Retailers, Hospitality: Ready for the payments liability shift on 10/1?

If you take payment cards and don’t  use chip technology by October 1st, the card brands will have you both coming and going.

Because you have suffered a card breach or know someone who has, you know how they try to have you for lunch on the “going” side, by assessing “fraud recovery costs” according to their general formulae to pay off the issuing banks (which have paid the merchants where the fraudulent cards were swiped).   Those fraud recovery costs are usually much bigger than the administrative costs and fines and penalties they also assess (unless you do not have much of a PCI-DSS program to show them).

After October 1, they will also have you for lunch on the “coming” side, when you process a fraudulent card in your establishment, if you don’t deploy EMV or “chip” technology.  The long-delayed introduction of technology like this in the US — which has made us such a fraudster haven — has been further delayed because, although most of us have the chip cards in our wallets, most “merchants” (all entities that take payment cards) have not implemented the technology.  Getting merchants to make that investment and get it done has been the dilemma, and the long-time, clever incentive plan for making it happen has been the EMV liability shift.  As of October 1, all merchants in the United States will be liable for losses and expenses resulting from credit and debit card fraud at the point of sale if they have not upgraded their payment systems to deploy the chip card technology.Walrus_and_Carpenter

"If seven maids with seven mops
 Swept it for half a year,
 Do you suppose," the Walrus said,
 “That they could get it clear?"
 “I doubt it," said the Carpenter,
 And shed a bitter tear.

As you are already beginning to see, the EMV liability shift is a very real shift in liability, but not exactly the shift described by the card brands, because you, the merchant, are at both ends, as the breached entity (“going”) and the point of sale (“coming”).  Only in theory, moreover, is the EMV liability shift  a balanced arrangement in which if either the merchant or the bank has not employed chip technology in a particular fraudulent transaction, it will be liable.  In practice, since banks have generally deployed the technology (and can still of course transfer the costs to the merchant who suffered the breach anyway), the new risks generally belong to the merchants.

Therefore  — assuming that the banks do not get double payments for fraud costs — the EMV liability shift is a shift from the merchants who suffer the breach to the merchants who don’t use chip technology.   Of course, that is something you never read about, because  nobody wants to suggest — again assuming that the banks don’t get paid twice — that some of the money you are spending dealing with PCI-DSS requirements should be diverted to buying EMV readers.  I would certainly never suggest such a thing — please pass the butter — although you might note in that regard that as of October 1, if at least 95% of MasterCard transactions originate from EMV-compliant POS terminals, the merchant is relieved of 100% of MasterCard account data compromise penalties (on the breach or “going” side again).


So, you have been warned.   If you want to consider deploying the chip technology and you like your payment processor or merchant bank, you might want to ask them about it now to beat the rush.  Your payment processor will eventually need to certify you as EMV-compliant.