The so-called "liability shift" in card fraud that occurred in October 2015 has come and gone, but questions remain about EMV cards, also known as chip cards, and what foodservice operators are required to do.

EMV stands for Europay, MasterCard and Visa, the three companies that initially worked on the technology for these safer, more secure cards. EMV cards are nearly impossible to counterfeit because they store information on a microcomputer chip that generates a unique code for each transaction. By contrast, magnetic-stripe cards contain static data that can be easily copied.

To encourage U.S. businesses to accept EMV cards, the card brands decided to make merchants liable for fraudulent card use if they hadn’t switched to EMV by October 2015. Prior to the liability shift, restaurants and other merchants were not liable for fraudulent card purchases.

Today, EMV cards have reached nearly full penetration in the U.S. market, with almost all cards now containing a chip. While EMV cards still have a magnetic stripe on the back, these dual cards will eventually disappear as more and more merchants accept EMV.

With wider acceptance of the new cards, fraudsters have begun targeting merchants who still use magstripe readers. This has put increasing pressure on smaller businesses, including independent restaurants, to adopt EMV.

“Before October 2015, restaurants weren’t aware of counterfeit-card use. It wasn’t their responsibility and no one thought to tell them,” notes Laura Knapp Chadwick, the Association’s director of membership engagement for technology and data security. “With the EMV liability shift in late 2015, your restaurant is now responsible if someone uses a counterfeit card in your restaurant. So today, you either eat those fraud costs or upgrade to EMV so you can confirm that the card presented is not a counterfeit.”

However, as Chadwick points out, “There’s still a lot of confusion surrounding EMV," including whether EMV terminals are required. Chadwick clarifies: "Congress did not pass a law requiring EMV. EMV is not a legal mandate. Instead, it is a business decision that each business must make for themselves.”

Here are some points to consider about EMV:

  • Weigh the costs. To evaluate your potential liability, look at how many, if any, of your chargebacks are due to the use of counterfeit or stolen cards. If the numbers are low, it may be hard to justify the cost of EMV-enabled terminals. Even if you experience fraud, the cost of the chargeback may be far less than the cost of installing a new EMV reader, or fleet of readers. “Many restaurants have found they can’t make the business case to integrate EMV readers into their operation,” says Chadwick. “If you’ve been hit with just one $1,000 chargeback from fraud, it doesn’t justify the cost of investing thousands upon thousands in a new point of sale system.”
  • Ask the right questions. As you upgrade your POS system, make sure the new system incorporates not only EMV technology, but also encryption and tokenization technologies. The National Restaurant Association considers these technologies far more important for restaurants than EMV, says Chadwick. Encryption technology immediately encrypts card data as it’s entered into the POS system, so it’s unintelligible even if stolen. Tokenization replaces stored card data with “tokens.” These tokens are unusable by hackers and have no value. “One of the positives of EMV,” says Larry Godfrey, vice president of U.S. product at Heartland Payment Systems, “is that the new devices do support data encryption. When you use a PCI-compliant device that encrypts data, it makes it almost impossible to steal card data.”
  • Don’t forget about mobile payments. Mobile payments are enabled either by NFC or QR codes. , as you consider payment upgrades to accept EMV cards, also be sure to consider how your restaurant can accept mobile payments.
  • Consider waiting. “Over time, EMV will become a standard part of new POS systems,” says Chadwick. “So as you upgrade, it will become a standard feature. If you are willing to bear the risk in the interim, you’ll be okay when the new upgrades come out.” In addition, new hardware will have infrastructure enhancements that are capable of biometrics, contactless payment and mobile payments.

Dealing with chargebacks

As conventional targets of counterfeit-card fraudsters, such as electronics stores, have switched to EMV, merchants who previously may not have been targets are finding themselves victims of fraud. Unfortunately, this includes many restaurants. Magstripe cards are easy to counterfeit, which means many counterfeiters aren’t sophisticated thieves. They may simply make fake cards to purchase food, cigarettes and gas. Consequently, chargebacks may be for small amounts.

Chargebacks occur when a cardholder disputes a charge on his or her credit card bill as fraudulent. The issuing bank notifies the card network and processor, and the merchant receives notice. Merchants can also see chargeback reports on their processor’s online portal.

Merchants have a right to appeal chargebacks; however, if the cardholder used an EMV card and you don't have an EMV-enabled card reader, you will not be able to prove the card was legitimate. Fraudsters use hacked files of credit and debit card numbers to make fake magstripe cards. If the personal account number (PAN) is assigned to an EMV-enabled card (and the vast majority are these days) and it's used on a magstripe reader, then the restaurant will get dinged for a EMV-related chargeback. Had the restaurant had a EMV card reader, the terminal would reject the faked card.

This post is sponsored by Heartland, a Global Payments company that delivers fast, secure omnichannel payment processing and business solutions to more than 400,000 business locations nationwide. Product offerings include payments, payroll, point of sale, customer engagement and lending. Heartland is an endorsed partner of the Association.