Safer, not perfect:
U.S. finally catches up with rest of the world
There’s an implied promise in the new piece of plastic you might have received in the mail, the one with the embedded chip.
That when you begin to plug it instead of swipe it, it will be safer. And it is — sort of.
Chip cards “protect against counterfeit fraud and guarantees that card is unique,” said Philip Andreae, a vice president of French cardmaker Oberthur’s North American financial services industry business unit.
Visa estimates that about two-thirds of the fraudulent purchases in brick-and-mortar stores that pass through its network are the result of counterfeit cards.
But that’s only one piece of the fraud problem faced by banks, merchants and payment networks.
The chip cards, also known as EMV (for Europay, MasterCard, Visa) cards, are based on a protocol developed in the ’90s to combat rising numbers of bunk plastic purchases overseas.
By the end of the decade, the cards had become the European standard.
Between then and now, most of the rest of the world has followed suit — with the U.S. among the final holdouts, in part because of the number of merchants here and the cost of the upgrades.
But in the last year or so that’s begun to change, culminating in a defining moment at the start of next month when all merchants who refuse to accommodate chip cards will be forced to shoulder more of the burden of fraudulent transactions.
The payment networks — Visa and MasterCard included — have made it clear that most who do not have the equipment to accept chip cards will become liable for illegitimate purchases made on their terminals with those cards.
Overall, the shift from magnetic stripe to chip might not seem significant, but in the way data is transmitted between merchants and banks, there’s a world of difference.
Unlike older mag stripe cards that transmit information in a fashion that criminals can steal, chip cards generate a special, one-time code called an “application cryptogram.”
That code changes with every purchase, but in a predictable way that allows card issuers to authenticate each transaction.
So, in theory, even if a thief intercepted that data, it would be useless for future payments.
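The replay protection described above can be shown in a short Python model, added here as an illustration and not taken from the article or from any card network. It is a simplified sketch: HMAC-SHA256 stands in for the MAC algorithm real chip cards use, and the class names, message layout, card number and nonces are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, pan, counter, amount_cents, nonce):
    # HMAC-SHA256 is a stand-in (assumption) for the card's real MAC algorithm.
    msg = f"{pan}|{counter}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class ChipCard:
    """Toy chip: the key never leaves the card; the counter rises per purchase."""
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def pay(self, amount_cents, nonce):
        self.counter += 1
        code = cryptogram(self._key, self.pan, self.counter, amount_cents, nonce)
        return {"pan": self.pan, "counter": self.counter, "amount": amount_cents,
                "nonce": nonce, "cryptogram": code}

class Issuer:
    """Toy issuer: knows each card's key and the highest counter it accepted."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def issue(self, pan):
        self._keys[pan], self._last[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self._keys[pan])

    def authorize(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "declined: unknown card"
        expected = cryptogram(key, tx["pan"], tx["counter"], tx["amount"], tx["nonce"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "declined: bad cryptogram"
        if tx["counter"] <= self._last[tx["pan"]]:
            return "declined: counter already used"
        self._last[tx["pan"]] = tx["counter"]
        return "approved"

def demo():
    issuer = Issuer()
    card = issuer.issue("4000000000000002")  # constructed sample card number
    first = card.pay(4999, nonce="a1b2c3d4")
    results = {"genuine": issuer.authorize(first),
               "replayed": issuer.authorize(first)}  # intercepted copy, resent as-is
    # Same intercepted code reused with a new counter and amount.
    results["altered"] = issuer.authorize({**first, "counter": 2, "amount": 99900})
    results["next"] = issuer.authorize(card.pay(1250, nonce="e5f6a7b8"))
    return results
```

The issuer declines the resent copy because its counter was already used, and declines the altered copy because the code no longer matches the transaction details, while the card's own next purchase is approved.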
Still, some merchants don’t yet see the value in such security.
Upgrading equipment to accept chip cards also costs merchants. For some, it’s as little as $49 for a simple card reader from Square; for larger retailers it can cost millions.
“Dry cleaners, restaurants, coffee shops, not common destinations for someone with a counterfeit card,” said Jason Oxman, chief executive of the Electronic Transactions Association, of the hundreds of thousands of merchants that have yet to purchase upgraded readers and point-of-sale equipment.
A minority, though their numbers may seem huge.
Oxman added that thieves who use counterfeit cards often make big purchases that they can then fence — say a big-screen TV. “They’re not going to sit at a restaurant for three hours and then pay,” Oxman said.
Even though chip cards do a lot to protect consumers, they don’t eliminate fraud.
The cards do nothing to protect online transactions. And merchants will still store all of your card information in the same ways that they do today, which is less than ideal given the rash of recent breaches.
EMV technology wouldn’t have stopped the breaches at Target or Home Depot — though it would have prevented criminals from creating counterfeit cards from the stolen information and using them in stores.
To boot, thieves have a knack for staying ahead of the curve.
And because of the glut of breaches, consumers’ financial information is already available on online forums where criminals buy and sell dates of birth, passwords, Social Security numbers and addresses, among other bits, like an eBay for identity thieves.
“I have heard from some of the top banks that have actually been seeing spikes in issuance fraud,” said payments consultant Cherian Abraham. “It’s still pretty easy to call in to a bank and say: ‘I’m such and such. I haven’t gotten my card, yet,’ or ‘I’m stuck somewhere in Miami,’ or something, ‘and I need a card to be overnighted to me.’ ”
Chip cards are just one part of a bigger fight against fraud.
Visa and MasterCard continue to promote tokenization and point-to-point encryption — both meant to further curb fraud. Rather than risk exposing the number on the front of your card, tokenization provides for a token that can be stored by, say, a retailer or held on your phone (think Apple Pay). Encryption obscures card numbers with complex mathematics.
EMV addresses the point of sale. Tokenization handles data being stored. And encryption secures information in transit.
It’s a layered approach — with chip cards the most visible part.