What is EMV compliance law and should your business worry about it?
Key takeaways
- Businesses should be EMV compliant to avoid being held responsible for credit card fraud.
- EMV compliance requires businesses to use EMV card readers to process credit card transactions.
- Your business could still face liability for fraud in some situations, even if you are EMV compliant.
As with all forms of payment, businesses that accept credit cards face an inherent level of risk. Hackers and thieves make a career of figuring out ways to steal your customers’ credit card details so they can run up fraudulent charges for in-person and online purchases.
Fortunately, many credit cards come with zero fraud liability protection, meaning your customers won’t be on the hook for fraudulent charges posted to their accounts. Further protection afforded by the Fair Credit Billing Act (FCBA) ensures they’ll never be liable for more than $50 in fraudulent charges posted to the account. But if your business doesn’t have an EMV-compliant point-of-sale system to accept chip credit cards, it could be a costly mistake.
A cautionary tale
Daniel Vasquez, owner of Miami-based Dynamic Auto Movers, said he learned a “hard lesson” in April 2023 after he continued using a MagTek magnetic stripe card reader that wasn’t EMV compliant. “Many companies are still unaware that if they are not EMV compliant, fraudulent transactions are directly blamed on them rather than the bank.”
Those chargebacks cost the company around $15,000, said Vasquez. “On top of that, our processing fees shot up because of the non-compliance,” he added. But after upgrading to an EMV-compliant system, everything improved, said Vasquez. “Our fraud rates decreased dramatically and clients felt safer doing business with us,” he said. “What is frequently missed [by businesses] is that EMV compliance does more than simply prevent fraud. It also develops trust and boosts your reputation, adding genuine long-term value to your organization.”
Chip card protections
Another layer of protection you can expect to see with most credit cards comes in the form of a chip, located on the left mid-side. Chip-enabled credit cards are also called EMV-enabled credit cards, due to the EMV technology used to create them (EMV stands for “Europay, Mastercard and Visa,” signifying the three major credit card providers).
Before chip technology, all credit cards used a magnetic stripe to store cardholder data. But where magnetic stripe credit cards can be “skimmed” by hackers and thieves, this type of theft is much less common with chip credit cards.
Today, chip cards can be either:
- Chip-and-PIN cards, which require customers to enter their personal identification number (PIN) to complete a transaction, or
- Chip-and-signature cards, which use a signature instead of a PIN to verify the cardholder’s identity.
With both types of chip cards, the embedded chip holds your payment data and provides a unique code for every purchase made. The code that is generated is only good for that single transaction, and the codes are always changing. As a result, credit cards with chip technology are considerably more difficult to hack than their magnetic stripe counterparts. However, that extra protection means chip cards take a bit longer to process.
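The per-transaction code described above can be sketched as follows. This is an added example, not code from the original article or from EMVCo; it uses HMAC-SHA256 and a simple counter as stand-ins for the card's real cryptogram algorithm, and the class and field names are hypothetical.

```python
import hashlib
import hmac
import secrets


class ChipCard:
    """Simplified chip: the key never leaves the card; the counter rises per use."""
    def __init__(self, key: bytes):
        self._key = key
        self.counter = 0

    def sign(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        # Each purchase binds the amount, a fresh terminal value and the counter.
        self.counter += 1
        msg = f"{amount_cents}|{self.counter}|".encode() + terminal_nonce
        code = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"amount": amount_cents, "counter": self.counter,
                "nonce": terminal_nonce, "code": code}


class Issuer:
    """Holds the same key and the highest counter it has accepted so far."""
    def __init__(self, key: bytes):
        self._key = key
        self.last_counter = 0

    def authorize(self, txn: dict) -> bool:
        msg = f"{txn['amount']}|{txn['counter']}|".encode() + txn["nonce"]
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn["code"]):
            return False  # amount, counter or nonce was altered
        if txn["counter"] <= self.last_counter:
            return False  # this code was already used once
        self.last_counter = txn["counter"]
        return True


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed sample key, not real card data
    card, issuer = ChipCard(key), Issuer(key)
    first = card.sign(2500, secrets.token_bytes(4))
    return {"first_use": issuer.authorize(first),
            "replayed": issuer.authorize(first),
            "altered_amount": issuer.authorize({**first, "amount": 99900}),
            "next_purchase": issuer.authorize(card.sign(1200, secrets.token_bytes(4)))}


if __name__ == "__main__":
    print(demo())
```

A copied code is rejected on reuse and cannot be adapted to a different amount, whereas data copied from a magnetic stripe never changes between purchases.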
While EMV technology is intended to cut down on consumer credit card fraud, it also helps businesses reduce chargebacks that result from fraudulent purchases.
How do customers use an EMV card to make a purchase?
Compared to swiping magnetic stripe cards, completing an in-person transaction with an EMV-enabled credit card requires a different process.
Specifically, both chip-and-PIN and chip-and-signature credit cards require shoppers to dip their credit card into the terminal, at which point the card is read and a unique token is created for the transaction. From there, cardholders either enter their PINs (if they have chip-and-PIN credit cards) or provide their signatures (if they hold chip-and-signature cards).
What is the EMV compliance standard?
Major credit card issuers asked that most U.S. businesses that accept credit cards move toward an EMV-compliant credit card point of sale (POS) system by Oct. 1, 2015 (for fuel retailers, the EMV liability deadline was April 2021).
This deadline also instituted a shift in liability in terms of who would be responsible for fraudulent charges. Prior to Oct. 1, 2015, either the merchant or card issuer could be held liable for losses due to fraud. After this date, however, liability shifted to whichever party — the merchant or the card issuer — was the least compliant with EMV requirements.
In theory, this deadline should have been enough to motivate businesses to change their payment systems in order to reduce fraud and avoid financial losses. However, many businesses have not yet upgraded their payment systems, though there is momentum in the right direction.
Nearly 13 billion chip cards were in global circulation in 2022, up seven percent compared to the year before, according to Mountain View, Calif.-based EMVCo, a partnership that specializes in payment specifications, security, interoperability and secure payments. It was founded in 1999 and is collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa.
EMVCo data also shows that 69 percent of all issued cards are EMV-enabled and 93 percent of all card-present transactions conducted globally used EMV chip technology.
How does EMV compliance affect you as a business owner?
Businesses are not currently being fined for failing to upgrade their payment systems. If you’re a business owner who hasn’t yet upgraded to EMV-compliant systems, you should do so — but you won’t be on the hook for government penalties if you don’t make the change.
While EMV compliance is more of an industry standard that serves as a guideline, rather than a government-mandated law, you could still face liability for fraud and chargeback situations if you aren’t compliant.
In order to minimize your risk of being held liable for credit card fraud, there are a few measures you’ll want to take, including:
- Ensure you’re compliant with the EMV standard
- Make the switch to EMV-compliant card readers if you haven’t already done so
- Acquire POS systems that are EMV compatible
- Have mobile readers that accept chip cards
Vendors such as Square offer EMV-compliant readers for small businesses that you can easily use at your point of sale.
When will you be liable?
If you haven’t upgraded to an EMV-compliant card terminal, but you process EMV credit card transactions, you may be found liable if any fraud occurs. That’s because the card issuer was compliant but you weren’t, since you haven’t upgraded your card reader to be EMV compliant.
Even if you have upgraded to an EMV-compliant card terminal, you may be liable for fraudulent transactions if you manually entered the customer’s card information rather than processing the card in the terminal.
When will you not be liable?
If you process a magnetic stripe card on your EMV-compliant card terminal and the transaction turns out to be fraudulent, you likely won’t be held liable since you used an upgraded card reader.
Further, if you process an EMV credit card on your EMV-compliant system and the transaction turns out to be fraudulent, you shouldn’t be held responsible since you’re compliant with the EMV standard.
Among merchants completing their chip upgrade, counterfeit fraud dropped 76 percent between September 2015 and December 2018, according to Visa. Consider partnering with an EMV-compliant payment processing company to eliminate liability and reduce stress. Potential companies include PayPal, Clover and Shopify.
How small businesses should adjust their practices
Make it a practice to keep copies of credit card receipts and relevant order documentation. If you ever have to make a case to a card issuer refuting a customer chargeback, having all the information at hand can help you make a good case.
For instance, in a case of “card not present” fraud, you could present the issuer with shipping information and delivery confirmation, as well as any records of your communication with the customer.
Finally, make it a policy that, if a customer transaction doesn’t go through on your EMV-compliant card reader, you won’t manually enter their card information.
The bottom line
It’s been 10 years since the EMV liability shift put the burden on small business merchants when it comes to accepting credit cards, said Robert Livingstone, CEO of NoRate.com and IdealCost.com, who advises owners on how to protect themselves from unfair fees, disputes, noncompliant payment systems and fraud.
“There are many POS systems that have not been upgraded and will only swipe a credit card. Small business clients with that setup are setting themselves up for several problems,” said Livingstone. “They include a 1 percent or greater additional charge for non-EMV transactions and losing cardholder charge disputes for fraud and virtually any other reasons.”
The exact amount of these charges is determined by participating credit card processors, said Livingstone. “Visa has a fallback program charging merchants if 10 percent or more of their total sales are non-EMV,” he said.
Scammers can target businesses that don’t have an upgraded POS system, said Livingstone. “They can target those businesses and ring up a bunch of charges knowing that they’ll likely never have to actually pay for any products or services,” he warned.
EMV-enabled credit cards are usable anywhere credit cards are accepted, but businesses should also know the U.S. is still behind other regions worldwide when it comes to EMV technology. In Europe, for example, most countries made the transition to EMV technology years ago, and chip-and-PIN cards are now the norm.
If you’re a business owner, be aware that while you can’t be legally prosecuted for not upgrading to EMV-compliant payment systems, making the switch should still be a priority. With the deadline for EMV implementations now passed, you risk facing liability in credit card fraud situations if your business remains out of compliance with this industry standard.