Mr. Hogan

Revenue Management

Understanding the EMV Fraud Liability Shift

Why it May be Time to Switch to the Chip

By David Hogan, Executive Director of Major Accounts, Heartland Payment Systems

Even though it's been almost 18 months since the U.S. migrated to EMV smart-chip based payment technology, many businesses - for various reasons - are still hesitant to get on board. Many hotel property management system products don't support EMV acceptance, even though almost 80 percent of credit cards are now issued with smart chips. In fact, credit card issuers prioritized which cards were issued with chips first, which included high-limit international or travel cards - the types of cards being used often in hotels. Without the ability to accept EMV transactions, business owners - including hoteliers like you - are seeing liability shift chargebacks for which there is no defense.

EMV Liability Shift Explained

EMV, which stands for Europay, MasterCard and Visa, is now the global standard for cards equipped with computer chips and the technology used to authenticate chip-card transactions. For most consumers, it's the difference between swiping a magnetic strip card and "dipping" a chip-enabled card. Migrating to EMV technology improves payment security for consumers and protects merchants from counterfeit fraud, which seems to have become much too commonplace in the past decade (think: large data breaches).

With the push by the card brands to have merchants update their payment's eco-system to EMV, came the "liability shift." As of Oct. 1, 2015, U.S. credit card companies (MasterCard, Visa, Discover and American Express) shifted card-present fraud liability to whichever party is the least EMV-compliant in a fraudulent transaction, most often the merchant. One important thing to note - the liability shift only applies to card-present fraud. It does not affect online sales, only face-to-face card-present sales.

Although some business owners feel inundated with news about the liability shift, it's possible you haven't heard of it at all. In a survey released last fall by Wells Fargo and Gallup, a majority of small business owners were unaware of it. If you're part of that majority, the main takeaway is this: As long as your business has the ability to process an EMV-enabled chip card, you will never be liable for counterfeit transactions, regardless of the card type. The next step is deciding whether upgrading to EMV is worth the cost and effort.

Most hoteliers already realize that updating to EMV technology isn't always cheap or simple. Not only is there a cost, time and training associated with updating the physical equipment, there are also other processes involved. As of October 2016, Visa reported that about 37 percent of merchants are EMV-ready. This slow merchant migration is at least in part due to a delay in EMV terminal certifications. In some instances, hotels may have the right equipment in place, but their property management systems and related point of sale have not been certified by the card brand, which means the merchant cannot configure the reader to process chip-card transactions. Unfortunately, this sends a complicated message to the consumer, whether there's a note on the chip reader saying they must still swipe their card or the place to dip the EMV card is taped off. Each card network (Visa, MasterCard, American Express and Discover) must test and certify a merchant's EMV upgrades, and the merchant must wait until all card networks have approved before they can use the EMV terminal. Basically, according to the liability shift terms, if the merchant has the equipment in place, but has to wait for certification before using it, the merchant is still responsible for fraudulent chargebacks until the terminals are certified.

To combat the issues caused by the certification process, Visa and MasterCard announced last summer that they would simplify the certification process and limit the costs retailers may incur for counterfeit transactions while they wait. Visa said card issuing banks will stop sending fraudulent EMV chargebacks to merchants on transactions below $25, and merchants would only be responsible for chargebacks on a maximum of 10 transactions per account, with banks assuming liability above that level as of October 2016. For hotels, the $25 minimum has little impact considering the average ticket for a hotel transaction is much higher than $25. The 10 transaction maximum, however, could be helpful. For example, if there are 40 fraudulent sales across the country but the bank can only dispute 10, the hotel may not be one of the 10 items.

How the Technology Works

Traditional magnetic strip cards contain static data, making them a prime target for counterfeiters. They can access the sensitive card data and cardholder information and replicate the data to sell to fraudsters online. On the other hand, an EMV card is equipped with a smart chip, which creates a unique transaction code that cannot be used again. Even if a counterfeiter stole the chip information and used it, the card would be denied if the merchant running the transaction used EMV technology.

According to the Nilson Report, card issuers in the U.S. lost $4.91 billion and merchants lost $2.95 billion to counterfeit card fraud in 2015. In some ways, the liability shift is intended to spread out the liability more equally and incentivize merchants to switch to the chip. Other countries that have implemented EMV technology have seen significantly reduced rates of fraud. In the U.S. - the only country where counterfeit card fraud is consistently growing - Visa reported a 43 percent drop in counterfeit fraud among its EMV-enabled merchants from October 2015 to October 2016. MasterCard reported a 54 percent decrease from April 2015 to April 2016. Although in-person credit card fraud has declined by more than half due to EMV chip-reading technology, there has been a 77 percent increase in counterfeit fraud costs year over year for larger U.S. merchants that have not yet adopted EMV.

What About NFC-Enabled Cards?

Dipping a smart-chip enabled card isn't the only option. There is also a technology called near field communication, NFC-enabled cards, which are tapped against a terminal scanner that can pick up the card data from the embedded chip. Although there is momentum worldwide to move to dual-interface (contact and contactless chip technology), in the U.S., most financial institutions are only issuing contact cards - the kind that have to be dipped into an EMV-enabled terminal.

How Criminals Take Advantage

Hotels have been plagued for years by counterfeit, stolen and cloned credit card activity, but it's much more apparent now that liability for these fraudulent charges shifted to the party using the least secure technology.

Customers who may frequent your establishment could have been using counterfeit cards previously without exposure, because the issuing bank was taking the loss. But now, your business, and livelihood, could be held liable. If you haven't enabled EMV chip-reading technology, here are a couple tactics fraudsters could use to take advantage.

First, criminals prefer magnetic strip cards. And just because a card doesn't have a physical EMV chip (magnetic strip only card), the data on the card may still be EMV. When criminals purchase credit card numbers online, the data - regardless of whether it is magnetic strip only or EMV technology - is loaded on a standard magnetic strip counterfeit card and shipped to them. With a vast majority of U.S. credit cards now using EMV technology, odds are the counterfeit magnetic strip card they received uses EMV data.

This is when having an EMV chip-embedded card reader at your business comes in handy. If the criminal swipes the counterfeit magnetic strip credit card housing EMV data on an EMV card reader, it will prompt them to use the chip reader. They won't be able to use the card, because no actual chip exists. For this reason, fraudsters intentionally seek out non-EMV enabled businesses because the transaction process is not secure, and they can use the counterfeit magnetic strip card successfully, bringing unwanted chargebacks to your business.

Next, low-level fraudsters often make small purchase for a quick win, such as racking up room service charges or drinks at the hotel bar. Although it may only be a $50 dinner and drinks, hotel restaurants and bars are low-risk targets for criminals because law enforcement generally does not assist with recouping such a relatively small loss. But these small one-off losses can add up.

Now's the time to start thinking about upgrading to EMV before offering turn-down service to the next counterfeiter.

Protect Your Business

College and university towns, large cities and major metropolitan areas, especially near the coast, are the most vulnerable to fraudulent credit card use, but credit card fraud can happen to businesses anywhere. The best defense against credit card fraud is to install EMV chip reader terminals as soon as possible and enable the full technology - including encryption and tokenization. This combination of end-to-end encryption and tokenization protects your customer's card data as soon as the credit or debit card is used, making all data completely useless to hackers.

Different point-of-sale systems and property management systems are now available specifically for hotels that have EMV capability. Although there is an upfront cost associated with upgrading, it may be worth it when you consider the potential risk of fraudulent charges adding up.

If upgrading to EMV simply isn't an option for your business at this time, here are a few additional tips you can use to protect yourself from fraudsters.

  • Verify the last four digits of the card number match the last four digits on the printed receipt,
  • Compare the signatures on the card and receipt,
  • Check cards for legitimate features like holograms, logos, CVV/CID/CVV2 and AVS verification, etc.,
  • Never rerun a card if it declines - for any reason.

As a merchant, be sure to leverage your acquirer as a resource. They can offer a wealth of information and should be invested in your success to help you determine what type of upgrade is best for your business, whether that means upgrading existing terminals or purchasing new ones with EMV software already integrated.

Remember, the migration to EMV is still a process and being inundated with news about it likely won't come to an end anytime soon. For now, rest assured in knowing that after the headaches are gone, U.S. merchants and consumers will both be better protected. Why take the risk?

As the Executive Director of Major Accounts at Heartland Payment Systems, David Hogan leads the company’s major accounts sales team that is focused on driving significant business growth among mid-to-large level businesses in the retail and hospitality industries. Prior to joining Heartland, Mr. Hogan served as chief information officer and senior vice president of retail operations for the National Retail Federation (NRF), the world’s largest retail association. Responsible for the association’s IT, supply chain, e-commerce and loss prevention departments, he directed numerous internal and retail industry IT initiatives. Mr. Hogan has a bachelor’s degree in computer science from The Ohio State University and earned his MBA from the University of Dayton. Mr. Hogan can be contacted at 972-295-8677 or david.hogan@e-hps.com Extended Bio...

HotelExecutive.com retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.com.

Receive our daily newsletter with the latest breaking news and hotel management best practices.
Hotel Business Review on Facebook
RESOURCE CENTER - SEARCH ARCHIVES
General Search:

AUGUST: Food & Beverage: Multiplicity and Diversity are Key

Paul Hancock

Vegetables are no longer served as garnishes or accompaniments but, center stage in the dining scene in this day. Plate design and bold flavors are more paramount than ever. The “wow” effect is in full effect. Guests are more eager to try something new more than ever before. It is entertainment, so it has to be great and throughout the dining experience. There is a cultural shift happening right in front of our eyes with vegetables. Vegetables have been the unsung heroes of the plate for many decades. That is changing. READ MORE

Robert  Hood

What does a restaurant look like in 2017? To define what a restaurant is is a difficult process and not an easy thing to do considering that foodservice has evolved so much and comes in so many shapes and sizes. In 2017 restaurants are not even defined for having chairs or tables for diners or even want diners to stay after the point of food purchase and the sale is completed. This is the world of the ‘QSR’ or ‘Quick Service Restaurant’ and since it arrived it has changed restaurant culture, our food service experiences on an almost daily basis, and begs the question ‘is QSR the new fine dining?’ READ MORE

Chris Ferrier

Many hotels are overwhelmed by the thought of putting together a ‘buy local’ or ‘farm-to-table’ culinary program when they also have to serve many guests. Where do you start? Should chefs contact all the local farms, breweries, wineries, fish mongers, meat and poultry farms in their area? Should they visit each farm? Many years ago, this was what we did; but with 1,200 meals to prepare, often we would clear out the farmers’ goods and still not have enough for what we needed. READ MORE

Bobby Martyna

A key trend in hotel development is making the hotel lobby a destination for guests. Where in the past, the focus was primarily on the guest room, moving forward, brands and independents are looking to transform the lobby into a space where guests can socialize, work, snack and dine. In order for the lobby destination to be both compelling and memorable, the retail design, visual merchandising and food selection need to convey what is special about the location and must work together to deliver a surpassing guest experience. READ MORE

Coming Up In The September Online Hotel Business Review




{300x250.media}
Feature Focus
Hotel Group Meetings: Blue Skies Ahead
After a decade of sacrifice and struggle, it seems that hotels and meeting planners have every reason to be optimistic about the group meeting business going forward. By every industry benchmark and measure, 2017 is shaping up to be a record year, which means more meetings in more locations for more attendees. And though no one in the industry is complaining about this rosy outlook, the strong demand is increasing competition among meeting planners across the board – for the most desirable locations, for the best hotels, for the most creative experiences, for the most talented chefs, and for the best technology available. Because of this robust demand, hotels are in the driver’s seat and they are flexing their collective muscles. Even though over 100,000 new rooms were added last year, hotel rates are expected to rise by a minimum of 4.0%, and they are also charging fees on amenities that were often gratis in the past. In addition, hotels are offering shorter lead times on booking commitments, forcing planners to sign contracts earlier than in past years. Planners are having to work more quickly and to commit farther in advance to secure key properties. Planners are also having to meet increased attendee expectations. They no longer are content with a trade show and a few dinners; they want an experience. Planners need to find ways to create a meaningful experience to ensure that attendees walk away with an impactful memory. This kind of experiential learning can generate a deeper emotional connection, which can ultimately result in increased brand recognition, client retention, and incremental sales. The September Hotel Business Review will examine issues relevant to group business and will report on what some hotels are doing to promote this sector of their operations.