Lou-Ellen Barkan likes to be prepared. When she learned that liabilities regarding card-present credit card fraud would shift in October, the president and CEO of the Alzheimer’s Association New York City chapter sprang into action. Barkan hopes her organization will be compliant with the new regulations for its Forget-Me-Not Gala this month even though the deadline is months away.
Credit cards embedded with microchips — called EMV cards after major issuers Europay, MasterCard and Visa, and also known as smart cards or chip cards — will become standard in the immediate future. Whereas the magnetic strips found on current cards store static information, the chips create a unique transaction code for every transaction, making EMV cards much more difficult to counterfeit.
Visa, MasterCard, Discover and American Express will shift their liability rules for card-present fraud in October. Whichever party is the least protected will be liable for the fraud. That means if your nonprofit is having a live auction and someone purchases an item fraudulently, your organization will be on the hook if you don’t have the equipment to process EMV card transactions. The credit card issuer previously was liable.
“The credit card companies will try to protect themselves, and we will do the same. It’s an interesting business problem,” said Barkan. “You have to think about the worst case scenario. Hopefully nobody’s going to come to my gala, buy a very expensive live auction item and give me a fraudulent credit card. But, we have to plan for that to happen. We have to have the best equipment, stay up with the regulations and know what the banks are doing.”
The U.S. is behind the times. Europe has been using chip cards for years, said Jon Biedermann, vice president of fundraising products and software at SofterWare, makers of DonorPerfect, in Horsham, Pa. SofterWare produces a mobile credit card reader that attaches to a smartphone or tablet and enables credit card transactions.
The move is necessary because while the U.S. is responsible for only about one-quarter of worldwide credit card transactions, about half of all credit card fraud takes place here, according to mobile payment company Square. A Square spokesperson said new EMV card readers are available for preorder and will ship soon.
“Fraudulent credit cards are rampant. One of the reasons credit card companies charge usurious fees is because everyone else has to pay for the miscreant,” said Eric Kreuter, a partner in New York City-based accounting firm Marks Paneth’s litigation and financial services group. “That makes sense. Banks are there to make money, so if they’re losing money they have to make it up in interest and fees. They’re trying to create technology to eliminate fraud at the source.”
Kreuter said nonprofits have plenty of time to get new credit card terminals and comply with the upcoming regulations. “From the nonprofit point of view, they definitely don’t want to get burned by any transfer of credit card fraud,” he said. “There’s a lot of time between now and October to understand the technology shift, create a budget and gear up to where they have zero potential liability. The savvy nonprofit would be one that is proactive.”
There are two levels of security associated with chip cards, chip-and-signature and chip-and-PIN. Of the two, chip-and-pin is more secure, but the credit card issuers are only requiring merchants to be able to take chip-and-signature transactions later this year. Square’s reader will process chip-and-signature transactions. Biedermann said the new DP Mobile terminals would be able to process both types of transactions.
“What the requirements are is chip and sig,” said Biedermann. “It’s a joke. Signature authentication is ridiculous. It’s just for the merchants to verify. Anyone can sign someone else’s name,” he said.
Biedermann said the biggest problem with upgrading is the card reader. The price point, about $75 each, might turn customers off, and the new reader will be “bigger and needs its own power supply, which is a huge problem,” he said. DonorPerfect is testing card reader models. Square’s reader will cost $29 and will be powered by a rechargeable battery, according to a Square spokesperson.
If the other major mobile terminal issuers have similar price points, that’s a cost that Barkan does not mind bearing. Getting the new card readers will be her organization’s first step. “First, we’ll get the new machines. They’re not very expensive,” she said. “We’ll upgrade our machines for when people do transactions so if there’s a problem, we’re not responsible.”
Biedermann and Kreuter both think that the October 1 deadline is not firm. “Just like PCI (payment card industry) compliance, we’re pretty confident that that deadline date is going to come and go,” said Biedermann. Kreuter said he’s not sure how the credit card companies can legally shift the liability, and he’s confident others will have questions, as well. Nonprofits should not depend on court cases to delay the implementation deadline, he cautioned.
“What could happen is you could have the banks try to transfer liability to the merchants and the merchants can complain. Until it runs through the court, we won’t have finalization,” said Kreuter. He added: “Nonprofits won’t be the test market to try and fight the banks in court.”