Chances are that in recent months you’ve found yourself staring down a new credit card reader while trying to buy something at a store. Do you swipe your card? Dip it in the slot? Wait for an impatient cashier to hurriedly tell you which one you’re supposed to use? All three?
You’re not alone. Almost everything about the new credit card chips has been confusing—for the merchants, for the banks, and most of all, for the consumers. In fact, as of September 2015 when banks really started rolling out the chip card technology, only 32% of people knew what was happening[1]. The rest had no idea what it was all about.
If you count yourself in that group, read on to everything you need to know about the new credit card chips.
Why are credit cards with chips being introduced?
The whole reason that chip cards are being introduced now is to help combat credit card fraud. We’ve all seen news reports about big credit card data breaches from companies like Target, Home Depot, and Neiman Marcus. Collectively, these companies have inadvertently released millions of credit card numbers.
Even discounting these large data breaches, credit card theft also happens through other nefarious means. Credit card skimming in particular is still a huge problem; criminals harvest your credit card number using a variety of swipe-type mechanisms nestled in or near otherwise legitimate card readers.
Some criminals hire employees to swipe cards a second time onto a recording device when they remove the card from your sight, such as at a restaurant. Other times, they can get your credit card number by installing malware on your computer without your knowledge or by using an RFID device to read your private information when you’re standing nearby. Some thieves even hide skimmers in plain sight on store credit card swipe machines or ATMs.
Once thieves harvest credit card numbers, they can sell them to third parties or make realistic forgeries of credit cards. They then use these at stores and ATM machines to buy things or drain your bank accounts.
Counterfeit credit card fraud is a huge problem; in 2014, 37%[2] of all credit card fraud in the U.S. was done using these methods. And to make matters worse, Americans in particular are a prime target for credit card fraud. According to a 2015 Barclay report[3], even though the U.S. only makes up 24% of the worldwide credit card market, a staggering 47% of all credit card fraud happens here.
Part of the reason why the U.S. has such a problem with credit card fraud is because we’ve been using an antiquated system that doesn’t adequately protect credit card data. Prior to the introduction of chip cards, to process a payment in-person via credit card, all you needed was a card with a number encoded on the magnetic strip and the ability to record a signature. This type of transaction is easy for criminals to forge, as long as they have a valid credit card number to use.
EMV (Europay, Mastercard, and Visa) cards – aka chip cards – are a much more secure way to pay. Almost every other country in the world already uses them—Europe, for instance, has been using them for over ten years already. We in the U.S. are late to get on board with this new technology.
How do chip cards work and why are they safer?
Functionally, the way these cards work isn’t terribly different from how we use them now, with one key difference: instead of swiping a credit card so the reader can get the data from the magnetic strip, you’ll insert the card so the payment processing system can do all kinds of background tech magic involving the special chip embedded in the card. The process of sliding your card into the slot is called “dipping,” and it takes a few seconds longer than the old method of swiping.
After you dip your card into the credit card chip reader, that’s when the magic starts to happen. The reader picks up your credit card number just as it did from a magnetic strip, but it also picks up an extra code. This special code works kind of like a PIN number, and without the code, the credit card transaction won’t be approved. To make things even more secure, the chip in your card generates a new, one-time-use-only code for every single transaction. Because of this, even if thieves are able to get ahold of your credit card number, they won’t be able to make a forged credit card that works.
It’s a bit like the German Enigma code from World War II that Alan Turing worked so hard to break (and coincidentally ended up inventing the computer in the process). The Enigma code was so famous because it was a tough code to break, and to make matters worse, the Germans changed the code every single day, erasing any effort that codebreakers made towards cracking it.
A chip card goes a step beyond the Enigma. The codes it generates are random, meaning that it’s almost impossible for thieves to copy a credit card now (I say almost impossible because if there’s anything we’ve learned from technology, it’s that hackers work hard to find a way around every security measure, so no obstacle is a sure thing). The EMV code resets after every single transaction, instead of just once daily.
All in all, EMV has proven to be a great system. Five years after introducing the new chip cards, counterfeit credit card fraud had decreased by over 50% in the U.K.[4]
How are banks and businesses implementing the new chip cards?
In the U.S., there has been no government mandate for banks and businesses to switch to the new EMV chip technology. Rather, the change was prompted by the two biggest credit card issuers in the U.S.—Visa® and MasterCard®. These two companies are working together to make credit card transactions more secure for consumers, and shift the burden of costly credit card fraud away from themselves.
To see how this works, we need to understand who foots the bill when credit card fraud has occurred. Most of the time, the criminals won’t be caught, meaning that someone needs to cover the loss incurred by the fraudulent charges. Before chip card technology was rolled out in the U.S., the credit card issuers themselves absorbed the cost of the fraudulent activity.
Things changed on October 1, 2015. Although you might not have noticed any fanfare on that date, something big did happen. For the first time in the U.S., credit card issuers shifted the liability for fraudulent charges directly to the merchants themselves if they do not have an operable chip card reader.
Suddenly, businesses started scrambling to get their hands on chip readers, lest they be held accountable for fraudulent charges at their stores. These chip card readers aren’t cheap. They can run several hundred (or thousand) dollars each. This makes it harder for many small businesses to buy chip readers. For a big business like Target or Home Depot, we’re talking about upgrades well into seven or eight figures.
Even after a business buys a chip reader, it must take several more steps to go before using them. They first need to install new software to handle the extra code information. Then, for each credit card network they want to accept, the business needs to go through a certification process. [5]
It can take a long time to complete these steps after a merchant has already bought the new chip readers (especially with long lines of merchants waiting to be certified). In fact, the wait is so long that card networks have told merchants they don’t know when the certification process will happen. That’s why you often find yourself in the uncomfortable position of trying to figure out which method to use—swipe or dip—at many cash registers now. Over the next 12 to 18 months, these issues should resolve as more merchants are certified by the credit card issuers.
Why should I use a chip card?
Better security is the number one reason you want to be using chip cards going forward in the future. By using these chip cards, we can drastically reduce major sources of credit card fraud today.
There is also another good reason to use these cards as well. Except for the U.S. and much of Asia, almost all credit card transactions around the world today require chip cards. If you don’t have a chip card, you might not be able to use your credit card beyond our borders.
I found this out myself two years ago while driving across Canada—Canadian shopkeepers were confused when this silly American kept trying to find the slot to slide the credit card through at the EMV chip reader machines.
Furthermore, some unmanned kiosks in Europe, such as at gas stations, require a chip-and-PIN card. Currently, most chip-enabled cards issued in the U.S. require the cardholder’s signature to complete the transaction. If you’re planning to travel, it’s a good idea to ask your card issuer if you can get a chip-and-PIN card before your trip.
What are the drawbacks of using a chip card?
Chip cards are generally regarded to be much safer than traditional types of credit card transactions. Unfortunately, even these cards have their downsides: they are effective protection against counterfeit credit card fraud where you are required to verify your card in-person, but as stated earlier, this type of fraud only makes up 37% of all credit card fraud.
That means that the new chip cards don’t necessarily protect against 63% of credit card fraud. A majority of this type of fraud occurs online, where there is no chip reader to dip your card into—all you need is a valid credit card number to enter in or read off to a merchant over the phone. Most merchants also require your zip code and/or the CVV (Card Verification Value) number printed on the back of the card, but even then, there are ways for thieves to get access to this information.
We can see the effects of the chip technology roll-out on other types of credit card fraud in other countries, and it isn’t pretty. Because thieves were pushed out of counterfeit credit card fraud, they simply moved to other, easier ways to commit credit card fraud, like online. In fact, after the chip cards were introduced in the U.K., online fraud increased by 79%.[6]
Furthermore, now that thieves know the technology they relied on to scam people out of money is being phased out, they are in a massive push to conduct fraudulent transactions using counterfeit cards while they still can. They especially target merchants who don’t yet have EMV chip technology enabled, resulting in higher fraud costs to merchants who are now responsible for fraudulent charges if they don’t have EMV chip readers.
What do I need to know about chip cards going forward?
- It might be a while before you see chip readers at gas pumps. The equipment needed to outfit gas pumps with new chip readers is more expensive, and so these were given a reprieve: gas stations have until October 1, 2017 before credit card issuers shift liability to gas stations for fraudulent purchases made at gas pumps.
- You’ll have better peace of mind when making purchases in-person at major retailers. Thanks to the new EMV chip technology, we are less likely to see big data breaches involving leaked credit card numbers in the future (and even if thieves do get card numbers, they won’t be able to use them to make counterfeit credit cards).
- You are still vulnerable to having your credit card number stolen through skimming, malware, and other operations, especially if the card still has a magnetic strip. Just because it’ll be harder for thieves to use your credit card in person doesn’t mean they can’t use your credit card number online.
- Online fraud will likely rise as a result of thieves being pushed from one fraud method to another. Make sure to keep a close eye on your credit card statements. Credit card thieves sometimes hold onto your credit card number for long periods of time to lull you into a false sense of security after a breach or theft before they make charges (they could even have your information right now). A common tactic among fraudsters is to make several small charges to see if you’ll notice them, and then make larger purchases once they know the card is good; keep a close eye out for these “test” charges.
- Credit cards issued with the new chip technology also still have a magnetic strip to be backwards-compatible with merchants who haven’t been able to get on board with the new technology. Even if you are issued a chip card, you will still be able to swipe it at non-chip merchants for the time being.
[1] http://www.businesswire.com/news/home/20150921005091/en/ACI-Worldwide-Survey-6-10-U.S.-Consumers#.VgMGXmD92-R
[2] http://www.nasdaq.com/article/credit-card-fraud-and-id-theft-statistics-cm520388
[3] http://www.securitymagazine.com/articles/86413-of-the-worlds-credit-card-fraud-happens-in-the-us
[4] http://www.theukcardsassociation.org.uk/news/new-card-banking-fraud-figures.asp
[5] http://www.cbsnews.com/news/retailers-have-chip-card-readers-why-arent-they-using-them/
[6] https://www.emc.com/collateral/white-papers/card-not-present-fraud-post-emv-env-wp.pdf
