You may not have felt the earth move under your feet, but today, Oct. 1, 2015, is liability shift day. It’s not a clash of tectonic plates or anything like that, but it does signal a milestone in the fight against fraud.
Today’s the day when Visa, MasterCard, and the other card giants will henceforth hold liable the weakest link in the transactional chain, and credit unions that have deployed EMV chip cards can be assured that ain’t them.
Merchants and issuers alike have been preparing for this day and beyond but don’t call it a deadline. “It’s not. It’s purely a volunteer date. There’s no requirement and there’s no deadline. It’s a point of time in the conversation. You already have the liability. You’re not going to get more. Figure out what makes sense for your business,” says Michelle Thornton, director of product development at CO-OP Financial Services.
“It’s a journey. This is a milestone, but it’s not the end of the journey,” adds Bob Hackney, president of Card Services for Credit Unions. “It’s like you just crossed the finish line of a marathon and now you’ve got another one to run.”
· Also read: 5 EMV Decisions Every Credit Union Must Make
The brands themselves agree. Carolyn Balfany, senior vice president of EMV product delivery for MasterCard, says, “The liability shift is a milestone for the U.S., but not a deadline. Issuers and merchants are encouraged to assess their business and their risk as well as the experience they want their customers to have, and then migrate when it makes sense to them.”
MasterCard said this week that as of Aug. 31, 40% of all its consumer credit cards in the U.S. now carry the EMV chip. More than 350,000 merchant locations also now accept them, including more than 320,000 single-location operators, the card brand says, and there has been a 446% increase in chip transactions in the past year as the U.S. began catching up with the card’s long-established presence overseas.
Hackney’s CUSO provides processing services for 2,300 credit unions through FIS. He says that essentially his entire membership base is EMV-enabled on the credit side and that about half of the 600 debit issuers CSCU serves are likewise enabled.
Meanwhile, among the client base at PSCU, about 95% — or 500 credit unions — are now certified for credit EMV and about 35% of its debit issuers are, with another 25% expected to be enabled by the end of the year, sys Art Harper, director of solutions consulting for card payments solutions at that big processing CUSO.
Of course, enabled is not the same as in-hand. Fewer than half of all banks and credit unions have adopted EMV and barely one-fourth of all retailers have deployed the needed terminals that make it operational, estimates payments specialist Richard Crone of Crone Consulting.
However, “with that said, at least one chip card will be in the average consumer’s possession by Oct. 1, 2015. More than likely, that’s a credit card,” Crone says.
Will that be debit or credit? Debit EMV adoption is lagging credit adoption because of the major differences in the transaction paths and requirements. In fact, it’s so new, says Thornton at CO-OP, that one of her CUSO’s early debit adopters looking for a live place to test theirs hasn’t even found a merchant site using it.
Chole Casber, who’s leading the EMV migration team at TMG (The Member Group), knows why. “Unlike credit, debit requires a customized approach. There are many moving parts and it’s critical that the issuer, core processor and PIN networks are in alignment,” he says.
TMG began testing the U.S. Common Application Identifier (Common AID) standard in April and has been conducting multiple pilots. One of them, San Diego County Credit Union ($6.92B, San Diego, CA) has just begun sending the chip-enabled debit cards to members, choosing the mass re-issue route over waiting for expiration dates or other re-issue triggers.
TMG says more than 60% of its credit union clients are proactively sending out EMV cards en masse. “We were kind of surprised by that. We thought it would be more of a natural reissue, but I guess it’s because debit cards are used so much on a daily basis that it seemed like our credit unions want to get those out as quickly as they can,” Casber says.
Carolyn Kissick, SDCCU’s senior vice president for operations and card services, says, “Early adoption of solutions like EMV for both credit and debit cards keeps us in a position of relevancy to our influential members.”
Indeed. Perception matters. Sending a member an EMV card is an opportunity to both educate and market. Fraud problems are top-of-mind for many consumers and cardholders can be expected to notice if theirs is ready or not.
“This could be a competitive and marketing issue as much as a financial one,” says cards consultant Tim Kolk of TRK Advisors. “If I was EMV-prepared, I’d definitely be touting that fact. I’d also be implying that significant fraud and information protections are very important to the credit union whenever promoting my card product.”
Chip or PIN? There has been much debate over whether chip-and-signature technology provides any real security advantages over old-fashioned mag stripes. Chip-and-PIN is used in most other lands for credit cards, but is primarily used just for debit cards here.
Harper at PSCU expects that to change. “Merchants will move to upgrade their terminals to accept a PIN-based credit card transaction in the near future and thus will push the market into a chip-and-PIN environment for all transactions,” he says. “However, this shift will not take place for at least 18 months as other liability shift dates need to be achieved, along with full integration into the market.”
One of those liability shift dates, in fact, isn’t until Oct. 1, 2017, when gas stations come under the umbrella. And by then, of course, the fraudsters will have figured out myriad new ways to defeat new protections as they emerge. That includes an expected shift of their own as cyber crooks concentrate more on card-not-present techniques.
“It’s like Playdough,” says Hackney at CSCU. “Remember when you were a kid and you would squeeze a big handful and the stuff would come through your fingers? That’s what fraudsters are like. They just keep finding a way.”
Of course, unless things change dramatically, the consumer is rarely personally liable for card fraud. But that may not matter all that much going forward.
“Let’s face it, every credit card user has several cards to choose from, and if they get EMV cards from the bank but not the credit union, it may lead them to favor the bank-issued card for their next purchase, whether or not it actually tangibly improves their product from a consumer perspective,” says Kolk at TRK Advisors.