On October 1, 2015 Visa, MasterCard, Amex, and Discover will be instituting a liability shift for fraudulent transactions. If either the merchant or the issuer (the customer's bank who issued the credit/debit card) are not EMV-compliant and the other is EMV-compliant, then the party with the lesser technology will bear the liability for card-present transactions that are found to be fraudulent. In other words, the party that has made investment in EMV deployment will be protected from financial liability for card-present counterfeit fraud losses. If neither or both parties are EMV-compliant, the fraud liability remains the same as it is today.
For example, if a merchant has EMV-compliant POS terminals and the customer's bank does not issue EMV cards, then the customer's bank would be liable for the fraud. Conversely, if the merchant does not have EMV-compliant POS terminals, then the merchant and/or the acquirer would be liable for fraudulent transactions if the customer has a chip card.
The biggest PCI implication of moving to EMV-compatible technology is audit and breach penalty relief from the card brands. If more than 75% of a merchant's transactions originate from EMV-compliant POS terminals that support both contact and contactless transactions, most card brands will offer relief from PCI audit requirements (you still have to be PCI compliant) and decrease the financial penalties associated with a credit card breach. This audit and breach penalty relief clause is already in effect.
Here's what I recommend merchants do in regard to dealing with the October 2015 deadline:
1. Talk with your acquiring bank to see what their plans are to rotate out POS terminals to meet the EMV October 2015 mandate. Card brands have been offering incentives to acquiring banks to speed this along.
2. Read the contract that you have with your acquiring bank to see if it addresses this liability shift. You will want to know if after October 1, 2015 will you bear the full liability, will the acquiring bank, or will it be shared?