EMV Liability Shift and Nixed Signature Rule

Chip-enabled terminals have been a nationwide security protocol since October 2015, but a notable amount of businesses still have yet to adopt the latest payment technology. Learn what’s at stake and why you should install one today.

EMV chip cards have been around since 1994 and were popular in Europe before they gained momentum in the U.S., proving to be more effective in preventing payment card fraud than magnetic stripes. EMV stands for Europay, MasterCard and Visa, and refers to the chip standard these networks originally introduced. There’s a lot of protection inside that small metallic square on the front of your debit or credit card.

Why Are Chips Safer Than Magnetic Stripes?

Magnetic stripe data is static, meaning that it uses the same transaction data every time it’s swiped. Fraud technology is a consumer threat that has long been growing in prevalence and sophistication. Add these two facts together and you have a big risk of credit card fraud. If a thief manages to access your magnetic stripe data, they can replicate it as many times as they want and use it for fraudulent transactions.

How does this happen?

A common situation is when a fraudster uses a “skimmer,” or small data-capturing device discretely placed over a terminal, to collect data that passes through it when customers make card payments. Common targets are ATMs, gas stations and other brick-and-mortar points of sale without a live attendant. The fraudster can forge counterfeit cards from the skimmed magnetic stripe data. Unfortunately, this is only one of many data hacking techniques at large today.

EMV chips, on the other hand, cut out the risk of replication. They produce a unique encrypted code for each transaction. So if chip data gets stolen and is replicated to produce a counterfeit card, it won’t work for any subsequent transactions. Additionally, if someone steals a chip card and forges its magnetic stripe data, then tries to swipe it, the magnetic stripe data will indicate to the EMV terminal that it’s a chip card, and the terminal will refuse the swipe and prompt a “dip” into the EMV slot. So it’s impossible to get around.

All in all, these microprocessor chips are dynamically designed to combat modern day fraud as magnetic stripes, born in the 1960s, become more vulnerable in the face of fraud technology.

The EMV Liability Shift

To drive home the point that EMV chip-enabled terminals should be implemented by every merchant who accepts credit cards, the major card brands Visa, Discover, MasterCard and American Express set out a security standard in October 2015 called the EMV liability shift. While card-issuing banks and card companies covered credit card fraud losses no matter the payment method prior to this date, businesses who don’t have an EMV chip terminal for customers who use EMV chip cards are responsible to cover any fraud losses after the deadline.

That’s not to say that the swipe option has been negated completely. Some customers still use older cards without chips, so in that case merchants should allow them to swipe and, if fraud occurs, the card issuer would be responsible for the losses. The EMV liability shift only applies when chip cardholders experience fraud on non-chip terminals. A simple way of looking at it is: the party without the latest EMV technology has to pay for any money lost from fraud.

When you examine the risks of being held responsible for any fraudulent transactions, the stakes are significantly high for merchants who still haven’t installed an EMV chip terminal. The extra few seconds it takes to process chips is well worth the security they provide. As customers grow used to the new standard, having a chip terminal also instills more trust in your business.

The U.S. Payment Forum’s Spring 2018 Market Snapshot found that 59% of U.S. point-of-sale locations are chip-enabled, which is a 578% increase since the October 2015 liability shift. Also in that time period, there has been a 70% decline in counterfeit card fraud for businesses with chip terminals. While the statistics are encouraging, there are still merchants who need to take the EMV leap.

*Note: the EMV deadline is extended for specialized retailers. For example, Automated Fuel Dispensers (AFDs) at gas stations have until October 2020 because of the intensive process of replacing those terminals.

Signature Requirement Tossed for EMV Payments

As the EMV migration continues, the card brands have added another protocol that offsets the relatively lengthy process of accepting a chip payment. Effective on April 14, 2018, EMV chip and contactless payments that are credit or offline debit (those that would typically require a signature), no longer require a signature for cardholder verification. The no-signature option applies to domestically- and internationally-issued payment cards from Visa, MasterCard, Discover and American Express, no matter the transaction size, as long as the merchant has a chip terminal. The merchant is also no longer required to store those transaction receipts.

Although it’s an option, no longer needing to capture signatures for EMV transactions has resulted in retail lines speeding up and a lightened administrative task load since receipt storage is not required. Point-of-sale software is adaptable enough to remove the signature prompt from the checkout process. When compared to state-of-the-art payment technology like tokenization and EMV chips, signatures don’t add that much security to transactions, the payment card networks determined. They don’t necessarily match the signature on the back of payment cards, so why should they be used to validate payments?

For all of these reasons, installing an EMV-compliant terminal is both a requirement and a benefit for businesses operating in a card-present transaction environment. On top of that, a business’s PCI compliance relies on it.