US deadline for EMV credit cards looming: What you need to know
On October 1, 2015, EMV (Europay, MasterCard, and Visa) credit cards (as well as Discover and American Express) gain significance for merchants, card issuers, and financial institutions in the US, as liability from fraudulent credit-card transactions may or may not be their responsibility depending on the card issuer’s stipulations.
Users will be affected as well, but to a lesser degree. Instead of the well-practiced swipe, “dipping” will be required. The user will:
- insert (dip) the EMV card into the provided slot of the POS terminal;
- leave the card there until the transaction is done; and
- remove the EMV card.
Letting go of the credit card will take some getting used to, especially when you’re in a hurry.
The ease at which a memory stripe credit card can be cloned is well known. The new EMV style credit card combats that by replacing the magnetic stripe with a small computer chip that creates a one-time transaction code that cannot be duplicated (well kind of — more on that later).
What happens on October 1st?
October 1, 2015 is when the “liability shift” takes place; what that means is complicated and dependent on which card issuer is used. CreditCard.com explains: “After an Oct. 1, 2015 deadline created by major U.S. credit card issuers MasterCard, Visa, Discover and American Express, the liability for card-present fraud will shift to whichever party is the least EMV-compliant in a fraudulent transaction.”
The site clarifies its statement using the following example. A financial institution issues an EMV card to a merchant that has not changed the existing POS system to accept chip technology. Not changing the POS system allows a counterfeit card to be successfully used at the merchant’s checkout. The cost of the fraud is the merchant’s responsibility.
The Veriphone site (PDF) has a schedule with dates and what changes occur on those dates. For example, on October 1st, Visa’s position becomes: “The party that is the cause of a contact chip transaction not occurring will be financially liable for any resulting card present counterfeit fraud losses.”
Basically, the card issuers are moving the financial risk to whomever still solely relies on magnetic stripe technology.
Why a magnetic stripe and a chip?
People issued credit cards recently will notice the chip; something else they will notice is the familiar magnetic stripe on the back. What’s that about?
Card issuers are concerned about businesses that have not yet upgraded their POS systems to accept EMV cards. So, for the foreseeable future, consumers will have to guess whether to swipe or dip. Randy Vanderhoof, executive director of Smart Card Alliance, describes how that works in this video:
“The magnetic stripe on EMV issued cards will let the POS terminal know that the card was issued with a chip. If the terminal is enabled to accept an EMV chip transaction, it prevents the magnetic stripe from completing the transaction.”
Chip and signature?
Besides swiping and or dipping, there’s something else that differentiates US credit cards: The term chip and PIN card has seemingly been replaced by EMV card, and PIN has been replaced by signature. Brian Krebs asked Julie Conroy, a fraud analyst with The Aite Group, why. In response, Conroy quotes a card issuer, “We don’t really think we can teach Americans to do two things at once. So we’re going to start with teaching them how to dip, and if we have another watershed event like the Target breach and consumers start clamoring for PIN, then we’ll adjust.”
Chris Hoffman at How-To Geek offers another explanation why card issuers in the US may have chosen signatures instead of PINs. “While retailers would probably prefer Chip and PIN, banks don’t want to use Chip and PIN,” writes Hoffman. “When you insert the card into an ATM to withdraw money, you need to enter the PIN. If this is the same PIN you’re constantly entering when using your card, it’s easier to eavesdrop on and capture. If the PIN is something you only enter at ATMs because you use a signature when making most payments, that protects banks from fraudulent ATM transactions.”
That said, there are a few problems with using signatures instead of PINs:
- Seldom if ever are signatures checked;
- If the EMV card is stolen, the thief can use the card at any EMV terminal that allows signatures; and
- Chip and PIN could be considered two-factor authentication, whereas Chip and Signature is one factor.
Fraud protection, not a security technology
Tim Thomas at ComplianceGuide.org cautions that EMV cards should be considered fraud protection, not components of a security technology. “If someone steals a credit card number, they cannot use that number to manufacture a fraudulent EMV card,” writes Thomas. “In other words, the EMV technology ensures that the card being presented is not a fraudulent card.”
Thomas offers the following reasons why EMV card systems do not enhance security.
- Once an EMV card is used, the credit card number still has to get to the processor and can be stolen while the digital information is traversing the internet.
- EMV’s fraud prevention capability only works in card-present scenarios (physically at a POS terminal). Stolen credit card numbers can still be used in e-commerce transactions.
No longer the easiest target
“Half of the world’s credit card fraud happens in the United States, even though only a quarter of all credit card transactions happen here,” mentions this paper by Square, a supplier of POS systems. “A primary culprit? Fraudsters who can’t hack chip cards and are now turning their efforts to the U.S.”
So, in a few days, thanks to EMV card technology, cardholders in the US should be less susceptible to credit-card fraud. Well, maybe. There are those who disagree, arguing that relying on signatures instead of PINs keeps the bull’s eye right where it is.
The technology is already broken
As to the anti-fraud capabilities, way back in 2010, I wrote Chip and PIN: The technology is no longer secure. Idan Aharoni in his July 23, 2015 post Cybercriminals Clone EMV Cards – No Longer a Theoretical Threat further topples the benefits of chip and “whatever” technology.
Still, EMV technology will make it more difficult for the bad guys — maybe even to the point where they will shift their focus to e-commerce transactions, where chip and PIN or chip and signature do not come into play.
Also see on ZDNet
Note: ZDNet is a sister site of TechRepublic.
Originally posted here: