In a little-noticed but highly significant event, two small Florida merchants are lead plaintiffs in a potential class action suing the financial services industry for conspiring to get the merchants to eat more fraud. The merchants point out that their fraud rates and charges have risen more than twenty times since the October 2015 EMV deadlines that shift liability for card-present card fraud from the banks to merchants if the merchants are not accepting chip transactions.
For more information on this, please refer to bobsullivan.net.
This is unfair because merchants cannot accept EMV chip card transactions unless their equipment is EMV certified and there is a long backlog and queue for this certification process. The plaintiffs did what they could and installed the necessary EMV equipment long ago, but cannot turn the chip readers on. Many card-accepting companies throughout the U.S. are in the same position.
We pointed this problem out last September when we learned of this potential crisis brewing, but we did not realize it would end up this bad. See blogs.gartner.com.
In the meantime, interestingly, the FTC just announced it will study credit card industry data security auditing practices (à la PCI). See ftc.gov.
I was encouraged to read about this FTC study because the PCI audit/assessment process is notoriously uneven, and way too dependent on the subjective views of the auditors, some (but certainly not all) of whom have little expertise. Also, there have been financial revenue-sharing arrangements in the past between the PCI assessment firms and the merchant acquiring processors, which seems like a major conflict of interest to me. Auditors should remain independent of all parties.
Another major conflict of interest is that the qualified assessment firms are able to sell PCI remediation services after their audits to ‘fix’ the problems they uncover in their audits. Together, these conflicts of interest compromise the integrity and usefulness of the audits.
I hope the FTC takes the time to study the trade practices involved in the EMV liability shift as well. It’s a lot more complicated than PCI audits but heavily related.