By Clifford Warren Lober, MD, JD, October 01, 2015
Bryan has just arrived in his office and learns that a long-time client, Dr. Warren Clifford, has called. He returns Warren’s call and begins the conversation.
Bryan: Good morning, Warren! How are you?
Warren: Bryan, I just learned that if I was not “EMV compliant” by Oct. 1, 2015, I am liable for any fraud connected with our acceptance of credit cards. What is this all about?
Bryan: Prior to Oct. 1, 2015, virtually all credit and debit cards used in the United States required the cardholder to simply swipe their card and sign a paper receipt or electronic device to acknowledge the transaction (“swipe and sign”). The static magnetic strip used on these cards was ideal for thieves who could simply “skim” the cards and begin fraudulently using them immediately and repeatedly. In order to combat skyrocketing credit card fraud, Europeans have been using EMV (Europay/ Mastercard/ VISA) contact and near-field communication (NFC) chip technology to substantially reduce credit card fraud. It is now being introduced in the United States.
Warren: You just use a lot of terms that I don’t understand. What do you mean by chip technology?
Bryan: Credit cards issued by most major financial institutions now have a chip embedded in them which, in conjunction with the merchant’s chip-compatible terminal, provide interactive verification of the user’s identity. This dynamic authentication makes fraud far more difficult. Each time the chip-enabled card is used in conjunction with a chip-compatible terminal, a new, unique number is transmitted to the issuing financial institution for authentication. The purchaser then either provides his or her PIN (“chip-and-pin”) or signs (“chip-and-sign”) to acknowledge and approve the transaction. The vast majority of all chip-enabled cards now being issued in the United States are chip-and-sign, not chip-and-pin cards. (This may be problem if the cardholder attempts to use the card in some countries where the majority of card readers are chip-and-pin, since some chip-and-sign cards may not have a PIN associated with them.)
Warren: You mentioned “contact” and “near-field communication (NFC)” technology. What do you mean?
Bryan: By contact, we mean that the cardholder places his or her card into a chip-compliant terminal. This is called “dipping” since most chip-compliant terminals have the card readers at the bottom of the device. Unlike swiping, when a card is dipped into the chip-compliant terminal it may take a moment for the card to be authenticated.
Alternatively, instead of dipping his or her card, a cardholder may be able to use NFC to tap or merely wave the card near a compatible terminal. NFC uses a radio field to enable the credit or debit card and a chip-enabled terminal to communicate over a short distance (usually less than 10 cm) so that information can be exchanged. Both the card and the terminal must be equipped with an NFC chip. You have probably seen this technology in use, such as when a “smart” phone is used to pay for transactions in a store by tapping the store’s chip-enabled terminal.
Warren: What if I do not yet have a chip-compliant terminal and a patient wants to make a payment using a chip-compliant card? Can I accept their card?
Bryan: Virtually all chip cards presently being issued also have a magnetic strip that can be swiped if the merchant does not have a chip-complaint terminal. In the future, however, it is anticipated that the magnetic strips will be deleted from credit and debit cards when the majority of merchants have chip-enabled terminals. [pagebreak]
Warren: Who is liable for fraud?
Bryan: Excellent question! Under the “swipe and sign,” chip-and-pin, or chip-and-sign methods, the cardholder is not personally responsible. Prior to Oct. 1, 2015, the issuing financial institution or bank incurred the losses in virtually all cases. After that date, if the merchant has the new chip technology and the bank has not issued the customer a chip card, or if the merchant is chip compliant and accepts a chip-embedded credit or debit card, the bank remains responsible. However, if the bank has issued the customer a chip-enabled card and the merchant is not chip compliant, the merchant now bears the liability for fraudulent activity. This is the primary reason your terminal should be chip-compatible.
Warren: Who is liable if I accept a payment over the telephone? Many of our patients call us and want to pay their balances once their insurance company has adjudicated their claims.
Bryan: That situation is known as “card-not-present” (CNP) in the financial industry. In this case, it will depend upon the contractual arrangement between you and the issuing financial entity. Most commonly, if you as the merchant have complied with the requirements (e.g., requesting the security code on the back of the card and expiration date) the liability will be on the financial institution should fraud occur. In the future, credit and debit card issuers may incorporate features such as one-time passwords or on-card displays to prevent CNP fraud.
Warren: Do all merchants have to be EMV-compliant by Oct. 1, 2015?
Bryan: No, Warren. Fuel-selling merchants such as gas stations have until Oct. 1, 2017, before the liability shift takes effect. No other merchants, including physicians who accept credit and debit cards, are exempt.
Warren: Thank, Bryan! I really appreciate your clarifying the situation.
- EMV (Europay/ Mastercard/ VISA) compliant credit and debit cards are replacing the older “swipe-and-sign” magnetic-stripped cards in the United States.
- If you are not EMV complaint as of Oct. 1, 2015, you may be liable for any fraud associated with a credit or debit card you accept that is EMV chip-enabled.
- After “dipping” his or her card into a chip-compatible terminal, the cardholder either provides his or her PIN number (“chip-and-pin”) or signs (“chip-and-sign”) to acknowledge and approve a transaction. Chip-and-sign is presently the most common form of authentication in the United States.
- Near-field communication (NFC) uses a radio field to allow a chip-enabled card and a chip-enabled terminal to exchange information when the cardholder taps or waves the card near the terminal.
- Technology such as one-time passwords and on-card displays are being explored to reduce fraud when the cardholder is not physically available to present the card.