Helping businesses make informed decisions
Skip to main content

EMV Liability Shift: Who Pays for Fraud at the Terminal

Marc Ropelato Tech CEO & Software Developer | 20+ Years in Digital Media
9 min read
We may earn a fee or commission from partners on this site.
EMV Liability Shift: Who Pays for Fraud at the Terminal

If you accept a chip card on a terminal that can't read chips, your business pays for any counterfeit fraud loss on that transaction. That's the core of the EMV liability shift the major U.S. card networks announced in 2015, and the rule still applies in 2026. Before October 1, 2015, card issuers absorbed counterfeit card-present fraud almost universally. After that date, responsibility moved to whichever party hadn't adopted EMV chip technology. For merchants, that meant terminal upgrades stopped being optional in any practical sense. What the 2015 EMV Liability Shift Changed The shift wasn't a federal law. It was a coordinated set of rules announced separately by Visa, Mastercard, American Express, and Discover, each updating their own merchant operating regulations. The rules took effect on October 1, 2015 for in-store, card-present transactions at most U.S. merchants. Automated fuel dispensers got a longer runway, which we'll cover in a separate section. ATMs followed their own timelines through Mastercard and Visa, generally aligning with deadlines in 2016 and 2017. Before the shift, the issuing bank typically ate the loss when a counterfeit magnetic-stripe card was used at a merchant's terminal. The merchant might face a chargeback, but the issuer's fraud reserves absorbed most of the cost. After the shift, the calculation reversed when a chip-enabled card was presented. If the merchant's terminal couldn't read the chip, the merchant became the liable party for that fraud loss. If the terminal could read the chip but the issuer hadn't yet provided the cardholder with a chip card, the issuer kept the loss. That's the pivot in plain terms. The party that hasn't adopted EMV pays for counterfeit fraud at the point of sale. Counterfeit Card Liability Today The current rules in 2026 work the same way they did in 2015, with one important update. The original fuel-pump deadline was extended, then enforced. For a typical retail counterfeit-card fraud event today, the answer comes down to which party was further behind on EMV at the moment of the transaction. Three scenarios cover most cases. First, a counterfeit chip-enabled card swiped at a non-chip terminal: the merchant absorbs the loss. The issuer provided a chip card, but the merchant didn't deploy a chip reader to use it, so responsibility falls to the side that skipped the upgrade. The cardholder isn't penalized in any of these cases, and the dispute settles between the merchant's acquirer and the issuing bank. Second, a counterfeit magnetic-stripe-only card used at any terminal: the issuer typically absorbs the loss because the issuer hasn't yet upgraded its cards to chip. Magnetic-stripe-only cards became rare years ago for major U.S. issuers, but the scenario still appears in some prepaid and gift card categories. Third, a counterfeit chip card properly dipped into a chip terminal: the issuer absorbs the loss in most cases because both parties met the EMV standard, and the fraud was successful despite chip authentication, which generally points to a card-not-present compromise or another exception that bypassed the chip-read step entirely. That third scenario is rarer than the first two, but it matters in dispute resolution. EMV chip authentication uses a cryptogram that's nearly impossible to clone with skimmer hardware, so successful counterfeit fraud against a properly used chip card often means the underlying account was compromised through a different channel, and the rules redirect responsibility accordingly. The Gas Pump Extension and What Followed Fuel pumps were the asterisk on the original 2015 deadline. Card networks recognized that automated fuel dispensers (AFDs) presented hardware constraints that retail terminals didn't. Most pumps required physical retrofitting or full replacement, and the petroleum industry pushed back on the timeline. The original AFD liability shift was set for October 1, 2017. Visa and Mastercard announced extensions in late 2016, moving the AFD deadline to October 1, 2020. The networks cited the technical complexity of pump upgrades, supply-chain limitations for compliant hardware, and the risk that thousands of fuel sites would simply shut down dispensing rather than miss the deadline. When October 2020 arrived, networks didn't extend it again. The deadline held. Fuel merchants who hadn't upgraded their AFDs to chip-capable readers became liable for counterfeit fraud at the pump. Skimming attacks on outdoor pumps had become an organized criminal enterprise in the years leading up to that deadline, and the post-2020 environment shifted financial responsibility onto the station operator for any pump that still couldn't read chips. The fuel category is where you can still see the 2015-era pattern playing out in ongoing enforcement. Some independent fuel sites and convenience-store chains continued to operate non-chip pumps well past the deadline, accepting the liability cost as a calculated business decision. That math has gotten harder as fraud rings have specifically targeted lagging stations. Fallback Transactions and Swipe Edge Cases Not every chip-card transaction reads cleanly. When a terminal recognizes a chip card but the chip read fails, most terminals fall back to a magnetic-stripe read. This is called a fallback transaction, and it carries its own liability rules. Fallback transactions generally shift liability back to the merchant if the fraud is later determined to have been a counterfeit chip card that the fallback exposed. Card networks have published rules treating excessive fallback rates as a fraud signal, and merchants whose terminals generate fallback transactions at unusually high rates can face additional scrutiny. The intent is to prevent merchants from defaulting to swipe by accident or design when chip reads should have worked. Swipe transactions on cards that never had a chip remain at issuer liability for counterfeit fraud, but those cards are increasingly uncommon in the U.S. consumer credit market. Most prepaid cards and reloadable products have transitioned to chip technology over the past decade. The few remaining magnetic-stripe-only cards tend to be limited-purpose gift cards or international cards from issuers in markets that still allow stripe-only issuance. Card-not-present transactions, meaning online and phone orders, aren't covered by the EMV liability shift at all. Those transactions follow separate rules under the card networks' card-not-present chargeback frameworks. EMV doesn't apply there. Lost or Stolen Cards: A Different Liability Track The EMV liability shift specifically addressed counterfeit card fraud, not lost-or-stolen card fraud. Those are different fraud types under network rules, and the liability structure for lost-or-stolen cases hasn't moved as decisively toward merchants as the counterfeit shift did. In most cases for U.S. transactions, lost-or-stolen card fraud at a retail terminal still routes through chargeback rules where the issuer can recover the loss from the merchant under specific reason codes such as cardholder dispute, but the merchant isn't automatically the liable party in the same way as with counterfeit fraud. Some networks introduced lost-or-stolen liability shifts in international markets earlier, but the U.S. didn't adopt the same chip-and-PIN structure that drives those rules in countries like the U.K. or Canada. U.S. EMV cards are typically chip-and-signature or chip-and-no-CVM, meaning no cardholder verification method, for most credit card transactions, which limits how much the lost-or-stolen liability can shift cleanly to the merchant. The practical result is that a stolen card used at a chip terminal still tends to land back on the issuer rather than the merchant, provided the merchant followed network procedures, retained signature records where required, and didn't ignore obvious fraud indicators at the time of sale. Requirements vary by network and by transaction type. A merchant facing repeated lost-or-stolen disputes should review the specific reason codes on each chargeback, because the liability assignment depends on the documented evidence at the time of the transaction. Do You Still Need a Chip Reader in 2026? Yes, for any business accepting card-present payments at a physical location. The liability rule hasn't softened. A non-chip terminal in 2026 still puts the merchant on the hook for counterfeit fraud, and the chip-card penetration rate among U.S. issuers means almost every card presented is chip-capable. Operating without a chip reader in 2026 isn't a cost-saving measure anymore. It's an unhedged fraud liability position. There's a separate question about contactless and tap-to-pay support. The 2015 EMV liability shift covered chip authentication broadly, including contactless EMV, which uses the same chip cryptogram as a dip transaction. A terminal that supports both chip-dip and contactless meets the liability standard. A terminal that supports only swipe doesn't. Newer payment terminals sold today include all three: swipe, chip, and contactless. The hardware floor has moved up. If you're running terminals deployed before roughly 2015 that haven't been replaced, you're operating outside the standard the rest of the U.S. payment ecosystem assumes. Why EMV Liability Shift Rules Still Drive Terminal Upgrades The financial math of staying non-EMV has only gotten worse since 2015. Counterfeit-card fraud schemes have evolved to specifically target merchants known to operate non-chip terminals. Card networks publish merchant fraud rates and regularly assess fees on outliers. The chargeback recovery process for counterfeit losses on non-EMV terminals is administrative for the issuer and contested for the merchant, which means the merchant typically pays plus dispute fees. Beyond direct fraud loss, there's a secondary cost. Card data breaches at non-EMV terminals carry larger PCI penalty exposure. The PCI Security Standards Council documents EMV deployment as part of the broader merchant security framework, and a breach at a swipe-only terminal raises questions about overall security posture that an EMV deployment would have already answered. The original 2015 shift created a clear financial incentive to upgrade. Eleven years later, that incentive has compounded. Modern terminals from major manufacturers cost a fraction of what an early EMV deployment did, and most providers in this market bundle terminal hardware with their merchant accounts, often with no upfront cost. For businesses currently evaluating credit card processing options, the chip-reader question shouldn't be a deciding factor anymore. Every credible provider supplies EMV-capable terminals as the default. The main variables now are pricing structure, payout speed, and support quality. You can review current providers in this market on our credit card processing ranking page to compare options against the criteria that actually vary in 2026.