Saturday, September 12, 2015

Liability Shift (Tradecraft)

Starting in 18 days, there's a shift in who's liable for bad credit cards. Right now, if we accept a card and there's some fraud or other problem related to it, the issuer absorbs it. The US is woefully behind the rest of the civilized world when it comes to credit card technology, because card issuers dug in their heels and decided it was cheaper to pay out fraud claims than implement new technology. That was the past though, and as they watched fraud double over the past seven years, they decided to get off their butts and implement some security.

Unfortunately, they took a perfectly good standard and nerfed it. They took EMV chip cards and half-assed the implementation. EMV stands for Europay, MasterCard and Visa, a standard controlled by a consortium of the six largest card issuers. The EMV card itself isn't half-assed, it's cool, smart chip technology. The American deployment of EMV is what's half-assed. Let me tell you why.

I need to do a brief primer on computer security. This will take just a moment of your time. I once did a big user authentication security project and learned about the various "factors" of authentication. A good example of single factor authentication is "something you have." For example, your credit card. It's something you have. It's the weakest form of security, since anyone who has it can use it. Two factor authentication would be something you have, combined with something you know, like a PIN. There's obviously fraud potential there too, but far less than one factor authentication. For the sake of trivia, three factor authentication would include "something you are," like a fingerprint or retina scan. It's super secure and a reason Apple Pay and similar smart phone technology is kind of exciting; it can be three factor.

EMV chip cards should be two factor authentication PIN cards. The tech is there. However, the card issuers decided that's too complicated for Americans, so instead we get these really high tech chip cards, with no second factor. It's basically no more secure than it is now on the front end. People can still steal your card and use it; in our case it's usually kids with their parents' cards. On the plus side, the chip technology prevents counterfeiting and shenanigans on the back end like we get with easy-to-replicate magnetic strips.

For this modest improvement in security, the issuers have shifted the liability to retailers. As of October 1st, if someone has an EMV chip card and they use a traditional swiper, which almost everyone still has, and there's fraud, it's now on the retailer. Hey, we did our part by issuing chip cards, now you implement the new technology on your end, retailer.

This has come up on retailers far too fast. Plus, it's not like we can just pick a solution off the shelf. Our credit card processors, mostly small businesses, need to provide this new hardware. In our case, we had to switch processors to get it. It's especially complicated because there are many different point of sale systems and each has various hardware and software requirements.

The big credit card companies delayed forever when it was their turn, but now we've got this technology foisted far too quickly on retailers, who are far less organized and are dependent on others for technology. Most retailers I talk to don't even know it's coming. To be completely honest, most don't even understand what I'm talking about.

So yesterday we got our super fancy EMV chip card reader. This was a project of mine, finding a way to beat the deadline. It's not like I was wasting time on this. I'm two weeks from the deadline and it's unlikely I could have done it much faster.

Not only does our new terminal read EMV chip cards, it also does other cool things like Apple Pay, debit cards (our old terminal couldn't do them) and the holy grail of point of sale technology, electronic signature capture. I have plastic buckets full of signature sheets. The terminal is way cooler on the front end than the kludgy way it integrates with our POS, but that's our problem (and a future project).

So are we set for October 1st? Nope. The company that leases us this high tech device is furiously working on the back end software to make those chip cards work. Do you think it will be ready in 18 days? Do you think we'll get a reprieve like the big card issuers? Do you think we'll get instruction on how and when to start using EMV cards? Unlikely.
