The New Chip-Equipped Credit Cards: Safer, And (For Now) More Confusing

Credit-card issuers are racing to get new cards with embedded chips into customers’ hands. But merchants aren’t ready for the shift.

[Photo: Flickr user Ciaran McGuiggan]

If you live in the U.S. and have a credit card, you’ve almost certainly received a replacement card out of the blue in the last three months, often paired with an elaborate explanatory booklet. Your new card, the booklet explains, features a special chip that will protect your transactions more effectively, reduce fraud, and make your life better. The first two parts of that statement, at least, are true.


But you won’t need a PIN (personal identification number) for credit-card transactions, despite what you may have read in newspaper and magazine stories in U.S. publications over the last year. (Debit cards will still require PINs, as they do today.) The confusion over what’s coming will lead to frustration, merchant liability, and potential lost sales and unexpected fraud after a rule change kicks in October 1.

Being forewarned will leave you forearmed–even as retail clerks receiving little or no training may be baffled by the basics of processing a transaction, and you encounter outdated payment systems all over.

A Chip (And PIN) Off The Old Block

Chip-and-PIN cards pair an embedded chip in a credit or debit card with a short numeric code. The chip replaces the magnetic-tape strip that’s been a mainstay in cards for decades to swipe through a reader or insert into a kiosk, and the PIN is familiar from debit-card transactions and cash withdrawals.

The EMV transaction chip is widely used around the rest of the world, with card issuers leading the way in the United Kingdom over a decade ago, and most of the rest of Europe following within a couple of years. (EMV originally stood for Europay, MasterCard, and Visa, which jointly created the standard; now it’s run by EMVCo, a consortium operated by American Express, Discover, JCB, MasterCard, UnionPay, and Visa.)

A chip-equipped Visa card

EMV use has spread worldwide, and America is the last market of any substance that hasn’t adopted the standard. EMV chips are mostly used in a contact-based form: You dip or slide a card into a reader, which creates a circuit that allows handshaking with the payment terminal. A unique transaction is created that involves cryptographic data embedded in the chip.

For cards that require PINs, the transaction can’t be completed without that code, which isn’t transmitted remotely as with today’s debit and ATM transactions. Some cards are equipped with near-field communications (NFC) radios for contactless EMV, and will work with point-of-sale systems that support Apple Pay and other emerging technologies.


EMV chips reduce fraud that arises from counterfeit cards, and, at their introduction, also protected against the misuse of lost and stolen cards. Magnetic-stripe cards can be easily forged by individual thieves or crime rings from card data stolen online. These cards can then be distributed to networks of unwitting mules and knowing compatriots. The EMV chip prevents this kind of easy counterfeiting.
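An added example, not part of the original article, of why an exact copy of stripe data authorizes while a copied chip cryptogram does not. It is a simplified model: HMAC-SHA256 stands in for the MAC and key derivation real EMV cards use, and the class names, card number, and keys are constructed for illustration.

```python
import hashlib
import hmac

# Simplified model (assumption): HMAC-SHA256 stands in for the block-cipher
# MAC and key derivation that real EMV cards use. All values are constructed.

def mac8(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def txn_bytes(pan: str, cents: int, atc: int, nonce: bytes) -> bytes:
    return f"{pan}|{cents}|{atc}|".encode() + nonce

class Chip:
    """Holds a per-card secret that is never read out, plus a counter."""
    def __init__(self, pan: str, card_key: bytes):
        self.pan, self._key, self.atc = pan, card_key, 0
    def cryptogram(self, cents: int, nonce: bytes):
        self.atc += 1  # every transaction gets a fresh counter value
        return self.atc, mac8(self._key, txn_bytes(self.pan, cents, self.atc, nonce))

class Issuer:
    def __init__(self, master_key: bytes):
        self._mk, self._last_atc = master_key, {}
    def card_key(self, pan: str) -> bytes:
        return mac8(self._mk, pan.encode())  # per-card key derived from master
    def authorize_stripe(self, presented: str, on_file: str) -> bool:
        # Static data: an exact copy is indistinguishable from the original.
        return hmac.compare_digest(presented, on_file)
    def authorize_chip(self, pan, cents, nonce, atc, mac) -> bool:
        if atc <= self._last_atc.get(pan, 0):
            return False  # counter already used: replayed cryptogram
        expected = mac8(self.card_key(pan), txn_bytes(pan, cents, atc, nonce))
        if not hmac.compare_digest(expected, mac):
            return False  # MAC does not cover this amount/counter/nonce
        self._last_atc[pan] = atc
        return True

def demo() -> dict:
    pan, track = "9999000011112222", "9999000011112222=2512"
    issuer = Issuer(b"constructed-demo-master-key")
    chip = Chip(pan, issuer.card_key(pan))
    atc, mac = chip.cryptogram(1999, b"\x01\x02\x03\x04")
    return {
        "stripe_copy": issuer.authorize_stripe(str(track), track),
        "chip_genuine": issuer.authorize_chip(pan, 1999, b"\x01\x02\x03\x04", atc, mac),
        "chip_replay": issuer.authorize_chip(pan, 1999, b"\x01\x02\x03\x04", atc, mac),
        "chip_reused_mac": issuer.authorize_chip(pan, 5000, b"\x05\x06\x07\x08", atc + 1, mac),
    }
```

The copied stripe is accepted because nothing in it changes between uses; the captured cryptogram is rejected both when replayed as-is and when attached to a different transaction.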

The code requirement in chip-and-PIN transactions existed originally because it was too expensive in the U.K. and Europe to verify each transaction via “callout”: a credit-card terminal dialing up or using an Internet connection to validate that the card wasn’t canceled and wasn’t marked lost or stolen. Instead, transactions were batch-processed after the fact.

Julie Conroy, research director for retail banking at Aite Group, says in the early 2000s the U.K. had a fraud rate nearly four times as high as the U.S. Because chip and PIN uses the code to unlock the card without a live network connection, it fit perfectly into the existing infrastructure. (Online PINs are also possible in the standard, but approving transactions as they happen is no longer the challenge it was over a decade ago.)

Conroy says PINs initially dramatically reduced fraud rates with lost and stolen cards compared to magnetic-stripe cards, as the older style could simply be swiped and signed for. But over time, she says, criminals have adapted, and retail fraud is “back above where they started their migration.”


The chip requirement does still help reduce counterfeiting, and fraud with lost and stolen cards represents only 13% of all card fraud, according to her research. But deterring counterfeiting can create huge savings. Conroy says counterfeit fraud in the U.S. was about $1 billion in 2012 and doubled to $2 billion by 2013. This is why card issuers finally set a deadline after years of dragging their feet.

With a highly competitive environment for obtaining and retaining customers–and no compelling anti-fraud argument–all the big issuers are using “chip and signature”: dip and sign, rather than dip and enter a PIN. All debit cards will retain PINs, which can be as long as six digits. ATMs may lag in supporting chipped cards, however.

Imposing a PIN requirement in America for credit cards would apparently irritate and confuse us. “No card issuer wants to be the card that has the most difficult experience,” says Conroy. She notes that an earlier rollout in Canada in which some banks opted for PINs was a cautionary tale for U.S. banks. Due to problems issuing PINs, “they saw their transaction volume dip significantly.”

For the foreseeable future, all credit and debit cards will have both magnetic strips and chips, for backwards compatibility. While banks have gotten on the bandwagon, the merchant side of the equation is going to lag. It could be an ongoing headache, especially for smaller retail outlets and people who make mobile sales, such as merchants at fairs.

Swipe My Card? Don’t Be A Dip

Here’s where it gets especially confusing. In an ideal world, a well-planned transition would allow merchants the time—and potentially even a price break on the cost of the new equipment—to move from a system that costs banks substantial money to one that’s much less fraud-prone. Helping merchants make the move would ensure most of the estimated 8 to 10 million retail locations in America that accept swipeable cards would have EMV readers ready to go.

Of course, we don’t live in an ideal world, as you can tell by consulting the prime-time television lineup. Rather, we live in a world that operates in fits and starts with uneven dissemination of information. On October 1, 2015, the major card networks—Visa, MasterCard, and the rest—will impose a shift in liability for fraudulent transactions at points of sale. (Except for gas-station pumps, which will get 10 months of additional relief.)


Merchants who lack terminals that can read EMV cards will bear the entire cost of a counterfeit, lost, or stolen “card present” transaction starting October 1, except if the bank issuing the card that’s used hasn’t yet updated to use EMV. In that case alone will the bank bear responsibility. Most cards should be upgraded, but Conroy’s research shows that only 59% of retail locations will be ready to go with chip readers by the end of 2016. That leaves millions with just old-fashioned swipe readers.

A consumer who swipes a chipped credit card in a reader that’s equipped with an EMV reader should be prompted to dip the card instead. This should keep the merchant from bearing excess risk due to someone swiping instead of dipping. If the card has a PIN—whether from one of the few U.S. banks that require it, a debit card, or an international traveler from a chip-and-PIN region—the consumer is prompted to enter the PIN.

Square’s new reader is equipped for dipping and tapping.

But in some cases, depending on how the card is set up, even a card that supposedly requires a PIN can be verified with just a signature. Even more confusingly, some merchants Conroy’s firm has surveyed believe their terminal systems may support just signing or just PIN, which is seemingly incorrect, and will lead to mistakes in training clerks.

Conversely, Americans going to Europe and other chip-and-PIN regions with their newly chipped cards will have to convince clerks there that they can just sign for a transaction. While terminals have been updated to allow bypassing PIN entry, I’ve already heard stories about merchants being dubious. They’ll get used to it. Most self-serve kiosks that accept cards have only recently received chip-and-signature updates.

Terminals that work with chipped cards will also support Apple Pay and other gadget-based payment services.

Merchants typically get to choose a limit under which no signature is required with today’s stripe-based credit cards; the same will apply with EMV transactions. So you will be able to dip-and-not-sign just as you swipe-and-don’t-sign today.

In some countries, it’s easy for consumers to get credit cards with embedded NFC technology, allowing them to make a payment by waving the card at a reader. Some banks push these heavily to their customers. In America, though, because NFC hasn’t caught on until recently, analysts expect that NFC via smartphone and smartwatch services such as Apple Pay and Android Pay will dominate contactless transactions.


Nonetheless, domestic and international NFC cards will be supported at almost all EMV terminals, because merchants who upgrade are getting both EMV and NFC at once. Touchless payment cards can have different no-signature limits, too, just as we’ve already seen with Apple Pay et al., so you might be asked to tap and sign.

In a survey of a range of merchants in October 2014, Conroy’s group found that only 16% of respondents planned to have any formal training for front-line employees. Seventy-eight percent plan “informal employee-to-employee training,” which can sometimes be the equivalent of urban myth. That should make for a fun experience for customers.

Don’t Look A Gift Card In Its Face Value

In that same Aite Group survey, one in three small to midsize merchants—those with up to several million in annual sales—hadn’t yet even heard of EMV. A poll from Wells Fargo/Gallup released on August 6 found 49% of small merchants were unaware of the October 1 liability shift. (Wells Fargo offers merchant services to such businesses.)

This is troubling because of where liability lies. Conroy notes that for some kinds of retail businesses with regular and local customers, the liability shift won’t matter much. Merchants will still be getting card approvals, and, she says, a car mechanic or a hair salon typically faces a very low level of fraud.

But Conroy says that convenience and corner stores are more vulnerable. If you’ve been in one lately, you’ll note racks of gift cards. They’re also sold in department stores and full-scale groceries, but those retailers are more likely to convert to EMV terminals quickly.

Because these gifts are essentially as good as cash, merchants that have swipe-only terminals will become the most attractive target for users of counterfeit cards, who can use them to buy gift cards. “Some of those guys are going to go out of business,” Conroy says of small stores. (She notes likewise that any bank that hasn’t pushed out EMV cards will be in bad shape: “Fraudsters will target much more intensively those banks that haven’t upgraded.”)

Gift cards are a godsend for fraudsters [Photo: Flickr user 401(K) 2012]

There is definitely some positive news on the horizon for smaller merchants, though, especially those already tied into Square, PayPal, and other smartphone-savvy payment systems. Both Square and PayPal have announced EMV/NFC readers coming this fall. Square carried out a public demonstration at Apple’s WWDC conference in June in San Francisco; its reader looks like a jumbo-sized version of its famous white square-shaped reader, and will support all major NFC payment systems.

Square hardware chief Jesse Dorogusker says the firm will try to get its new, battery-powered, Bluetooth-connected device into the hands of all merchants, regardless of size, as well as a host of other small businesses that lack a retail presence but accept credit cards. The company is giving 250,000 readers away and will charge all others $49. However, the company will rebate that amount by crediting its usage fees against the purchase price. Square also announced a few days ago it will absorb merchant liability for swiped transactions for any of its customers who order the EMV/NFC reader until it arrives.

Dorogusker says that customers should “insist on paying with authenticated payment technologies,” whether EMV or Apple, Android, and Samsung-style NFC tokenized payment systems. “We are taking a strong position that these authenticated payment technologies are important,” he says, by releasing a device designed to make the transaction as straightforward as the current Square reader.

PayPal’s new reader

He notes that these new technologies come with different gestures: Americans have been mostly trained to hand their cards over to a clerk, while people in countries with chipped cards perform the transaction themselves, whether tapping or dipping. The Square reader is designed to be straightforward and unobtrusive. PayPal has designed a similar device that much more closely resembles in form and function existing card-processing units, and includes manual-entry buttons.

Fraud Seeks Out The Vulnerable

When you walk into most chains on October 1, you’ll see the latest and greatest in swipe and tap technology. In my neck of the woods, I saw precisely the shape of things to come when Trader Joe’s upgraded its terminals throughout Seattle. In the space of a couple of weeks, I went to three different stores on multiple occasions, and gently asked clerks about the systems.

In some cases, they were unaware that the NFC option worked, until I paid with Apple Pay. (The system is still funky, requiring extra steps after tapping as if I’d swiped a card.) Some knew the chip-dipping feature was coming, but all thought it wasn’t active yet—I didn’t try, lest I mess something up.


Smaller merchants will lag and microbusinesses without retail presences may lag the longest of all, but the ones that experience high rates of fraud will quickly change their systems or go bust.

But you can predict what this means: Once the window to commit credit-card fraud is closed down to a wee crack, criminals will turn their attention to other methods of thievery, including online theft. It’s already rampant, and it’s about to get worse.


About the author

Glenn Fleishman is a veteran technology reporter based in Seattle, who covers security, privacy, and the intersection of technology with culture. Since the mid-1990s, Glenn has written for a host of publications, including the Economist, Macworld, the New York Times, and Wired.
