The EMV Migration Forum has published a new "roadmap" to help card issuers, acquirers and merchants prepare for the October card-present fraud liability shift date - when U.S. card issuers and merchants are expected to be prepared to accept EMV-compliant card payment transactions (see October Fraud Surprise for Retailers?).
In an interview with Information Security Media Group, Randy Vanderhoof, director of the forum, says questions surrounding exactly what is and is not considered "fraud" after October spurred the forum to issue its report, "Understanding the 2015 U.S. Fraud Liability Shifts."
"The report was published as a way to provide a ... clearer roadmap for merchants and issuers, to better understand the ramifications of what's going to happen in October, when the liability shift date takes place," Vanderhoof says. "We've simplified it down to the key scenarios."
Because the U.S. likely will not be fully EMV compliant for some time, Vanderhoof says the forum wanted to clarify the fraud losses for which merchants, acquirers and card-issuing institutions would be liable after the October date (see EMV: U.S. Won't Make October Deadline).
"It's all about documenting for the community the real conditions that are going to happen after the liability shift date," Vanderhoof says. "It's hard to find actual details - through an authoritative source - of what to plan for."
Two Types of Card Fraud
Vanderhoof says EMV helps to address both counterfeit card fraud and lost-and-stolen card fraud.
Compromised magnetic-stripe cards are used to create counterfeit cards used for card-present/in-person point-of-sale transactions. If card fraud results because the card issuer has not yet issued an EMV-chip-compliant card, then the fraud expense still will fall on the shoulders of the issuer, he notes. But if an EMV-compliant card is used and the merchant is unable to accept an EMV transaction - meaning the payment must default to using the mag-stripe - then the fraud expense will fall on the merchant after the liability shift date.
"That is the primary change, and most issuers and merchants understand that change," he says.
But a minority of banking institutions are opting to issue EMV-chip compliant cards that require PINs, rather than signatures, for authorization at the point of sale to mitigate lost-and-stolen card fraud. If an EMV card is lost or stolen, and the merchant is not in a position to accept a PIN authorization for the EMV-chip payment that is being transacted with a lost or stolen EMV card, then the merchant will be liable for fraud, under certain conditions, after the liability shift date, Vanderhoof says.
"Issuers had a lot of questions about what will happen if we don't have a PIN associated with the card," Vanderhoof says. "If there is no PIN associated with the card, then the issuer maintains or retains the liability, as they always have. The only time it [may] shift is if the issuer's card is PIN-preferring and the merchant doesn't accept PIN."
But not all card brands have adopted the same policies for fraud that results under these conditions, he says. Visa has said that even if fraud results in a merchant's PIN-acceptance environment for EMV, the issuer is still liable. "Visa has come up with a blanket lost-and-stolen card policy," Vanderhoof says. "Regardless of whether a PIN is used, if fraud results, the issuer is liable."
During this interview, Vanderhoof discusses:
- Why merchants have more questions than banks about the varying card brands' rules;
- How the EMV Migration Forum is educating merchants and banking institutions about the new fraud liability shift requirements; and
- Why more clarifications about EMV fraud liability shift expectations are likely.
In addition to serving as director of the EMV Migration Forum, a cross-industry body focused on supporting the EMV chip implementation steps required for successful introduction of chip technology in the U.S., Vanderhoof also is the executive director of the Smart Card Alliance, multi-industry association of more than 180 member firms working to accelerate the widespread acceptance of smart card technology.