February 20, 2019
When the major U.S. credit card companies — including Visa, MasterCard, Discover and American Express — agreed to switch to chip-enabled payment cards, many saw it as a way to chip away at billions of dollars in losses from payment card fraud. Unfortunately, more than three years after the major U.S. card companies mandated a liability shift for certain in-store payment card transactions, credit card fraud continues to plague the United States.
Statistics collected from October 2017 to October 2018 show that criminals compromised roughly 45.8 million payment cards via point-of-sale (POS) devices. Of those thefts, 90% were chip cards, according to a report by cybersecurity firm Gemini Advisory.
How have thieves stolen data from chip cards, and why has the adoption of chip cards failed to generate similar reductions in fraud as it did in the United Kingdom and Canada? The answers may help U.S. merchants and credit card companies understand how to curb future losses.
How do chip cards help fight payment card fraud? Chip cards — also known as Europay, MasterCard and Visa (EMV) cards — contain tiny metallic squares that are actually minicomputers, designed to generate a unique encrypted code for each transaction. Instead of being swiped, EMV-equipped cards are dipped into the merchant’s card reader for about 10 seconds, giving the card’s chip and the merchant’s terminal time to communicate. The time it takes to complete a chip-card transaction is similar to the time it takes to pay cash and receive change.
Outside of the United States, chip cards typically require a personal identification number (PIN) to authenticate transactions. This enhances the security of chip cards issued abroad, because criminals must steal a payment card number along with the cardholder’s PIN.
Many U.S. merchants have been reluctant to switch to chip-and-PIN cards, because some chip card readers aren’t equipped to accept PINs, just signatures. In addition, some cardholders aren’t in favor of memorizing PINs and, instead, prefer to authenticate transactions with signatures as they’ve done in the past.
Magnetic Strip Cards
By comparison, magnetic strip cards store static information, similar to old-fashioned music cassette tapes. Instead of dipping the payment card in a reader, cardholders swipe the card to allow the merchant’s POS to read the information encoded on the card’s magnetic strip. This outdated technology makes them easy targets for hackers.
When issuing new chip-enabled cards, U.S. card issuers didn’t remove magnetic strips from the back of the new cards. While that decision provided merchants and their customers with two ways to complete transactions — and a backup in case a POS device was unable to read a chip — it reduced the pressure on merchants to invest in new POS chip readers. As a result, some merchants haven’t yet updated their card readers.
When a cardholder swipes the magnetic strip on a chip card, instead of dipping it, they make it possible for criminals to steal data from the less secure magnetic strip. Once the information is stolen, it can be used to create a cloned card that can be used online or at merchants that haven’t upgraded their POS devices.
Facilitating Secure Payments
Consumers aren’t directly affected by the liability shift when their credit cards are dipped, instead of swiped. The change just transferred liability from credit card companies to merchants that continue to accept magnetic strip cards for in-store purchases. Consumers do, however, benefit indirectly from the shift, because chip cards generally offer a more secure payment method.
Nonetheless, if criminals continue to steal U.S. payment card numbers from POS systems, cardholders still may be forced to accept replacement cards and then update their monthly autopayments for their new card numbers. This inconvenience, in turn, may cause consumers to pressure merchants to speed up their adoption of chip technology — and credit card companies to adopt PIN-and-chip technology.
Merchants that haven’t yet upgraded their equipment and internal processing systems to allow for the processing of chip cards should do so immediately. In addition, they might consider enabling mobile near field communication (NFC) payments, such as Apple Pay or Google Wallet. Doing so is likely to minimize the long-term cost and hassle of upgrading card readers, as well as providing optimal flexibility and fraud protection when processing transactions for years to come.