EMV: MasterCard supports current liability shift dates…should your credit union?

On January 8, 2014, Chris McWilton, president of North American markets for MasterCard, released a letter addressing concerns regarding recent data breaches and liability shift dates for the financial industry. According to the letter, MasterCard continues to support EMV chip technology as the upgrade in technology and security that is needed to help mitigate fraud at the POS and ATM.

McWilton also reiterates that the liability shift dates are not mandates but “incentives to migrate to EMV.” Given this opening, it comes as no surprise that the bulk of the address is aimed at announcing MasterCard’s intent to maintain their 2015 liability shift dates for POS…and 2016 for ATMs.

The letter goes on to detail the steps MasterCard has taken to help the U.S. financial industry establish EMV, including their “streamlined testing and certification process” and the introduction of a MasterCard EMV routing solution that is available to networks at no cost.

It is clear that the major card networks and EMVCo are committed to the introduction of EMV in the United States. However, there are still many in the industry with questions about this migration.

Is EMV the Right Fraud Solution for Card Issuers?

Credit Unions may be asking how the liability shift will affect them and what timetable to follow in their migration to a new card system since credit unions, as the card issuers, have previously borne the brunt of costs from fraud. EMV could also mean an increase in expenditure for credit unions since chip cards cost more to produce and issue than current mag-stripe cards. Credit unions must also consider any ATM upgrades that would be required in their overall cost assessment.

However, EMV supporters point out that current numbers are showing that the implementation of chip-based card transactions in other countries has caused a significant migration of fraud to the United States. The Nilson Report for 2012 estimates global losses from credit and debit card fraud at $11.27 billion, with the U.S. accounting for 47.3% of those losses. This uptick in fraudulent activity in the U.S. could increase the financial risks for credit unions and result in fraud numbers that outweigh the extra expenditure for EMV migration.

The December 2013Target breach is now being cited as an example of how EMV could have protected cardholders and credit unions. However, no matter how the “encrypted” data is transferred, the card user’s account information must, at some point, be decrypted in order to perform a transaction. While EMV likely will not stop hackers from eventually finding a workaround, it can certainly narrow the doorway for interaction with the decrypted data, making a data breach much harder to achieve, at least in the short term.

Is EMV the Right Fraud Solution for ATMs?

As of October 1, 2016, owners of ATMs that are not EMV compliant may be liable for some card fraud at those ATMs. (Current exposure to an EMV liability shift began last April, with the shift on international Maestro cards issued abroad by MasterCard and counterfeited to commit fraud at non-EMV compliant ATMs in the U.S.)* While the majority of ATM fraud happens via the card reader, ATMs face far less fraud than merchant POS transactions. For credit unions that own ATMs, an upgrade to their machines as well as their cards will help protect them from fraud generated by counterfeit cards used in “on us” transactions made at their ATMs. Credit unions with outsourced and/or managed ATMs, where the ATMs are not owned by the credit union, will not be liable for fraud based on ATM compliance after October 1, 2016, as the liability shifts to the ATM owner. For ATM deployers, the issue of EMV migration is a bit murkier.

“The direct cost/benefit of EMV to the ATM providers is questionable,” says Bruce Renard, executive director of the National ATM Council, Inc. (NAC). “EMV primarily benefits card issuers and their underlying networks as a means to reduce card fraud. ATM providers have not been liable for such fraudulent transactions in the past. Unlike credit union ATM providers, who are also card issuers, non-credit union ATM providers are being incented to upgrade their ATMs with a new liability exposure but no cost savings.”

Other Concerns Still Impact a U.S. EMV Migration

Renard points out that there is still no finalized U.S. EMV Application Identifier (AID) specification and current federal court proceedings that may impact the final solution are still pending. Under these circumstances, “The existing liability shift dates for ATMs need to be carefully reviewed by all affected parties.” If U.S. ATM providers upgrade in the current environment, they will likely incur costly extra trips to each ATM once the U.S. AID is finalized. “Worst case,” Renard points out, “the final U.S. EMV solution would require not just a software change but a modification to the EMV hardware that was already installed.”

“ATM owners and operators [including credit unions that currently operate their own ATM fleet] are caught between a rock and a hard place,” Renard concludes, “They can begin their EMV migration now and hope what they buy and install works with the final U.S. EMV spec, or they can delay their EMV migration until the U.S AID is finalized and risk paying premium prices for limited supplies late in the transition.”

ATM manufacturers have not announced plans to increase production, despite the potential uptick in order numbers the U.S. EMV migration will likely cause. Those credit unions and ATM deployers that choose to wait for a final EMV solution to purchase their equipment and upgrade kits may also be exposing themselves to the danger of an equipment shortage.

Similar risks such as new card programming (requiring a card reissue), maintenance calls and equipment shortages could also be encountered for merchants and card issuers preparing for their October 2015 liability shift without final U.S. EMV solutions in place.

An additional consideration for credit unions and ATM operators making upgrade decisions is whether the mag-stripe system will remain viable after the liability shifts hit the U.S. While it is not currently written in the network migration plans, the card companies have made it clear the goal is to completely eliminate the mag-stripe option in favor of chip-based cards. If this is the case, the entire financial payments industry will eventually have no choice but to migrate to EMV or risk becoming obsolete.

 

*Fraud liability in an EMV country shifts to the non-EMV-compliant party. October 1, 2016 marks the liability shift for counterfeit EMV cards issued by MasterCard.

 

 

Rebecca Hellmann

Rebecca Hellmann

Rebecca Hellmann is a marketing manager and branding professional with over seven years of experience in the industry. Her primary areas of expertise include copywriting, marketing strategy, design and advertising. ... Web: www.atmmarketplace.com Details