In a little-noticed but highly significant event, two small Florida merchants are lead plaintiffs in a potential class action suing the financial services industry for conspiring to get the merchants to eat more fraud. The merchants point out that their fraud rates and charges have risen more than twenty times since the October 2015 EMV deadlines, which shift liability for card-present card fraud from the banks to merchants if merchants are not accepting chip transactions.
For more information on this, please refer to bobsullivan.net.
This is unfair because merchants cannot accept EMV chip card transactions unless their equipment is EMV certified and there is a long backlog and queue for this certification process. The plaintiffs did what they could and installed the necessary EMV equipment long ago, but cannot turn the chip readers on. Many card-accepting companies throughout the U.S. are in the same position.
We pointed this problem out last September when we learned of this potential crisis brewing, but we did not realize it would end up this bad. See blogs.gartner.com.
In the meantime, interestingly, the FTC just announced it will study credit card industry data security auditing practices (à la PCI). See ftc.gov.
I was encouraged to read about this FTC study because the PCI audit/assessment process is notoriously uneven, and way too dependent on the subjective views of the auditors, some (but certainly not all) of whom have little expertise. Also, there have been financial revenue-sharing arrangements in the past between the PCI assessment firms and the merchant acquiring processors, which seems like a major conflict of interest to me. Auditors should remain independent of all parties.
Another major conflict of interest is that the qualified assessment firms are able to sell PCI remediation services after their audits to ‘fix’ the problems they uncover in their audits. Together, these conflicts of interest compromise the integrity and usefulness of the audits.
I hope the FTC takes the time to study the trade practices involved in the EMV liability shift as well. It’s a lot more complicated than PCI audits but heavily related.