In 2015, there will be required shifts of credit card technology in the United States that will impact your financial liability and your PCI DSS compliance validation requirements. These changes will affect your website and your in-store point-of-sale purchases.
The credit card industry in the United States has been under fire for several years because of its continued use of the antiquated magnetic and signature verification process used at the point-of-sale (POS). A more secure method using an integrated circuit card and a personal identification number (PIN) was established more than a decade ago, but never adopted in the U.S.
Payment Card Types
The antiquated credit cards use a magnetic strip and a signature for purchase verification. Every cashier is supposed to compare the signature on the sales receipt to the one on the back of the card, but that rarely happens.
The new technology with the chips and PINs are called EMV Chip Cards. The chip and PIN are encoded so a purchase transaction can only be authorized when they are used together at the POS.
On August 9, 2011, Visa announced that EMV card usage adoption would take place in the U.S. as of October 1, 2015. That's 10 months from now.
Since the August 2011 announcement, there have been several payment card data breaches at large retails like Target, Home Depot, and Neman Marcus. It's quite possible that these data breaches could have been prevented if the EMV cards were already in use. Sadly, these breaches have not sped up the EMV chip card adoption process.
Fraud Liability As We Know It
When it comes to credit card fraud liability, if you ask any American they will tell you that they are protected. They won't lose money, nor will the merchant. Usually it's the credit card issuer that absorbs the loss, but they are allowed to take that loss as a tax write-off in the USA. If the merchant is not PCI DSS compliant, then they can be liable for the fraud and penalties will be assessed.
PCI DSS Compliance
As for PCI DSS compliance, most retail businesses (both online and off) don't understand the importance or impact of it. As a merchant, you are supposed to appropriately protect your business and computer systems from theft of customer payment information. This protection includes advanced security on the computer network in your store, password protection on your POS terminals, and preventing anyone from accessing your accounting records unless it's part of their job.
Most people I talk to who are aware of PCI DSS compliance usually think it only applies to website security, but that's only 1 factor in a very long list of other factors. Once you spend the money on setting up PCI DSS compliance, you are then required to pay a third party security company to test the resiliency of your security. The testing can get expensive and you are supposed to submit a report to your bank every 3 months.
It's important to note that every merchant is required to pay for and submit the PCI DSS compliance report. Sadly, most small businesses are not even aware of this. A few years ago Elavon, a major credit card processor in the U.S., started charging $35 fees to all merchants not submitting their compliance reports. This was their own method of an insurance policy to pay for potential data breaches for non-compliant merchants. Other card processors started adding extra fees to their transactions to do the same.
The cost to pay a third party for compliance testing can be far greater than $35 per month, and for small businesses it was easier to pay that $35 than add extra worry into their busy workload.
With data breaches abound, many Americans are asking when the EMV card chips will be issued and usable at the local store. Well, that day will be here before October 1, 2015. However, there's a major shift in liability that comes along with it, and that liability will cause retail store owners to lose a lot of money if they are not careful.
Understanding The New Liability Shift
After October 1, 2015 the fraud liability will change completely. The EMV cards require the chip information to be decoded by the PIN, and it's supposed to be more secure and better at preventing fraud. However, the security only works if the card has a chip and if the retailer has a card terminal that can read the EMV chip.
As of October 1, 2015, the financial liability will be placed on the party that lacks the EMV chip card technology. The EMV cards still have the magnetic strip to make purchases when the EMV card reader is not available.
Example 1:
You have an EMV merchant terminal, but a customer uses a non-EMV card to purchase a $1,000 ring. If the purchase is fraudulent then the card issuer (Chase, Citybank, Capital One, etc.) will be liable for the $1,000 and you get to keep the money from that sale.
Example 2:
You did not install a new EMV merchant terminal, and a customer uses an EMV card to purchase a $1,000 ring. Without the EMV terminal you are required to use the magnetic card swipe. If the purchase is fraudulent, then it's now your fault for not having the EMV card reader and you will be liable for the $1,000. You've just lost $1,000.
Example 3:
You have an EMV merchant terminal but the chip reader is malfunctioning. A customer uses an EMV card to purchase a $1,000 ring. Since the EMV chip reader is broken you are required to use the magnetic card swipe. If the purchase is fraudulent then it's now your fault for because you didn't maintain your equipment and you will be liable for the $1,000. You've just lost $1,000. The solution here is to always have 2 EMV card terminals in your store.
Additional Potential Liability
As I write this Nugget, I found additional liability information already in place in the European Union (EU), but no mention of it yet for the U.S. In the EU, card holders will be liable for fraudulent purchases when their card is stolen and purchases are correctly made with the PIN.
Many people use their birth date, anniversary, or other important dates as PINs. These are easy to guess. Other easy to guess numbers include home addresses, or even the last 4 of the social security number. Some people even carry their ATM PIN with them in their wallet because they never memorized it.
Whatever the case, in the EU, cardholders are responsible for the financial loss when a fraudulent purchase is made with their card and correct PIN.
I'm not sure if that level of liability will come to the U.S., but I felt it was best to mention it here.
Cost of EMV Deployment
The cost of the EMV cards is between $15 and $20 each. Some banks already make you pay to have cards reissued now, so don't be surprised if you have to pay for your EMV card before October 1st.
The cost of the EMV merchant terminal is estimated at $400. You will have to pay for that new terminal yourself. Some merchant companies, like Fatt Merchant (fattmerchant.com) will give it to you for free, but most will not. When you consider Example 3 above, it will be a wise investment to have two of these terminals.
In order to offset this financial investment, Visa will waive the PCI DSS compliance validation requirements. That means you won't have to pay a third party company to test the security of your system monthly, but you are still responsible to establish the security in the first place.
When you really look at the bottom line, small businesses who are not paying for compliance testing right now won't view this as a cost savings. They managed to get away without the testing fees and now they are forced to purchase new terminals and upgrade their POS in order to prevent loss due to liability.
Bottom Line
EMV chip cards should be issued by all U.S. card issuers before October 1, 2015 and all retail stores will be required to upgrade their equipment by that date too.
Although PCI DSS compliance testing and reporting will be waived, you are still responsible for maintaining your security. Instead of daily or weekly testing you can lower your security testing to a minimum of once every 3 months. You won't have to submit the results of the test, but you are still required to fix any security holes in your website and in-store computer network.
