Banks have been sending millions of Americans credit and debit cards equipped with computer chips to improve the security of in-store purchases.
Meanwhile, banks and credit card companies are pushing merchants to upgrade their payment terminals so they can read the chips on the cards and bring the U.S. in line with credit card security used in much of the rest of the world.
The conversion process from older magnetic stripe cards to chip cards has sped up in recent months because of an Oct. 1 deadline. That's the day when liability for credit card fraud will shift from banks to merchants or the party using the least-secure technology. Credit card users, who won't bear liability for fraud, are unlikely to notice the deadline at all.
However, card users might want to know what's happening so they'll be ready when lines form at checkout lanes this holiday shopping season because merchants will have begun deploying chip-card readers. Some industry analysts say chaos will ensue because chip cards take a few seconds longer to read than magnetic stripe cards, and some customers and store clerks will be unfamiliar with how to use them.
The following is information you can share with other shoppers (after Oct. 1) if you happen to be (patiently) waiting in line at the checkout counter.
What's a chip card?
A chip card, also called a smart card, is a credit or debit card with a computer chip embedded in the face of the card. That's the only difference in its appearance. Nearly all of the chip cards that banks are sending their customers still have magnetic stripes that will be used by stores that don't have chip-card readers. Magnetic stripe technology is decades old and is still widely used in the U.S. even though it is relatively easy to hack.
According to industry estimates, about half of the 12 million card readers at payment terminals in the U.S. will be converted to support chip cards by the end of 2015. Meanwhile, there are about 1.2 billion debit and credit cards in circulation among the 335 million people who live in the U.S. Eight major banks account for half of the U.S. card volume; they estimate that nearly two-thirds of their cards will be reissued as chip cards by the end of the year.
There are 3.4 billion chip cards in use worldwide, primarily in 80 countries, according to the EMV Connection website. EMV stands for Europay, MasterCard and Visa, the companies that originally developed chip cards.
The numbers are important because there won't be a complete conversion to chip cards for many years. It took Canada about eight years to reach 90% conversion to chip cards. Major retailers like Wal-Mart have been converting payment terminals to support chip cards for years.
How do I use a chip card?
GoChipCard.com, a website supported by major banks and credit card companies, posted a three-step illustration for how to use a chip card. Step 1 is to insert the card at the bottom of the terminal, with the chip toward the terminal facing up. That's instead of swiping the magnetic stripe along the side of the machine.
Many new terminals will support both methods, as well as NFC payments via smartphones and smartwatches such as the latest iPhones or the Apple Watch, which use Apple Pay. NFC payments are usually done by just touching, or nearly touching, a device to a payment terminal and entering a confirmation on the phone. In addition to "touch and pay" with a smartphone, some retailers like Rite-Aid will support the ability to touch the terminal with a chip card to pay.
As the GoChipCard graphic notes, a key detail of the first step is that users should not remove the card from the reader "until prompted." Analysts have noted that, on the first few tries, U.S. shoppers who are accustomed to swiping magnetic stripes may be likely to remove their chip cards quickly. Sales clerks will have to be ready for this -- and patient enough to remind users to leave the cards in place until the terminal beeps or a light goes on, or until the clerk gives the customer the thumbs up. There are more than 20 vendors of payment terminals, and they have varying methods for confirming that a sale is complete and that a card can be removed.
There are a wide variety of chip card payment terminals, but they mostly look alike, as indicated in the GoChipCard.com illustration. Some will be attached to a pedestal, just as older magnetic-stripe card readers are today. The terminals will almost all have a keypad to capture a PIN (personal identification number) and a screen and a digital pen to capture a signatures.
Step 2 in the graphic is to "provide your signature or PIN as prompted by the terminal." Many retailers won't require either, especially if the transaction is for a small amount, usually under $25. There's disagreement in the industry about whether a signature or a PIN will be required for larger purchases, but the decision will be made by the banks issuing the cards. (More on that below.)
Step 3 is to remove your card when the transaction is complete. As mentioned above, different terminals may have different ways to indicate that it's OK to remove the card.
Are chip cards really more secure, and are they necessary?
Yes. Chip cards are light years ahead of magnetic stripe cards in terms of security. The main thing to know is that the chip in the card is communicating with the network behind the terminal to enhance security instead of just forwarding your card number and related data to the network, as with the magnetic stripe approach.
The chip can communicate a unique encrypted token (or an alias) with the network instead of your actual credit card number. That way, the network, and even the store, won't know your card number. When the token reaches your bank, it is decrypted so the bank can verify your account and then authorize payment. This all happens in a few seconds or less.
As to whether the security is necessary, the answer is again, yes, especially for banks, but not necessarily for card users. Obviously, it is in everyone's interest to reduce fraud where possible, and banks have long said that customers aren't held liable for fraud. That policy of keeping customers harmless will continue with chip cards. Enhancing security helps banks reduce the cost of paying for stolen card numbers and stolen merchandise, which theoretically keeps costs in check for average bank customers. In countries where chip cards have been used for years, as in Europe and Canada, fraud rates have dropped dramatically.
So if the chip makes the card so secure, why do I need a PIN or a signature?
The main reason for a PIN or signature is to provide the merchant (and the bank behind the card) further evidence that the user of the card is the actual owner of the card. If your card is lost or stolen, even with a chip, it can still potentially be used by someone else.
There's an ongoing debate as to whether a signature will really provide that added layer of security, since chip terminals don't verify in real-time that a signature belongs to the person using the card. The signature used by somebody committing fraud could be helpful in a subsequent investigation of fraud (using handwriting analysis), or a fastidious sales clerk might ask to see another card or form of identification to compare signatures.
A PIN is considered unique, but it can be stolen, even by a thief who watched a cardholder type in a PIN on a terminal before stealing the card. (That kind of theft is rare in the U.S. ) Some merchants want to avoid the added cost of terminals that have keypads, but nearly all the terminals being installed will have them. Another potential problem is that people who have never used PINs might have trouble remembering them.
Several industry officials said that MasterCard has indicated support for chip-and-PIN security with credit cards, while Visa has supported the chip-and-signature approach in various public remarks. However, an official at Visa recently told Computerworld that Visa has no official preference, and some analysts consider MasterCard neutral on the matter. Some banks that issue both types of cards have been issuing MasterCard chip cards with a PIN requirement and Visa chip cards with a signature requirement.
The jury is still out on signature vs. PIN, and banks will be weighing preferences of consumers in coming months. In other words, it is entirely possible that come Oct. 1, average customers might not know if their cards require a PIN or a signature unless they're informed by their banks. It's possible that some may not find out until they're in line to make a chip-based purchase for the first time.
What about when I shop online with a chip card?
The chip in the card offers no improvement in security when you're using your credit card number to shop online. It will be the same as if the card were a magnetic stripe card. If you happen to have a small portable chip card reader, then the enhanced security could come into play, assuming the seller on the other end could accept that kind of data. An artist selling paintings or a small merchant using chip-reading technology provided by Square or another vendor would still need to read an actual chip card in person, even though the transaction would almost seem to be online.
What's the significance of this Oct. 1 deadline?
Banks and card companies set Oct. 1 as the day when the liability for losses from card fraud will be transferred from banks to merchants, or the party with the least-secure technology.
The liability shift means that if a someone tries to buy a $500 espresso machine with a stolen card that doesn't have an embedded chip, and the merchant accepts the card, the merchant would take the loss, not the bank.
There's really no deadline for consumers, who will continue to be protected by banks against liability due to fraud. Consumers will still need to report lost or stolen cards, of course.
Major merchants that are making the conversion and are worried about their newfound liability will likely require shoppers to use chip cards after Oct. 1. It isn't clear how much backlash will come from customers who aren't prepared. People who have only magnetic strip cards will probably be permitted to complete their transactions with a normal swipe. In such situations, the liability would fall back onto the bank that issued the noncompliant card, according to Jordan McKee, an analyst at 451 Research.
It's possible that some small merchants who have been accepting magnetic strip cards but don't have the ability to process chip cards will stop accepting cards and will insist on payment by cash or check. A number of companies, like Square, sell chip card readers for small businesses, and PayPal is expected to offer one this fall.
Come on, isn't this conversion to chip cards going to be a breeze?
The process of converting to chip cards would seem to be easy, but perhaps only to technically minded people. Americans have used magnetic swipe cards for decades and the practice is entrenched. And store clerks might, or might not, be trained to help customers use the new chip card payment terminals.
"Never underestimate how difficult it is to change entrenched behaviors," said McKee of 451 Research. "Card issuers are already uneasy about the change in the process from swiping a card [with a magnetic stripe] to dipping [inserting]" a card with a chip.
To show how the transaction process could work with chip cards, Computerworld recently attempted to make a large purchase using a Bank of America MasterCard debit card with a chip at a new chip-enabled terminal in a Wal-Mart in Harrisonburg, Va. After three failed attempts to pay by inserting the card into the chip reader, the transaction was successfully completed with a swipe of the card's magnetic stripe. The clerk said it should have worked as a chip card.
Wal-Mart and Bank of America didn't respond when asked to comment about the incident in the Virginia store, but there are still about seven weeks until Oct. 1, when theoretically Wal-Mart expects to be ready for chip transactions and meet the liability deadline. Or, perhaps, that simple test is a foreshadowing of problems to come.
"The U.S. is transitioning to chip cards during the onset of the holiday shopping season," McKee noted. "The combination of long queues, impatient shoppers and a new process for card transactions will not be pretty. Chaos will ensue ... It will be messy."
In interviews, officials at both Visa and MasterCard have indicated that they hope their public information campaigns through GoChipCard.com and other venues will enhance public understanding of the conversion.
Carolyn Belfany, senior vice president of U.S. product delivery at MasterCard, said in an interview in late June, "We certainly don't think that the consumer should fumble through" using a new chip card.
The GoChipCard.com site was designed to provide clear, simple instructions -- such as the caveat to resist the impulse to remove the card quickly, she said. Variations in the way chip card terminals work should be apparent. "Hopefully that stuff will be minimized, but we'll still have variation," she said.
It's safe to say that merchants, banks, card companies and consumers will all have their collective fingers crossed in coming weeks as the advent of chip cards approaches.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.