How am I impacted by the liability shift?
With the liability shift, if a chip card is presented to a business that has not adopted a terminal certified for chip card acceptance, liability for counterfeit fraud may shift to the business's acquirer, who may then pass that cost back to the merchant. The liability shift encourages chip adoption, since any chip-on-chip transaction (a chip card read by a chip-certified terminal) provides the dynamic authentication data that helps to better protect all parties. In addition, if a counterfeit magnetic stripe card is presented at a chip-certified terminal, liability for the counterfeit fraud will be the responsibility of the card issuer.
Am I required to support EMV?
No, you are not required to support EMV in the U.S. region at this time. However, even if your organization hasn't been targeted by high levels of card-present fraud in the past, you may be putting your business at risk in the future, as we expect that fraudsters will target businesses that have not upgraded to the more secure EMV technology. Therefore, you may want to ensure that all your terminals are chip capable and that your payment processing application can support chip card acceptance. The good news is that most terminals deployed in the last five years are already chip capable, so you may be ready to accept these cards today. Check with your terminal provider to make sure your EMV software is up to date.
What does EMV migration mean for card-not-present (CNP) businesses?
As EMV technology is adopted in the card-present space, it is expected that fraud will also shift to the least secure channels, including CNP. From an online fraud perspective, it's important that CNP businesses be prepared for this anticipated shift, as experienced in other regions that have already migrated toward chip card technology.
As fraud migrates online and fraudsters continue to get more sophisticated, the tools you have in place now may no longer be advanced enough to protect you and your customers. Strategy is key, and it's imperative to take the extra measures to know good customers and good customer behavior (beyond just AVS and CVV). It is recommended that you avoid using Address Verification (AVS) and card validation value (security code, CVV) checks as your sole fraud detector, since the false positive exposure can be high with these tools alone. You should consider strengthening the value of these tools by supporting additional technology to confirm and mitigate fraudulent activity.
A good fraud prevention tool will enable in-house management in real time, with no negative impact on your good customers' experiences (those transactions that are not fraudulent in nature). Having the ability to control your fraud prevention at the business level, without the required assistance of IT support or third-party vendors, helps to ensure that your good transactions get through and your customer is not burdened with holds or declines based on suspected fraud. Simply put, you can prevent the fraudulent transactions without compromising the legitimate ones. This will protect you, your good customers, your bottom line and your brand.
For more information, speak to your payment processor about security tools you can use to help further protect your card-not-present environment. You may be able to deploy end-to-end encryption and tokenization to help further strengthen your security.