Credit card holders may be getting new cards in the next year as major issuers like Visa and MasterCard urge retailers to switch technology to cut down on fraudulent purchases.
What it means is that you likely will “dip” your card – more akin to how you’d use it at an ATM – rather than swiping a reader.
And retailers have a major incentive to make the switch: After Oct. 1, 2015, any fraudulent charges will fall on them rather than the credit card issuer if the store’s technology isn’t up to date.
Recently hacks of major retailers like Target, Home Depot and Jimmy John’s have made news. Part of the problem may be that the United States still uses swipe card technology that is less secure than what’s used in Europe and Canada.
Currently when you swipe your card at a retailer, the reader takes your credit card number and expiration date and sends it to be authorized by the card issuer.
What much of the rest of the world uses is EMV, which stands for Europay, Mastercard and Visa. With this technology, the store reads a chip on the card. The chip allows the card to be authenticated but also includes a one-time use security code in every transaction.
The difference is how long stolen credit card information is good for, says John Mayleben, Michigan Retail Association Senior Vice President of Technology and Product Development.
Right now he said if you drop your wallet somebody could scan a credit card, make a fake duplicate and use it until you notice unusual activity on your account. With an EMV chip, somebody who accessed the data would get it with that one-time-use security code. That security code is only good for the next transaction, and changes after that.
So then it’s a race. If you use your card first the thief’s fake will get denied because it will have the wrong security code. If the thief uses the information with the temporary code first, he or she can make only one transaction. After that the thief’s temporary code would be wrong and the card would be denied.
“What it does is it accelerates the time from theft to stopping the theft,” Mayleben said.
Major credit card companies are pushing this change. The EMV Migration Forum is an independent body with more than 140 member companies, including global brands like American Express, Visa and MasterCard Worldwide. It’s putting into motion new policies aimed to make retailers switch over.
Randy Vanderhoof, director of the EMV Migration Forum, said what’s changing on Oct. 1, 2015 is who pays for a fraudulent purchase. Right now card issuers typically pay for any fraudulent activity. Starting in October of next year, whichever entity’s technology isn’t updated will have to bear the burden.
That means that if a thief uses a card with an EMV chip at a store without an EMV chip reader, the store pays. Conversely, if the store has an updated card reader but the bank is still issuing cards without EMV chips, the bank would have to pay for the fraudulent transaction.
Abtek, a Michigan-based credit card processing company that serves small and medium businesses, offers a more secure transaction called “tokenization”. When you swipe a card the system transmits random numbers that correlate to your card instead of your card’s straight information. On top of that, Abtek can encrypt information.
But Abtek Vice President Tami Cohorst said businesses are sometimes slow to want this or other protections.
“All this is an expense to the business owners. Expenses that they aren’t used to having,” Cohorst said.
Mayleben said the retailers association also handles credit card transactions for businesses, and is trying to prepare them for the EMV switch.
“We have been actively deploying machines that are chip card compatible,” Mayleben said. But it’s unlikely that by October of next year every retailer will have switched over, he noted.
Vanderhoof said each retailer should weigh the cost of implementing EMV chip card acceptance versus the cost of taking on additional fraud.
“They should also keep in mind that criminals will go after the weakest link; even if a retailer does not experience a lot of fraud today, not accepting chip cards could make their locations more attractive to criminals looking to commit counterfeit card fraud,” Vanderhoof said.
As far as consumer experience goes, Mayleben said the customer using an EMV chip card will “dip” instead of “swipe” the card. It’s a vertical insertion more akin to putting the card in an ATM than swiping it at the grocery store. EMV readers are typically at the bottom of devices.
“It is a completely different user experience than what we’re familiar with as consumers,” Mayleben said.
In Europe, the EMV transaction is sometimes referred to as “chip and PIN.” However in the U.S. the EMV Migration Forum advises that “Not all chip cards issued in the U.S. will require the use of a PIN.”
Cohorst said the PIN instead of a signature is used in the rest of the world, and would add an additional layer of security.
“I think the issuers might re-think that, and I think we’ll see more pin-based cards than we had anticipated,” she said.
In the Lansing area, retail locations including Target and Kroger have installed card readers that can process both traditional swipe and EMV chip readers, though the chip readers aren’t yet activated. Some card issuers are also issuing cards with EMV chip capability.