Square Guide

A Guide to the Liability Shift: What Businesses Should Know

This guide will walk you through everything you need to know about the liability shift — and what easy steps you can take to protect your business.

Table of contents

Intro

Intro to the Liability Shift

On October 1, 2015, the way banks and processing networks handle certain types of fraud changed. In something called ‘the liability shift,’ the onus for some types of fraudulent charges can now fall on your business if you don’t use an EMV (chip card) processing device when buyers present a chip card. Understandably, this all sounds a little scary, but not to worry. We’ll walk you through everything you need to know about the liability shift in this guide—as well as what easy steps you can take to protect your business.

FAQ

Eight Frequently Asked Questions About the Liability Shift

What is the liability shift?

The liability shift is a change in how banks and processing networks handle certain types of credit card fraud. As of October 1, 2015, businesses that aren’t set up to accept chip cards could now be on the hook for certain types of fraudulent transactions.

What type of fraudulent transactions are no longer covered?

If a fraudster pays with a counterfeit EMV card, and you don’t have an EMV card reader (so you swipe the mag stripe versus insert the EMV chip), you could be on the hook for that charge.

What was the reason for the liability shift?

The liability shift is an effort to accelerate the adoption of EMV, which is a much more secure way to pay and to process payments.

When did the liability shift go into effect?

October 01, 2016

You need to get set up to accept chip cards (EMV) at your business.

Are EMV readers expensive?

Square’s EMV reader (which also accepts Apple Pay) is just $49. Some readers cost hundreds of dollars.

Does the liability shift apply to online fraud?

No, the liability shift only applies to in-person fraud with an EMV card on a non-EMV card reader.

When you take a charge over the phone, does the liability shift apply to it?

No, the liability shift only applies to in-person fraud with an EMV card on a non-EMV card reader.

Start selling with Square Reader for contactless and chip.

Accept chip cards and contactless payments for one low rate per dip, tap, or swipe.

Learn More

Deep Dive

Why we need to phase out magnetic-stripe cards

To explain why the liability shift happened in October, we need to back up even further and talk about magnetic-stripe cards. As you’ve probably noticed, cards with only a magnetic stripe are being phased out. They’re being replaced by chip cards (aka EMV cards), which are a lot more secure. The banks and processing networks have been rolling out these new cards for the past year or so (chances are you’ve probably received a new card equipped with chip technology in the mail).

Image of a magstripe card with an arrow to a chip card, indicating a transition

What’s so wrong with magnetic-stripe cards and why are we getting rid of them? In short, the technology is extremely old (it’s been around since the 1960s) and really easy to counterfeit. Magnetic-stripe cards run on the same technology as cassette tapes (yep, cassette tapes). The data on them is static, meaning all your bank details are right there on the card—a sitting duck for a fraudster to lift, clone onto a new card, and then go on a fraudulent shopping spree. To rip off your bank information, a fraudster would just need to buy a skimmer—a relatively unsophisticated piece of technology that you can get for under $20.

The shift to EMV is intended to better protect both consumers and merchants.

None of this is good for fraud in the United States—which, unfortunately, is particularly rampant. Here’s a scary statistic: Half of the world’s credit card fraud happens in the United States, even though only a quarter of all credit card transactions happen here. This is largely due to magnetic-stripe cards being so easy to counterfeit. The shift to EMV technology will help immensely to curb certain types of fraud (this has proven to be the case in other countries), so it’s being fast-tracked. Banks are issuing new chip cards as fast as they can. And sellers are being asked to do their part by upgrading their POS to accept EMV as soon as possible. The liability shift gives this effort a push.

Why we need to accelerate our adoption of EMV

Chip cards have far more sophisticated security features to help catch fraud. That chip on the left side of your new card is actually a tiny computer chip that’s protecting your data. Whereas data on a magnetic-stripe card is static, the data on a chip card is dynamic and constantly changing, making it extremely hard for anyone to isolate and then extract. To get ahold of it, a fraudster would have to somehow access the physical chip circuit and manipulate things to get your bank details. This would require extremely sophisticated knowledge—as well as high-tech equipment that costs more than $1 million. So, needless to say, with EMV cards the hurdle for fraudsters is way higher than with magstripe cards.

Photo of a hand dipping a chip card into the Square Reader

The actual EMV transaction is also a lot more secure than a magnetic-stripe transaction. Magnetic-stripe cards broadcast bank information to the payment terminal as-is. Chip cards are different in that they have sophisticated encryption built right into the chip. When you dip a chip card (it’s a dip instead of a swipe), it talks back and forth with the payment terminal in an encrypted language to make sure everything checks out. For all of these reasons, chip cards are far more adept at both protecting your information and spotting fraud quickly.

EMV chip cards are much more secure than traditional magnetic stripe cards.

Perhaps surprisingly, the United States is pretty late to the EMV party. Chip cards have been the standard in the rest of the world for years. In fact, according to a report by payment processing company First Data, it’s now estimated that 70 percent of non-U.S. credit card terminals are chip card enabled. (You’ve probably noticed this if you’ve traveled to Europe or Canada).

The good news is that abroad, EMV has proven to be effective in fighting fraud. The UK, for example, has seen a nearly 70 percent decline in counterfeit card transactions since adopting chip cards, according to Barclays. Similarly, in Canada, research firm Aite Group reports that losses from counterfeit, lost, and stolen cards dropped from CA$245 million in 2008 to 111 million in 2013.

The hope is that when we fully transition to EMV, we’ll see similar declines in fraud in the United States. The liability shift is an effort to help quicken adoption of EMV and EMV processing devices so we can reduce fraud in the U.S.

What’s changing

Contrary to what you may be hearing (there are a lot of scare tactics out there), the liability shift is not actually a law. It’s up to individual businesses as to whether or not they’d like to upgrade their payments terminals to accept EMV. However, as more and more of your customers realize that chip cards are more secure, more and more of your customers will expect to be able to pay with them. Accepting chip cards will not only protect you against certain types of fraud and secure your business, but also it will make sure that you can securely accept what may become your customers’ preferred form of payment.

New rules mean that businesses may be held liable for some types of fraud.

What is changing is that, under the liability shift, a certain type of fraud is no longer covered. Specifically, it’s something called “card-present” fraud with a counterfeit EMV card. “Card present” is a payments industry term that means cardholders were physically present when they paid for something at your store. So if a fraudster comes in and pays with a counterfeit EMV card, and you process that transaction as a magstripe payment, you could now be held liable. If the person pays with a magnetic-stripe card and you process it as a magnetic-stripe payment, however, you won’t be held liable (nothing changes).

Diagram of how the merchant can be liable when fraud happens

Put another way, the liability has shifted to the party with the lesser technology. If fraudsters pay with a counterfeit magstripe card, the banks still eat that cost. If they pay with a counterfeit EMV card, and you don’t process it as an EMV transaction, you could be held liable. The reason: If you had processed that transaction as an EMV payment, the technology would have caught and stopped the fraudulent activity.

What’s staying the same

The liability shift only applies to card-present fraud with a chip card (if you didn’t process that transaction as an EMV payment). But other than that, nothing else has changed. (Like we mentioned above, if someone pays with a fraudulent magnetic-stripe card, you won’t be held liable).

Photo of a woman sitting in the back of a mobile art gallery truck with a Square Stand in the background

Sellers often get tripped up on the nuances of the liability shift when it comes to another form of payment—something the industry calls “card-not-present” fraud. This type of fraud refers to all payments that you don’t physically process on your card reader with the card in hand.

The liability shift only applies to fraud that occurs in person with an EMV card.

If you take a credit card number over the phone to process a payment, for example, that’s a card-not-present transaction because you didn’t physically process it. Card-not-present transactions also apply to online payments. If a fraudster uses a counterfeit card to pay for things in your online store, the fraud rules stay the same.

To reiterate, only fraud that occurs in person with an EMV card is subject to the liability shift if you don’t have a chip card processing device.

How to become EMV compliant and protect your business

To protect your business from the liability shift, you need to get an EMV reader. This may seem daunting, but it’s actually pretty easy. It’s also affordable.

The Square contactless and chip reader is just $49. What’s cool about it is that it can process both EMV and NFC payments—meaning you’ll be all set up for the next wave of new, secure payment technologies like Apple Pay (which are starting to pick up steam). What’s more, if you order the Square contactless and chip reader, we’ll cover the liability shift until you receive yours in the mail. That’s right, you don’t have to worry about the liability shift if you order the Square contactless and chip reader.

Once you get your new reader, it’s a good idea to familiarize yourself with how to take EMV payments. Chip cards are actually processed differently than magnetic-stripe cards. They’re dipped vertically into the payments reader instead of swiped horizontally like magnetic-stripe cards.

Photo of a locksmith dipping a customer's card into the Square Reader

You should train yourself (and your staff) to have an eagle eye when it comes to the credit cards your customers hand over. If it has a little chip on the left side, it’s an EMV card and should be processed that way. If you try to swipe the mag stripe on the back of a chip card, the reader will prompt you to insert the EMV chip instead.

Prepare your business by updating your terminal to an EMV reader.

Another thing to realize about EMV transactions is that they actually take quite a bit longer than magnetic-stripe transactions. The card needs to be inserted into the reader for the entire transaction—which can take several seconds. This is all while the technology in the card is talking back and forth with the reader to make sure there’s nothing fishy. If something’s off, the technology will spot it and the transaction won’t go through.

Other secure payments technology

The fact that EMV transactions can be a bit sluggish will likely help accelerate the adoption of another new form of payment: NFC transactions. NFC stands for “near field communication” and refers to the technology that underpins “contactless” mobile payments like Apple Pay and Android Pay.

Contactless payments are authenticated payments—meaning they’re extremely secure and have a very low fraud risk. In a contactless payment like Apple Pay, your payments details are dynamically encrypted (through a technology called tokenization), which makes it near impossible for fraudsters to hack. They’re also protected by Apple’s fingerprint technology (Touch ID), so even if someone were to steal your phone, they wouldn’t be able to get at your mobile wallet.

Apple Pay and other contactless payments are just as secure as EMV transactions (and leagues more secure than magnetic-stripe transactions) but take a fraction of the time to process. They’re also extremely convenient, since they’re all through your mobile device (which is pretty much like an extra appendage these days).

Photo of a phone making an Apple Pay payment near a Square Reader on a countertop

As EMV adoption picks up, and people start to experience its lag time, contactless payment adoption will likely accelerate. This is a trend we’ve seen in countries that have adopted EMV as the standard.

In short, the liability shift can seem complicated, but it doesn’t need to be scary. Hopefully this guide has armed you with all the information you need to know—and explained how you can protect your business. To be completely protected against the liability shift, order the Square contactless and chip reader. We’ll cover all liability shift charges that would have been passed on to you until you receive your new reader in the mail. Then, you’ll be good to go with accepting the latest, most secure forms of payment.

Accept every way your customers want to pay.

Take chip cards, Apple Pay, and Android Pay anywhere and never miss a sale again.

Learn More

How to Choose Merchant Services Providers

A Simple Guide to Credit Card Processing

What Are Mobile Payments?

Everything You Need to Know About Near Field Communication

How to Accept Payments: A Comprehensive Payments Guide for Businesses

Everything You Need to Know About Near Field Communication