How are we going to implement Chip and PIN by October?

By - August 17, 2015

We have had a lot of clients coming to us recently asking about the Card Brands (VISA, Mastercard, American Express, Discover, and JCB) announcement of a liability shift that will occur this October related to the use the Chip and PIN, Europay-Mastercard-Visa (EMV), or Chip cards. While EMV cards are generally used everywhere else in the world except the United States, In the US we have been slow to adopt and are ill equipped in our understanding of EMV cards. So many of our clients have asked us about the chip migration that we decided to write a whitepaper to give a deep dive of what is going to happen related to the switch in October. Like the tax code it is more complicated than it needs to be. But that doesn’t mean that most organizations can’t figure it out on their own with just a little guidance.

It provides a great background on how we go to where we are and where the industry is trying to go and I really encourage you to read the full paper because it is much better than my summary here. However, EMV is an important initiative in the US. Credit card fraud for card present transactions (where the actual card was supposedly used in the purchase) is far higher in the US than anywhere else in the world. Industry estimates put over 70% of credit card fraud in the US because traditional Magnetic swipe only cards are so much easier to counterfeit than EMV cards. So to push for the use of EMV (Chip Cards) in the USA and even out the fraud rates worldwide the card brands (VISA, Mastercard, American Express, Discover, JCB) have changed the liability rules for fraudulent transactions.

What does that mean, change the liability? Simply put if a criminal came into a store and made a purchase with a stolen or cloned card the person who had their credit card stolen does not have to pay for that purchase. They would have the chance to challenge the purchase, have it removed, and then the merchant and the bank must determine who is going to take the loss. There are lots of different ways that can be settled. However, after Oct 1 the rules will change for all organizations. After Oct 1 the organization that had the lesser technology will always have to incur the loss. So if you are a merchant and your card readers only take magnetic swipe and a customer uses a card that the bank has issued with a chip you as the merchant will incur the loss by default. If as a merchant you make the investment in a chip reader for your payments and a customer comes in with a card that does not have a chip, then the fraud will automatically go to the bank. If both the merchant and the bank are on equal footing (i.e. no chip on either or both chip capable) then the resolution rules go back to the pre-Oct 1 rules.

So after Oct 1 everyone that could take payments still will be able to. Depending on the amount of card fraud your organization experiences it might not even be worth the cost to upgrade readers until they come down in price. However, I will say that the criminals have become very technology sophisticated and will be able to identify merchants that do not require chip payments very quickly. Consequentially, I would expect if you do not upgrade that you will experience more fraud than before. So keep that in mind as part of your decision. For a detailed explanation check out our whitepaper (Link), and if you have questions reach out to us or comment below.

You can download the detailed whitepaper from here:
http://rsmus.com/what-we-do/services/risk-advisory/security-and-privacy/payment-card-industry-data-security-standard-compliance/the-true-impact-of-chip-and-pin-separating-fact-from-fiction.html

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Receive Posts by Email

Subscribe to the Management Consulting blog and receive notifications of new posts by email.