With the transition to EMV firmly underway in the United States, we thought it would be a good time to discuss progress and the potential impact to your card fraud programs.
Liability Shift
As of October 2015, Liability Shift (LS) was implemented at Point of Sale (POS) terminals across all major Card Brands in the US. LS provides a framework for transferring losses associated with certain types of card fraud away from the party with the highest level of EMV security. As a Bank or Credit Union (Issuer) what this effectively means is that if the counterfeit magnetic stripe (MAG) data of your EMV card is used at a non-EMV terminal then you have the ability to shift liability to that terminal owner.
Key Changes to Liability Shift
Unfortunately, the inability of many merchants to install EMV-compliant terminals has slowed adoption in the US. In turn, as per LS protocols, those merchants were held liable for the chargeback of a significant number of counterfeit card transactions. Card Brands responded by implementing two key rule changes to the LS protocols:
- No more chargebacks under $25 on counterfeit cards; and
- No more than 10 chargebacks over $25 on a counterfeit card.
Impact to Issuers
Although these rule changes seem relatively minor they are estimated to reduce LS chargeback volumes by 40% and dollars by 15%. With this in mind, Issuers should closely monitor non-EMV card usage to limit their exposure and ensure they are taking full advantage of all LS opportunities.
ATM Liability Shift on the Horizon
There has obviously been a lot of grumbling from Issuers on the slow adoption of EMV terminals by merchants, which is understandable. However, with MasterCard ready to introduce ATM LS this October, Issuers should learn from the merchants’ pain and ensure their ATMs are EMV capable well before then.
The challenge with the ATM LS is that the Card Brands do not have consistent dates (as shown in the following chart). This may leave some confusion in the market as to the proper time to upgrade ATMs.
Preparing for ATM Liability Shift
We recommend that earlier is better when it comes to converting your institution’s ATMs to EMV. The longer your institution waits to implement EMV, the greater the risk that you will miss key LS dates in your program as suppliers and vendors struggle to manage the effort of an industry trying to make such a significant change. Being late to market with EMV will make you a greater target to fraudsters.
This becomes especially important as ATMs are frequently targeted for skimming attacks by fraudsters looking to maximize their profits through the collection of MAG and PIN in order to use counterfeit cards to withdraw cash at ATMs. The challenge with ATM skimming is the lion’s share of the risk is with your institution as backstops such as CAMS alerts and industry groups are less likely to identify a possible compromise.
Having EMV ATMs and cards in market is the best way for Issuers to protect themselves with the oncoming wave of counterfeit card fraud in the next couple years.
Seven Mitigation Strategies for your Transition to EMV
There are several key tactics that your institution should consider to mitigate risks during your EMV transition period:
- Prepare for significant increases in ATM skimming attacks — ensure both your cards and ATMs are EMV-capable to minimize fraud risk.
- Discuss fraud mitigation solutions with your ATM vendor frequently. They can share fraud mitigation strategies and techniques that will help diminish your risk.
- Carry out regular checks of your ATMs for attached devices. Your staff should complete these checks in pairs to ensure their safety — fraudsters often monitor ATM locations and may confront an individual identifying a skimming device.
- Provide signage (such as “Protect your PIN”) that reminds customers of the value of their PIN and contact numbers to call if they suspect ATM tampering.
- Consider having extra stock of instant issuance cards at your branches during the transition to EMV. This ensures you minimize disruption to your customers in the event of an attack.
- Work with your third-party card fraud provider to confirm your solutions are in line with your risk appetite. There are often different tiers of service available, so you may need to increase your level of protection to bring it in line with your risk appetite.
- Develop and communicate policies for CPP blocking early. Having these policies understood by senior management and approved by your institution’s executive team empowers your fraud management professionals in the event of an attack – helping them move quickly to reduce losses.