Who is liable, and how are credit unions impacted?
Sponsored by Kaufman & Canoles
The utilization of chip technology in credit cards was introduced to combat credit card fraud and increase information security. Credit cards are embedded with microprocessor chips, commonly known as “EMV technology”—named after the original developers, Europay, MasterCard and Visa. Unlike traditional magnetic stripe cards, chip-enabled cards support dynamic authentication, which includes unique data in each transaction and makes stored data significantly more difficult for would-be thieves to copy. To encourage the adoption of this technology, there was a fraud liability shift in October 2015: Now, if merchants choose not to provide EMV payment terminals, but the card the consumer used is chip-enabled, the liability for any counterfeit card purchases will fall to the merchant rather than the card issuer. In the case of a “technology tie”—where both the card issuer and the merchant, or neither the card issuer nor the merchant, adopt EMV technology—the liability remains with the issuer. The transition to EMV technology has generally been successful.
While initial evidence suggests that the introduction of EMV technology has reduced fraud where the credit card is physically present, there has been an increase in “card not present” fraud—fraudulent transactions in situations where the customer is not required to physically present the card to the merchant, such as online or over the phone. One study estimates that, as a result of the EMV liability shift and the increase in e-commerce, CNP fraud in the U.S. is expected to increase from $3.1 billion in 2015 to $6.4 billion in 2018. This increase in CNP fraud is not surprising. As credit card information has become harder to steal through in-person transactions, it is only logical that identity thieves would look for an easier target: the enormous and still rapidly growing online sales market. Additionally, the U.S. was one of the last major economies to shift to EMV technology; data collected after other countries transitioned to EMV demonstrated that there would likely be an increase in CNP fraud after the shift. For example, one year after “chip-on-chip rates hit a breaking point of … 50 percent” in Canada, CNP fraud increased by 30.1 percent. In Australia, the increase was a staggering 126.1 percent. A November 2016 report from ACI Worldwide estimated that CNP fraud attempt rates in the U.S. would increase 12 percent by volume.
Merchants faced with increasing CNP fraud are caught between dueling priorities: On the one hand, online merchants want to provide quick, efficient checkout services to ensure that customers do not “abandon” their purchases. Ease of purchase maximizes both profits and the online customer experience. On the other hand, merchants want to provide security for their customers. Instituting security measures—such as device verification or one-time passwords—may increase checkout times, but it also increases consumer security. However, instituting overly sensitive security measures that flag legitimate purchases as potentially fraudulent can lead to declined purchases and loss of sales. It is a difficult balance to strike, which may explain why a recent survey found that although “52 percent of merchants say their CNP losses are growing,” 70 percent nevertheless said that “they are satisfied with their CNP fraud prevention tools.” This satisfaction may decline as CNP fraud continues to increase.
Because merchants are typically liable for CNP fraud losses, it may appear that there is little incentive for card issuers to help combat the problem. However, CNP fraud affects card issuers in several key ways. Consumer trust in e-commerce, the cost of reissuing cards when cardholder data is compromised, and the cost of ongoing maintenance and system compliance all directly impact card issuers. (See, for example, the Smart Card Alliance 2014 whitepaper, “Card-Not-Present Fraud: A Primer on Trends and Authentication Process.”) Thus, a coordinated effort to reduce CNP fraud is in the best interest of merchants, issuers and consumers alike. One potential avenue is exploring the availability of dynamic authentication techniques. Just as chip technology provides more security than traditional magstripe cards via the utilization of dynamic authentication, this general principle may be applicable to the CNP arena, as well.
Dustin H. DeVore is co-chair of Kaufman & Canoles’ credit union team and works closely with a number of credit unions on regulatory and lending issues. He can be reached at email@example.com or 757.259.3808.
Erin Deal Johnson is an associate on the firm’s credit union team and can be reached at firstname.lastname@example.org or 757.259.3801.
The K&C credit union team serves as general counsel to credit unions, large and small, regularly advising clients on consumer compliance issues, NCUA requirements, and the rules governing credit union service organizations. For more information about our team visit.