Though debit and credit cards with chip technology are slowly making their way into wallets throughout the U.S., the official liability shift date for businesses is fast approaching.
Europay, MasterCard and Visa (EMV) cards use microchip technology to create unique encryptions for each transaction. The EMV chip-enabled cards, while not immune to fraud, are significantly less susceptible to it.
Already in use around the world, EMV cards are beginning to be distributed to U.S. consumers. Locally, First Tennessee Bank, subsidiary of First Horizon National Corp. (NYSE: FHN) announced it will start replacing credit cards in October 2015, debit cards in January, and prepaid cards after that. New cards, which come at no additional cost to the customer, will be issued when current cards expire or replacements are needed.
For consumers, the change means new cards will be need to be inserted into card readers when paying for purchases, rather than swiped, but most cards will still have the magnetic stripes that can be swiped at businesses that do not have chip readers.
For businesses, the EMV switch may be even more important. As of Oct. 1, 2015, the official EMV liability shift date, businesses without chip readers could be held responsible for any fraudulent activity that occurs.
To learn more, the Memphis Business Journal talked with Justin Joy, an attorney with Lewis Thomason’s Memphis office who handles various liability matters, as well as business litigation.
Memphis Business Journal: From a legal standpoint, what repercussions could a business that doesn’t switch to the new card reader face?
Justin Joy: Generally speaking, after the EMV liability shift, the weakest link in the payment card ecosystem will be liable for certain in-person (or “card present”) fraudulent transactions. This represents a significant shift from the traditional responsibilities for payment card transactions where the credit card company or issuing bank have, in the past, typically absorbed the costs of fraudulent transfers where a card was physically presented for payment.
MBJ: Are businesses required by law to make the switch to EMV by a certain date?
JJ: No. The migration to EMV technology is not required by government regulations but rather is incentivized by rules that are promulgated by the payment card industry, specifically the various card brands.
MBJ: What advice would you give business owners that have yet to switch to EMV?
JJ: While recent surveys indicate only a relatively small percentage of merchants will be fully EMV-capable by the October 1 liability shift date, this development is something that could have a significant impact on a business. Costs are involved in acquiring and installing new equipment and employees need to be trained on using the new terminals. The more complex the point-of-sale (POS) system, the more costs and time will be involved to accomplish the migration. If a business has not begun the switch to EMV, they need to contact their payment card acquirer/processor and/or POS vendor to get the process started.
MBJ: What does the transition to EMV mean for consumers?
JJ: From a liability standpoint, the rules remain the same for consumers—generally, cardholders will continue not to be liable for fraudulent transactions. There are still millions of chip cards to be issued, which is expected to continue well into 2016 and beyond. As the public becomes more familiar with chip cards and the security features associated with EMV, at some point, consumers are going to expect merchants to have up-to-date equipment in place to accept their new, more secure cards. The EMV standards also address “contactless” card payments made utilizing near field communication (NFC) technology and payments made using mobile devices. As the adoption of these technologies widens, consumers will want their favorite businesses to accept payments using these new methods.
MBJ: What else should businesses be aware of?
JJ: While the move to the EMV standards is a significant development in improving the security of the payment card process, it really only address one specific type of vulnerability. It is important that businesses take a multi-layered approach to data security. This includes migration to EMV for businesses accepting payment cards in-person but also includes continued compliance with PCI Data Security Standards (PCI DSS) and the implementation of other security measures such as tokenization and point-to-point encryption (P2PE). With the increasing focus on data security across all industries, now is good time to review—and as necessary, update—security policies and procedures with your attorney and involve IT, HR, and other professionals in the process.
See the full article by Meagan Nichols on September 23 in the Memphis Business Journal by clicking link below.