Up until Oct. 1, banks and other financial institutions were liable for any fraudulent charges on their cards. But in a push to heighten the security of POS systems, the liability shifted on Oct. 1 to whoever has the least secure systems. For retailers, that means if you don’t update the standard swipe credit card readers to EMV chip card readers, you’ll be on the hook for any fraudulent charges.
Banks are already pushing ahead to transform credit cards. Until recently, the back of most credit cards included your signature, a security code, and the famous black magnetic strip. But U.S. cardholders will soon receive – if they haven’t already – cards embedded with a smart chip that enables more secure payments. By Q4 of 2016, nearly 90 percent of credit cards issued in the United States will be EMV-chip enabled.
So if a couple walks into a neighborhood store and buys something with a stolen credit card, who is held responsible for the fraudulent charge? If they used a chip card and the store didn’t have a POS system that could read that chip, the store is responsible. If the card only has a magnetic stripe, but the store is capable of reading chip cards, the bank takes care of the fraud.
The National Retail Federation recently told Congress that new chip-and-signature credit cards without a PIN will not stop data breaches, and that small businesses should not be pressured to install the equipment to accept them at the expense of more effective technology.
“The new EMV equipment does not stop breaches,” NRF Senior Vice President for Government Relations David French said. “Indeed, in many cases it provides no significant benefits either to the business or to the business’ regular customers. It is merely an additional expense small businesses are being told to bear.”
If small businesses are pushed to adopt Europay MasterCard Visa technology, alternatives such as mobile payment apps and other competing smartphone-based technology “may effectively be locked out of the market,” French said.
“These are important considerations that businesses of all sizes must carefully ponder,” French said. “It would be inappropriate to prejudge their decision-making and stampede businesses into the adoption of solutions less protective for businesses and consumers than what has existed throughout the industrialized world for more than a generation.”
Cards currently being issued by U.S. banks feature a computer microchip that will eventually replace cards’ easily copied magnetic stripe to store data. But French said the cards also need a secure personal identification number, or PIN, which would eventually replace easily forged signatures, as is done in all other countries that use EMV cards. While the chips make the cards more difficult to counterfeit, they do nothing to protect lost or stolen cards, while a PIN alone could prevent both types of fraud, he said.
While the new cards make it somewhat more difficult for criminals to use stolen card numbers, they do not actually prevent numbers from being stolen in the first place, and stolen numbers can still be used for online and other types of fraud.
French’s comments came in a statement submitted to the House Small Business Committee, which is holding a hearing today on what chip-based cards will mean for small businesses. Today’s hearing is scheduled to feature witnesses from the card industry, but another session with small businesses and retailers is expected to be held later this month. The hearing follows last week’s deadline for merchants to install chip-card readers or face increased fraud liability if a chip card is used in a non-chip reader.
French said credit and debit card fees are the second-largest expense for many small businesses after labor, and that the card industry imposes “a multitude of complex rules on small businesses.” Chip-card readers and installation can vary from “a few hundred dollars to thousands of dollars” per terminal, he said, with an industry average of $2,000.