Credit cards with new EMV security chip technology (for “Euromoney, Mastercard, Visa”) were designed to reduce fraud by using a cryptographic key to verify the card’s legitimacy and to generate a one-time code for each transaction. Regrettably, users’ experiences with EMV cards have not matched expectations. Many users report that the card is a hassle because transaction processing is too slow. Moreover, retailers and other entities that accept the cards for payment are concerned that the cards are shifting liability for fraud away from issuing banks and onto them. Entities that are being forced to accept EMV security chip cards can best protect themselves from that liability with cyber liability insurance.
In 2014, card issuers experienced losses from fraud in excess of $16 billion, with reports that more than 13 million card users had been victimized by fraud. After one year of use, Visa and Mastercard reported almost 50 percent reductions in fraud incidents as a result of the new EMV technology. The technology, however, is not foolproof. A European hacker ring stole almost $700,000 with a scheme that cracked an earlier generation of EMV cards.
The retail industry and other entities in other industries that accept credit card payments are vulnerable to many of the risks that plagued older types of credit cards:
- Signature verification is easier than PIN verification. Retailers default to a card user’s signature to speed up transactions and to avoid problems with chip readers and PIN input machines.
- As in-person fraud has been reduced, ecommerce fraud is increasing. Retailers accept credit card information by phone or in online transactions with 3-digit card verification values (“CVVs”) imprinted in each card, but those CVVs are easy for cyber thieves to steal along with the card number itself.
- Payment processing machines do not encrypt payment information. This increases the risk that hackers can steal card information and rewrite a card’s coding to allow it to be used fraudulently.
The most significant drawback for entities that accept credit card payments is that with the new EMV chip technology, liability for credit card fraud has shifted to the party that is least compliant with EMV standards. Merchants that do not procure updated equipment that is capable of accepting EMV cards will bear the entire cost of any fraudulent use of the card, with no liability going back to the card’s issuer. Those merchants have two options: update their equipment, and procure cyber liability insurance to cover the costs of any fraudulent transactions that have victimized them.
Updating equipment will need to go in lockstep with merchants assuring their customers that the few extra seconds required by each EMV transaction are well worth the wait. As equipment improves and more merchants transition to chip-and-PIN credit card readers, those few seconds will be less of an issue.
Cyber liability insurance is the last defense that a merchant can erect against financial losses that will continue, even with the extra security provided by EMV credit cards. This insurance will protect a merchant from direct financial losses that card issuers have shifted to them with the new cards, and from any third-party exposure and liability that merchants may have as a result of any loss of customer data that they hold. Small merchants do not expect to be the targets of cyberattacks, but any business, regardless of size, that accepts credit cards for payments is opening a door to credit card fraud and other data losses that can have a serious impact on a small company’s profitability. Cyber liability insurance will help a business maintain a healthy bottom line in the face of growing credit card fraud problems.