Businesses preparing for chip-card shift
Jeremy Nobile, Crain's Cleveland Business
Originally Published: 10/04/15
Small and midsize businesses may have missed, or possibly dismissed, a landmark change in the card payment space that kicked in at the start of the month — and it could end up costing them big bucks.
Oct. 1 marked a shift in card transaction fraud liability in the United States to businesses that must have upgraded payment systems to be compatible with fraud-fighting technology embedded in new credit and debit cards.
In short, businesses now are on the hook for fraudulent charges if a customer uses a so-called EMV (European MasterCard & Visa) chip-based card, fraud still occurs and the business hasn't upgraded its payment systems. Previously, banks largely made up for the losses as consumers and businesses weren't held responsible.
Brendan Hickey, director of business development for Twinsburg-based electronic payment processing company Solupay, said he sees many businesses and retailers in Northeast Ohio that haven't updated their points of sale with new terminals that work with the new cards banks of all sizes are rolling out.
“But the under-reached market is that smaller business type, the type of people who are worried about inventory, their ordering, and this is another hat they have to wear, something else to worry about,” Hickey said, “and there hasn't been anyone reaching out to these organizations.”
The chipped cards are being issued by banks to cut down on fraudulent transactions. However, the change really began in Europe, where the new technology has been present for several years. And it's being pushed by the major card issuers: MasterCard, Visa, Discover and American Express.
Compared with those using only magnetic strips and PIN numbers, the EMV cards prevent fraud by also issuing one-time, encrypted codes associated with every transaction, making it much more difficult for a fraudster to copy and use card information and to make fake cards. The cards only battle fraud for in-person transactions where the card is physically read by a machine at the time of sale.
Consumers have never been liable for fraud and still aren't, and their non-EMV, magnetic strip cards will still work just the same as before at both new and old terminals.
What changes for businesses is who shoulders the liability, Hickey explained. In terms of the policy, liability falls to whoever is the least EMV compliant. That means if a fraudulent transaction is processed at a business that doesn't have a machine to read the new cards, it's considered the business' fault, and the loss will fall to them instead of being covered by the bank.
So merchants that don't have new EMV-compliant units, which Hickey said go for about $350 per terminal on the “low end” and as much as $1,000 (there are exceptions on both ends of the spectrum), could be setting themselves up for problems.
Jamie Ramsey, a Cleveland partner at Calfee, Halter & Griswold LLP and chair of the firm's privacy and data security group, said he knows some businesses are at risk not because of who's calling with concerns, but because of who isn't.
“These smaller, midsize businesses think they are not a target,” he said. “They think, ‘I don't have anything anyone wants and I don't have the money to put these in place.’ But the reality is they're the low-hanging fruit, and their credit card info is just as valuable as the information at big box companies.”
Hickey and Ramsey said the ones more resistant to updating their systems tend to be smaller businesses, restaurants and mom-and-pop shops. Both point out that major retailers, like Target and Walmart, already have new EMV-compliant terminals, and that movement will actually push fraudsters to target vulnerable smaller businesses.
Some businesses could be impacted and not even realize it either because they haven't been following the news, they think they won't be targeted, or in some cases, they have contracts where this comes into play and aren't aware, Ramsey said.
For example, one of Ramsey's clients works with multiple vendors who in turn manage this person's properties. A new contract with those entities holds that their client — the business owner in this example — is responsible for payment system compliance.
In this case, a business owner who doesn't actively sell anything to anyone in a traditional sense is responsible for updating the payment systems. Should one of their vendors be involved in a fraudulent transaction where this comes up, the business owner, not the vendor or a bank, is required to cover the loss. It's a convoluted situation, but not an entirely uncommon one.
While Hickey's advice is for all businesses to eventually invest in new payment systems, it's Ramsey's advice for entrepreneurs to review their vendor contracts.
“Many are assuming the issuing banks will be responsible (for fraud),” Ramsey said, “but not anymore.”