Beginning Oct. 1, 2015, most retail establishments in the United States had to accept new payment cards, known as EMV cards, that contain an embedded microchip. You've probably received one already.
The chipped cards are safer to use than the traditional credit, charge and debit cards that have only the familiar magnetic stripe along the back. However, the new payment cards are not as safe as they could be. Here's why, along with what else you need to know.
What happened Oct. 1?
American Express, Discover, MasterCard and Visa implemented new rules that shifted the liability for credit- and charge-card fraud from card issuers to the weakest link in the payment chain.
Retailers who haven't upgraded their point-of-sale systems to accept the new EMV cards may be on the hook for fraudulent charges if crooks use cloned magnetic-stripe cards in their stores. If a bank hasn't issued EMV cards yet, then the bank's on the hook.
This is a break from the system in place before Oct. 1, in which card issuers were obliged to eat all fraudulent charges involving credit cards and charge cards, and account holders were sometimes liable for fraud involving debit cards.
Are all merchants affected?
No. Gas stations won't have to upgrade their card readers to EMV until Oct. 1, 2017.
What about ATMs?
MasterCard is forcing a shift on Oct. 1, 2016. Visa's shift doesn't kick in until a year later, but since most ATMs accept both brands, the MasterCard deadline matters more.
Can I still use my old credit card?
Yes. Even the newer card readers set up to accept EMV cards have a slot for the traditional magstripe swipe. And most EMV cards issued in the U.S. will have a magnetic stripe on the back to be used at retailers who haven't yet upgraded.
So what is an EMV card?
Widely used throughout Europe, EMV payment cards look and feel much like American credit and charge cards. But instead of using a magnetic stripe to store financial information, these cards store the data on embedded secure microchips.
The EMV standard — for Europay, MasterCard and Visa, its originators — is often called the chip-and-PIN system, although that's somewhat misleading. It was first established in 1999 and has almost completely replaced the magnetic-stripe standard in Europe. (Debit cards in Europe had EMV in the early 1990s, but most could not be used internationally.) EMV cards are also gradually replacing conventional "magstripe" cards in Asia, South America, Canada and Mexico.
How do EMV cards work?
Like magnetic-stripe credit cards, EMV cards can be used in person at a point-of-sale (POS) terminal, online or over the telephone. To make an in-store purchase, EMV cardholders insert their cards into a point-of-sale terminal and leave them in place throughout the entire transaction.
Once the card is read, the cardholder either enters a PIN or signs his or her name to authenticate the transaction. In most countries, a signature is not acceptable and a PIN is mandatory, hence the "chip-and-PIN" name common in the English-speaking world.
In the U.S., the large banks insist that a signature will suffice, and hence the American standard could more accurately be called "chip-and-signature." However, some U.S. card issuers are nevertheless insisting on a PIN, which is seen by some experts as safer than a signature (more on that in a bit).
EMV cards can also be used online or over the phone. Depending on the card provider, virtual transactions will either require users to enter the three-digit security code on the back of their card or a secure password provided by the card-issuing company.
It's unlikely that a user's PIN, if part of the user's profile, will be required to make a purchase online or via telephone, at least not immediately after the EMV standard is implemented in the U.S. (In parts of Europe, banks give USB-connected chip-and-PIN readers to consumers for home use while shopping online.)
Are EMV cards safer than magnetic-stripe cards?
The short answer is yes, because EMV cards cannot be easily counterfeited. Forty-five percent of U.S. payment-card fraud in 2014 — $3 billion in stolen transactions — involved "cloned" cards that replicated the magnetic-stripe data from a legitimate user's card and were fraudulently used in retail stores. (Magnetic-stripe data can be stolen from individual cards by crooked clerks with "skimmer" devices, or en masse when cybercriminals break into payment-processing computers.)
However, the chip-and-signature process can't protect against fraud if a card is physically lost or stolen. Think about it: When was the last time a retail clerk asked to verify your signature?
Chip-and-PIN cards do protect against lost-and-stolen-card fraud, because they rely on two-factor authentication. Someone using a chip-and-PIN card at a retail establishment must (1) be in possession of the card and (2) know the PIN that verifies that card. It's similar to the two-factor authentication system used for ATM transactions in the United States.
Yet lost-and-stolen-card fraud is not much of a factor in the U.S. In 2014, it amounted to $800 million in losses, or about 12 percent of total payment-card fraud. That sounds like a lot, but it's less than it used to be, even as cloned-card fraud skyrockets.
So then why are we getting chip-and-signature instead of chip-and-PIN?
Card-issuing banks say that PINs are too hard for customers to remember. (Never mind that those same customers already use PINs with their ATM cards and debit cards.) That's caused some pushback from consumer advocates who demand higher standards.
"Combining those chip cards with a Personal Identification Number is a critical security component that cannot be dismissed," said Steve Pocsiak, president of the American Consumer Institute for Citizen Research, in a statement issued Oct. 7, 2015, as the House of Representatives Committee on Small Business held a hearing on the transition to EMV cards. "One need not look further for evidence of the effectiveness of using PINs with credit cards than the fact that hundreds of millions of retail bank accounts in the U.S. require PINs to conduct transactions."
There may be another reason banks favor chip-and-signature, as pointed out by Gartner analyst Avivah Litan in an informative 2014 interview with independent security reporter Brian Krebs. If an EMV card has a magnetic stripe for use in older card readers (and most EMV cards will for the next several years), then card thieves who get both the magnetic-stripe data and the PIN can "max out" cloned cards — withdraw cash up to the account limit — at any ATM. When that happens to credit cards, the banks have to eat those losses.
Which card issuers are insisting on chip-and-PIN instead of chip-and-signature?
There aren't that many, but the big one is Target, which is making its store-branded cards chip-and-PIN instead of chip-and-signature. Ironically, EMV cards would have only lessened, not prevented, the effects of the devastating December 2013 theft of 40 million card numbers from Target. (See below for why.)
Most of the other card issuers insisting on chip-and-PIN are non-profit credit unions. If your credit card comes from a big bank, it's almost certainly chip-and-signature.
Do EMV cards protect against online card fraud?
No. EMV cards are still vulnerable to card-not-present fraud (i.e. fraud committed via the Internet or telephone), which constituted 43 percent of card fraud in 2014 in the U.S., about $2.9 billion in losses. Several European countries saw Internet-related fraudulent card use rise after the implementation of EMV systems, though some European banks now give at-home EMV readers, complete with PIN pads, to their customers for online use.
My EMV card number was stolen in a data breach. Am I safe?
Not necessarily. Most mass credit-card thefts involving database break-ins, such as the Target data breach, involve stealing card-transaction data from payment-processing computers. With EMV cards, that card data can't be used to create counterfeit cards — but it can be used for card-not-present transactions, i.e. online shopping.
Why can't you counterfeit an EMV card?
Chipped cards are not susceptible to "skimming" scams, in which a crooked checkout clerk or waiter illegally records the data from a regular card's magnetic stripe. Each EMV transaction has a unique number that's used only once, so the data stolen from an EMV card wouldn't work. Furthermore, EMV cards cannot be cloned, as each embedded chip is uniquely encrypted for a specific card.
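To make the one-time transaction number concrete, here is a simplified model added for illustration; it is not code from the EMV specification or from any card issuer. It assumes a per-card secret key shared by chip and issuer and a per-card transaction counter, and it uses HMAC-SHA256 as a stand-in for the real EMV cryptogram algorithm; the class names, field names and card number are constructed for the example.

```python
import hashlib
import hmac
import os


def _message(pan, atc, amount_cents, nonce):
    # Fields bound into the cryptogram: card number, counter, amount, terminal nonce.
    return f"{pan}|{atc}|{amount_cents}|".encode() + nonce


class ChipCard:
    """Toy chip: holds a secret key and a counter; the key is never read out."""

    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount_cents, nonce):
        self.atc += 1  # every transaction gets a fresh counter value
        mac = hmac.new(self._key, _message(self.pan, self.atc, amount_cents, nonce),
                       hashlib.sha256).hexdigest()
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": nonce, "cryptogram": mac}


class Issuer:
    """Toy issuer: knows each card's key and the highest counter it has accepted."""

    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, pan):
        self.keys[pan], self.last_atc[pan] = os.urandom(32), 0
        return ChipCard(pan, self.keys[pan])

    def authorize(self, txn):
        key = self.keys.get(txn["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = hmac.new(key, _message(txn["pan"], txn["atc"], txn["amount"],
                                          txn["nonce"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if txn["atc"] <= self.last_atc[txn["pan"]]:
            return "DECLINE: replayed counter"
        self.last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"


def demo():
    issuer = Issuer()
    card = issuer.enroll("0000000000000000")  # constructed card number
    captured = card.sign(1999, os.urandom(4))  # what a thief could record
    altered = dict(captured, atc=captured["atc"] + 1, amount=50000)
    return [issuer.authorize(captured), issuer.authorize(captured),
            issuer.authorize(altered)]
```

The recorded transaction is approved once; presenting the same record again is declined on the counter, and editing the record is declined because the cryptogram cannot be recomputed without the chip's key. A magnetic stripe carries only static data, so a copy of it has no such check to fail.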
Can EMV cards still be used for fraud?
Yes. Not only are they susceptible to card-not-present fraud, as noted above, but weaknesses have been found in the EMV standard itself that can be exploited by sophisticated card thieves.
If EMV cards are safer, then why has the U.S. been so slow to adopt them?
Several factors contributed to the slow adoption of the EMV standard in the United States. For one thing, both merchants and credit-card companies were hesitant to bear the cost of supplying cardholders with new credit cards and to deploy new credit-card terminals.
Those same entities were skeptical as to whether U.S. consumers themselves were ready for the switch to a new system. Consumers were thought to have little demand for EMV cards, as end users in the U.S. are almost never responsible for fraudulent charges resulting from stolen cards. (That policy regarding consumer liability may change with the implementation of EMV cards.)
In the late 1990s, when the EMV standard was formulated, Europe did not have a continent-wide payment network in place able to immediately verify all payment-card transactions, and EMV cards were a solution that would verify cards on-site, without a merchant having to dial a remote server.
North America did have a continent-wide payment network, with a resulting lower rate of fraud, and hence had no need for immediate on-site verification. That immediate-verification system is another argument put forward by U.S. banks for chip-and-signature instead of chip-and-PIN.
Aside from enhanced security, do EMV cards offer any other advantages?
EMV cards are a widely accepted form of payment around the world. Frequent travelers may have noted that, in recent years, it's become increasingly difficult to use a magnetic-stripe credit card outside the United States.
With more international banks making the switch to the EMV standard, many foreign merchants have replaced their magnetic-stripe card readers with chip-and-PIN point-of-sale terminals. In most cases, a chip-and-signature card can be used overseas, even in countries that have implemented the stricter chip-and-PIN standard.