By now, nearly every credit card holder in the U.S. has received the new Chip and PIN credit card to replace their old mag stripe card. We’ve used magnetic stripe for decades at retail locations, gas stations, and our favorite restaurants so this is a welcome security change, right? Not so fast.
I’m continually asked if it is safe to shop with Chip and PIN cards. I wish I had a better response, but my typical answer is yes and no.
First, a little background on credit cards in the U.S. The United States is decades behind the rest of the world for accepting secure credit card transactions. But this is not as bad as it seems because the consumer protections we enjoy in the United States are strong. Right now, the typical U.S. credit card has an average interest payment of 12.51%. Banks and credit card companies make a lot of money on consumer balances carrying over month to month. This steady stream of billions is their priority instead of security so they gladly pay fraud charges to keep those high interest paying customers happy.
Many of us have had our credit card(s) compromised. Between my business and personal, I have personally replaced 6 cards that were fraudulently used without my permission. The issuing bank was of little help when it came to tracking the perpetrators and preventing this from happening again. If you want to learn more about how I got hacked and then Hacked Again, read my book, but you don’t need to read a book to know how annoying the entire process of claiming fraud, canceling current cards, and waiting for new ones to appear in the mail can be. But what you might not know is that the only liability to credit card holders in the U.S. is a maximum of $50. And if you ask the issuing bank to waive this fee, 9 out of 10 times they will to keep you happy. This keeps customers locked in but does it keep them safe? And what about that Chip and PIN?
Chip and PIN cards do make it challenging for fraudsters to counterfeit cards. This is long overdue in the U.S., but still an important step in the right direction. Financial institutions and merchants benefit the most from the switch to Chip and PIN cards (also known as EMV, which stands for Europay, Mastercard, and Visa) because new in-store technology must comply with new security standards, as well as the new liability rules. But how does this help consumers?
The data on the old mag stripe never changes, so it is easy to replicate over and over again. A thief only needs to capture that data once to go on multiple shopping sprees before moving on to the next victim. But when an EMV card is used for payment, each card creates a unique transaction code that cannot be used again. So if a cyber thief steals the chip information at a specific POS (point of sale) terminal, they still cannot duplicate that card. EMV technology does not prevent a data breach from occurring, but it makes it significantly more difficult for criminals to profit easily. Keep in mind that a Chip and PIN card used on the Internet is no safer than a traditional magnetic stripe card, so make sure you use best practices for online shopping with credit cards.
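To make the difference concrete, here is a small model of a one-time transaction code and the issuer-side check that refuses a reused one. It is an added illustration, not code from any card network: HMAC-SHA256 stands in for the chip's real cryptogram algorithm, and the class names, key, and card number are hypothetical, constructed values.

```python
import hashlib
import hmac

def _mac(key, pan, counter, amount_cents, nonce):
    # HMAC-SHA256 stands in for the chip's real cryptogram algorithm (assumption).
    msg = f"{pan}|{counter}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Hypothetical card model: a secret key shared with the issuer plus a counter."""
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def magstripe_data(self):
        return self.pan  # static: the same value on every swipe

    def chip_transaction(self, amount_cents, nonce):
        self.counter += 1  # never reused, so every code differs
        code = _mac(self._key, self.pan, self.counter, amount_cents, nonce)
        return {"pan": self.pan, "counter": self.counter,
                "amount_cents": amount_cents, "nonce": nonce, "code": code}

class Issuer:
    """Hypothetical issuer: verifies the code and rejects counters already seen."""
    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def enroll(self, pan, key):
        self._keys[pan], self._last_counter[pan] = key, 0

    def authorize(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "declined: unknown card"
        expected = _mac(key, txn["pan"], txn["counter"], txn["amount_cents"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["code"]):
            return "declined: bad code"
        if txn["counter"] <= self._last_counter[txn["pan"]]:
            return "declined: code already used"
        self._last_counter[txn["pan"]] = txn["counter"]
        return "approved"

def demo():
    key = b"constructed-demo-key-not-a-real-one"  # constructed sample key
    pan = "4000000000000002"                      # constructed sample card number
    card, issuer = ChipCard(pan, key), Issuer()
    issuer.enroll(pan, key)
    first = card.chip_transaction(2599, "a1b2c3d4")
    results = [issuer.authorize(first)]            # genuine purchase
    results.append(issuer.authorize(dict(first)))  # captured copy presented again
    results.append(issuer.authorize({**first, "amount_cents": 99999}))  # altered amount
    results.append(issuer.authorize(card.chip_transaction(1200, "e5f6a7b8")))  # next purchase
    return results
```

Calling `demo()` shows the genuine purchase approved, the captured copy and the altered amount both declined, and the card's next purchase approved, while `magstripe_data()` returns the same value every time.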
The good news is we’ve already begun to see huge drops in counterfeit credit card fraud in 2016. Visa and Mastercard have reported 43% and 54% decreases, respectively, among all merchants that have adopted EMV hardware and practices. However, reports also indicate a 77% increase in counterfeit card fraud from merchants that have not yet switched to EMV. The data clearly shows it is essential to move all merchants over to EMV payment systems, but why have so many merchants resisted?
The average cost to credit card companies is only $3.50 to issue a new EMV card, but the cost to merchants to replace all 15 million POS terminals with EMV compliant ones is estimated at $6.75 billion. Credit card companies cannot force retailers to switch their hardware to support EMV, but they can shift the liability down the chain to retailers. Beginning in October 2015, liability shifted from card issuers to merchants if proper EMV updates were not executed. This includes chargebacks resulting from stolen credit cards for instance. Unfortunately, this did little to incentivize retailers to upgrade hardware and security practices. Simply take a look at most major breaches throughout the past few years and you will see that retailers such as Target, Home Depot, Michaels, and PF Changs do not put security before profits.
Another reason retailers hesitate to jump on board with the new EMV cards is the growing consumer lines. Chip and PIN verification takes much longer than a traditional mag stripe swipe. This led to many retailers actually turning off their EMV terminals in favor of the old, less secure ones during the holiday shopping season. Many merchants justified the risk of fraud by comparing it to the risk of losing impatient shoppers in long lines. Fortunately, 2016 was the first full EMV shopping season in the U.S., so as consumers grow more accustomed to EMV, transactions are expected to speed up.
At the rate Chip and PIN is actually phasing into use throughout the next few years, it’s no wonder consumers and merchants are so confused and hesitant to adopt its superior security. In fact, we are actually using a hybrid, less secure approach called chip and signature at the vast majority of retailers. The authentication of a chip and signature card happens when you sign your name, but signatures deliver zero security and very little in the way of legal protections. They are simply an old-fashioned bookkeeping method for organizational purchases.
“Please swipe your card.” I witnessed this handmade sign firsthand during the holiday shopping season on POS terminals. Some retailers even went so far as to block the front of the POS where you insert the security chip of your EMV card. All EMV POS terminals have a secondary payment method, which is the traditional swiping method. Bypassing your EMV card’s inherent security because a note blocking the chip reader says so is like playing roulette with your savings—except without the possibility of a win.
So are Chip and PIN cards really safe? They are safe enough to use, but that’s the problem in a nutshell. Very few consumers are using them and even fewer retailers are making it easy for consumers to use. This brings us to terms like biometric security and NFC (near-field communications). When consumers verify purchases with their fingerprint using Apple’s Touch ID or Samsung Pay, they are not necessarily being more secure, but rather more convenient. Convenience doesn’t usually equate to better or more secure, but if it gets large numbers of consumers to adopt its security measures, it has done its job.
NFC is a wireless transaction method that lets us use our mobile phones as digital wallets by simply holding the phone within a few inches of a contactless POS terminal and verifying with a quick fingerprint scan. Apple Pay and Android Pay both use secure, tokenized NFC payments. This means Apple Pay does not save your transaction information or card numbers on its servers. A device account number is created for each specific card you have assigned. That account number is assigned, encrypted, and securely stored in the Secure Element, a dedicated chip that generates and passes tokenized payments from the bank directly to the retailer or merchant. This means that merchants never have direct access to your card; only your issuing bank does.
I always opt to use Apple Pay where it is accepted, and cash as a fallback, but I cannot recommend anyone use a payment system they are not comfortable with no matter how securely it works. Contactless payment systems are young in the U.S. and have a long way to go before they become the norm. I have multiple EMV cards, but avoid using them. Perhaps by not joining the millions who have already embraced Chip and PIN, I am part of the problem. What I do know is the payment systems I do choose keep my credit card and personal data off limits to retailers and the Dark Web. And that just might be the most each of us can do.
Scott Schober, BVS president/CEO, cybersecurity expert, author of Hacked Again www.ScottSchober.com