What Retailers Need to Know About New Card Payment Technology and Cyber Liability
By now, as a retailer, you know the October 1, 2015, deadline has passed to install the necessary hardware and software to support new, anti-fraud payment card technology in your stores. The new terminals read a card’s data chip to produce a new transaction code after each use, unlike the old magnetic strip cards that use the same information time and again. This means that if you are not EMV (Europay, MasterCard, Visa) compliant, then you — not the card issuer — may be responsible for any fraudulent activity on customers’ payment cards stemming from fraudulent transactions at your store. That’s a big liability shift.
But does the enhanced liability for merchants and increased fraud protection for card issuers impact your cyber insurance policy? In a word: No.
EMV AND CYBER INSURANCE
When it comes to cyber policies, the EMV shift typically does not impact coverage. While you have not lost any coverage, you haven’t gained any either.
Here’s why: Loss as a result of a fraudulent transaction that is presented to a merchant wasn’t covered before the EMV shift occurred, and it’s not covered under cyber policies now either. Cyber policies typically address a merchant’s liability for theft of payment card data that is actually stolen from you, not presented in a fraudulent manner to you.
The good news is that even if you haven't yet made the switch, the absence of EMV compliance is usually not an absolute bar against obtaining or renewing cyber coverage. Here are four insurance-related factors to consider related to EMV compliance:
- Cyber insurers like to see EMV compliance. While not a requirement, adoption of EMV is viewed as an indicator of the overall maturity and sophistication of an insured’s controls.
- It helps if you are working toward EMV compliance. Insurers know that merchants can be at different points in the implementation cycle, so if you have not adopted it but are moving that way, let your insurer know.
- Misrepresenting EMV status can hurt. If a merchant inaccurately represents its EMV compliance or implementation timeline as part of the insurance application process, coverage might be jeopardized. Saying you are EMV compliant when you aren’t can be considered a misrepresentation.
- Insuring for the increased exposure for the EMV liability shift is not feasible. Most insurers consider it a moral hazard to insure the extra exposure. There is not much incentive for insurers to alter the fundamental components of a cyber policy to include coverage for EMV-related fraudulent charges; availability of such coverage is almost non-existent.
While the EMV liability shift doesn’t really change the landscape of insurable risks for merchants, EMV compliance is still a best practice for effective cybersecurity.