Thursday, July 10, 2014

The Unfortunate Truth About Your New Chip Credit Card

By Matt Schulz, Senior Industry Analyst for CreditCards.com

Call it chip-and-meh.



This weekend, a shiny little technological marvel appeared in my mailbox. It's my new-and-improved Delta SkyMiles American Express card.



How is it improved? It has an EMV chip.



These chips -- which store your data and replace the card's traditional magnetic stripe -- make it harder for hackers to make a counterfeit copy of your credit card if they steal your account information. The chips generate a unique code for every transaction so if fraudsters steal data from a retailer, they won't be able to use that information to make future purchases. And the chips have become the standard in most of the credit-card-accepting world, leaving the United States as the only major economy that still relies on magnetic stripes.



In these post-Target-breach days of heightened worry about credit card fraud, the arrival of EMV (which stands for Europay, MasterCard and Visa -- the card companies that spurred its creation) in America is a big deal. After all, about half of the world's credit card fraud reportedly happens in the U.S., due in large part to our preference for mag stripe cards.



With that in mind, many credit card issuers have begun sending out EMV-chip-enabled cards to people like me with letters that talk about the extra levels of security that these cards provide. In June, Sam's Club became the latest to boast of its new chip-bearing card.



So this is great news, right?



Again, meh.



Let me explain ...



Say I take my little boy to the local sporting goods store to get a new baseball bat. We find one that looks cool, of course, and is the right size. Then he takes a few test swings, and we go pay for it.



I pull out my card and -- unsurprisingly -- see that the card reader isn't chip-enabled. (How can you tell? A chip-enabled reader has a slot into which you insert the card, like what you might see at an ATM. If you don't see one, then the terminal's not chip-enabled.) Knowing that, I swipe my card the same way I have for years, sign and walk away, ready to help my son break in his new bat. I'm able to swipe because my new AmEx chip card still comes with a magnetic stripe on the back.



So I've got the best of both worlds, right? I've got the convenience of a mag stripe and the protection of a chip card.



Not really.



The problem is that because I swiped the card to make the purchase, the chip never came into play. All of the positive things that it can do remained undone. I may as well have had my old card.



That brings me to the dirty little secret of chip cards: They're awesome fraud fighters when you can use them to the fullest -- but that's pretty much impossible in America right now.



Sure, it is great that the card's chip makes it much harder to counterfeit. That is a significant step in fraud protection and shouldn't be ignored. I also understand the technology has its detractors and flaws: For example, it costs a fortune to put in place yet it doesn't really deter "card-not-present" fraud -- fraud done by folks who don't actually possess the physical card.



However, chip technology remains a powerful anti-fraud tool. Now American banks and merchants need to unleash it in full.



Here's what I mean ...



1. Get chip-card readers in stores.
Chip cards aren't any good if most places won't accept them, and that's where we are now in the U.S.

Within the next two to five years, chip-enabled card readers will be everywhere in America. That's because Visa, MasterCard, Discover and American Express have told merchants that if they haven't upgraded their equipment to read chip cards by October 1, 2015, they will be fully liable for their losses in any data breaches.

That move, plus high-profile data breaches like Target, lit a fire under merchants to update their point-of-sale terminals. But it won't happen overnight. Until then, very few merchants -- Walmart being one huge exception -- can read your chip cards. And if your chip card can't be read, then it can't generate a unique code with each transaction, thus negating one of the major benefits of the chip-enabled card.

2. Forget chip-and-signature; give us chip-and-PIN.
While most chip cards around the world are of the chip-and-PIN variety, the vast majority of chip-enabled cards produced in the U.S. (mine included) are chip-and-signature cards. There's no PIN involved. You sign for your purchase, as you always have, with your mag stripe.

That's changing. Barclays recently announced that a chip-and-PIN version of their Barclaycard Arrival Plus World Elite MasterCard is now available. USAA offers chip-and-PIN cards today, but you have to specifically request them. Chase has announced it will start issuing chip-and-PIN cards later in 2014 and Target will start issuing chip-and-PIN cards in early 2015. But it's a slow change at best, and that's a shame.

Putting a chip in a card without also attaching a PIN to it is a wasted opportunity.

Why? It's much easier to forge someone's signature than to hack their PIN. The PIN and the security that it offers are really the key to making all of this work most effectively. (Credit card fraud in the United Kingdom famously fell by more than a third after chip-and-PIN was implemented.)

In short, American Express and other banks are taking baby steps toward new fraud-prevention technology when what is needed is a full-out sprint.



While I understand that many of the steps toward full-scale chip-and-PIN implementation are out of banks' control and must be taken by merchants and others, I'm looking forward to the day when I can break out a chip-and-PIN card to pay for anything, anywhere. That's when we'll begin to see just how powerful a fraud-prevention tool this technology can be.



Until then, meh.



No comments:

Post a Comment