With a crucial deadline just 266 days away, the payments industry is starting to look at just what kind of fraud liability—and how much fraud—merchant acquirers will have to assume if their merchants aren’t ready to accept Europay-MasterCard-Visa (EMV) chip cards by October.
There’s about $6 billion annually in lost, stolen, and counterfeit card fraud at stake, according to estimates by Javelin Strategy & Research, a Pleasanton, Calif.-based payments-research firm. While issuers currently absorb these losses, under card-network rules that burden will shift to acquirers this fall in cases where the fraud occurs at merchants unprepared for EMV. Petroleum merchants have an additional two years to prepare.
As a result, acquirers will have to reckon with a whole new category of risk exposure. “In card-not-present transactions, acquirers have faced this, but in the overwhelming majority of cases” they’ll be confronting it for the first time, says Marc Abbey, managing partner at First Annapolis Consulting, Annapolis, Md. Abbey has recently completed a study of the new risk facing the acquiring business because of the EMV liability shift.
Surprisingly, for all the talk in the industry about the imminent arrival of EMV, it appears few acquiring executives have fully accounted for what the shift really means for them. Among his clients, Abbey tells Digital Transactions News, the matter is “very deep on their priority list.”
But it’s a very high priority for card issuers, according to Abbey. Fearing the prospect of being on the wrong side of the risk shift, financial institutions have begun to churn out chip cards. “The issuing business appears to us and other observers to be out ahead of the acquiring world,” Abbey says. That contrasts with the experience in other parts of the world that have already adopted EMV, he notes, where acquirers generally had merchants equipped faster than issuers could pump out cards.
Some 24% of U.S. point-of-sale terminals are “EMV-capable,” while 9% of debit/prepaid cards issued, and 2% of credit cards, have EMV chips so far, according to Javelin estimates. But while terminals may be technically capable, it isn’t known just how many of these merchants have the software and trained personnel to accept EMV.
Abbey says foreign issuers, especially, may be licking their chops at the prospect of offloading their consumer-fraud risk onto U.S. acquirers. “For years and years, these non-U.S. issuers have invested in EMV, but the U.S. is still using the mag stripe. So non-U.S. issuers appear to be very aware of the liability shift,” he says.
To be sure, acquirers’ increased risk exposure may be relatively short-lived. Under the network rules, liability rests with the issuer in cases where both the merchant and the issuer are EMV-compliant. That could be nearly universally the case within a few years. By 2018, nearly all cards and terminals will be compliant, according to Javelin’s forecast.
But that still leaves open the question of how many of these terminals will really be running chip card transactions. The issue isn’t so much about terminals as about software, Abbey warns. Many mid-size merchants are using so-called integrated solutions that run payments as part of a larger business-management system. That means acquirers must work with a number of other parties to reconfigure software, and that presents a challenge when it comes to getting masses of merchants EMV-compliant.
“The bigger problem is the integrated point-of-sale market,” Abbey says. “It’s crazy-fragmented.”
Still, while the liability shift may impact acquirers, not all them are convinced their exposure will rise all that much. Some argue the risk of loss from lost/stolen/counterfeit cards at the point of sale is low and not likely to rise, especially for small-ticket merchants. “It’s such a small number, we’re not concerned,” says Jeff Fortney, vice president of ISO channel management at Clearent LLC, a Clayton, Mo.-based merchant processor.
Fraudsters, he says, are much more inclined to practice their trade online, where the risk of being caught is lower, compared to face-to-face transactions. “Online,” he says, “nobody knows who you are.”