By: Jessica Rubery
Over the last year or so, banks and credit card companies have changed debit and credit cards to cards with small computer chips. Some stores have even begun using pin pads that accept the new chip and pin technology. However, who is responsible when there is a data breach despite the use of chip and pin technology?
Countries in Europe have been using chip and pin technology for some time, so while it is new to the United States, the technology itself is not new. The chip and pin program is called Europay, MasterCard and Visa, or EMV for short. The idea is that the consumer inserts the chip into the card reader slot on the pin pad. The pin pad reads the encrypted chip and prompts for the pin or for a signature. The encrypted chips are being used to make it harder to obtain the credit card number fraudulently. However, this technology is limited to in-store purchases, so online purchases are not given the same protection.
The law does not directly require anyone to use the chip cards and does not require businesses to purchase the technology to process chip cards. However, through executive order, President Obama has required all businesses and banks issuing payment or providing services to government personnel, such as base exchanges, to switch cards and card readers to the new chip technology. Nevertheless, there is no other law or legal means that requires the change to chip and pin technology. The switch is driven primarily by the credit card companies, which are forcing stores and businesses to switch by shifting the fraud liability to the transaction processor.
Under the Consumer Credit Protection Act Amendments of 1977, Part 1 dictates that consumers will not be responsible for “misuse, unauthorized transfer, or misrepresentation of electronic funds transfer (EFT) privileges; provide consumers with prompt error correction and transaction cancellation mechanisms; and establish conditions and extent of consumer liability for unauthorized EFT transactions.” 92 P.L. 321, 86 Stat. 382, Amendments of 1977. Therefore, consumers are not responsible for fraudulent transactions made using the EFT programs. However, since October 2015, anyone who processes credit or debit cards using the magnetic strips or EFT method instead of the chip technology will be responsible for any fraud that occurs.
While the current law does not require this shift in fraud liability, a future law or case law will be needed to fully enforce the liability shift. For many years, credit card companies have taken the loss when fraudulent transactions occurred from using their cards. However, the shift of liability now pushes businesses to upgrade their technology to the new chip-reading pin pads or be forced to pay back any fraudulent transaction a consumer is faced with. This change will not come without some pushback from businesses, especially those who find it too costly to switch. The credit card companies will likely argue that credit card fraud typically occurs at the purchasing level, and therefore those processing the transactions should be responsible. The need for future legislation or case law comes from the language in the Consumer Credit Protection Act Amendments of 1977, which is silent on who is responsible for such fraud. While the law is currently quiet, it will not stay quiet for long because both parties will be pushing for what is most beneficial for them.
Blogger Bio: Jessica is a Staff Member of the Journal of High Technology Law. She is currently a 2L at Suffolk Law. She possesses a B.S. in Legal Studies and Foreign Language from Roger Williams University.