When the EMV card liability shift happened in October 2015, the situation seemed to be fairly straightforward: If merchants wanted to avoid new rules transferring liability for stolen or counterfeit cards to them, they needed to accept the more secure types of payment cards outfitted with a Europay, MasterCard and Visa (EMV) chip.
Those cards, widely accepted nearly everywhere in the world except in the United States, are nearly impossible to counterfeit and provide great security in transactions because they can be used with a PIN code authenticated by the credit card network.
Unfortunately, that’s not how things worked out. October came, and merchants began buying the new credit card readers and point-of-sale (POS) systems designed to accept the EMV cards. But then the merchants found that their supposedly secure transactions actually weren’t secure, and the credit card companies weren’t protecting them from losses despite their buy-in to the new technology.
This was because the big credit card companies, primarily MasterCard and Visa, were requiring that each credit card terminal be certified and because those same companies were not permitting the use of cards that used PIN codes for authentication.
Merchants soon learned it was nearly impossible to obtain certifications for those terminals from the credit card companies. Furthermore, even though merchants had the new credit card terminals, they were getting hit with the cost of fraudulent transactions anyway.
The problem with using PINs at terminals was more complex and caused a lot of finger-pointing. The use of PINs at a card reader requires access to a PIN processing network. But with the advent of EMV cards, the credit card companies decided the PIN network they’d been using wouldn’t do and required a new authentication network, run by (surprise!) Visa and MasterCard.
Another complication emerged when the credit card companies decided that merchants no longer could require the use of PINs, but had to allow the use of signatures with the chip-enabled cards. Perhaps it should be no surprise that the processing of signatures through those captive networks suddenly was much more expensive than it was to use other networks.
Merchants, then, were being hit in two directions: They were seeing a huge increase in chargebacks because of fraudulent card use, yet they couldn’t protect themselves by demanding the use of more secure chip and PIN cards.
In some cases, the situation was worse than it had been: Merchants were not able to insist on PIN use for chip-enabled debit cards, which meant they had to accept the liability for those in addition to the credit cards.
Because of those issues, there are two sets of lawsuits. In one, some large retailers including Walmart, Home Depot and Kroger are suing because the credit card companies and their issuing banks won’t let them require PINs for payment cards that have them, including debit cards, for which, until now, PINs were the standard.
The other set of lawsuits, one of which is a class action lawsuit from a number of plaintiffs who were unable to get their new EMV terminals certified, claims that by requiring the certified EMV terminals and then not making certification available, the credit card companies were unfairly forcing them to pay for chargebacks when they were unable to accept EMV cards through no fault of their own.
All of the lawsuits are being heard in federal court because they allege violation of the Sherman Antitrust Act and the Clayton Antitrust Act. The lawsuits claim that the banks and card issuers were in collusion when they set the credit card rules and when they chose not to allow the use of more secure authentication.
Meanwhile, Visa is suing Walmart for using a non-Visa PIN network so that it can require the use of PIN codes for EMV debit cards. There’s a federal law that’s supposed to allow merchants to choose their debit card processing network, but apparently Visa is trying to work around that. A number of merchant industry groups are working to get credit card processing networks covered by the same law, but currently they’re not.
Adding insult to injury, when merchants pay their credit card processors for the service, part of the payment is supposed to cover the cost of chargebacks due to fraudulent use. After the liability shift, the credit card merchant fees haven’t changed, even though the merchants are now paying for the chargebacks. Effectively, they’re paying double for those chargebacks.
So far, the credit card companies and the banks have shown little interest in helping their merchants, either by speeding up certification or by lowering merchant processing fees. But that may change. According to a representative for the law firm handling the class action suit, the defendants—Visa, MasterCard, etc.—are required to respond to the complaints by this week.
What has become clear in all this is that the transition to what were supposed to be secure payment cards in the United States has become a mess. If the plaintiffs are to be believed, it appears that the credit card companies and the banks have found a new means to rip off merchants and their customers.
While the credit card companies and their banks probably would beg to differ, the allegations in the suits are pretty compelling. My experience in years of covering this area of payment card security seems to support that.
For that matter, so does my personal experience with chip and PIN cards: two credit cards I use that used to be chip and PIN payment cards now aren’t. They’ve been devolved into signature cards, and repeated efforts to change them back have been rebuffed.