With the holidays around the corner, many consumers can rest easier this gift-giving season because of greater consumer protections at the checkout line.
EMV is the now familiar acronym for the EuroPay, MasterCard, Visa standard, which incorporates chip technology to encrypt card information. Starting Thursday, liability for counterfeit card-present transactions will shift away from the issuer — where it normally resides under the card brands' zero-liability provisions — to the merchant if it is not EMV-compliant. From now on, the liability for counterfeit card transactions will fall on the shoulders of whichever party does not offer EMV-compliant devices (the merchant) or cards (the issuer). If neither party is EMV-compliant, or if both are, the fraud liability remains the same as it was before the shift.
Many wonder if EMV technology will be a silver bullet for protecting consumers' sensitive information and preventing fraud. Without question, EMV is a step in the right direction. Migration to EMV technology will help with certain types of fraud. Specifically, it will make stealing data from consumers much harder and producing counterfeit cards nearly impossible.
Unfortunately, as with any single technology, successfully preventing all fraud is unrealistic. Data from other countries suggest that while increased use of EMV cards will result in a reduction of card-present counterfeit fraud, card-not-present fraud may experience a simultaneous, and potentially dramatic, increase. For example, when the U.K. adopted EMV online card fraud rose significantly.
In light of this, issuers and payment networks will continue developing technologies that can address new threats in an ever-changing security landscape. For example, end-to-end encryption is making payments more secure by encoding consumers' information into unreadable formats as it makes its loop from checkout to card network to the bank and back. Moreover, tokenization replaces the sensitive electronic consumer account information at the cash register or online with a random "token," rendering the information useless to criminals.
At the same time, around-the-clock fraud protection is already a hallmark of issuers and networks, which employ teams of experts using advanced computer systems to monitor transactions and detect unusual activity that may indicate a customer's account has been hacked. EMV is just one layer of protection that should be used alongside other security measures in the ongoing fight against fraud.
Protecting consumers requires all players in the payment card network to do their part in combating card-based fraud. Many issuers are well on their way to EMV migration or already have a plan to do so. But as recent studies indicate, many merchants are still completely unaware of the Oct. 1 liability shift. A recent Wells Fargo survey revealed that fewer than half of small-business owners who take card payments said they were not even aware of the liability shift deadline and that only 31% of business owners say their existing systems are ready.
According to the Identity Theft Research Center, merchants account for a significantly greater percentage of breaches in the U.S. when compared with financial institutions. For consumers to receive maximum protection, merchants need to be on the same page as issuers. Issuers and networks will continue to innovate, but merchants need to be ready to implement technologies and develop stronger data security measures to further reduce damage from fraud activity. Without equal buy-in from all participants in the system, the consumer's sensitive information will continue to be at risk.
With less than 90 days until Christmas, consumers have plenty to worry about, but hackers stealing their personal and sensitive information shouldn't be among them. We welcome today's change in technology and liability as another step toward stronger security standards for everyone, most of all consumers.
Dave Pommerehn is a vice president and senior counsel at the Consumer Bankers Association.