It’s been more than six months since the rules surrounding credit card fraud changed, driving a shift from old magnetic-stripe credit cards to cards embedded with EMV chips. But only 20% of credit card terminals in the U.S. had been activated for chip use through April 2016, according to the Mercator Advisory Group. And only 60% of all credit cards had been updated with chips.
Nevertheless, you may have gone through the new process of sticking your chip card in a reader, waiting for the transaction to be verified, and getting beeped at by the machine if you leave your card in too long.
The process has been heavily promoted as better protection for your card data. But it's probably not as secure as an EMV transaction could be, and there's a fairly low bar for how secure any EMV transaction can be. Part of that is the limits of the technology, and part is the realities of human behavior.
Consumer behavior as sticking point
Some snags in the EMV transition have been widely noted. For one thing, transactions can be slow. For another, you still verify your identity the old-fashioned way, by signing your name — and for smaller transactions, you don’t even have to do that.
“The transactions will take considerably longer at the checkout lanes of stores that require chip cards to be dipped into their chip card readers — at least for the short run, as merchants learn to speed the process,” says Brian Krebs, a journalist and security expert at Krebs on Security. “Also, probably lots more people will be leaving their cards inside the machines and increasing lost-and-stolen [card] losses for banks, at least in the near term until consumers get used to the devices.”
In Europe, consumers have been using chipped credit cards for years — decades, in some cases. But for additional security, the cards require cardholders to enter a PIN code to verify their identity during a transaction. So why didn’t the U.S. adopt a chip-and-PIN system, instead of chip-and-signature? A major factor was issuers’ recognition of how hard it is to force a change in consumer behavior.
“U.S. consumers are not used to inputting a PIN with credit card transactions,” says Julie Conroy, research director at the Aite Group in Massachusetts. “A lot of the issuers that I spoke with elected chip-and-signature because no issuer wanted to be issuing cards whose user experience put it at a competitive disadvantage. In the words of one issuer, teaching consumers to dip instead of swipe was enough change; they didn’t want to risk having to teach consumers to change two behaviors at the same time.”
An attempt to stop fraud
Why make U.S. consumers change anything? The primary reason was fraud.
In 2014, more than $16 billion was lost in worldwide credit card fraud, according to The Nilson Report, which covers the payments industry. Of the losses, 48% occurred in the U.S. Traditional magnetic-stripe cards are easier to clone, because the information stored on the stripe is static, or unchanging. Copy it once, and you can write it onto a duplicate card that the network cannot tell apart from the original. An EMV chip, however, computes a unique cryptographic code (a cryptogram) for each transaction, tied to a counter inside the chip and to data supplied by the terminal, so a code captured from one transaction can't be replayed in another.
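The following is an added illustration, not code from the article or from any card network: a deliberately simplified model of why a skimmed magnetic stripe can be replayed while a captured chip cryptogram cannot. The card key, PAN, amounts and terminal challenges are constructed values, and HMAC-SHA256 stands in for the 3DES-based cryptogram real EMV cards compute; what it keeps faithful is the structure of the check, namely a per-card counter (ATC) that the issuer requires to increase, plus a MAC over that counter, the terminal's random challenge and the amount.

```python
import hashlib
import hmac

# Constructed sample values, not real card data: a well-known test PAN and a
# hypothetical 16-byte per-card key shared between the chip and the issuer.
PAN = "4111111111111111"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class MagstripeCard:
    """Magnetic stripe: the track data is static, so every swipe yields the same bytes."""

    def __init__(self, pan: str, expiry: str) -> None:
        self.track = f"{pan}={expiry}".encode()

    def swipe(self) -> bytes:
        return self.track


def _mac(key: bytes, atc: int, unpredictable_number: bytes, amount_cents: int) -> bytes:
    # Simplified cryptogram: MAC over transaction counter, terminal challenge and amount.
    msg = atc.to_bytes(2, "big") + unpredictable_number + amount_cents.to_bytes(6, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Simplified chip: an application transaction counter (ATC) that increments on
    every transaction, and a cryptogram that binds the counter to the terminal's challenge."""

    def __init__(self, pan: str, key: bytes) -> None:
        self.pan = pan
        self.key = key
        self.atc = 0

    def generate_ac(self, unpredictable_number: bytes, amount_cents: int) -> dict:
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc,
                "mac": _mac(self.key, self.atc, unpredictable_number, amount_cents)}


class Issuer:
    """Issuer host. For stripe cards it can only compare static track data; for chip
    cards it recomputes the cryptogram and enforces a strictly increasing ATC."""

    def __init__(self) -> None:
        self.tracks: dict[str, bytes] = {}
        self.keys: dict[str, bytes] = {}
        self.last_atc: dict[str, int] = {}

    def enroll_stripe(self, pan: str, track: bytes) -> None:
        self.tracks[pan] = track

    def enroll_chip(self, pan: str, key: bytes) -> None:
        self.keys[pan] = key
        self.last_atc[pan] = 0

    def authorize_stripe(self, pan: str, track: bytes) -> bool:
        return hmac.compare_digest(self.tracks.get(pan, b""), track)

    def authorize_chip(self, cryptogram: dict, unpredictable_number: bytes, amount_cents: int) -> bool:
        pan = cryptogram["pan"]
        key = self.keys.get(pan)
        if key is None:
            return False
        if cryptogram["atc"] <= self.last_atc[pan]:
            return False  # counter already seen: a replayed cryptogram
        expected = _mac(key, cryptogram["atc"], unpredictable_number, amount_cents)
        if not hmac.compare_digest(expected, cryptogram["mac"]):
            return False  # challenge or amount differs from what the chip actually signed
        self.last_atc[pan] = cryptogram["atc"]
        return True


def stripe_clone_is_accepted() -> bool:
    """A skimmer copies the track once; a cloned card presenting the same bytes is authorized."""
    issuer = Issuer()
    card = MagstripeCard(PAN, "2512")
    issuer.enroll_stripe(PAN, card.swipe())
    skimmed = card.swipe()                      # attacker records the static track data
    return issuer.authorize_stripe(PAN, skimmed)


def chip_replay_is_accepted() -> dict:
    """Capture one chip cryptogram and try to reuse it before and after the genuine
    transaction is authorized. Terminal challenges are fixed here; real terminals draw them at random."""
    issuer = Issuer()
    card = ChipCard(PAN, CARD_KEY)
    issuer.enroll_chip(PAN, CARD_KEY)
    challenge_a, challenge_b = bytes.fromhex("1a2b3c4d"), bytes.fromhex("9f8e7d6c")
    amount = 4_250                              # constructed: $42.50

    captured = card.generate_ac(challenge_a, amount)
    # Relayed to a second terminal first: fresh challenge, so the MAC no longer matches.
    replay_other_terminal = issuer.authorize_chip(captured, challenge_b, amount)
    genuine = issuer.authorize_chip(captured, challenge_a, amount)
    # Identical data sent again: MAC is fine, but the ATC was already consumed.
    replay_same_data = issuer.authorize_chip(captured, challenge_a, amount)
    return {"genuine": genuine, "replay_other_terminal": replay_other_terminal,
            "replay_same_data": replay_same_data}
```

The two rejections come from different checks: the terminal challenge defeats relaying a cryptogram elsewhere, and the counter defeats resubmitting the exact same authorization. Neither check exists for a stripe, whose only "secret" is the copied track.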
“U.S. consumers are largely shielded from [the direct cost of credit card] fraud, thanks to the U.S. regulatory environment and the zero-liability guarantee that the payment networks provide,” Conroy says. The shift to EMV, then, is really more about protecting credit card issuers from fraud losses than protecting consumers.
In October 2015, new rules on liability for credit card fraud took effect. When fraud occurs, whichever party had not adopted EMV technology bears the loss. If the card in question wasn't EMV-chipped, the liability stays with the issuer. If the merchant didn't have an EMV chip reader, the merchant bears responsibility. Liability also could be shared.
PIN offers only limited protection
What doesn’t factor into the liability equation is whether the chip card relies on a PIN or a signature for verification. And the truth is that most credit card fraud wouldn’t even be prevented with chip-and-PIN.
“Chip-and-PIN protects against lost-and-stolen fraud — i.e., if someone steals your wallet, they can’t easily take your cards on a shopping spree,” Conroy says. That type of fraud is minuscule compared with general credit card fraud, Conroy says.
In addition, thieves will always find a way around security. "We've seen, based on the example of other countries, that criminals have gotten to be quite adept at capturing the PIN, either via skimming attacks, shoulder-surfing or pinpoint cameras," Conroy says. Because the PIN doesn't change with each purchase, Conroy says it "has its limits in terms of its ability to effectively fight fraud. When the U.K. went to chip-and-PIN, lost-and-stolen fraud dipped briefly but within a few years was right back to pre-PIN levels."
EMV chips also play no role in online (card-not-present) transactions, where only the card number, expiration date and security code are entered, so chip cards are just as exposed there as magnetic-stripe cards.
Is there a more secure way?
Conroy says chip-and-PIN is at best a short-term fix. “Ideally, I’d like to see the industry leapfrog PIN and move to other forms of verification, such as biometrics, mobile verification, etc.,” she says. “In the process, we should also do away with the signature — that’s costly for merchants to store and is useless as a customer authentication method as currently implemented.”
Krebs suggests using “tokens” as a way to combat fraud. With tokenization, merchants’ computers don’t store credit card data at all. Instead, they store a placeholder number, or token, that can be used to retrieve data from the issuer.
"Tokenization can help merchants avoid storing card data for any length of time and in the process decrease the likelihood that cybercrooks will target them for card data," he says. Tokenization would reduce the exposure from merchant data breaches, which are how most consumers become victims of credit card fraud.
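As an added example (not code from the article, and not any particular processor's tokenization product), here is a minimal model of the arrangement Krebs describes: a hypothetical token vault that is the only party holding card numbers, merchants that store nothing but a random, merchant-scoped token, and a look at what a breach of the merchant's database actually yields. The PAN, merchant IDs and purchase amounts are constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample PAN (a well-known test number, not a real account).
PAN = "4111111111111111"


class TokenVault:
    """Hypothetical token service, as an issuer or processor would run it. It alone
    stores PANs; a token is random, carries no PAN-derived content, and is bound to
    the merchant it was issued to."""

    def __init__(self) -> None:
        self._by_token: dict[str, tuple[str, str]] = {}   # token -> (merchant_id, pan)
        self._by_card: dict[tuple[str, str], str] = {}     # (merchant_id, fingerprint) -> token
        self._fp_key = secrets.token_bytes(32)             # keyed, so fingerprints can't be brute-forced

    def _fingerprint(self, pan: str) -> str:
        # Lets the vault find a returning card's existing token without indexing on the PAN itself.
        return hmac.new(self._fp_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, merchant_id: str, pan: str) -> str:
        key = (merchant_id, self._fingerprint(pan))
        if key in self._by_card:
            return self._by_card[key]
        token = "tok_" + secrets.token_hex(12)
        while token in self._by_token:                     # keep tokens unique (collision is negligible)
            token = "tok_" + secrets.token_hex(12)
        self._by_token[token] = (merchant_id, pan)
        self._by_card[key] = token
        return token

    def detokenize(self, merchant_id: str, token: str) -> Optional[str]:
        entry = self._by_token.get(token)
        if entry is None or entry[0] != merchant_id:
            return None                                    # unknown token, or presented by the wrong merchant
        return entry[1]


class Merchant:
    """Merchant system that never stores the PAN: order records hold the token and
    the last four digits for receipts, nothing more."""

    def __init__(self, merchant_id: str, vault: TokenVault) -> None:
        self.id = merchant_id
        self.vault = vault
        self.orders: list = []

    def checkout(self, pan: str, amount_cents: int) -> str:
        token = self.vault.tokenize(self.id, pan)
        self.orders.append({"token": token, "last4": pan[-4:], "amount_cents": amount_cents})
        return token

    def database_dump(self) -> str:
        # What an attacker who breaches this merchant's database walks away with.
        return json.dumps(self.orders)


def run_scenario() -> dict:
    vault = TokenVault()
    shop = Merchant("merchant-a", vault)
    tok_first = shop.checkout(PAN, 1_999)       # constructed purchases by the same card
    tok_repeat = shop.checkout(PAN, 500)
    dump = shop.database_dump()
    return {
        "pan_in_breach_dump": PAN in dump,
        "returning_card_same_token": tok_first == tok_repeat,
        "vault_resolves_for_merchant": vault.detokenize("merchant-a", tok_first) == PAN,
        "token_usable_at_other_merchant": vault.detokenize("merchant-b", tok_first) is not None,
    }
```

The merchant still gets what it needs (it can recognize a returning card and charge it again through the vault), while the stolen dump contains no card numbers and a token lifted from one merchant is worthless at another.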
Mobile solutions have their own limitations
Mobile payments and digital wallets such as Apple Pay may provide an alternative. But Conroy says, “While some merchant-specific implementations of mobile payments are seeing great success — Starbucks, for one — adoption of the open-loop mobile payments — Apple Pay, Android Pay — is moving much slower.”
Krebs sees a security risk for mobile payments, too. “Apple Pay uses a form of tokenization, but the problems in the past with Apple Pay stemmed from lax enrollment procedures at banks and a reliance on static data elements [such as Social Security numbers or birth dates] for authentication when these data elements are widely compromised and for sale on just about all Americans.”
The one thing likely to stay in circulation is the card in your wallet. "Consumers are very comfortable transacting with cards," Conroy says, "and changing consumer behavior is difficult, so cards will be with us for some time to come."