EMV CARD FRAUD LIABILITY SHIFT FRAMEWORK (ECFLSF)
(Appendix to Section 148 on IT Risk Management Systems)
II. Statement of Policy
III. Applicability and Scope
IV. Definition of Terms
a. Acquiring institution (Acquirer), is a bank or non-financial institution that processes credit or debit card transactions via ATMs, POS terminals, and other similar devices.
b. EMV compliant device or terminal is a device or terminal that has, or is connected to, a contact chip card reader, has an EMV application, certified, and is able to process EMV transactions.
c. Co-branded cards are Philippine- issued cards affiliated with international payment networks.
d. Counterfeit card is an imitation or falsification of a genuine magstripe card or EMV chip card with track data copied from a hybrid EMV card.
e. Debit cards are payment cards linked to bank deposit or prepaid/electronic money (e-money) accounts.
f. Fallback to magstripe transaction occurs when the chip on the card is not being read by a terminal. This is similar to technical fallback, which is defined in Appendix 112 as a state in which the chip cannot be used and another type of entry, such as magstripe, is used to complete a transaction.
g. Hybrid cards are payment cards that have both EMV chip and magstripe.
h. International payment networks refer to the payment networks that have global establishment. For purposes of subject guidelines, recognized international networks shall refer to Visa, Mastercard, UnionPay, Diners/Discover, American Express, Japan Credit Bureau (JCB).
i. Issuing institution (Issuer) is a bank or non-bank financial institution that issues payment cards, whether proprietary or co-branded, to consumers.
j. Payment cards are cards that can be used by cardholders and accepted by terminals to withdraw cash and/or make payment for purchase of goods or services, fund transfer and other financial transactions. Typically, payment cards are electronically-linked to deposit, prepaid or loan/credit accounts.
V. Guiding Principles
a. The adoption of EMV technology is designed to reduce and mitigate risks arising from counterfeit card fraud. While it remains virtually impossible to create a counterfeit EMV card that can be used to conduct an EMV payment transaction successfully, the presence of magstripe in a hybrid EMV card makes it still vulnerable to counterfeit attacks.
b. A BSFI that has enabled the most secure EMV options shall be protected from financial liability arising from losses on counterfeit card fraud. The liability for this type of fraud shall shift to the BSFI which is not or is partially compliant with the EMV migration requirement.
c. To resolve the issue on the allocation of card fraud liability using the guidelines described herein, the involved parties (such as issuer, acquirer, and payment network) should, first, characterize the fraud committed, and then, assess the technology being employed, in light of the applicable payment network rules. The party supporting EMV technology will prevail and in case of a technology-tie (neither or both parties are EMV compliant), the liability for fraudulent transactions generally remains with the Issuer.
VI. Allocation of Card Fraud Liability
|Card Capabilities||Acceptance Device Support||Scenario||Liability|
|1||Magnetic stripe only||Magnetic stripe only||Magnetic card transaction was completed||Issuer|
|2||Magnetic stripe only||EMV compliant||Magnetic card transaction was completed||Issuer|
|3||EMV compliant hybrid card||Magnetic stripe only||Magnetic card transaction was completed||Acquirer1|
|4||EMV compliant hybrid card||EMV compliant||Fallback transaction Magnetic card transaction was complted||Issuer|
VII. Consumer Protection and Complaints Handling and Resolution
a. The participants in the domestic payment network (such as issuer, acquirer, and payment network) should collaborate and devise detailed rules and procedures including arbitration mechanisms to operationalize the ECFLSF. Accordingly, a body responsible for strictly implementing the above-mentioned detailed rules and procedures on ECFLSF should be constituted.
b. Cardholders’ complaints and/or requests for chargeback as a result of counterfeit card shall be considered as complex complaint/request defined in Appendix 115 and hence, shall follow the standards provided in such regulations, except for the processing and resolution timeline which should be within ten (10) days instead of forty five (45) days.
c. Issuers and Acquirers should ensure that affiliated international payment networks align their existing liability and chargeback rules with the ECFLSF insofar as Philippine-issued payment cards used in the domestic payment environment are concerned.
(Circular No. 936 dated 28 December 2016)
- When an Acquirer accepts a magstripe card that was counterfeited with track data copied from an EMV compliant hybrid card and the counterfeit card is used at a device/terminal that is not EMV-compliant, resulting in a transaction to be successfully processed, the Acquirer is liable for any chargeback resulting from such fraud.