Lost or stolen credit card chips pose a new threat. Diligence and training is required for retailers to prevent and reduce liability under the new scam. By John D. Goldsmith
Due to massive credit card fraud, EMV (Europay, MasterCard and Visa) was adopted first in Europe, throughout most of the remainder of the world, and most recently in the United States. EMV is now a global standard for the payment industry. Credit cards containing an EMV chip (chip card), embedded in a credit card under a gold or silver foil, are significantly more secure than a magnetic strip card, which contain only static payment information that can be copied or “skimmed” and put on another card.
In comparison, a chip card creates a unique transaction code each time the card is used, so if the code for a particular transaction is stolen it cannot be used for any other transaction. Since the EMV standard was adopted in the U.S., in-person physical credit card fraud has dropped, by some estimates, by more than 50 percent.
One significant risk of a chip card is if the EMV chip, which is glued into the card, falls out or is removed. The removed chip glued into another credit card can be used for unlimited transactions until canceled. The old credit card without the chip will still work with its magnetic strip, so the owner may not realize the chip has been removed and replaced with a dummy chip, instead assuming the chip technology is not working. Although the chips are glued securely in the card, the chip can be removed and replaced quickly or fall out on its own with frequent use.
Who is Liable?
Since the U.S. has not yet adopted the “Chip and PIN,” only requiring the card and a signature – and many U.S. physical credit card transactions are done outside the presence of the customer – there are multiple opportunities for the chip to be stolen. While the customer generally has no liability, the credit card issuer or the merchant will be liable depending on who has adopted the least EMV-compliant technology.
This is a change from the old rules, and is intended to move the payment industry into EMV technology to avoid liability exposure for fraud. The only exception is for automatic fuel dispensers, who now have until October 2020 before these new liability rules apply.
If a stolen chip is glued into another card and the card issuer has adopted “Chip and PIN” and the merchant has not, the merchant is liable. If the retailer has “Chip and PIN” technology and the card issuer does not, the card issuer is liable. In the U.S., to date, few card issuers or merchants have invested in the “Chip and PIN” technology. If neither the card issuer nor the retailer has adopted “Chip and PIN” and a stolen chip is used in another card, traditional comparative fault principles apply.
In such a situation, the merchant will argue the card issuer should have more securely embedded the chip in the credit card so it could not be so easily removed. The card issuer will argue the merchant has the primary responsibility because it should have noticed that the number and name on the credit card does not match the name and number on the credit card receipt. Although a dummy card may still be produced with a name to match the information from the stolen chip, this takes time and provides the customer more time to realize the chip was stolen.
Training to Reduce Risk
Retailers can reduce liability for this type of credit card fraud by regular training of point-of-sale personnel and “secret shoppers,” to make certain credit card receipts are compared with the credit card used in the transaction. As more fraudsters understand EMV technology, the removal of chips will increase, requiring more diligence by retailers and card issuers. Ultimately, following the global standard of “Chip and PIN” provides the best protection for retailers against chip, and most other, credit card frauds.
John D. Goldsmith is a shareholder at Trenam Law in Tampa, Fla., and leads the firm’s cybersecurity practice.