Credit Card Security Still A Few Chips Short, Experts Say

Incomplete adoption of chip cards and readers, and failure to require PINs, leave consumers and merchants vulnerable.

[Photo: Flickr user Allan Donque]

New chip-enabled credit and debit cards can help reduce fraud, but they can’t eliminate it, particularly since most card readers are still asking consumers to swipe their cards rather than insert the smart chips, say some industry experts.

Stephanie Ericksen, vice president of risk products at Visa, said that as of the end of last year, only about 766,000 U.S. merchant locations—or slightly less than 20% of the U.S. total—had activated new credit card readers, which read a unique code from the cards’ chips on each transaction. Those readers make it more difficult for criminals to create counterfeit cards after data breaches, since they can’t duplicate the secret data the chips use to generate those codes, she said.

"It’s not data that they can use to create counterfeit cards, because they can’t replicate that dynamic code that’s different in each transaction," Ericksen said.

Since chips don’t transmit a secret code stored on cards’ magnetic stripes, it’s also hard to use stolen chip transaction data to create fake cards for use on traditional card readers. But hackers and fraudsters can still target those merchants that haven’t yet activated their chip readers—and it may be some time before all retailers are up to date, according to Ericksen.

"It takes several years to get to critical mass of adoption," she said.

In other countries that have recently moved to chip-enabled cards, it took two or three years before at least 60% of transactions involved chipped cards and chip readers, Ericksen said. And in the meantime, fraudsters learn to target merchants that haven’t switched over from traditional magnetic stripe readers.

Other countries have also seen fraud shift from brick-and-mortar stores to online and phone orders, where chips aren’t used, according to a September report from credit card information service NerdWallet.

"They help prevent only one type of fraud—counterfeit fraud—and even then only when you dip the card as opposed to swiping it," NerdWallet’s Sean McQuay said in a statement at the time.

Still, merchants without chip readers—who, since October 1, can often face liability for fraud tied to not switching over—can take some steps to weed out counterfeit cards, like verifying that the final four digits of a card number that print on a receipt are the same as on a physical card, said Ericksen.

Consumers still don’t face liability for fraudulent charges on their accounts, but they can also take steps to protect themselves, like enabling new security features some card issuers are offering, including checks that transaction locations match cellphone GPS coordinates.

"If you’re using your card in Florida, and your phone is in New York, for example, that might look like a much more suspicious transaction than if both you and your phone are in New Orleans," Ericksen said.

Visa is not, however, requiring consumers to enter secret PINs for credit card transactions—something that was deployed in some other countries in conjunction with chip card rollouts, a measure consumer advocates say could help reduce fraud even in online transactions.

"The PIN requirement adds a distinct layer of security and complexity to each transaction that dramatically reduces fraud," wrote Debra Berlyn, the president of Consumer Policy Solutions, in an email to Fast Company. "That’s why I believe chip-enabled cards must be coupled with the requirement that consumers enter a PIN to properly authorize a transaction."

But, Ericksen explained, PINs themselves can be stolen, and other technological advances will offer similar protections—like the fingerprint authentication used by mobile payment apps like Apple Pay. New safeguards have led other countries to raise the limits on transaction sizes that can be completed without a PIN.

"We’ve seen Australia go up to $100 without a PIN, if it’s mobile or contactless—Canada has done the same," Ericksen said. "They’re really seeing that mobile and these other technologies are providing enhanced security."