By now, everyone’s had the experience of presenting a chip card at a point of sale only to be told to swipe the card, because the chip reader “doesn’t work” or “is down.”
It may not make much difference to consumers, but merchants are now liable for fraud that occurs when EMV-enabled cards are treated as magstripe cards during a transaction. But what does this mean in practice when a large fraud event might mean a merchant is unable to satisfy all claims?
In practice, banks still bear the burden of compensating customers, according to an expert close to the process. The case of the Target breach, which occurred before the liability shift occurred, may serve as an example. Litigation is still ongoing in that case, but essentially banks are seeking compensation for losses, as well as for the cost of reissuing cards, which in the case of EMV, runs between $2 and $3 per card.
Unfortunately, it seems more such disputes are expected. There are indications, therefore, that banks may require additional protections from merchants in order to continue doing business with them. No one wants to be in a situation where a consumer’s bank may be in a dispute with a merchant and therefore not honor transactions at the merchant, for example.
“To protect themselves and customers, banks may require written indemnity agreements from merchants,” said Anton Lavrenko, deputy regional head, financial institutions North America with Allianz Global Corporate & Specialty, which provides a range of services to financial institutions. “The impetus will be on banks to make sure merchants are solvent,” Lavrenko told Bank Innovation.
This seems like it will result in additional costs to banks. “In a lot of cases, under certain thresholds, depending on the bank’s appetite, it will be more costly go after merchants rather than simply eating the cost,” said Madeline Aufseeser, CEO of Tender Armor, which provides dynamic CVVs (card verification values) called CVV+ for card-not-present transactions, which do not benefit from the tokenization offered at the point of sale. This could mean transactions of up to $30, $50, or even $100 might not be worth pursuing, according to Aufseeser.
As fraud heads online to card-not-present (CNP) transactions, which have always been riskier and subject to higher rates, fraudsters will make their way there as well and cost the banks more money and headaches. And as many as one in four transactions will be CNP by 2018, Aufseeser said.
Consumers will feel the pain of fraud too, aside from the anxiety it provokes even when repaid, and delay in getting a nee card delivered. “Consumers will feel the blunt of fraud that happens to merchants without EMV technology sooner since these merchants will automatically be liable for the exploit due to their failure of security policy,” said Chris Strand, senior compliance director for security firm Bit9. “The costs of these events will work their way down to the consumers much faster than traditional exploits since the liability decision will be simplistic…. Merchants will have to cover more of the costs (if not all) associated with the exploit and will pass these cost onto the consumer both directly and indirectly.” Costs will come to the consumer in the form of higher prices resulting from merchant costs.
Oversight of merchants mirrors a major trouble spot banks currently face: managing vendors.
“A major concern of banks right now is overseeing third-party vendors and limiting exposure there,” Lavrenko said. “This means more time scrutinizing and assessing vendors up front. Smaller banks with less sophistication may become more vulnerable as a consequence. But they have fewer vendors.”
More to the point is line items on a budget.
“If you look at income statements, somewhere you’ll see a line item detailing the cost of issuance of cards,” Lavrenko said. Banks don’t want to be in the position of frequently issuing chip-enabled cards.