Mon, Sep 14, 2015
What does the EMV liability shift mean to your credit union? Regardless of whether you’re implementing EMV or have chosen to skip it altogether, the EMV liability shift on October 1st will have a dramatic effect on the way you and your members do business.
Opinions differ on what EMV and the upcoming liability shift on October 1st, 2015 will mean to the payment industry. However, one thing is certain: card fraud is getting worse each year and particularly in the U.S.
In fact, card fraud in the U.S. reached new heights in 2014, increasing 11.6% year-over-year, to $0.1275 for every $100 in transactions compared to $0.0373 in other parts of the world, according to a recently published Nilson study. Is EMV the answer? That’s the $3.89 billion question - the amount financial institutions lost to counterfeit cards in 2014.
EMV is designed to mitigate losses related from card-present fraud and specifically counterfeit cards. Compared to its less secure counterpart, magnetic stripe, EMV generates a dynamic, one-time authentication making it significantly more difficult to duplicate and counterfeit on a mass scale.
While EMV looks to help the counterfeiting side of the equation, it does not directly solve for making cardholder data more secure from data breaches or terminals that are not EMV-enabled. If magnetic cards were counterfeited from the data obtained from EMV enabled cards, they could only be used at terminals that are not EMV-enabled giving the credit union chargeback rights.
In theory, this approach should allow the credit union to be made whole. In practice however, costs associated with chargebacks and EMV-card reissuance may off-set the benefits until the ecosystem is more or fully EMV-enabled. Keep in mind, ATMs and gas stations won’t face a liability shift until 2016 and 2017, depending on the card network. As a result, early adopters might face some additional costs, but without that sacrifice the system will likely not improve as quickly.
Given the card-present environment will benefit from some added EMV security, fraudsters will likely shift operations to focus on card-not-present transactions.
EMV was not designed to enhance the card-not-present channel, primarily because card-not-present protection through CVV2 / CVC2 codes on the back of the payment cards already exists. Beyond that, financial institutions continue to have chargeback rights in scenarios where proper security protocols are not followed by retailers for online transactions.
Unfortunately, the U.S. card industry is complex and fraudsters are far too creative to truly predict with any degree of certainty what affect EMV will have on the payment ecosystem.
No matter what decision your credit union makes to address EMV and the upcoming liability shift, make sure you’re open and prepared to adapt quickly.
Risk Mitigation Tips
- Decide if and when moving to EMV makes sense. Perform extensive due diligence and weigh the total cost of EMV against the projected reduction in fraud.
- Make sure controls are optimized for card-not-present transactions. Ensure Address Verification Services and CVV2/CVC2 is supported and turned-on. Additionally, pursuing services that leverage tokenization and modern authentication techniques may prove effective.
- Remember your chargeback rights. Don’t forget if you’re EMV-enabled and have fraud occur on a non-EMV enabled payment terminal, you have the ability to charge that transaction back. Ensure familiarity with the appropriate way to identify EMV enabled merchants as well as the appropriate chargeback codes with each card network.
- Educate your members on best practices. Members act as the first line of defense. Having them know how to properly use EMV cards and that transacting at non-EMV enabled terminals poses a higher risk may act as a deterrent. Also, protecting their PIN information at ATMs or point-of-sale terminals and being aware of phishing scams to get at CVV2/CVC2 information can also help.
Source: CUNA Mutual