IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Government Now Liable for Fraud Under Credit, Debit Liability Shift

Oct. 1 signaled the start of a new fraud liability for payment takers and merchants without updated chip-enabled credit and debit terminals.

As of Oct. 1, an industrywide “liability shift” for credit card fraud has occurred: Merchants not meeting the Europay, MasterCard and Visa (EMV) specifications are now responsible for fraudulent payments — and government is no exception.

The EMV movement will mean the replacement of magnetic payment terminals for chip-enabled systems, which are already in place at many large retail locations across the country. The chip technology is also in place in more than 80 countries around the world. 

“The liability shift protects the entity — be it merchant or bank — who offers the greater level of security by holding the other entity with less secure systems responsible for fraud,” MasterCard spokesperson James Issokson said. “For example, if fraud occurs when a magnetic stripe card is swiped at a chip-enabled terminal, the bank is responsible for the fraud. And vice versa, if fraud occurs when a chip card is used at a terminal that hasn’t been upgraded, the merchant is responsible for the fraud. Prior, the issuing banks were held responsible for fraud. Now the responsibility is shared.”

Issokson said the liability shift was originally announced in early 2012 to allow time for businesses to plan accordingly.

“The Oct. 1, 2015, liability shift is a milestone for the U.S. but not a deadline," he said. "Merchants are encouraged to assess their business and their risk, as well as the experience they want their customers to have, and migrate when it make sense for them."

But retailers won’t be the only ones on the hook for fraudulent charges made through the now-outdated terminals. Issokson said government agencies who handle credit and debit transactions will be held to the same standards.

The embedded chip uses cryptography to create a one-time identification code for each transaction, making the cards more difficult to forge than non-embedded cards. 

“Chip cards offer advanced security in store and at the ATM because they are inserted into payment terminals where the chip in the card and the terminal ‘talk’ and generate unique codes for transactions,” he said. “If someone were to use this unique code again, the transaction would be flagged as fraudulent. Conventional magnetic stripe swipe cards use static data. This is how chip cards help eliminate counterfeit fraud.”

As for whether government should rush to make the switch, Mukesh Patel, president of NIC Services, told Government Technology in July that his company is recommending that its public-sector partners analyze their history of chargebacks and fraudulent transactions, and then make a business decision as to whether it’s beneficial to invest heavily in the terminals.

“Just from our experience, with the 28 to 30 states we work with, government services in general don’t tend to have a high fraudulence rate," he said, "because as a citizen you wouldn’t go to your DMV and renew your own driver’s license with a stolen card. It would be very easy to find out who you are.”

NIC’s recommendation is that unless an office encounters a high incidence of payment card fraud, they should wait to see what happens in the industry.

According to statistics published by the Payment Security Task Force, an industry collective focused on payment system security, nearly 100 percent of cards will feature the chip technology by 2017. At the moment, financial institutions estimate only 30 percent of cards are embedded with the security device.

“For now, we’ll continue to see magnetic stripes as new layers of security like chips are added to the payments ecosystem. So consumers who have been issued a new chip card will still see a magnetic stripe on the back,” Issokson said, adding that merchants should contact their payment service provider to find out how to upgrade their terminals.

Eyragon Eidam is the web editor for Government Technology magazine, after previously serving as assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at eeidam@erepublic.com.