NEWS BULLETIN Maine Automobile Dealers Association

180 Civic Center Drive P. O. Box 2667 Augusta, Maine 04338-2667 DIAL 623-3882 e-mail:info@maineautodealers.com FAX 623-2318

2015-16 DISTRIBUTION

• General Manager • Office Manager

• Parts Manager CREDIT CARDS and OCTOBER 1 • Sales Manager • Service Manager

October 1 is an important date in the credit card world, for you as the merchant, for

your customer and credit card holder, and for the credit card company.

The issue is liability for counterfeit transactions. Today, the merchant which

unknowingly accepts a counterfeit card and does everything else related to the card

purchase correctly, does NOT have liability for the chargeback. The credit card issuer is responsible for any loss. On October 1, 2015, any counterfeit card loss could become the merchant’s

liability.

The reason for this change, known as the “liability shift”, is that the card networks (Visa,

MasterCard, Discover and American Express) all have changed their rules to allow for the liability on

a counterfeit card, and is some cases a stolen card, to fall to the merchant. The liability shift is coming about because of the use of the new EMV or “chip cards” or “smart cards”. These are cards that

have an embedded chip. Banks and credit unions are issuing the chip cards to consumers now, in

preparation for the liability shift later this year.

If you have not already upgraded your credit card terminal to accept chip cards (see News

Bulletin 2015-11 and enclosed NADA memo) you need to seriously consider the impact that not

upgrading will have on your business after October 1. While there is no requirement that you

upgrade your terminal, failure to do so could expose you to chargebacks you don’t currently see in

your business. There are several different scenarios that could occur after October 1:

1. You chose not to upgrade your terminal and a consumer with a non-chip card makes a

purchase at the dealership. This is identical to what happens today, and there is no change in

the liability. The issuing bank is still responsible for counterfeit transaction.

2. You upgraded your terminal and the consumer uses a non-chip card in your store. Same

thing, you are not responsible for the bad transaction.

3. You upgraded and the consumer presents a chip card for payment. No change in liability

here, either. The issuing bank is still responsible for the bad transaction.

4. You chose not to upgrade and the consumer presents a counterfeit chip card in your store. You are responsible for the chargeback, even though you did all of the other things

correctly.

Obviously, #4 is the cause for concern and confusion in the merchant community. Since you

have the least secure system (non-chip card ready) you bear the risk of the counterfeit card. In some

cases, you may also assume some additional risk in the world of lost or stolen cards. Please review

your credit card agreements to familiarize your organization with the new rules.

2015-17

MORE ON CREDIT CARDS – MASTERCARD

MasterCard’s recent announcement that it will begin issuing cards which start with the

number “2”, in addition to its historical start with 5 (Visa = 4, American Express = 3, Discover = 6),

will cause merchants to make sure their processing terminals are of current vintage and not “legacy”

terminals (no longer supported by manufacturer).

The programming inside the standalone credit card terminal may only recognize certain start

numbers (3, 4, 5 and 6 historically). With MasterCard’s announcement, merchants must ensure that

their processing terminals can also accept “2” as a starting number. If you have recently upgraded to

a terminal which accepts contactless or EMV transactions, your terminal should be ready to accept

the expanded code. These beginning credit card digits are critical to the proper identification of the

credit card issuer, the type of card (rewards, debit, business), and the interchange rate your

dealership pays for accepting the card.

EEO-1 REPORTING DELAYED

The Equal Employment Opportunity Commission has for several years required an annual

EEO-1 report from businesses which employ 100 or more persons (full & part-time) in a single

company or group of affiliated entities. These reports have been required by September 30 in past

years, but the deadline this year has been extended to October 30. Dealerships which filed in the

past were sent notification letters in July. There are some changes this year to the report which

gathers information to be categorized by race/ethnicity, gender and job type. Additional information

on the EEO-1 reporting requirements is available at http://www1.eeoc.gov/employers/eeo1survey.

Your MADA office is available to assist with questions you may have as to your obligations.

AUDITS BY MAINE BUREAU OF CONSUMER CREDIT PROTECTION

A number of MADA members are being audited this year by Maine’s Bureau of Consumer

Credit Protection. As we have discussed in the past, these audits are conducted periodically to

determine compliance with the Maine Consumer Credit Code and Federal Trade Commission rules

governing Truth-in-Lending and Truth-in-Leasing. This year, there is also a focus on dealership

compliance under the federal Gramm-Leach-Bliley law which requires distribution of a Privacy Notice

to customers as well as the development and annual review of a Safeguards Policy and a Red Flags

Policy. These are not new obligations on dealerships. Should any dealership need assistance with

the Notice or Policies, please contact your MADA office. This subject will be an agenda item for our

Fall Regional Meetings.

SCAM E-MAILS

The past few months have seen a significant volume and variety of email traffic which appears

to come from a trusted source, but is in fact an attempt to gain access or obtain funds from your

company. The “apparent” senders have included NADA, MADA, EZ-Pass, individuals from

dealerships, and others. These emails have, in fact, come from other individuals or companies not

related, endorsed, supported or even known to the “apparent” senders. Please carefully screen your

emails, and if you have doubts about the authenticity of an email, feel free to inquire of the “apparent”

sender.

CHIP CARD READERS MAY BE REQUIRED BY OCTOBER 1, 2015

Many of the major credit card companies have announced that retailers must implement “chip-

card” (“EMV”) reading devices by October 1, 2015 or they could face potential contractual

liability for any fraud that may occur. Dealers should consult their counsel and their credit card

providers to determine the outlines of their contractual obligations.

What is EMV?

EMV is an acronym for EuroPay, Mastercard, and Visa, the three companies that developed the

technology. EMV-enabled payment cards have embedded microchips that store the cardholder’s

information. Most credit cards currently in use in the United States do not contain a microchip;

instead, they have a magnetic stripe that stores information about the cardholder.

EMV cards may take a few different forms, most notably “chip-and-PIN” and “chip-and-

signature.” In order to make a purchase using a chip-and-PIN card, the cardholder must insert

his or her card into a card reader terminal and then enter a PIN known only to the

cardholder. Chip-and-signature cards, in contrast, allow the cardholder to sign their name (rather

than entering a PIN) in order to complete a transaction.

What is the Difference Between a Chip Card and a Card with a Magnetic Stripe?

The EMV chip-based technology is thought to provide greater security than magnetic stripe

technology. For example, the requirement of a PIN for chip-and-PIN cards adds an extra layer of

security, thus making the cards less susceptible to fraud. Magnetic stripe cards also are easier to

counterfeit than chip-embedded cards as they can more easily be “skimmed” – that is, a

counterfeiter can hijack an ATM machine or payment terminal with equipment that allows them

to read data off the magnetic stripe. Once the counterfeiter harvests the data, it can be used to

create a counterfeit card. Chip-embedded cards, however, are more difficult to counterfeit

because they employ a technology known as dynamic data authentication (DDA), which is

intended to prevent skimming.i

This does not mean that chip-embedded cards are completely impervious to fraud. Stolen EMV

cards still may be used to complete transactions in environments in which no chip-reading

authentication mechanism is provided, such as e-commerce transactions. It is also important to

note that EMV technology does not preclude the possibility of a data breach, since EMV

technology does not prevent hackers from accessing unencrypted card information that either is

in transmission or being stored by a dealer.ii

National Automobile Dealers Association Copyright© 2015

What Should Dealers Do?

As mentioned above, in order for a customer to complete a chip-based transaction using an EMV

card, the dealer must have installed a card reader that can read the data contained on a card’s

chip. Although dealers are not required to implement technology capable of handling EMV

transactions, the incentives to do so are strong. As noted above, the major credit card companies

have announced that as of October 2015, their contracts will be amended to shift liability as

between a retailer and card issuer so that the party that does not support EMV will be held liable

for credit card fraud. For example, liability for a fraudulent transaction will fall on a retailer if

the affected customer presented an EMV card for payment but resorted to the magnetic stripe on

the card because the retailer did not have chip-embedded card readers. Likewise, a customer’s

bank will be held liable for credit card fraud if the retailer in question offers chip-card reading

terminals but the bank has not yet issued a chip-embedded card to the customer. The “liability

shift” will take place in October 2015 for retailers, and will come into effect for ATMs in

October 2016 and automatic fuel dispensers (for example, at gas stations) in October 2017.

Dealers must evaluate their contracts in consultation with their counsel, and after doing so,

should determine whether to incur the costs of upgrading equipment to accept EMV cards, how

that decision will impact their contractual obligations for fraud charges, and also how their

decision will be viewed in the future in the event that they suffer a point-of-sale data breach.

Dealers are encouraged to consult with their counsel, their credit card companies, and their credit

card processing vendors to explore their obligations and options.

i VISA describes DDA as “a type of Offline Data Authentication in which the card uses public key technology to generate a cryptographic value, which includes transaction-specific data elements, that is validated by the terminal to protect against skimming.” ii Dealers are encouraged not to retain credit card numbers or related information, and should work with their

vendors to ensure that any credit card transmission required for processing is done securely and in an encrypted fashion.

Commentary: NADA Refocuse§ On Core Services

ByBillFox

The National Automobile Dealers Association was founded in 1917 with a singular mission: to

PrOteCt the interests of new-Car dealerships and advocate for an industry that would become an

economic backbone of the nation.

For nearly a century, NADA has been fulfilling that goal and, in血e process, Pioneered some of the

most valunble services in the industry for its growing membership, right under its roof These

Services include the NADA Used Car Guide, Which has been part ofNADA’s heritage for more than

80 years, and NADART, founded in 1 957.

We never imagined we would part with either one, and we would not have unless we fimly believed

doing so would benefit our dealer members and advance NADA’s core mission.

This was the case when J.D. Power made an unsolicited offer to purchase the Used Car Guide

business. With a di縦cult decision at hand but unanimous consensus,瓜e NADA board of directors,

the Guide board of advisors and NADA’s finance and executive committees, all agreed that the best

COurSe Ofaction was to sell the Guide to J.D. Power, a truSted industry ally.

This decision, Which was not reached easily or without careful consideration, Will benefit all parties

invoIved, eSPeCially our dealer members and the Guide’s current and future customers. The Guide

business will continue to grow and become an even stronger industry resource under J.D. Power. As

Part Of its agreement with NADA, J.D. Power will continue to provide NADA members with aCOmPlimentary Guide subiCription as a membership benefit.

In a move uurelated to Guide, after conducting an in-depth review of various retirement plan

PrOViders, NADA made a decision to enter into a relationship with Empower Retirement, a division

Of Great-West Life and Amuity Insurance Company, tO Offer re血ement plans to NADA members.

Empower Retirement is the second-largest retirement plan provider in the United States with nearly 7

million participants. The new NADA Retirement Program from Empower will go live in October of

20 1 5, aS the long-Standing NADART program is retired.

NADA Retirement Program participants can expect to see many enhanced bene紐s, including a

neahy 50-PerCent reduction in program fees, a State-OfLthe-art Website designed to make it easier for

Participants to track their progress in saving for retirement, and fiduciary support services at a level

higher than those offered by other retirement service.providers’Which is a service already familiar to

NADART plan sponsors・ NADART has been working cIosely with Empower to ensure a streamlined

transition process for plans億ansferring to Empower.

While it's di:縦cult to see these long-time services, built over NADA-s history, leave the NADA

family’We look to the future with optimism and renewed vigor. And, as always, We Will continue to

guard the interests ofthe franchised dealers we are privileged to serve’While remaining steadfast to

NADA’s mission that began nearly 100 years ago.

Most importantly・ these moves will allow NADA to become more mission-focused, Centering on

COre member services’Which include protecting and strengthening the dealer franchise system,

advocating on behalf of new-Car dealers with Congress, the regulatory agencies in Washington,

manufacturers’the media and the public, PrOViding education and training resources for dealers and

their empIoyees・ and providing dealer§ With better tooIs to e血ance profitability.

Bill I凍is 2015 M4DA chairman and a m初i諦anchise dealer /n即state NGw %rた