Major credit card companies, including Visa, MasterCard, Discover, and American Express, have announced plans to switch to EMV cards in the United States over the course of 2015. Nearly eighty other countries around the world have already made the switch to EMV credit cards (also known as “chip and pin” credit cards) from the magnetic strip variety. While the transition is happening gradually, it is happening. EMV cards will help prevent some types of fraud, but consumers should be aware that they will not put an end to all fraud.
EMV stands for Europay, MasterCard, and Visa, the originators of the cards. They got the name “chip and pin” because a computer chip is built into each card and a personal identification number (PIN) can be set up by the owner to use with the card.
The EMV cards are expected to decrease fraud because the computer chip inside each card creates a unique code for every transaction. The code is only good for one specific transaction and cannot be used again. The traditional magnetic cards store data in their strips, which can be copied and reused, allowing thieves to create counterfeit versions of the cards. With the EMV cards, it should be much more difficult for potential thieves to create counterfeit working copies.
It is widely agreed that the chip and pin technology will significantly deter some types of fraud, but security risk experts warn that the EMV cards come with their own vulnerabilities. According to Geoffery Blackburn, a Senior Risk Analyst at EBay Enterprise, EMV cards can be used without a PIN. This is called “chip and signature” payment, and it removes the extra layer of security provided by the PIN, meaning thieves do not have to steal as much information to use the card. The EMV cards can also be used in the same swipe-and-sign way that magnetic strip cards are currently used, making the EMV cards as vulnerable to attack as the magnetic cards.
An even more significant drawback, Blackburn asserts, is that the EMV cards will not increase protection for online transactions. Because the EMV cards will improve protection for physical transactions when both the chip and PIN technologies are applied, thieves could be led to focus their attacks on online transactions. This is precisely what happened in the United Kingdom; online credit card fraud rose by almost eighty percent within three years of the United Kingdom’s switch to the EMV cards.
When credit card fraud does occur after EMV cards are widely used in the United States, it will be necessary to determine who is liable. Several major credit card companies are pushing for a shift in the rules that would take effect on October 1, 2015. Cardholders’ liability would be as limited as it is now. Liability for credit card fraud among financial institutions and merchants would fall upon whichever party has the least advanced technology with respect to the new EMV credit cards. If the bank issuing the credit card does not provide chip and pin technology, but the merchant does, the liability will fall on the issuing bank. If the bank provides the technology, but the merchant is unable to support it, the liability will fall on the merchant. If neither or both has the technology, liability is unchanged from how it exists now and will hinge on whether the merchant complied with all rules and regulations.
Overall, consumers and merchants need to be aware that EMV cards will help deter fraud in stores, but the cards will not increase protections in online transactions. This could lead criminals to target online transactions more frequently. As a result, consumers and merchants must remain vigilant for fraud, even after the EMV cards are in place.