A proclamation released by President Obama on September 30th has given October of 2015 the distinction of being National Cyber Security Awareness Month, which involves a month-long series of outreach programs promoted by the Department of Homeland Security and the National Cyber Security Alliance. Observed every October since it was instituted in 2004, sponsored events during this year’s month of cybersecurity observation have focused on themes of general cybersecurity, training cyber professionals and issues related to connected communities.
Another cybersecurity theme for this year’s month of awareness is “Creating a Culture of Cybersecurity at Work.” Cybersecurity threats exist throughout the workplace but especially at the point-of-sale for retail establishments. Credit and debit cards have presented financial account information as data recorded on a magnetic stripe, the same basic technique used to record sound onto cassette tapes, since the 1960s. This outdated technology has been exposed in recent years as highly susceptible to malicious cyber attacks designed to steal financial account information. Target Corporation (NYSE:TGT) is perhaps best known as being the first major victim of such a scam but similar incidents have affected other major retailers like Barnes & Noble, Inc. (NYSE:BKS) and Neiman Marcus.
Threats to business cybersecurity have been growing in recent years, a subject we’ve been following here on IPWatchdog. Although a high percentage of American consumers believe that American financial institutions can keep their bank accounts safe, most banks can only recoup pennies on each dollar lost from hacked financial accounts. In fact, according to statistics published by financial services provider Square, half of all credit card fraud happens in America even though the country only processes one-quarter of the world’s credit card transactions. As a result of repeated cyber attacks leveraging the low security of magnetic stripe cards, American financial institutions have been pushing towards phasing in computer chip-enabled cards which have more sophisticated security measures.
This October marks a very important moment in financial account cybersecurity as a liability shift is taking place. As of October 1st, the liability for covering fraudulent activities which take advantage of magnetic stripe readers falls to the party that has not adopted technology which enables purchases from chip-enabled cards. The legal impetus behind this fraud liability shift is not clear, although similar shifts have taken place in countries like England more than a decade earlier.
This liability shift was a major focus of a webinar on Wednesday, October 14th, focused on chip-enabled cards, or EMV cards, presented by Square in conjunction with the U.S. Small Business Administration. The lecture, entitled EMV 101: What Small Businesses Need to Know About The Switch to Chip Card Technology, explained the liability shift in clear terms. Starting this October, if a business does not have a card reader designed to process EMV payments, that business can be held liable for fraudulent activities stemming from the transaction if the customer presents a chip-enabled card.
EMV stands for Europay-Mastercard-Visa, the three companies that have been the main players in developing the chip-enabled card standards. Many other financial account providers, including American Express (NYSE:AXP) and Capital One (NYSE:COF), are also making the switch to chip-enabled EMV cards. By the end of 2015, about 40 percent of all credit and debit card transactions will use EMV cards, according to the SBA/Square presentation. In order to process payments on EMV cards, all businesses which process card-present payments must upgrade to new card processing or point-of-sale technologies.
Instead of swiping an EMV card in the way that a magnetic stripe would be run through a card reader, EMV card readers require cards to be “dipped” into the reader where they remain held for a few seconds. During that time, the card reader communicates with the chip, which newly encrypts financial data for transmission each time the card is dipped into the EMV reader. The one-time code generated by the computer chip is currently impossible to counterfeit.
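Why a copied stripe still works while a copied chip transaction does not, as an added example that is not part of the original article. It is a simplified model, not the EMV algorithm itself: HMAC-SHA256 over a per-card counter and a terminal nonce stands in for the chip's one-time code, and all class names, function names and the card number are hypothetical.

```python
import hashlib
import hmac
import secrets

def _code(key, txn):
    # One-time code: keyed hash over the transaction data and the counter.
    msg = "|".join(str(txn[k]) for k in ("pan", "amount", "counter", "nonce"))
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class ChipCard:
    # Toy chip: the key stays inside; only per-transaction codes leave.
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def dip(self, amount_cents, terminal_nonce):
        self._counter += 1  # a fresh counter value for every dip
        txn = {"pan": self.pan, "amount": amount_cents,
               "counter": self._counter, "nonce": terminal_nonce}
        txn["code"] = _code(self._key, txn)
        return txn

class Issuer:
    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def issue_card(self, pan):
        self._keys[pan] = secrets.token_bytes(32)
        return ChipCard(pan, self._keys[pan])

    def authorize_chip(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None or not hmac.compare_digest(_code(key, txn), txn["code"]):
            return False  # unknown card, or data altered after the chip signed it
        if txn["counter"] <= self._last_counter.get(txn["pan"], 0):
            return False  # code already used: a copied transaction is rejected
        self._last_counter[txn["pan"]] = txn["counter"]
        return True

    def authorize_stripe(self, track):
        # Static stripe data: a copy is identical to the original read.
        return track["pan"] in self._keys

def demo():
    issuer = Issuer()
    card = issuer.issue_card("9999000000000001")  # constructed card number
    txn = card.dip(1999, secrets.token_hex(4))
    altered = dict(card.dip(500, secrets.token_hex(4)), amount=50000)
    return {"chip_first": issuer.authorize_chip(txn),
            "chip_replay": issuer.authorize_chip(dict(txn)),
            "chip_altered": issuer.authorize_chip(altered),
            "stripe_copy": issuer.authorize_stripe({"pan": card.pan})}
```
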
So, where does this leave American small businesses? Any business, large or small, that handles card-present transactions must upgrade to new EMV card readers if they do not want the liability that comes with fraud stemming from magnetic stripe cards. If a customer presents a magnetic stripe card and not a chip-enabled EMV card, then the liability remains with the financial institution which issued the card. If the customer presents an EMV card and the business only has a magnetic stripe card reader, the EMV card will still have a magnetic stripe so that the transaction can be completed. However, any financial account fraud stemming from that transaction becomes the liability of the business and the financial institution will not step in to take responsibility.
Some businesses have already taken the right steps in ordering EMV card readers required to operate business without the threat of fraud liability. However, there’s been a backlog in EMV card reader orders and, as Square representatives themselves noted during the SBA presentation, many businesses that have ordered their readers have not received them, which has some business owners concerned now that we’re past the liability shift that occurred on October 1st. Although Square representatives encouraged business owners to contact their merchant payment services provider, some EMV card reader companies, including Square itself, are offering to absorb the liability for businesses that have ordered a Square EMV card reader but haven’t received it after the liability shift.
There are many businesses that process credit and debit card payments that will not have to deal with the liability shift, especially e-commerce businesses that process payments online. In a question and answer session after the SBA/Square presentation, Square representatives responded to multiple questions surrounding processing card-not-present transactions, where customers input their card information through a payment portal or via telephone call. The liability shift only affects card-present transactions where a customer physically presents a card while at a brick-and-mortar establishment.
If a business owner doesn’t have an EMV card reader and tries to input the card number through the card reader’s keypad, it may avoid the fraud issue specific to magnetic stripe cards but it does not meet the liability shift standards; if the payment is made with a fraudulent card number, the financial institution will not be responsible for making restitution of the funds. Business owners who have an EMV reader do not have to worry about accidentally triggering liability by swiping the magnetic stripe. In those cases, the reader will detect that the card has a chip and instruct the cashier to instead process the payment by dipping the card into the EMV reader. If the EMV computer chip is damaged, preventing the transaction from processing, the magnetic stripe will enable a customer to complete a purchase, although it was unclear whether or not the liability remained with the financial institution if the chip was damaged.
Although Square did mention its own EMV chip card reader, which can be ordered for about $30, Square representatives also said that most businesses should contact their current payment services provider in order to find out what EMV reader options they might have available. A number of payment service providers already have EMV readers out on the market, including PayPal (NASDAQ:PYPL) and Intuit (NASDAQ:INTU).
EMV is not the only payment transaction standard developed in recent years which improves upon the security of magnetic stripe cards. Digital wallets, which employ similar encryption methods to ensure that sensitive financial account data remains private, have been developed in recent years by Apple Inc. (NASDAQ:AAPL), Alphabet Inc. (NASDAQ:GOOG) after Google acquired Softcard earlier this year, and Samsung Electronics (KRX:005930), which acquired the digital wallet services developed by LoopPay earlier this year. The Apple Pay and Android Pay systems need their own dedicated near field communications (NFC) terminals, much like EMV cards require a reader to communicate with the card’s computer chip. Samsung’s digital wallet system, on the other hand, can communicate wirelessly with any card reader terminal without requiring a special terminal.