Are You and Your ATM at Risk for Fraud?

October 1, 2015 was the deadline for US retailers to switch over to a payment technology called EMV.  EMV stands for Europay, MasterCard, and Visa; which are the three companies that created the standard.

The process of migrating to EMV technology was to provide better protection against counterfeit fraud.  EMV cards have microprocessor chips inside which make it more difficult for anyone to steal account information while using the card.  The microprocessor chip in the EMV card generates a unique code for every transaction, so although a fraudster may be able to obtain the code, it becomes virtually useless and won’t work a second time for a different transaction.  In addition, the code cannot be traced back to the actual card number.

Liability shift

Prior to the deadline for EMV technology, credit card issuers were mainly responsible for fraudulent purchases.  If someone stole a card number and used it to buy goods or services, the card issuer (not the consumer or the retailer) would be responsible for covering the cost.  After the deadline, if retailers did not accept EMV cards, it became up to them, rather than the card issuer, to cover the cost of counterfeit fraud.

Information provided by Visa was, “The party that has made investment in EMV deployment is protected from financial liability for card-present counterfeit fraud losses on this date.  If neither or both parties are EMV compliant, the fraud liability remains the same as it is today.”

ATM liability shift

October 1, 2016 was the date that MasterCard shifted liability for fraudulent ATM usage, while Visa shifted its liability for fraudulent ATM usage on October 1, 2017.  What does that all really mean?  Although not mandated (which means that an ATM owner will not be penalized for non-compliance), the ATM owner can be exposed or held liable for any counterfeit or lost/stolen fraud if the ATM is not EMV chip enabled.

So, basically it means the same for the ATM owner as it did earlier in 2015 for the retailers that did not migrate to EMV technology.   If the ATM owner has not made the investment in EMV technology on its ATMs, they would be liable for any ATM fraud that was committed at its machines. 

Liability shifts apply only to counterfeit or lost/stolen cards used at an ATM and not for other types of fraud, such as skimming, malware attacks on the ATM software, or cyber-attacks.

The liability shifts do not apply to card-not-present transactions.  In these cases, the liability remains subject to existing liability and chargeback rules.

Where do you go from here?

Making the decision to update ATMs with EMV technology should be based on a bank’s tolerance for risk versus the cost of the upgrades, which based on information from industry experts, has been estimated to cost up to $3,000 per ATM.  Part of the decision making process may include analyzing traffic and usage (can the bank recoup the costs within a reasonable time), determining which ATMs may be at end of its life cycle and whether it’s worth upgrading or replacing, and assessing ATM hardware/software vendors, as well as ATM servicing vendors.

Whatever the immediate decision, it is important to realize that upgrading to EMV technology is inevitable.  Taking the necessary steps to upgrade today may help to reduce future costs of fraud.  Experience in other countries has proven that non-EMV compliant ATMs have faced an increasingly aggressive threat of counterfeit transactions, which in turn; increased the chargeback liability to the ATM owner.