability Shift, whether swiped or keyed in. Payments processed through Invoices or Virtual Terminal are not liable for EMV disputes.
Deep Dive
Why we need to phase out magnetic-stripe cards
To explain why the liability shift happened in October, we need to back up even further and talk about magnetic-stripe cards. As you’ve probably noticed, cards with only a magnetic stripe are being phased out. They’re being replaced by chip cards (aka EMV cards), which are a lot more secure. The banks and processing networks have been rolling out these new cards for the past few years or so (chances are you’ve probably received a new card equipped with chip technology in the mail).
What’s so wrong with magnetic-stripe cards and why are we getting rid of them? In short, the technology is extremely old (it’s been around since the 1960s) and really easy to counterfeit. Magnetic-stripe cards run on the same technology as cassette tapes (yep, cassette tapes). The data on them is static, meaning all your bank details are right there on the card—a sitting duck for a fraudster to lift, clone onto a new card, and then go on a fraudulent shopping spree. To rip off your bank information, a fraudster would just need to buy a skimmer—a relatively unsophisticated piece of technology that you can get for under $20.
The shift to EMV is intended to better protect both consumers and merchants.
None of this is good for fraud in the United States—which, unfortunately, is particularly rampant. Here’s a scary statistic: Half of the world’s credit card fraud happens in the United States, even though only a quarter of all credit card transactions happen here. This is largely due to magnetic-stripe cards being so easy to counterfeit.
The shift to EMV technology will help immensely to curb certain types of fraud (this has proven to be the case in other countries), so it’s being fast-tracked. Banks are issuing new chip cards as fast as they can. And sellers are being asked to do their part by upgrading their POS to accept EMV as soon as possible. The liability shift gives this effort a push.
Why we need to accelerate our adoption of EMV
Chip cards have far more sophisticated security features to help catch fraud. That chip on the left side of your new card is actually a tiny computer chip that’s protecting your data. Whereas data on a magnetic-stripe card is static, the data on a chip card is dynamic and constantly changing, making it extremely hard for anyone to isolate and then extract. To get ahold of it, a fraudster would have to somehow access the physical chip circuit and manipulate things to get your bank details. This would require extremely sophisticated knowledge—as well as high-tech equipment that costs more than $1 million. So, needless to say, with EMV cards the hurdle for fraudsters is way higher than with magstripe cards.
The actual EMV transaction is also a lot more secure than a magnetic-stripe transaction. Magnetic-stripe cards broadcast bank information to the payment terminal as-is. Chip cards are different in that they have sophisticated encryption built right into the chip.
When you dip a chip card (it’s a dip instead of a swipe), it talks back and forth with the payment terminal (like a credit card machine or payment processor) in an encrypted language to make sure everything checks out. For all of these reasons, chip cards are far more adept at both protecting your information and spotting fraud quickly.
EMV chip cards are much more secure than traditional magnetic stripe cards.
The liability shift was an effort to help quicken adoption of EMV and EMV processing devices so we can reduce fraud in the U.S. And it seems to be working. At then end of 2017, nearly 92 percent of cards processed on Square were EMV chip cards. And Visa recently released data that counterfeit fraud dropped 70 percent from September 2015 to December 2017 for those retailers that upgraded their POS hardware to accept chip enabled cards.
What changed with the liability shift?
Contrary to what you might have heard (there are a lot of scare tactics out there), the liability shift is not actually a law. It’s up to individual businesses as to whether or not they’d like to upgrade their payments terminals to accept EMV.
However, as more and more of your customers realize that chip cards are more secure, more and more of your customers will expect to be able to pay with them. Accepting chip cards will not only protect you against certain types of fraud and secure your business, but also it will make sure that you can securely accept what may become your customers’ preferred form of payment.
New rules mean that businesses may be held liable for some types of fraud.
What changed is that, under the liability shift, a certain type of fraud is no longer covered. Specifically, it’s something called “card-present” fraud with a counterfeit EMV card. “Card present” is a payments industry term that means cardholders were physically present when they paid for something at your store. So if a fraudster comes in and pays with a counterfeit EMV card, and you process that transaction as a magstripe payment, you could now be held liable. If the person pays with a card that doesn’t have a chip and you process it as a magnetic-stripe payment, however, it’s unlikely you’ll be held liable (nothing changes).
Put another way, the liability shifted to the party with the lesser technology. If fraudsters pay with a counterfeit magstripe card, the banks still eat that cost. If they pay with a counterfeit EMV card, and you don’t process it as an EMV transaction, you could be held liable. The reason: If you processed that transaction as an EMV payment, the technology would have caught and stopped the fraudulent activity.
What stayed the same?
The liability shift only applies to card-present fraud with a chip card (if you didn’t process that transaction as an EMV payment). But other than that, nothing else changed. (Like we mentioned above, if someone pays with a fraudulent magnetic-stripe card, you won’t be held liable).
Sellers often get tripped up on the nuances of the liability shift when it comes to another form of payment—something the industry calls “card-not-present” fraud. This type of fraud refers to all payments that you don’t physically process on your card reader with the card in hand.
The liability shift only applies to fraud that occurs in person with an EMV card.
If you take a credit card number over the phone (or with Square’s Virtual Terminal) to process a payment, for example, that’s a card-not-present transaction because you didn’t physically process it. Card-not-present transactions also apply to online payments. If a fraudster uses a counterfeit card to pay for things in your online store, the fraud rules stay the same.
To reiterate, only fraud that occurs in person with an EMV card is subject to the liability shift if you don’t have a chip card processing device.
How to become EMV compliant and protect your business
To protect your business from the liability shift, you need to get an EMV reader. This may seem daunting, but it’s actually pretty easy. The Square Reader for contactless and chip can process both EMV and NFC payments—meaning you’ll be all set up for the next wave of new, secure payment technologies like Apple Pay (which are starting to pick up steam).
Once you get your new reader, it’s a good idea to familiarize yourself with how to take EMV payments. Chip cards are actually processed differently than magnetic-stripe cards. They’re dipped vertically into the payments reader instead of swiped horizontally like magnetic-stripe cards.
You should train yourself (and your staff) to have an eagle eye when it comes to the credit cards your customers hand over. If it has a little chip on the left side, it’s an EMV card and should be processed that way. If you try to swipe the mag stripe on the back of a chip card, the reader will prompt you to insert the EMV chip instead.
Prepare your business by updating your terminal to an EMV reader.
Another thing to realize about EMV transactions is that they sometimes actually take quite a bit longer than magnetic-stripe transactions. (This isn’t the case if you use Square readers, which can process chip cards in two seconds.) The card needs to be inserted into the reader for the entire transaction—which can take several seconds. This is all while the technology in the card is talking back and forth with the reader to make sure there’s nothing fishy. If something’s off, the technology will spot it and the transaction won’t go through.
Other secure payments technology
The fact that EMV transactions can be a bit sluggish will likely help accelerate the adoption of another new form of payment: NFC transactions. NFC stands for “near field communication” and refers to the technology that underpins “contactless” mobile payments like Apple Pay and Android Pay.
Contactless payments are authenticated payments—meaning they’re extremely secure and have a very low fraud risk. In a contactless payment like Apple Pay, your payments details are dynamically encrypted (through a technology called tokenization), which makes it near impossible for fraudsters to hack. They’re also protected by Apple’s fingerprint technology (Touch ID), so even if someone were to steal your phone, they wouldn’t be able to get at your mobile wallet.
Apple Pay and other contactless payments are just as secure as EMV transactions (and leagues more secure than magnetic-stripe transactions) but take a fraction of the time to process. They’re also extremely convenient, since they’re all through your mobile device (which is pretty much like an extra appendage these days).
As EMV adoption picks up, and people start to experience its lag time, contactless payment adoption will likely accelerate. This is a trend we’ve seen in countries that have adopted EMV as the standard.
In short, the liability shift can seem complicated, but it doesn’t need to be scary. Hopefully this guide has armed you with all the information you need to know—and explained how you can protect your business. To be completely protected against the liability shift, order the Square Reader for contactless and chip. Then, you’ll be good to go with accepting the latest, most secure forms of payment.