According to a report released by Barclays in May, nearly half—47 percent—of hacked credit cards are on U.S. accounts, even though American cards make-up just 24 percent of those in use globally.
The reason, security experts say, is not because we’re more likely to send our credit card information to foreign princes who email us out of the blue with promises of riches, but because we rely on magnetic-stripe cards, which are very easy to hack. In contrast, Europe has transitioned over the past decade or so to a more secure system where cards are chip-encoded and a PIN is required for purchases instead of a signature. If you were recently issued a new card, there is a chance it has a chip.
The U.S. has been slow to adapt to the new chip-encoded cards but that is expected to change shortly. As of this October, liability for credit card fraud will switch from card issuers to merchants if they don’t update their payment terminals to read chip cards. However, the U.S. won’t be adopting the PIN system used in Europe, at least not initially.
The push toward a chip-based system is a step in the right direction and overdue, says Connecticut Attorney General George Jepsen. “The magnetic stripe is extremely easy to read and get all the information that’s necessary for a scam artist to use the card,” he says.
John Weeks (right), senior vice president and director of payments and lending products at Webster Bank, a Waterbury-based chain of banks, agrees. “A magnetic stripe contains the same information for every single transaction,” Weeks says, which means if a hacker gets that information one time, they can create a counterfeit card with relative ease. “A chip is dynamic it can change its algorithm for every transaction. Each time it’s used there’s a different algorithm that’s associated specifically to that customer’s card, so it’s very difficult to counterfeit a chip.”
It takes a little longer for a chip card to be read than it does for a magnetic stripe card to be swiped and approved, but the extra time a transaction takes is well-worth it, given the security benefits.
“I think everybody’s in agreement that [the chip system] has significantly cut down by a very large number the amount of credit card fraud,” says Matthew Fitzsimmons, an assistant attorney general and head of that office’s Privacy and Data Protection Department.
Weeks says, in Europe “98 percent of the transactions are called ‘chip on chip,’ meaning the chip was read in a chip-related merchant terminal.” He adds, in Canada the number is closer to 60-65 percent, while in the U.S. it is around 18-20 percent. The goal in the industry in the U.S. is to boost that number significantly by the year’s end. “They hope by October to see around 30-35 percent and roughly 40 percent by the end of 2015,” says Weeks.
Though significant, the move to cards with chips should not have much of an impact on consumers. “From a consumer standpoint, the experience shouldn’t really change at all,” Jepsen says. “The burden is going to be more on the individual retailers and the choices they have to make. The machines are not very expensive. I remember $150 being a number that was quoted to me, so it’s not that big an investment for a retailer, though that’s easy for me to say.
Richard Holton of Enterprise Computer, which has storefronts in Clinton and Branford, says many restaurants are confused by the deadline. Holton’s company operates throughout Connecticut; one of its specialties is working with restaurants to install and update point-of-sale systems.
“Restaurants are being clobbered with phone calls from all kinds of credit card merchants that want to sell them machines to handle it [credit cards with chips],” he says. He adds, not all these “merchants” are selling devices that are actually helpful. “There’s a lot of scams going on right now, people are just calling up and using the mass hysteria to get people to act on it.”
Holton is advising his customers prepare without hitting the panic button. “I tell all the restaurant people that I know, ‘Don’t be afraid of it because it’s not something to be afraid of, but it’s not something you can ignore either because it’s not going away.’”
He also warns that just updating to a system that can read chip cards is not everything restaurants have to do to achieve what’s known as Payment Card Industry (PCI) compliance. Many restaurants with older operating systems can’t download the latest security upgrades, which automatically results in non-compliance, he explains. Oftentimes credit card companies will charge vendors a monthly PCI-compliance insurance fee unless they can prove that a system is PCI compliant. Holton’s company provides free PCI-complaint audits and will then work with restaurants to address any issues.
As far as consumers are concerned, those who don’t have a card with a chip can request a new chip card, but don’t need to, experts say, as they won’t be held liable if their card is hacked. However, for those traveling in Europe hoping to use their card, requesting a chip card is a good idea. Weeks says card issuers state you are not supposed to be denied a purchase because you don’t have a chip card but in reality, in Europe, “Folks flat out won’t accept it if it doesn’t have a chip.”
Chip cards are a positive first step to improve consumer security.
“This isn’t the end all be all of credit card or debit card fraud by any means, but it is a way to significantly decrease counterfeit fraud,” Weeks says. He adds, the cards will do little for card-not-present fraud, which results from an online or phone purchase based on the credit card number itself and the physical card is not scanned. “That’s where all of us continue to have a gap for extra layers of security,” he says.
The U.S. will not be immediately adapting the PIN system used in Europe in addition to the chip, but, Jepsen says he would ultimately like to see that in Connecticut because like the chip, it increases protection. “The shift to the chip is a new standard that is being set by the industry,” he says. “It’s taken longer than it should have but it’s something the industry moved forward on collectively. The reality is it will take a similar industry move to move to a PIN requirement. I think in a year or so we’ll know how effectively chip alone is working.”
Chip-Encoded Credit Cards Are Coming to Connecticut; Is Anyone Ready?
Originally posted on: connecticutmag.com, By Erik Ofgang