New Credit Card Chips Shift Liability to Retailers
By: Andrew Cohn (Insurance Journal) December 2015
On Oct. 1, 2015, many of the insurance industry’s clients took on a lot more risk, and may not even know it. The Payment Card Industry, PCI, which is the self-regulating organization that oversees everyone that accepts or issues payment cards, set the date of Oct. 1, for point-of-sale machines to begin accepting “chip cards.”
By now, most consumers have received at least one of these chip cards in the mail, but they may not have seen many businesses accepting the cards, except big name stores such as Target, Publix and Wal-Mart. The announcement of the 2015 integration date came in August 2011, and many notices and warnings have been issued in the past year. But many, if not most, retailer insurance clients probably do not have the machines necessary to accept these cards. And that’s kind of a big deal because effective Oct. 1, the liability for fraud was shifted from the banks, to them. And they expect their risk managers and insurance professionals to assist them in managing these risks.
First, let’s go over the basics. The new cards already have a few nomenclatures, so it’s important to be familiar with them if clients use any variations of them. They are called chip cards, Chip and Pin, or EMV, which stands for Europay, Mastercard and Visa. They could also be referred to NFC, or Near Field Communications, which is actually just a feature that some of the cards will have that enable the user to tap the card against a reader, instead of dipping the card in for the chip to be read.
Signatures will still be required, at least until the PIN part of the chip and pin is implemented. The new cards still have the magnetic strips on the back as a convenience for customers if the merchant does not have the ability to read the chip. But due to the shift in liability, this benefits the customer and the bank, not your client, the business.
Payment Card Fraud
It is undisputed that fraud in the payment card industry in rampant. Everyone has read about the breaches and hacks involving Target, TJX, Home Depot and others. According to the Wall Street Journal, fraud last year in brick and mortar stores in the U.S. accounted for more than $3.8 billion of the estimated $10 billion in annual fraud in the payment card industry.
The hope is that the new chip card technology will reduce fraud significantly. The old cards work by swiping a magnetic strip through a point-of-sale machine which sends the card’s data to be processed by the bank and then back to the point-of-sale machine to complete the sale. The chip machines will do the same thing, but now instead of sending the card’s information it will send a one-time use code to process that transaction. So if that code is intercepted or stolen, it will be useless, versus stealing the credit card number from the magnetic strip which could be used again and again until the card is cancelled. The magnetic strip cards stored data, which was unchanging and could be replicated by counterfeit card makers or simply used without the card present.
The technology has been around for a few years and is widely used in Europe. The end-game in the United States will be a chip and pin payment card transaction. This will mean that you slide your card into the machine, and then you put a PIN code in, like you do when using a debit card. Oct. 1 was a big date in the United States because that is the day that the payment card industry set for the shift for point-of-sale (POS) machines to accept the new chip technology, with the exception of fuel dispensers, which do not have to comply until 2017. After that date, if a business has a POS that doesn’t accept the chip card, the customer has a chip card, and there is fraud, the banks will no longer accept the liability for that fraud. This deadline currently has no effect on card-not-present merchants, which are typically businesses that accept payments over the Internet or phone.
New Liability for Merchants
It is very important for insurance brokers to make their clients aware of their new liability if they do not switch to the chip reader machines. It is estimated that as many as 75 percent of merchants have not switched to the new terminals that can accept the chip technology.
Insurance may help as a risk transfer tool, but insurance professionals should be focused on risk avoidance and risk reduction, which can be accomplished by switching to the new point-of-sale terminals that accept the chip technology.
However, the time an agent is speaking with clients about their new liability is a perfect opportunity to discuss their need for privacy liability insurance. Privacy liability or cyber liability protects a business for the damages they are liable due to a variety of claims scenarios depending on the type of coverage selected. Many policies are designed to cover events such as privacy breaches, viruses, cyber extortion, intellectual property infringement, denial of service attacks, data destruction, fines due to regulations such as HIPAA, PCI and more. Some policies are silent on whether they will cover fraud arising from not having the chip card readers; others require compliance with payment card industry standards.
Insurance professionals are well aware that policy forms and conditions differ, but with cyber liability every insurer’s forms are different. It’s very important to read the policies and work with professionals to get the best policy for each situation. Agents should discuss these concerns with their customers, and get a full picture of what their actual exposures are, so they can offer coverage necessary for their customers’ actual risks.
Now is the time for agents to meet with clients, explain the chip card changes to them, and make sure they are adequately protected for all of their liabilities, not just the slips and falls. They’ve been reading about hacks and breaches every week, and they are concerned. This is the time to educate them about how they can be better prepared to prevent a loss, and to be protected when the loss occurs.
