Pub. 10 2015-2016 Issue 2

July/August 2015 13 Extraordinary Service for Extraordinary Members.  Counselor’s Corner — continued on page 14 14 See “Chip-Card Rollout Has Banks, Retailers Scrambling” Wall Street Journal April 21, 2014, www.wsj.com/articles/chip-card-rollout-has-banks-retailers-scrambling-1429568104; “Smaller Banks Not Sweating EMV Liability Shift” www.bankinnovation.net/2014/08/smaller-banks-not-sweating-emv-liability-shift/. 15 Id. See also “Five Months and Counting to EMV: Are You Ready?” www.paymentweek.com/2015-7-8-five-months-and-counting-to-emv-are-you-ready-7637/ July 8, 2015; “Report: 75 Percent of Merchants May Miss EMV Liability Shift Date” ABA Banking Journal June 29, 2015, www.bankingjournal.aba.com/2015/06/report-75-percent-of-merchants-may-miss-emv-liability-shift-date/; “EMV Ahead” Stores Magazine April 2015, www.nrf.com/news/emv-ahead. 16 A more specific way of describing this: “when a merchant accepts a magnetic stripe card that was counterfeited with track data copied from an EMV chip card, and the card is subsequently swiped at a POS device/application that is not EMV chip-enabled, and the transaction is successfully processed, the acquirer/merchant may be liable for the chargeback resulting from the fraud.” EMV Migration Forum Whitepaper “Understanding the 2015 U.S. Fraud Liability Shifts” Version 1.0 – May 2015. The white paper also has a useful table laying out the various permuta- tions of who is liable in various transactions and who bears the loss. Spoiler: the issuer loses in four out of five scenarios, winning only if it is chip compliant and the merchant is not. 17 There is no expected change in this area for Visa transactions. Lost/stolen liability will remain with the issuer. 18 A more specific way of describing this: “the acquirer/merchant may also be liable for a chargeback resulting from fraud if: 1) A PIN-preferred (either online or offline PIN) chip card that has been stolen (not a copy or counterfeit) is presented at a magnetic stripe-only POS device/application, and the stolen chip card is processed as a magnetic stripe transaction; or 2) A PIN- preferred (either online or offline PIN) chip card that has been stolen (not a copy or counterfeit) is presented at a chip-enabled merchant POS device/application that does not support either online or offline PIN, and the stolen chip card is processed as a signature chip transaction. No CVM (Cardholder Verification Method) transactions that meet the No CVM requirements of the payment network are not affected by the EMV lost or stolen liability shift.” EMV Migration Forum Whitepaper “Understanding the 2015 U.S. Fraud Liability Shifts” Version 1.0 – May 2015. The white paper also has a useful table laying out the various permutations of who is liable in various transactions and who bears the loss. Spoiler: the issuer loses in five out of seven scenarios, winning only if it is chip compliant with a PIN-preferred CVM and the merchant is not EMV compliant or doesn’t have PIN capability. 19 An old joke has some relevance here: Two big game hunters see a lion walking towards them. One stops to put on running shoes. Says one: “What are you doing? You can’t outrun a lion.” Says the other: “I don’t have to outrun the lion, I just have to outrun you.” Fraud losses also can result from lost, stolen, and never- received cards (e.g., cards used by the thief before they are reported lost and blocked). Chip cards can provide card- holder authentication to prevent this type of fraud, if they are required to be used with a PIN. In EMV-language, PINs are a “cardholder verification method,” or “CVM.” 4 Other CVM choices open to a card issuer are signature and “none” (none might be an option, for example, for an unattended ticket kiosk). PIN-based CVM is not as common as signature- based CVM in the United States, especially for credit card transactions. Card-not-present fraud (e.g., for online transactions) is the other big category for fraud losses. 5 If it hasn’t already, card-not-present fraud will soon overtake counterfeit fraud in dollars lost. Unlike the preceding categories, these losses typi- cally come to rest with themerchant. EMVmight theoretically help prevent card-not-present fraud, but that could require deployment of additional resources such as a secure reader for the cardholder. 6 Diligent issuers andmerchants currently employ other strategies tominimize card-not-present fraud. 7 Who Is Affected? Everybody that participates in the card industry is affected. Against the billions of dollars in annual fraud losses in this country, billions are being invested in EMV technology. 8 Is- suers have cards to issue, merchants have new readers and terminals as well as associated software to implement and get certified, acquirers have specific technology to support, customers have cards to learn to use, and card associations and vendors have to support it all and sell new products. Even fraudsters are affected, since they will have to steal dif- ferently. 9 Hopefully, the result of all this investment will be a reduction in counterfeit card fraud, as has been the case in other countries. 10 The reduction in counterfeit fraud may be offset by an increase in other fraud such as card-not-present fraud. 11 What Has Happened Already? It is difficult to say how far along EMV migration is now and how far it will be by the end of the year. MasterCard has predicted that by year-end 2015 63 percent of cards will be migrated and 47 percent of terminals will be. 12 Predictions, however, vary widely. 13 Banks (especially the large issuers) already have begun to issue EMV cards. Smaller banks are reportedly not as far along. 14 Like the banking side, the largest merchants are already well down the road. Smallermerchants are probably a different story. 15 Merchants have some added incentives to drive a high percentage of their transactions through EMV compliant terminals. They can earn PCI audit relief and at least partial relief from certain card association security breach assessments in some circumstances. Even though EMV developments are often presented as a battle between banks and merchants, many of these smaller slow-to-implement merchants are bank customers. Some of themmight appreciate a little friendly guidance and support from their banking partners to help them make smart deci- sions in this area. What Is Oct. 15, 2015? Although sometimes referred to as a deadline, Oct. 15th is not like a normal regulatory compliance deadline. Issuers and merchants that are not EMV ready by then should not be considered in violation of any law, rule, or regulation and should not be subject to any particular card association fines or punitive assessments as a result. Oct. 15th is when the so- called “liability shift” occurs. What Is the Liability Shift? The liability shift is when certain new card association rules take effect that impact who bears certain fraud losses in certain circumstances. One way to look at the liability shift is as an incentive to adopt EMV. Liability Shift for Counterfeit Fraud: Today, card issuers generally bear the risk of counterfeit card fraud transac- tions. After the liability shift, when a counterfeit card fraud transaction occurs, 16 the liability for the transaction will shift to the non-chip-compliant party. In other words, an EMV- compliant bank may be able to shift a counterfeit fraud loss to a merchant that is not EMV-compliant. If the merchant is EMV-compliant, liability remains with the issuer. Liability Shift for Lost/Stolen Fraud: For American Express, Discover, and MasterCard transactions, 17 if PIN is the preferred CVM, the liability for lost, stolen, and never- received cards resulting in fraudulent transactions when one party is not yet able to support chip/PIN transactions will