Cyber Risk Liability Cost Shift

Effective October 1, 2015, businesses in the US will be required to install EMV (Europay Mastercard Visa) chip card readers. Following the Oct. 1 deadline, liability for fraudulent losses will fall on the entity using the less secure technology. Missing the deadline for implementing Chip and PIN technology could come with a costly price tag for banks and small businesses.

After the liability shift on October 1, if a vendor is still using the “swipe and signature” methodology and the customer has a smartcard, the merchant is liable for any fraudulent transaction. If the merchant has the new Chip and PIN technology but the bank hasn’t issued the customer a Chip and PIN card, the bank is liable. If the merchant uses Chip and PIN technology and the customer uses a smartcard and fraud still takes place, the credit card company bears the liability, as is the case today.

Where Chip and PIN technology has been adopted it has driven credit card fraud down to low levels. France, for instance, claims an 80% reduction in credit card fraud since implementing Chip and PIN. Because the card is embedded with a chip that generates a different single-use code for every transaction, hacking to acquire card data is thwarted. The technology’s proven success at reducing fraud is driving the October deadline.

In a typical consumer-vendor transaction, the card issuer, the merchant bank, and the point-of-sale card reader (the vendor) all share responsibility for keeping the details of the transaction secure. Liability for notification costs can then vary depending on how secure each member in the chain is. (The term “issuer” refers to the banks, credit unions, and other financial institutions that issue credit or debit cards, not to the credit card companies themselves.)

Notification costs are one of the biggest issues facing businesses when looking to insure against the impacts of a data breach. Regulation varies from state to state, but notification laws generally require entities that have suffered a data breach to notify their customers and other relevant parties within a certain time period.

So what does this mean from a small business perspective? Businesses that accept credit card transactions need a good cyber risk insurance policy. Such a policy will include some manner of breach response service: a third party that specializes in the services required directly after a breach is first identified, such as IT forensics and data monitoring. This helps minimize the number of notifications if the breach is still in progress, and provides advice on who will be liable for the notification costs.
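The single-use code mentioned above is what makes captured chip-card data worthless for a second transaction. The following is an added teaching example, not code from the original post and not the EMV ARQC specification: it models the idea with an HMAC over a per-card transaction counter, the amount, and a terminal nonce, and contrasts it with a static "swipe" check. All keys, names (`ChipCard`, `Issuer`, `MagstripeIssuer`, `run_scenarios`) and track data are constructed for the demonstration.

```python
"""Simplified model of a per-transaction chip cryptogram.

Constructed teaching example: it is NOT the EMV ARQC algorithm (which uses
session keys derived from issuer master keys and 3DES/AES MACs), but it shows
the same property the article relies on: every authorisation carries a code
that is only valid once.
"""
import hashlib
import hmac
import secrets

# Constructed demo key shared between the chip and the issuer.
DEMO_CARD_KEY = b"constructed-demo-card-key-not-real"


def _cryptogram(key: bytes, atc: int, amount_cents: int, unpredictable: str) -> str:
    """MAC over the transaction data. Changing the amount, the counter or the
    terminal's nonce changes the value, so it authorises this one transaction only."""
    data = f"{atc}|{amount_cents}|{unpredictable}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ChipCard:
    """The chip: holds the key and an Application Transaction Counter (ATC)."""

    def __init__(self, key: bytes = DEMO_CARD_KEY):
        self._key = key
        self.atc = 0

    def authorize(self, amount_cents: int, unpredictable: str) -> dict:
        self.atc += 1  # monotonically increasing per-card counter
        return {
            "atc": self.atc,
            "amount": amount_cents,
            "un": unpredictable,
            "cryptogram": _cryptogram(self._key, self.atc, amount_cents, unpredictable),
        }


class Issuer:
    """The issuer: recomputes the MAC and rejects counters it has already seen."""

    def __init__(self, key: bytes = DEMO_CARD_KEY):
        self._key = key
        self.last_atc = 0

    def verify(self, msg: dict) -> str:
        expected = _cryptogram(self._key, msg["atc"], msg["amount"], msg["un"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "DECLINED: cryptogram mismatch"
        if msg["atc"] <= self.last_atc:
            return "DECLINED: replayed transaction counter"
        self.last_atc = msg["atc"]
        return "APPROVED"


class MagstripeIssuer:
    """Contrast: a swipe-and-signature authorisation compares static track data,
    so data captured once is accepted every time it is presented."""

    def __init__(self, track_data: str):
        self._track = track_data

    def verify(self, presented_track: str) -> str:
        return "APPROVED" if presented_track == self._track else "DECLINED"


def terminal_nonce() -> str:
    """The terminal's 'unpredictable number': fresh random value per transaction."""
    return secrets.token_hex(4)


def run_scenarios() -> dict:
    """Constructed scenarios: one honest purchase, then reuse of the captured data."""
    card, issuer = ChipCard(), Issuer()
    honest = card.authorize(1999, terminal_nonce())
    results = {"honest": issuer.verify(honest)}
    # The same authorisation message presented a second time: counter already used.
    results["replay"] = issuer.verify(dict(honest))
    # The captured message with a different amount: MAC no longer matches.
    results["tampered"] = issuer.verify(dict(honest, amount=99999))
    # The next genuine purchase still works: new counter and nonce, new cryptogram.
    results["next_honest"] = issuer.verify(card.authorize(500, terminal_nonce()))
    # The equivalent reuse of static magstripe data is accepted.
    track = "constructed-track-2-data"
    results["magstripe_replay"] = MagstripeIssuer(track).verify(track)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16} {outcome}")
```

The two checks in `Issuer.verify` are what the article's "single-use code" amounts to in practice: the MAC binds the code to this transaction's data, and the counter check stops the same code from being accepted twice. The magstripe contrast shows why liability moves to whichever party still relies on static data.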
Notification costs can be some of the costliest elements of a breach, so it is important to make sure your organization understands where it is exposed, what it is doing to prevent a breach, and what its plan of action is should one occur.