Many consumers have begun receiving letters from their banks and credit card companies notifying them that they will soon be getting new cards enabled with EMV chip technology. While chipped credit and debit cards have been the norm in Canada and Europe for several years, the technology is new to most U.S. cardholders. However, in the wake of major security breaches at retailers like Target and Home Depot over the past year, cards with chips are a welcome security upgrade.
A chipped card provides an extra layer of security for customers paying at credit card terminals or using an ATM. Instead of sending all of the details about the transaction and the customer’s information over the network — information gathered from the magnetic strip on the back of the card — the chip turns all of the transaction information into a unique one-time use code that is transmitted to the processing center. This code is far more difficult for hackers to intercept and crack, meaning that even if they do manage to infiltrate a payment system, customer details will still be encrypted and secure, preventing thieves from duplicating card information into a fraudulent card.
The problem, of course, is that not only do banks need to send the chip-equipped cards to customers, but also retailers that accept credit cards need to install readers in order to accept them. This transition is what has many people concerned.
Who Is Liable for Fraud?
The major credit card issuers, including MasterCard and Visa, have set a deadline of October 1, 2015 for retailers accepting their products to have chip-enabled card readers installed. Gas stations that allow customers to pay at the pump have until 2017 to install the necessary readers. Businesses that do not install the chip readers by that date will then be liable for any fraud that occurs because of fraudulent transactions at their business. This is a significant shift from the current standard of bank liability for fraudulent transactions.
With the new requirements, customers will still be exempt from liability for fraudulent transactions on their accounts. Many small businesses, though, are balking at the requirement to install the chip readers. They say that the cost of the readers — which can be well into the thousands of dollars — is much higher than their typical liability for fraudulent transactions. For a major retailer like Target, though, the cost of installing the new readers is far less than the liability associated with a major breach; in the 2014 incident, the company paid out $67 million in damages to customers who had their identities compromised in the breach.
Are Chips the Answer?
While EMV-chip enabled cards do offer an additional layer of protection — and customers comparing credit cards are beginning to look for the security feature when evaluating their options — some experts suggest that chip-enabled cards may not be the final solution to security risks.
One of the major issues with the cards is that unlike their European counterparts, the U.S. versions of chip-equipped cards will not require a PIN when making a transaction. According to the American Bankers Association, this is due to American customers being accustomed to simply swiping and signing to use their cards, and being unwilling to set yet another security code in order to use their credit cards. In initial market research about EMV-equipped cards, many customers indicated that requiring a PIN to use a credit card would be a turnoff, thus banks opted not to drive customers away and continue with the current standard of requiring a signature only.
By not requiring a PIN, though, the banks have effectively removed one of the ways that the chipped cards are impervious to fraud. Because you don’t have to enter a PIN to make a purchase, it is still possible for a criminal to use the physical card and make fraudulent purchases. In other words, criminals may not be able to hack into a bank or retail network and steal credit card information electronically, but that won’t stop them from stealing actual cards.
Another drawback to the EMV cards is that they do not provide any protection when used online. The same vulnerabilities still exist when using a card online whether it has a chip or not, so existing liability standards will remain for online merchants.
For now, the main effect of the October 1 deadline for installing EMV card readers is a shift of liability for fraudulent transactions, and customers using their chipped cards at the terminals will have more peace of mind that their information won’t be exposed in a breach. There are likely to be more security changes going forward, but many see this change as a step in the right direction.