In the wake of recent data breaches at Target, Neiman Marcus and other companies, it’s reasonable to ask what banks are doing to protect against identity theft. According to the U.S. Department of Justice, there were 16.6 million U.S. identity theft victims in 2012, a number that skyrocketed to over 70 million in 2013. This startling jump in breaches begs the question: will these high numbers be enough to finally bring smart chip credit cards to the U.S.?
Smart chip credit cards, which are a part of the EMV (Europay, MasterCard, and Visa) credit system, have been promoted as the safer alternative to magnetic stripe cards. However, the U.S. has been slow to adopt these cards because it’s expensive to replace magnetic swipe systems and ATMs and produce the cards. That being said, by the end of 2015, change may be inevitable.
What makes a smart chip card so special?
Smart chip credit cards are exactly what they sound like—a credit card with a chip on it that stores your encrypted account information. Unlike cards with magnetic stripes, these cards cannot be read by swiping. Instead, they’re scanned by a point of sale (POS) terminal or ATM that reads the chip. Sometimes the terminal requires a PIN to decrypt the chip’s information. Sometimes all the merchant needs is the customer’s signature, but this is less secure than the chip and PIN option as fraudsters can more easily forge signatures.
In many ways, the chip is more secure than a magnetic stripe, particularly when purchases are made in person at POS terminals. Over time, identity thieves have developed fairly simple ways of altering or taking information in magnetic stripes. Skimming, for example, is when an identity thief sets up a card reading device where folks generally swipe their credit cards, like gas station pay stations or retail stores. As the recent Target incident shows, all it takes is one swipe for your information to be compromised and stored in the skimming device.
While the encrypted information in chips isn’t as vulnerable to theft, it has its own weaknesses that can potentially be exploited. For example, if thieves get ahold of cards, they can make purchases where the cardholder’s PIN, signature, or presence isn’t required. The success of a few large PIN harvesting schemes and experiments—including a recent one from Cambridge—reveal other vulnerabilities in chip cards. However, on the whole, losses due to credit card fraud have decreased dramatically since EMV took hold in Europe.
Will the U.S. be fashionably late to the smart card party?
Although consumer safety is a critical issue, the dominant issue for card issuers and merchants in the U.S. is who will foot the bill for the chips and POS terminals. Card issuers are putting pressure on merchants to purchase POS terminals by 2015, and they’re doing so by shifting the liability of identity theft from themselves to the merchant. This means that if identity fraud results from a merchant using a non-EMV terminal for a transaction with an EMV card, the liability falls on the merchant. However, if the merchant uses an EMV compatible POS terminal, card issuers would be liable for any fraud resulting from that transaction.
While this liability shift puts pressure on the merchant to get EMV terminals, merchants and card issuers alike want to avoid paying more than they have to. Subsequently, the high cost of replacing existing terminals may result in cardholders having to pay transaction fees when using POS terminals. Similarly, card issuers may pass on the high cost of the card’s production to the consumer through fees. Interestingly, the retailers themselves might take the lead on EMV adoption: Target just announced that it will be accelerating implementation following the data breach.
Chances are that the U.S. will eventually adopt the EMV smart chip credit card, like the other 80 countries around the globe that have already done so. While the smart chip cards could potentially alleviate consumers’ fears and limit their losses due to fraud, the real motivation behind the change might boil down to something else. Namely, credit issuers won’t have to shoulder the burden of total liability when credit card fraud occurs. The new pressure on merchants will likely result in more EMV POS terminals in the U.S. by 2015, but just how many merchants will take the pressure to change seriously remains to be seen.
Chip card image via Shutterstock.