In fight against fraud, chip trumps stripe

28 Sep 2015 | Author: | No comments yet »

Chip cards are safer, but they only solve part of fraud problem.

Magnetic stripes contain information that doesn’t change, such as your account number and card expiration date. The credit-card industry is pushing stores, banks and any business that accepts credit cards to switch to chip-card technology by that date — or face the consequences.You’d think that in the wake of a massive theft of credit card information in a 2013 network breach, Target would be extra careful about protecting its customers credit cards.The nation’s merchants are not exactly racing to install new chip card readers by Oct. 1, when they will face liability for fraudulent credit and debit cards.Chip cards “protect against counterfeit fraud and guarantees that card is unique,” said Philip Andreae, a vice president of French cardmaker Oberthur’s North American financial services industry business unit.

But according to a survey commissioned by the payments company ACI Worldwide, nearly three in five U.S. consumers with one or more credit or debit cards reported they hadn’t yet received a new chip-enabled card. Those that have made the switch say it’s pretty painless, once you get past training employees or customers to insert chip cards into a slot at the end of a terminal rather than swiping them. “Every transaction has an extra five seconds of awkwardness, like a weird first kiss where you say, ‘How do we do this?’” said Pete Mulvihill, co-owner of Green Apple Books in San Francisco. Visa estimates that about two-thirds of the fraudulent purchases in brick-and-mortar stores that pass through its network are the result of counterfeit cards. The new pieces of plastic that banks and other card issuers have been sending to customers contain a tiny metallic chip designed to reduce counterfeiting, just as similar Europay credit cards have cut such fraud throughout Europe.

The findings from a scientific poll of about 1,000 U.S. adults in late August, suggests the U.S. transition to EMV — Europay, MasterCard and Visa — technology on Oct. 1 might not be as fast as some imagined. Like other retailers, Target is preparing for the switchover from debit and credit cards with magnetic stripes to cards with embedded microchips, which are said to be more secure. A: Instead of quickly swiping your card with the magnetic stripe through a slot, you insert it into a different opening — chip end first with the chip facing up — and leave it there until the machine prompts you to remove it. The chip cards, also known as EMV (for Europay, MasterCard, Visa) cards, are based on a protocol developed in the ’90s to combat rising numbers of bunk plastic purchases overseas.

On Thursday, the credit card industry will add bite to its rollout by shifting liability for covering counterfeits to the party that has not adopted chip technology — either the merchant or the credit card issuer. “To the extent that this cuts down on fraud, it’s probably a win for everyone,” said Michael Simkovic, an associate professor at Seton Hall University School of Law. Banks and credit card companies have been putting chips in newly issued and updated cards for months (the chips are plainly visible on the front of the cards).

This is called dipping, and it takes a bit longer than swiping because you are waiting for the transaction amount to be finalized and a one-time code generated. Between then and now, most of the rest of the world has followed suit — with the U.S. among the final holdouts, in part because of the number of merchants here and the cost of the upgrades. By next month, U.S. retailers must have card readers (and systems) in place for processing transactions with chip cards, or else they’ll be responsible for any fraudulent charges. But in the last year or so that’s begun to change, culminating in a defining moment at the start of next month when all merchants who refuse to accommodate chip cards will be forced to shoulder more of the burden of fraudulent transactions.

Seth Ruden, a senior fraud consultant at ACI, a company that sells electronic payment processing software, says one reason some people are still sporting magstripe cards is because banks are issuing chipped cards in waves — not all at once. At a Home Depot in Burbank, Robert Montanez said he worried it would give criminals a greater opportunity to steal his data if the sales terminal were hacked. Adding to the security effort is a requirement that customers either sign the transaction or use a personal identification number to complete a purchase. For some, it’s as little as $49 for a simple card reader from Square; for larger retailers it can cost millions. “Dry cleaners, restaurants, coffee shops, not common destinations for someone with a counterfeit card,” said Jason Oxman, chief executive of the Electronic Transactions Association, of the hundreds of thousands of merchants that have yet to purchase upgraded readers and point-of-sale equipment. Prepaid cards also are moving toward chip technology, but at a much slower rate because of a wider variety of offerings, lower value limits and less risk for merchants and card issuers, said Brian Riley, an executive at research firm CEB TowerGroup.

Oxman added that thieves who use counterfeit cards often make big purchases that they can then fence — say a big-screen TV. “They’re not going to sit at a restaurant for three hours and then pay,” Oxman said. The U.S. has become a target because most major countries already have switched to chip cards, leaving the U.S. “the path of least resistance,” said Thad Peterson, a senior analyst with Aite Group, a research consultant.

While you’ll likely get most of your credit cards reissued before the Oct. 1 deadline, don’t expect to get a chipped debit card by that time, Ruden says. EMV technology wouldn’t have stopped the breaches at Target or Home Depot — though it would have prevented criminals from creating counterfeit cards from the stolen information and using them in stores. There was just one problem: Both times I used the chip-and-PIN process, Target’s system validated my purchases without requiring me to enter my PIN. At Paper Caper in Burlingame, which has a fast Internet connection and store personnel who dip the card, “it’s a couple seconds” longer, said co-owner Dale Ferrel. I haven’t gotten my card, yet,’ or ‘I’m stuck somewhere in Miami,’ or something, ‘and I need a card to be overnighted to me.’” Visa and MasterCard continue to promote tokenization and point-to-point encryption — both meant to further curb fraud.

Carolyn Balfany, a senior vice president with MasterCard, said it generally takes an extra second or two but might seem longer because “you leave the card in the slot while it’s completing the transaction.” Warning: Until people get used to waiting longer, some might leave the store with their card in the reader, Bob Sullivan wrote in a blog post at Another one, said Michael Moeser, director of payments for Javelin Strategy & Research, is the Durbin Amendment, which required debit cards to be processed over at least two unaffiliated systems. Good citizen that I am, I notified the person at the service desk that the PIN step in the process was missing — making it possible for anyone with a stolen chip card to waltz out the door with a shopping basket full of stuff. About 52% of those transactions involved cards that were presented to retailers for purchases; the rest were attributed to online and other fraud where the card isn’t used at a store. Q: I recently bought a new Android smartphone, and I want to enable the security feature that will prevent it from being used if it’s lost or stolen.

But if you’re among the 59% who haven’t received a chipped card yet, and are planning an international vacation, or if you just want to thwart a potential counterfeit card operation, you may want to call your issuer to request an updated card. If the terminal can accept chips but the card does not have a chip, the bank is liable. “The real objective of the liability shift is to create incentives for both the banks and merchants to upgrade the card and terminals to chip,” said Balfany. A: Android’s “kill switch,” called Device Protection, is only built into phones running Android 5.1, the latest incarnation of the operating system (although some manufacturers have offered it as a patch for selected phones with version 5.0). Until more merchants transition, you’ll likely be swiping your EMV card in old card readers, instead of doing chip-enabled transaction on new terminals. Our guest bloggers are not employed or directed by the Monitor and the views expressed are the bloggers’ own, as is responsibility for the content of their blogs.

Every version of Apple’s mobile operating system starting with iOS 7 has included Activation Lock, the kill switch feature that Android basically copied. Large retailers such as the Home Depot Inc., Target Inc. and Wal-Mart Stores Inc. said the transition to sales terminals for chip cards is complete or on track to finish by Thursday’s deadline. Not only is that unfair to consumers, it has put some new phones in conflict with a California law that requires any smartphone manufactured after July 1 and sold in the state to be equipped with a kill switch. Madelyn Alfano would have to pay up to $25,000 to update the sales terminals in her 10 Maria’s Italian Kitchen restaurants throughout the Los Angeles area.

She said she will probably get one or two readers for each location in the next few weeks, which could slow down daily operations since the staff usually operates from five sales terminals at each restaurant. Gwyneth Borden, executive director of the Golden Gate Restaurant Association, estimates that only 5 percent of San Francisco restaurants have installed them, partly because of confusion over whether tipping comes before or after dipping. For now, the focus is on familiarizing consumers and merchants with using chip cards. “Adding PIN for additional security is another measure that merchants/issuers could take; however, this only protects for the physical theft of plastic, or ‘lost/stolen’ fraud, which is a much smaller contributor to fraud overall,” said Dina DeMerell, Chase executive director, payments security. “At this point, rolling out chips smoothly and developing tokenized payment solutions are our main focus.” A: Not really. Should the strip’s data get stolen and counterfeited, the new fake chip card won’t work in a chip-card reader — and swiping the card should pop up the instructions that this is a chip card.

Either you’ve paid to upgrade your credit-card machines and payment systems, or you accept the risk being responsible for counterfeit cards swiped at your business beginning in October. Visa has identified several high-risk merchant categories: stores that sell high-dollar items (jewelry, electronics), services (optometrists) or gift cards (grocery and drug stores).

Here you can write a commentary on the recording "In fight against fraud, chip trumps stripe".

* Required fields
Our partners
Follow us
Contact us
Our contacts

About this site