Comments on ‘Experts fret over credit card compliance’
PCI DSS fails to settle SMEs
Published Thursday 27th September 2007 15:49 GMT

Balance of risk
By Anonymous Coward
Posted Thursday 27th September 2007 16:07 GMT
Multiple choice question. Does the risk for card fraud lie with:

a) the customer
b) their card issuer
c) the card processing company (Streamline, Cardnet etc.)
d) the merchant

If you guessed a, b or c then go stand in the corner.

Any fraudulent transaction gets charged back to the merchant, plus an administration/penalty fee for the privilege.

I'm a little tired of all the scare stories about card fraud when no one ever mentions that it's not the customer or the banks that lose out, but the merchant who loses both the goods and the money. And the police couldn't care less.

@Balance of Risk
By Andy
Posted Thursday 27th September 2007 16:50 GMT
That's not strictly true. The risk lies with different people depending on what type of transaction it is.

In CP (Card Present) transactions the risk lies with the customer for Chip and PIN verified but with the merchant for signature verified - unless the merchant can produce a copy of the signature and show that that signature looks the same as the one on the card. It would clearly be unfair to place the risk with the merchant on C&P transactions because there is nothing that the merchant can do about it... unlike with signatures where the merchant can check the signature. If you accept a signature and it's not the same as the one on the card then you deserve to lose the money.

For CNP (Card Not Present) transactions the risk again lies with the merchant unless there is a 'Verified by Visa' (or equivalent) element, in which case the card processor will assume risk. In actual fact they will pass it on to the customer because these are considered 'uncrackable' - and when the banking industry learns that nothing is uncrackable when there's a human element involved the world will be a much better place.

Incidentally, in the US banks have to disprove fraud before they can pass on the risk to the customer whereas in the UK the customer has to prove fraud to pass the risk to the bank.

balance of risk II
By Anonymous Coward
Posted Thursday 27th September 2007 17:42 GMT
For those who don't know how it works: the card companies calculate a percentage of chargebacks .v. transactions and then penalise the merchant on that sum.

For example (assuming a transaction value of £50):

1000 genuine transactions
100 charge backs (fraud, intentional and 'forgotten transaction' charge backs) = 10%

Then they charge a fee for each chargeback of around £10-20, so in this case £2,000.

BUT then there is a penalty of: £2000 multiplied by the percentage as a whole number, therefore 10.00% as 10.

So £2000 X 10 = £20,000

So for one month you could look at a bill of £22K!!!!!!!

For anyone with some nous, that leaves 900 genuine transactions of £50 (£45K) to cover a bill of £22k after costs.

Run for cover SMEs!

Hello... EMV Anyone? Anyone?
By asphalt jesus
Posted Thursday 27th September 2007 18:57 GMT
The banks in the U.S. are performing a novel form of multi-level fraud by promoting "identity theft" services and conveniently ignoring/denying/discrediting EMV simply because they stand to lose much more money if they go to EMV.

To follow up on the excellent "balance of risk II" comment, guesstimate the level of gross fraud at about 1%-3% of all transactions. You can figure the "net fraud", e.g. the cost the bank assumes. And then subtract Net Fraud from the income generated by "identity theft" services and the banks come out way, way ahead.

So, even if the gov't paid 100% of the costs of implementing EMV, it's the money the bank loses with the elimination of "identity theft" and merchant charge backs that stops them.

@Andy
By Raheim Sherbedgia
Posted Thursday 27th September 2007 19:04 GMT
CP transactions do not eliminate the risk for the merchant. The merchant still pays any fines/chargebacks but receives a lower processing rate from the card issuer if the card is present. Does not change the fines.

@Raheim
By Andy
Posted Thursday 27th September 2007 23:21 GMT
According to our card processing t&cs, there is no risk to the merchant from chip and pin transactions. The only risk is from signature-verified transactions which... well... we haven't done one for over 12 months.

According to various articles I've read this was decided as a strategy by the processors to encourage take up.

My company is lucky in that in over 10 years of accepting plastic we've never had a single chargeback. We had 1 request for 'proof of signature' which we supplied once and that was never charged back. Just lucky I guess.

Lots of retailers just don't have a clue
By Andrew Barratt
Posted Friday 28th September 2007 08:11 GMT
There is a huge problem with awareness of the PCI DSS. A lot of our clients that are large retailers are just not aware of it. They are also not used to running "controlled" environments, so the whole process of having to become compliant with a standard is a culture shock, let alone maintaining control over their systems to stay compliant!

This isn't just SMEs, it's high street stores too. Merchants need to do more to protect our card data when it hits their back office systems. I've seen places that I wouldn't shop at again now I know what they do!

The period for commenting on this story has finished