Target may have lost our data, but it gave us some new vocabulary words: “EMV card,” or, perhaps, “smart-chip card.”
In urgent conversations around dinner tables and in the halls of Congress, two points have gained almost universal acceptance:
No. 1: Collectively, merchants, banks and the payment networks must do more to safeguard our identities.
No. 2: Chip-embedded cards, widely used nearly everywhere outside the U.S., are the quickest way to do that.
But wait, there’s a crucial No. 3: EMV is only a partial answer, designed to protect banks much more than us consumers.
“What EMV does is it authenticates the card,” said Philip Andreae, who helped create the standard in the early ’90s while working in Europe. Andreae now is a director of marketing for French card-maker Oberthur, which sells the technology to American banks and credit unions. He lives in Atlanta.
In short, he said, it tells the merchant, the payment network and the issuing bank that “the rightful person is holding the card.”
That’s good for all concerned. If someone is standing at the checkout counter using your card, you would certainly rather that it be you.
But you’re not the one who’s going to actually take the loss if it’s some crook who’s stolen your card or counterfeited it. Today, the merchant and the bank are the losers. And although fraud is at historic lows (only 6 cents of every $100 spent, about half what it was 20 years ago) the losses still come to more than $11 billion a year worldwide.
Chip cards make it harder, if not impossible, for criminals to create bogus cards by placing your personal information, which they’ve stolen, on a piece of plastic. So EMV definitely cuts down on fraud that takes place at brick-and-mortar stores.
It does nothing to actually protect your personal information. Even though you might have to enter a four-digit PIN to complete a transaction, that 16-digit code embossed on the front of your card will still pass through merchants’ systems just as it does today.
“Chip cards don’t protect your data any better,” said Rick Dakin, the chief executive, co-founder and chief security strategist of cyber-security auditor Coalfire Systems.
Crooks will still be able to exploit merchants that don’t safeguard their payment terminals or that store some of your information in their systems. Once the thieves have got your name, card number and address, they’ll still be able to buy stuff online.
The standard is called EMV for its founders: Europay, MasterCard and Visa.
Eighty countries already are in some stage of moving toward it and away from the “mag stripe” cards Americans use today. Some of them have already seen fraud shift from the counter to the Internet.
A majority of cards in those countries contain both a magnetic stripe and a chip, but in-store terminals are programmed to alert employees that they should be used as chip cards, said David Abouchar, the senior director of corporate development at payments security and compliance company ControlScan. That should foil thieves with counterfeit cards bearing only a stripe.
When chip cards hit the mainstream in the U.S., that will be the case here as well.
Visa and MasterCard are pushing it hard. They’ve said that all merchants except gasoline retailers who do not have the equipment to accept EMV cards by October 2015 will become liable for any fraudulent chip card transactions made on their terminals.
Bank of America, Wells Fargo and other card issuers already offer EMV to customers who frequently travel overseas.
There are two flavors: chip-and-PIN and chip-and-signature. The biggest change you’ll probably notice is that you’ll plug your card into a slot in the terminal rather than swiping it.
But behind the scenes there’s a world of difference. Unlike mag stripe cards, which transmit your personal identifying information in plain text, EMV cards generate a special, one-time signature that the terminal authenticates.
The beauty is that the signature is different every time, in a precise way that the authenticating computer is primed to expect. A thief could steal that electronic signature, but it would be useless for making future purchases.
You might think of it this way: Your friends recognize you from day to day although some details change, such as your hair or clothes. If you looked absolutely identical every time they saw you, they would find it suspicious.
In that regard, EMV does represent a big improvement over our current authentication process. Today’s system relies on analytics: comparing what you’re attempting to buy today with what you’ve bought and where you’ve shopped in the past.