Tuesday, August 11, 2015

The Chips Are in the Mail: EMV Liability Shift in October 2015

A few weeks ago I got a new credit card with a microchip.  Last weekend, when I swiped it at Target, I got a lesson on how to use the microchip reader in the checkout line.  The new technology is called "EMV" which refers to a technical standard developed in the 1990's for payment instruments that store data on integrated circuits (chips) rather than magnetic stripes. The term comes from the names of the three companies that created the technical standards: Europay, Mastercard and Visa.  These three companies, along with JCB, American Express, China UnionPay and Discover formed a consortium managed by EMVCo.  The six member organizations work together with banks, merchants, payment processors and other stakeholders.

Use of chip technology reduces fraud relative to use of magnetic stripe technology because the chip permits "dynamic authentication" of the payment.  Put very simply, a magnetic stripe embeds a unique identifier, but all it does when swiped through a reader is show the identifier, which is always the same.  A dynamic authentication protocol authenticates the payment by computing a unique response to a challenge which uses both the data presented in the challenge (from the authentication server) and the secret data contained in the chip.   A thief can steal the credit card number, but without the chip-enabled dynamic authentication, the number is useless.

In August 2011, Visa announced its plans to implement the "Global POS (point of sale) Liability Shift Policy" for the US. For most counterfeit card fraud at a retailer's in-store locations ("card present" transactions), liability for an unauthorized transaction has always fallen on the card issuing bank and not the merchant. Effective October 1, 2015, the new policy shifts liability to the party in the payment process that has not made the investment in EMV chip cards or readers.  Each payment network (e.g., Visa, MasterCard, Discover) has its own rules, but they all implement the same cheaper loss avoider principle.  According to a paper by EMV Migration Forum that summarizes information collected from payment networks, the party supporting the most secure technology for each fraud type will prevail, and in the case of a technology tie, the fraud liability will remain with the card issuing bank. So, if the issuing bank hasn't switched to chip enabled cards, the issuer will bear the loss even if the merchant hasn't switched to a chip reader.  However, the merchant will bear the loss from use of data copied from a chip-enabled card if the data is used on a counterfeit card at the merchant's swipe card reader.  The merchant could have prevented that loss by switching to a chip reader that would have blocked approval of the counterfeit magnetic swipe transaction.

Chip technology will reduce counterfeit loss in "card present" transactions. But, it won't affect counterfeit fraud in "card-not-present" (CNP) transactions, e.g., via internet, mail (snail and e) and telephone.  So far, there is no single, simple solution to eliminate CNP fraud.  According to the EMV Migration Forum Card-Not-Present Working Committee, the best practice is multi-layered. The key is to authenticate the identity of the person who initiates the CNP transaction. The best practice is to adopt an authentication protocol that requires at least two of these three authentication factors:  1) ownership --something the authorized user has, such as a credit card; 2) knowledge -- something the authorized user knows (such as a PIN); or 3) inherence --something the authorized user is or does (such as a fingerprint).

No comments: