EMV Chip Cards – Falling Behind the Curve Could Mean Liability for Merchants and Card Issuers Alike

During the holiday season, stores throughout the United States process millions of credit card transactions per day. Although this flurry of sales activity is good for business, it also comes with a potential risk of liability if the credit cards used in those transactions are equipped with the chip-card technology that the merchants’ payment processing machines are not capable of handling.

During the past year, credit card issuers have been transitioning to Europay, Mastercard, Visa (“EMV”) chip cards, which contain smart microprocessor chip technology. Through the chip reader in the credit card payment terminal, the chip serves as the communication conduit between the card issuer and the merchant’s bank to authenticate the card and complete the sales transaction. Unlike magnetic stripe credit cards, chip cards generate a unique transaction code that cannot be reused. This “dynamic” data technology helps to guard against credit card fraud arising out of data or security breaches in which credit card information is compromised. For some chip cards, users may also be required to enter a PIN. This new chip card technology requires new payment processing terminals that many merchants have not yet implemented.

Although the card issuers themselves have not completed their issuance of EMV chip cards to replace existing magnetic stripe cards, the issuers imposed an October 2015 deadline on merchants and card payment processors to become EMV-ready. After October 2015, under the modified terms of their agreements with the credit card payment processors or networks (e.g., VISA, MasterCard, American Express, Discover), merchants who accept credit cards and who are not EMV-ready may be liable for any fraudulent transactions and possibly fined and/or sanctioned by the Payment Card Industry Security Standards Council, an industry organization that promulgates data and cybersecurity standards for the credit card sector. Liability will be shifted to the party that used the lower level of security and compliance with the EMV standards. This means that, for example, a merchant may be assigned liability for a fraudulent transaction if the purchase was made with a chip card but the merchant was not capable of processing the chip card payment and used the magnetic stripe method instead. Conversely, the card issuer may be assigned liability if the merchant was EMV-capable but the card issuer has not issued a chip card to the consumer.

Notably, the EMV standards do not apply to purchases where the cards are not physically presented, including online and telephone transactions.

Although they impose increased liability and breed disputes between potentially liable parties, EMV chip cards and their attendant standards and rules are intended to provide more consumer protection and create an incentive for merchants, card issuers, and payment processors alike to conform with best practices in an ever-evolving world of data and cybersecurity challenges.

How Your Business Can Avoid a Merchant/Vendor Data Breach

In October 2015, many of the major vendors in the payment processing world will move to a new system for ensuring secure payment transactions. The new payment systems will be chip-and-PIN or chip-and-signature, depending on the merchant/vendor. Already successful in the earlier European rollout, the new systems should make information harder to steal and shift some or all of the liability to those vendors that have not become chip-and-PIN compliant. Further, the Payment Card Industry Data Security Standard (PCI DSS) sets out requirements to ensure that merchants process, store, and transmit encrypted data in a safe environment.

While these measures will help, they won’t eliminate the possibility of data being exposed at the point of sale. So regardless of what solutions are offered to secure data at the point of sale, one thing is for sure: they may not be enough to solve all levels of fraud.

Four Steps Merchants Must Take to Protect Themselves:

  1. Secure your perimeter IT network and web-based applications. Your IT network needs constant security updates/vulnerability assessments to ensure that no openings exist for hackers to compromise your secure data. Above all else, this perimeter or first line of defense system should be upgraded to ensure no areas of weakness exist.
  2. Monitor your systems at all times for suspicious IT and financial traffic. In this fast-moving world, you need constant 24/7 monitoring so your company can detect breaches faster and take immediate action to stop and mitigate losses. Vendors and merchants should formalize technologies to notify customers of data breaches or threatened breaches.
  3. Be prepared for the worst. Prepare your company with data breach response training and crisis management in every jurisdiction in which you are located. Develop processes and periodically perform data breach preparation and readiness training with your employees, and practice with them at various times and under different simulated data breaches. Depending on your company’s level of risk tolerance, you may want to hire a security forensics team before any breach. Having a forensics team evaluated and retained before a breach occurs allows you to understand what it can and can’t do for your company, and lets you evaluate its skills and expertise before using the team.
  4. Purchase data breach insurance. Since this is a new and growing area of coverage, insurance companies can help you focus on what level of coverage the business needs and what is financially at risk. Since insurance companies have checklists and protocols established for data protection, use your insurance company’s checklist/process to confirm that your protection systems meet its underwriting requirements before you purchase the insurance.

All told, there is no simple way to prevent data breaches, but with foresight, preparation and an immediate action plan, you can prevent, minimize and respond quickly to any privacy breaches.