What You Need to Know About the EMV Fraud Liability Shift
By Nicole J. Harrell and Beth A. Norton
If you are one of the 51 percent of small business owners who haven’t heard about the new credit card rule that went into effect on October 1st, you should know that there has been a significant shift in liability for credit card fraud, and that liability likely just shifted to you.
Chances are, you recently received a new debit and/or credit card from your bank in preparation for the shift. The new card, called an EMV card, contains a microchip that stores the cardholder’s data on integrated circuits rather than on a magnetic strip, which makes it more secure than magnetic strip cards. Cryptographic keys used in the transaction help protect against fraud at the point of sale, making EMV cards more difficult to counterfeit.
Previously, the card-issuer bore all the risk of a fraudulent use. Now, however, the liability for all fraudulent charges will shift to the least secure, or non-EMV compliant, party. What that means is that if the bank has issued an EMV card and the card is fraudulently used, or a retailer suffers a security breach and the cardholder’s information is obtained, the retailer bears all the liability for the fraudulent charges unless the retailer is using an EMV terminal.
The converse is also true: the bank bears the liability for fraudulent use if the retailer is using an EMV terminal. If both parties have implemented EMV technology and fraud or a breach occurs, then the bank bears the liability.
Therefore, the surest way to keep liability with the bank is to install and implement an EMV-enabled payment terminal with at least chip-and-signature capability. Chip-and-signature is the most widely used now, but chip-and-PIN will be phased in over time.
First, practice managers should contact the practice’s bank and POS device provider to learn about the process and costs associated with integrating EMV-enabled technology into the practice. Discounts on equipment may be available. Each payment card brand may also have additional guidance.
Next, given the likelihood of a breach, practice managers should engage in risk/benefit analysis to determine whether mitigating liability outweighs the cost of purchasing and implementing the EMV-enabled payment terminal and associated software. The EMV terminals still accommodate magnetic strip cards, so there is no need to maintain two terminals in order to accommodate both types of cards.
Last, if you elect to upgrade to EMV technology, your staff will need to be trained on the new devices, including the configuration and validation requirements necessary to integrate EMV with legacy systems. You will also need to make sure your IT administrator is familiar with, and compliant with, Payment Card Industry (PCI) data security standards.
Be vigilant and watch for future changes in the ever-evolving payment technology industry, particularly if you accept online payments. They’re likely the next target.
Nicole J. Harrell is the Chair of the Cybersecurity Response Team at Kaufman & Canoles. She routinely assists clients with planning and response to cyber breaches including the Payment Card Industry Security Standards. Nicole can be reached at (757) 624.3306 or njharrell@kaufcan.com.
Beth A. Norton is an associate in the Health Care Practice Group at Kaufman & Canoles. She can be reached at (757) 624.3210 or banorton@kaufcan.com.