What the Looming EMV Deadline Means for Merchants

Another week, another retailer security breach. CVS, Rite-Aid, Sam’s Club, Walmart Canada and other retailers suspended online photo services because of a suspected cyberattack against a third-party provider. These breaches have become so prevalent that 44 percent of Americans expect that their personal data held by a retailer will be compromised within the next year, according to the Unisys Security Insights survey.

The rash of high-profile security breaches among retailers in recent years has led to the development of Europay, Mastercard and Visa (EMV) cards, which will eventually replace traditional magnetic strip cards. While data stored in magnetic strips can be stolen, EMV cards use computer chips that generate a unique code for each transaction at the point of sale. This code can only be used once, so the card would be denied if someone stole the code and tried to use it again.

The United States will make the switch to EMV cards on October 1, 2015, in an effort to more effectively protect cardholder data and minimize the risk of fraud. However, it’s important to understand what will actually happen on October 1.

Merchants will not be forced to be EMV-compliant. The switch is voluntary. In fact, Javelin Strategy and Research study found that only about one-quarter of merchants will be ready for the change to EMV cards, and many card issuers won’t send EMV cards to their customers until after the deadline. The biggest change is the shift in liability for fraudulent purchases. Beginning on October 1, fraud liability will fall upon the least compliant party in the transaction. If EMV technology isn’t being used, that party is likely the merchant, not the credit card issuer.

The cost of fraud is already extremely high for merchants. According to research from Lexis Nexis, merchants paid $2.79 for every dollar in fraud losses incurred in 2013. These losses total tens of billions of dollars each year. With the shift in liability that comes with the switch to EMV, merchants that fail to comply run the risk of footing an even higher bill to cover the cost of fraudulent purchases.

Merchants also risk eroding their credibility in the eyes of the consumer. As consumers receive their EMV cards and become more aware of EMV and its security benefits, they’ll expect to see EMV terminals. If a consumer goes to pay for merchandise and the merchant isn’t using EMV technology, this could be a red flag.

While Payment Card Industry (PCI) Standards largely focus on protecting the environment that houses cardholder data, EMV is designed to make sure stored data is useless to a hacker. When EMV cards are used with PCI Standards, which include patching systems, firewalls, access controls, employee education, and other tools and methods to protect sensitive data, merchants are able to take advantage of a multilayer security strategy that reduces the risk of fraud.

With the October 1, 2015, deadline quickly approaching, it is important for merchants to understand their potential liability and what legal, technological and procedural changes are required to become EMV-compliant. A consultation with an attorney before the shift in liability goes into effect can help merchants make informed business decisions that minimize the cost of fraud.