Why new "chip-and-pin" cards won't protect you -- yet
The so-called "chip-and-pin" credit card is heralded as a technology that can thwart the types of security breaches that have hit Target (TGT) and possibly Home Depot (HD), which is investigating a suspected attack.
And while millions of Americans now carry such cards -- the plastic includes an embedded microchip that stores customer data -- there's a snag: Most retailers don't have the technology to run the cards.
"The only place I've used it has been in Canada," said Michael Misasi, senior analyst at Mercator Advisory Group, a research firm that focuses on the payments and banking industry. As an analyst covering the technology, he asked his bank for a card with a chip, but so far he hasn't been able to use it in the U.S.
Retailers "were taking the wait-and-see approach," he noted. "Then the data breaches happened, and that told them they had to get moving, for their own customers and the sake of their businesses."
Chip-enabled cards, also called EMV cards (short for Europay, MasterCard and Visa) are currently held by millions of consumers in the U.S., notes Carolyn Balfany, senior vice president of product delivery for MasterCard. But that's still a small fraction of the 1.2 billion credit and debit cards held by American consumers, and may explain why retailers have been slow to upgrade their systems.
But even before the breaches, there was an incentive spurring the rollout of the cards and new point-of-sale systems at retailers. In October 2015, new credit-card standards will go into effect, changing how liability falls between credit-card issuers and retailers. While EMV compliance won't be mandatory, liability for fraud will fall on the party that hasn't upgraded their systems.
"In industry jargon, it's a liability shift," Balfany notes. "It creates incentives and an alignment in the industry" for both retailers and banks to migrate to the EMV technology.
The chip-enabled cards are more secure because retailers and card processors don't store the card data in their systems, as they do with magnetic-strip cards, said John Pironti, a risk and security advisory with ISACA, an IT and information security association. "The idea is that it enables the information to be read off a secure chip on the card," he noted. "It has to be present for the transaction, and the card number itself is never released to the provider."
The transition to the new cards is expected to accelerate, with the Payments Security Task Force forecasting that more than 575 million chip-enabled cards will be in the hands of U.S. consumers by the end of 2015. Even though the cards include the chips, they still continue to have a magnetic strip on the back, which means stores without the ability to read the chips can still use the old-fashioned "swipe" to run the card.
Already, retailers are reacting to the security breaches and investing in new software and point-of-sale card readers. Target, which is still recovering from a massive breach that led to stolen card data and personal information for as many as 110 million customers, will next year reissue all Target-branded and co-branded cards with the EMV technology.
Retail giant Walmart (WMT) is one of the few retailers that have installed checkout terminals that can process the chip-enabled cards. It's also issuing its branded credit cards with EMV technology, it said in an August blog post.
But by the end of 2015, retailers will still be lagging card-issuers, according to a forecast from Mercator. It estimates that while 58 percent of credit-cards will be EMV compliant by the end of next year, only 26 percent of check-out terminals will be equipped to handle them.
"On the merchant side, the terminals won't be completely replaced until 2020," Misasi said.
One downside for consumers? The new cards might take some getting used to, Misasi notes. That's because the cards are slotted into the checkout terminals, where they remain for a few moments, similar to how some ATMs work. "What some retailers have found is at first consumers walk away and forget their cards," he said.
In the meantime, consumers still need to be diligent about checking their statements, and calling their banks if they notice any odd activity. About 90 percent of consumers fail to check their card statements, or only skim them.
As for the criminals, they'll likely be continuing to work on schemes to steal credit-card data as the U.S. migrates to EMV cards.
"As other markets have migrated to chip cards, we've seen an increasingly rate of fraud migrate to the U.S.," notes MasterCard's Balfany. "That's pretty logical. Fraudsters will go to where it's most easy."