What Is an EMV Payment Card?

In the EMV standard, credit cards have an embedded microchip.In the EMV standard, credit cards have an embedded microchip.

Beginning Oct. 1, 2015, most retail establishments in the United States had to accept new payment cards, known as EMV cards, that contain an embedded microchip. You've probably received one already.

The chipped cards are safer to use than the traditional credit, charge and debit cards that have only the familiar magnetic stripe along the back. However, the new payment cards are not as safe as they could be. Here's why, along with what else you need to know.

What happened Oct. 1?

American Express, Discover, MasterCard and Visa implemented new rules that shifted the liability for credit- and charge-card fraud from card issuers to the weakest link in the payment chain.

Retailers who haven't upgraded their point-of-sale systems to accept the new EMV cards may be on the hook for fraudulent charges if crooks use cloned magnetic-stripe cards in their stores. If a bank hasn't issued EMV cards yet, then the bank's on the hook.

This a break from the system in place before Oct. 1, in which card issuers were obliged to eat all fraudulent charges involving credit cards and charge cards, and account holders were sometimes liable for fraud involving debit cards.

Are all merchants affected?

No. Gas stations won't have to upgrade their card readers to EMV until Oct. 1, 2017.

What about ATMs?

MasterCard is forcing a shift on Oct. 1, 2016. Visa's shift doesn't kick in until a year later, but since most ATMs accept both brands, the MasterCard deadline matters more.

Can I still use my old credit card?

Yes. Even the newer card readers set up to accept EMV cards have a slot for the traditional magstripe swipe. And most EMV cards issued in the U.S. will have a magnetic stripe on the back to be used at retailers who haven't yet upgraded.

So what is an EMV card?

Widely used throughout Europe, EMV payment cards look and feel much like American credit and charge cards. But instead of using a magnetic stripe to store financial information, these cards store the data on embedded secure microchips.

The EMV standard — for Europay, MasterCard and Visa, its originators — is often called the chip-and-PIN system, although that's somewhat misleading. It was first established in 1999 and has almost completely replaced the magnetic-stripe standard in Europe. (Debit cards in Europe had EMV in the early 1990s, but most could not be used internationally.) EMV cards are also gradually replacing conventional "magstripe" cards in Asia, South America, Canada and Mexico.

How do EMV cards work?

Like magnetic-stripe credit cards, EMV cards can be used in person at a point-of-sale (POS) terminal, online or over the telephone. To make an in-store purchase, EM cardholders insert their cards into a point-of-sale terminal and leave it in place throughout the entire transaction.

Once the card is read, the cardholder either enters a PIN number or signs his or her name to authenticate the transaction. In most countries, a signature is not acceptable and a PIN is mandatory, hence the "chip-and-PIN" name common in the English-speaking world.

In the U.S., the large banks insist that a signature will suffice, and hence the American standard could more accurately be called "chip-and-signature." However, some U.S. card issuers are nevertheless insisting on a PIN, which is seen by some experts as safer than a signature (more on that in a bit).

EMV cards can also be used online or over the phone. Depending on the card provider, virtual transactions will either require users to enter the three-digit security code on the back of their card or a secure password provided by the card-issuing company.

It's unlikely that a user's PIN, if part of the user's profile, will be required to make a purchase online or via telephone, at least not immediately after the EMV standard is implemented in the U.S. (In parts of Europe, banks give USB-connected chip-and-PIN reader to consumers for home use while shopping online.)

Are EMV cards safer than magnetic-stripe cards?

The short answer is yes, because EMV cards cannot be easily counterfeited. Forty-five percent of U.S. payment-card fraud in 2014 — $3 billion in stolen transactions — involved "cloned" cards that replicated the magnetic-stripe-data from a legitimate user's card and were fraudulently used in retail stores. (Magnetic-stripe data can be stolen from individual cards by crooked clerks with "skimmer" devices, or en masse when cybercriminals break into payment-processing computers.)

However, the chip-and-signature process can't protect against fraud if a card is physically lost or stolen. Think about it: When was the last time a retail clerk asked to verify your signature?

Chip-and-PIN cards do protect against lost-and-stolen-card fraud, because they rely on two-factor authentication. Someone using a chip-and-PIN card at a retail establishment must (1) be in possession of the card and (2) know the PIN that verifies that card. It's similar to the two-factor authentication system used for ATM transactions in the United States.

Yet lost-and-stolen-card fraud is not much of a factor in the U.S. In 2014, it amounted to $800 million in losses, or about 12 percent of total payment-card fraud. That sounds like a lot, but it's less than it used to be, even as cloned-card fraud skyrockets.

So then why are we getting chip-and-signature instead of chip-and-PIN?

Card-issuing banks say that PINs are too hard for customers to remember. (Never mind that those same customers already use PINs with their ATM cards and debit cards.) That's caused some pushback from consumer advocates who demand higher standards.

"Combining those chip cards with a Personal Identification Number is a critical security component that cannot be dismissed," said Steve Pocsiak, president of the American Consumer Institute for Citizen Research, in a statement issued Oct. 7, 2015, as the House of Representatives Committee on Small Business held a hearing on the transition to EMV cards. "One need not look further for evidence of the effectiveness of using PINs with credit cards than the fact that hundreds of millions of retail bank accounts in the U.S. require PINs to conduct transactions."

There may be another reason banks favor chip-and-signature, as pointed out by Gartner analyst Avivah Litan in an informative 2014 interview with independent security reporter Brian Krebs. If an EMV card has a magnetic stripe for use in older card readers (and most EMV cards will for the next several years), then card thieves who get both the magnetic-stripe data and the PIN can "max out" cloned cards — withdraw cash up to the account limit — at any ATM. When that happens to credit cards, the banks have to eat those losses.

Which card issuers are insisting on chip-and-PIN instead of chip-and-signature?

There aren't that many, but the big one is Target, which is making its store-branded cards chip-and-PIN instead of chip-and-signature. Ironically, EMV cards would have only lessened, not prevented, the effects of the devastating December 2013 theft of 40 million card numbers from Target. (See below for why.)

Most of the other card issuers insisting on chip-and-PIN are non-profit credit unions. If your credit card comes from a big bank, it's almost certainly chip-and-signature.

Do EMV cards protect against online card fraud?

No. EMV cards are still vulnerable to card-not-present fraud (i.e. fraud committed via the Internet or telephone), which constituted 43 percent of card fraud in 2014 in the U.S., about $2.9 billion in losses. Several European countries saw Internet-related fraudulent card use rise after the implementation of EMV systems, though some European banks now give at-home EMV readers, complete with PIN pads, to their customers for online use.

My EMV card number was stolen in a data breach. Am I safe?

Not necessarily. Most mass credit-card thefts involving database break-ins, such as the Target data breach, involve stealing card-transaction data from payment-processing computers. With EMV cards, that card data can't be used to create counterfeit cards — but it can be used for card-not-present transactions, i.e. online shopping.

Why can't you counterfeit an EMV card?

Chipped cards are not susceptible to "skimming" scams, in which a crooked checkout clerk or waiter illegally records the data from a regular card's magnetic stripe. Each EMV transaction as a unique number that's used only once, so the data stolen from an EMV card wouldn't work. Furthermore, EMV cards cannot be cloned, as each embedded chip is uniquely encrypted for a specific card.

Can EMV cards still be used for fraud?

Yes. Not only are they susceptible to card-not-present fraud, as noted above, but weaknesses have been found in the EMV standard itself that can be exploited by sophisticated card thieves.

If EMV cards are safer, then why has the U.S. been so slow to adopt them?

Several factors contributed to the slow adoption of the EMV standard in the United States. For one thing, both merchants and credit-card companies were hesitant to bear the cost of supplying cardholders with new credit cards and to deploy new credit-card terminals.

Those same entities were skeptical as to whether U.S. consumers themselves were ready for the switch to a new system. Consumers were thought to have little demand for EMV cards, as end users in the U.S. are almost never responsible for fraudulent charges resulting from stolen cards. (That policy regarding consumer liability may change with the implementation of EMV cards.)

In the late 1990s, when the EMV standard was formulated, Europe did not have a continent-wide payment network in place able to immediately verify all payment-card transactions, and EMV cards were a solution that would verify cards on-site, without a merchant having to dial a remote server.

North America did have a continent-wide payment network, with a resulting lower rate of fraud, and hence had no need for immediate on-site verification. That immediate-verification system is another argument put forward by U.S. banks for chip-and-signature instead of chip-and-PIN.

Aside from enhanced security, do EMV cards offer any other advantages?

EMV cards are a widely accepted form of payment around the world. Frequent travelers may have noted that, in recent years, it's become increasingly difficult to use a magnetic-stripe credit card outside the United States.

With more international banks making the switch to the EMV standard, many foreign merchants have replaced their magnetic-stripe card readers with chip-and-PIN point-of-sale terminals. [See also: iOS Point-of-Sale Apps Have Hidden Security Risks] In most cases, a chip-and-signature card can be used overseas, even in countries that have implemented the stricter chip-and-PIN standard.

Follow Elizabeth Palermo on Twitter @techEpalermo, Facebook & Google+. Follow Tom's Guide @tomsguide We're also on Facebook & Google+.

Create a new thread in the Streaming Video & TVs forum about this subject
This thread is closed for comments
10 comments
    Your comment
  • maxwellmelon
    so basicly they have to ad cost to a card to do what an atm card does by just requiring a pin to be typed in instead of signing. so stupid. why not just allow the quick swiping and use a 6 digit pin.
    -1
  • bschwarz
    The main part of this article, the claim that the U.S. is moving to Chip and Pin, is incorrect. The U.S. is indeed in the process of deploying EMV payment systems, but that system is based on Chip and Signature and not Chip and Pin as in Europe. To the consumer, the systems are similar but there is no required PIN with Chip and Signature. Almost all U.S. based EMV cards on the market are Chip and Signature, do not include an embedded PIN, and will not work in most unmanned point-of-sale kiosks in Europe. It is unlikely that this will change moving forward as the EMV systems are deployed in the U.S.
    0
  • bschwarz
    Quote:
    so basicly they have to ad cost to a card to do what an atm card does by just requiring a pin to be typed in instead of signing. so stupid. why not just allow the quick swiping and use a 6 digit pin.
    The difference is that with Chip and PIN the PIN is tied to the card. In an ATM transaction, the payment network verifies the PIN against the account information stored on the magnetic strip. Chip and PIN authentication can work without being connected to a payment network.
    1
  • Someone Somewhere
    We've had these for several years in NZ. Generally they still have a magnetic stripe, but it's flagged in the card vendor's system and can't be used without essentially calling them up.The main difference is that these are unclonable. You can't make a copy just with ATM skimmers or similar, because the card has a secret key that it doesn't give out.Main issue with them is that they're a little slow to read.PINs are basically essential here, but I'm not sure whether it's on the payment provider's system or on the card.
    1
  • chicofehr
    I had no idea the US didn't use this yet. Here in Canada we started using it years ago too. I guess the US is behind on a few things. We will have NFC way before them too I am sure but most of Europe already uses their cell phones to pay for stuff I believe.
    1
  • liquid0h
    Quote:
    The main part of this article, the claim that the U.S. is moving to Chip and Pin, is incorrect. The U.S. is indeed in the process of deploying EMV payment systems, but that system is based on Chip and Signature and not Chip and Pin as in Europe. To the consumer, the systems are similar but there is no required PIN with Chip and Signature. Almost all U.S. based EMV cards on the market are Chip and Signature, do not include an embedded PIN, and will not work in most unmanned point-of-sale kiosks in Europe. It is unlikely that this will change moving forward as the EMV systems are deployed in the U.S.
    Man, that's gonna suck for people like me who have an American bank but I live in England. I'm sure there's gonna be a way for Americans to use their cards in Europe. How else would you do transactions if your visiting abroad?
    0
  • liquid0h
    Quote:
    The main part of this article, the claim that the U.S. is moving to Chip and Pin, is incorrect. The U.S. is indeed in the process of deploying EMV payment systems, but that system is based on Chip and Signature and not Chip and Pin as in Europe. To the consumer, the systems are similar but there is no required PIN with Chip and Signature. Almost all U.S. based EMV cards on the market are Chip and Signature, do not include an embedded PIN, and will not work in most unmanned point-of-sale kiosks in Europe. It is unlikely that this will change moving forward as the EMV systems are deployed in the U.S.
    Man, that's gonna suck for people like me who have an American bank but I live in England. I'm sure there's gonna be a way for Americans to use their cards in Europe. How else would you do transactions if your visiting abroad?
    0
  • ammerique
    Quote:
    Quote:
    The main part of this article, the claim that the U.S. is moving to Chip and Pin, is incorrect. The U.S. is indeed in the process of deploying EMV payment systems, but that system is based on Chip and Signature and not Chip and Pin as in Europe. To the consumer, the systems are similar but there is no required PIN with Chip and Signature. Almost all U.S. based EMV cards on the market are Chip and Signature, do not include an embedded PIN, and will not work in most unmanned point-of-sale kiosks in Europe. It is unlikely that this will change moving forward as the EMV systems are deployed in the U.S.
    Man, that's gonna suck for people like me who have an American bank but I live in England. I'm sure there's gonna be a way for Americans to use their cards in Europe. How else would you do transactions if your visiting abroad?
    I used ATMs a lot to take out money when I was in Ireland. Very few merchants would take the magnetic strip card as a credit card but some places would allow me to use it as a Debit card.
    0
  • lightspeed11
    QUOTE:
    The main part of this article, the claim that the U.S. is moving to Chip and Pin, is incorrect. The U.S. is indeed in the process of deploying EMV payment systems, but that system is based on Chip and Signature and not Chip and Pin as in Europe. To the consumer, the systems are similar but there is no required PIN with Chip and Signature. Almost all U.S. based EMV cards on the market are Chip and Signature, do not include an embedded PIN, and will not work in most unmanned point-of-sale kiosks in Europe. It is unlikely that this will change moving forward as the EMV systems are deployed in the U.S.
    0
  • rgd1101
    Anonymous said:
    QUOTE: The main part of this article, the claim that the U.S. is moving to Chip and Pin, is incorrect. The U.S. is indeed in the process of deploying EMV payment systems, but that system is based on Chip and Signature and not Chip and Pin as in Europe. To the consumer, the systems are similar but there is no required PIN with Chip and Signature. Almost all U.S. based EMV cards on the market are Chip and Signature, do not include an embedded PIN, and will not work in most unmanned point-of-sale kiosks in Europe. It is unlikely that this will change moving forward as the EMV systems are deployed in the U.S.


    You do know it from Jan 2014, the info are outdated.
    0