The Credit Card Liability Shift – What Merchants Need to Know

EMV is the acronym for Europay, Mastercard and Visa—the three credit card companies responsible for pioneering a new credit card technology in the 1990s. Though they were the first innovators, all major credit card companies have since adopted the technology, which has been in widespread use in Europe and elsewhere in the world for several years. On Oct. 1, 2015, that same standard will come to the United States as credit card companies enact the “EMV liability shift.”

In the simplest terms, this means that the cost of fraudulent charges on certain kinds of credit and debit card transactions will be determined solely by the technology used in the transaction. Whoever has the least EMV-compliant technology—either the merchant processing the transaction or the card issuer—will be liable for the costs of the fraudulent charge.

Such a shift could have huge financial implications for businesses, especially since card issuers have typically borne the bulk of fraud liability. To minimize the impact of this shift on your business, it’s important to understand what EMV is, why it’s being adopted as the new standard and what the new technology will and won’t do in terms of minimizing risk.

Understanding the New Technology
EMV replaces the old standard of encoding cardholder information—the magnetic stripe on the back of the card—with a microprocessor chip that’s embedded within the card. Customers then punch in a personal identification number (PIN), much like a debit card, or sign for the transaction in the same way customers currently do with magnetic stripe cards.

EMV cards offer major security benefits. Specifically, in contrast to their magnetic stripe counterparts, EMV chip cards are almost impossible to clone. On magnetic stripe cards, thieves can steal cardholder information using a device called a “skimmer.” On EMV chip cards, cardholder information is stored in a microprocessor that generates a unique signature for every transaction, effectively “communicating” its authenticity every time it’s scanned. In fact, in countries that have adopted the EMV standard, the use of counterfeit cards has dropped nearly to zero.

EMV Migration – What Businesses Need to Do
There are certain steps a business will have to take in order to become EMV compliant. These can take time, so starting as soon as possible is the best strategy.

  • Examine Hardware: Some businesses that have upgraded point-of-sale (POS) card readers in the past few years might find them capable of reading EMV cards. Many businesses, however, will have to upgrade their existing hardware.
  • Consult With Third Parties: Businesses should contact their merchant acquirers, payment processors and independent software vendors. These third parties can help by offering specific recommendations and solutions that fit with each individual business’s needs.
  • Purchase and Certify New Hardware: The merchant acquirer or payment processor should be able to tell a business what certification, if any, that business might need.
    • Often, if the card reader isn’t heavily customized, the acquirer or processor may have already taken care of certification.
    • If, however, the card reader is highly integrated into the business’s POS, that business might need to obtain proper certifications. In some cases, the same policy can cover multiple events.
    • Certification takes time. Level 3 certification, for instance, can take anywhere from a couple of weeks to several months.
  • Decide on Chip-and-PIN or Chip-and-signature: Businesses should also consider whether the terminals they purchase can handle chip-and-PIN transactions or only chip-and-signature transactions. At the moment, most card companies are issuing chip-and-signature cards. However, it’s likely that chip-and-PIN will be the standard in a few years. Rather than update hardware twice, it might make sense to make that investment now.
  • Implement Internal Training: EMV cards are processed a bit differently than magnetic stripe cards, so it’s important that employees understand the differences:
    • The total amount of the transaction must be entered into the terminal before the card is inserted.
    • An EMV card must remain inserted in the terminal for the entire duration of the transaction.
  • Educate Customers: Most businesses will be far more knowledgeable on the new technology than their customers. Teaching employees how to instruct customers on using their new EMV cards will be essential in making the transition as smooth as possible.

Important Exclusions to EMV
The liability shift only applies to card-present, face-to-face transactions. Currently, there’s a separate liability shift, scheduled for October 2017, for ATM withdrawals and automated fuel dispensers.

Card-not-present (CNP) transactions won’t be affected by the liability shift. That means that even if a business has an EMV-compliant terminal, if the card information is manually entered, or if the transaction occurs on the internet, the business will usually be responsible for the costs associated with a fraudulent transaction.

It’s also worth noting that many EMV cards will have a magnetic stripe in addition to the chip. If a business reads the card using the stripe rather than the chip, it will assume liability, regardless of whether the terminal is EMV compliant or not.

Putting it All Together
EMV is a technology designed to reduce losses and should be thought of as another piece of your business’s overall security strategy. For more information on how to assess and mitigate your business’s risks, contact your professional agents and underwriters here at Morris & Reynolds Insurance today.

Cyber Attacks: A Growing Business Interruption Threat

When you think about what usually causes a business interruption, natural disasters such as fires, earthquakes and floods probably come to mind first. These events can physically damage your property and equipment, making your workspace unusable for a time. The damages from Hurricane Katrina and Superstorm Sandy are great examples of how a natural disaster can put a halt to a business’ day-to-day operations. Many of those affected businesses remain closed to this day.

While natural disasters are still the main reason for an interruption, another cause is quickly moving up the ranks: cyber attacks. As businesses continue to rely on computers and digital storage of essential data, cyber attacks will continue to be a potential exposure. Read on to learn how a cyber attack could lead to a business interruption and what you can do to mitigate the risk.

How can a cyber attack cause a business interruption?
Hackers, thieves and other unauthorized individuals have become adept at exploiting weaknesses in a business’ computer system, whether through traditional hacking methods or social engineering. There are several types of attacks that could completely cripple your ability to perform normal business activities, including:

  • Malicious code that renders your website unusable
  • Distributed denial of service (DDoS) attacks that make your website inaccessible to employees and customers alike
  • Viruses, worms or other code that deletes critical information on a business’ hard drives and other hardware

It is quite easy to see how any of these events might leave your company scrambling to do business. Unfortunately, many smaller businesses don’t have the manpower available to detect the problem and work on fixing it, which only increases the length of an interruption.

Third-party interruptions can have a major effect on your business
You can still be affected even if it isn’t your business that experiences a cyber attack. Imagine what would happen if one of your vendors suffered an attack, resulting in a complete shutdown of its warehouse or website. Unfortunately, attacks on third parties are often out of your control. Such an event could have a profound effect on how much business you are able to do, and that would trickle down to your customers, who may rely on your products or services.

Ways to prevent a cyber attack from causing a business interruption
A common saying in the cyber security world is, “It’s not if you’ll be a victim of a data breach, but when.” While 100 percent protection is impossible, you can help lower your chance of business interruption due to a cyber attack by following these tips:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their functions, the data they store and process, and their importance to the organization.
  • Make sure all firewalls and routers are secure and kept up to date.
  • Implement a cyber security policy that educates employees about the dangers of computer intrusions and how to prevent them. Morris & Reynolds Insurance can help you draft a cyber security policy specifically tailored to your company.
  • Download and install software updates for your operating systems and applications as they become available.
  • Implement a strict password policy and have employees change system passwords every 90 days.
  • Limit employee access to company data and information, and limit authority to install software.
  • Make sure you are covered by a cyber liability insurance policy.

How can cyber liability coverage help?
Most traditional commercial general liability (CGL) policies will not cover business interruption losses due to a cyber event. Luckily, cyber liability coverage can fill that void.

Should your business be unable to perform normal business operations, a cyber liability policy can help pay for expenses related to an interruption. The coverage pays for:

  • Lost income due to the event
  • Profits that would have been earned had the event not occurred
  • Operating expenses, such as utilities, that must be paid even though business temporarily ceased
  • Rented or leased equipment

Cyber liability coverage also helps protect your business from the following events:

  • Data breaches, including costs for customer notification, some legal costs and credit monitoring for those affected
  • Damages to third-party systems, if, for example, an infected email from your servers crashes the system of a customer or vendor
  • Data or code loss due to a natural disaster or malicious activity. Physical destruction of equipment is covered under a different policy.
  • Cyber extortion, including ransomware, which is malicious code installed into a computer on your network that prevents you from accessing it until a ransom is paid

Even though business interruptions due to cyber attacks are relatively uncommon, being unprepared for one could prohibit you from doing business as usual. Contact Morris & Reynolds Insurance today to find out how we can help you avoid a business interruption.