08 Sep Squeeze play on business: Shifting liability
Businesses large and small that accept credit cards in the United States are facing a harsh reality when it comes to fraud liability. In October 2015, most all major credit card companies will shift liability for data breaches and fraudulent purchasing onto businesses that have failed to adopt upgraded card security technology. What does that mean to businesses and their consumers?
For some time, there has been technology considered more secure than the old magnetic stripe on credit cards. Though used in other countries for several years, U.S. merchants have been slow to adopt the EMV global standard. The technology places a “chip” right on the card for use with verification software.
What is EVM? It’s an acronym for Europay, MasterCard and Visa. Members of this standard-setting facility include those entities plus American Express, Discover, Japan Credit Bureau (JCB) and China Union Pay. Their objectives include making the secure use of credit and debit cards seamless around the globe.
If companies in a country refuse to adopt better security technology yet the credit card companies are expected to absorb the cost of fraudulent data breaches, it won’t be long before the card issuers are unfairly or possible critically impaired. In a world that relies on “plastic” to buy a cup of coffee or pay a college tuition, an impaired credit company could spell disaster for consumers. That’s another reason why credit card companies are looking for universal technology upgrades.
The card companies have taken the only step that seems reasonable which is to shift the liability for data breaches back on retailers who do not adopt reasonable security technology. The consequences for non-compliant businesses whose data is breached could mean the end of those enterprises. The notion of a business being protected for unauthorized use of a card goes right out the window – the business will be bare.
Each credit card company has different milestones in implementing their expectations for conversion to EMV but the date most commonly agreed upon is October of 2015. Some card issuers are staggering their roll out to exempt fuel dispensers (gas stations) until 2016 or 2017.
There seems to be a distinction between what is known as “card-present” and “contactless” transactions. Card-present would be a merchant with a clerk or waiter facilitating the transaction while contactless purchases would be over-the-phone, online, kiosks and ATM transactions.
There are incentives to make the switch. According to Smart Card Alliance, if a merchant has at least 95 percent of all transactions to be from EMV enabled cards, MasterCard, for example, will extend 100 percent liability coverage.
So what’s all the fuss?
Gloria Colgan of Market Platform Dynamics recounts that EMV was a success in reducing rampant debit card fraud in Europe not long after it was implemented. But she noted that while the reduction in fraud was focused on card-present transactions, contactless fraud skyrocketed among purchases made via phone, internet and mail order.
It seems that for some, the debate on technology is similar to VHS versus Betamax video formats. VHS won but now has been eclipsed by DVDs and Blu-ray technology. All of these changes are in the name of efficiency and security. The point is that security and transaction processes continue to evolve and there are costs associated with that evolution.
From the perspective of the insurance industry, the shift changes both pricing and underwriting. Retailers have been scrambling for coverage and/or increased limits of coverage given the potential for exposure. Give that every day another story of data breaches seems to appear in the headlines, getting cyber coverage seems all the more prudent. What most retailers have not done is to explore insurance for the data they collect. This shift in liability simply raises the stakes.
As quickly as case law, insurance policies and technology seem to respond to this evolving world of global business transactions, the thieves are staying a step ahead. That thievery has costs that will ultimately be borne by the consumer. Taking a wait-and-see posture, however, is not really an option for the risk averse.
For more information about the roadmap to compliance, the Smart Card Alliance has a paper entitled Card Payments Roadmap in the U.S.