Banks claim the chip cards will offer stronger security for consumers, using an embedded microchip that cannot be replicated, making it more difficult for hackers to use stolen card numbers to produce fraudulent credit cards. On the retail side, stores, restaurants and other service providers will roll out new payment terminals designed specifically for the new chip cards.
But there is some conflict between financial institutions and advocacy and trade groups about whether the new cards will be "ready to go" by an industry mandated October 1, 2015 deadline. The most recent numbers indicate that only 18% of Visa's 720 million debit and credit cards in the U.S. as of July contain a new embedded chip that will be ready for the October 1 shift.
In fact, Randy Vanderhook, executive director of the Smart Card Alliance, an Arlington, Va.-based trade group that is pro chip-card, says that that banks, credit unions and the card networks are nowhere close to replacing the more than 1.2 billion cards Americans carry in their wallets. "Issuers have largely gotten the cards into consumer's hands, but merchants have not activated terminals or completed migration for chip," notes Vanderhook.
Other industry advocates generally agree, noting the strength of card security being touted by banks and card companies just isn't up to snuff, at least not yet. "Retailers are making a multi-billion dollar investment to protect customers and reduce credit card fraud," says Brian Dodge, executive vice president of the Retail Industry Leaders Association. "Unfortunately, retailers are only one-half of the equation, and at present, banks and credit unions are not meeting the retail investment with the same commitment to consumer protection."
Dodge says banks may be pulling a fast one by noting that chip-based payment card technology is safer than older, point of sale cards (studies show that is the case), but cards could even be safer with a chip-and-PIN technology, much like exists in the U.K. and some parts of Europe right now, where the combined technology has reduced fraud by 67%.
Chip-and-pin technology, says Dodge, adds an extra layer of security, and makes it even more difficult - if not impossible - for cybercriminals to replicate counterfeit cards. "Chip-and-PIN has been proven to combat fraud dramatically," added Dodge. "But that's not what American consumers are getting, and thus far, banks have gone to great lengths to blur the lines between the two distinctly different transactions."
Banks, however, say chip-only cards should be enough to do the job, protection-wise, and that they'll be ready to protect consumers with more secure cards by October 1.
So who's right and who's wrong? On the topic of how many actual U.S. consumers have the new chip cards, industry trade groups get the nod. "We found that 62% of U.S. consumers still don't have a chip card from their bank or card issuer," says Ike Jablon, a spokesperson for SoftwareAdvice, which is tracking the rollout. "Retailers are even worse off, since 78% of small business merchants aren't yet EMV compliant."
As for card security, experts seem to side with banks that the cards are safe in face-to-face transactions, but there are some caveats.
"EMV (Europe, Mastercard, Visa) cards are more secure than regular cards," says Sushil DaSilva, co-founder of Hiighline Software, a technology firm that provides point-of-sale systems to retailers. "Unlike regular credit cards, EMV cards have a chip with a computer in the card. Whereas the data on a magnetic card is easy to copy and clone, a chip card generates a unique code for each transaction -- a code that can only have been produced by your card. The card issuer uses this code to verify that the card isn't a copy."
Others agree but point out some discomforting limits on chip card protection. "Without doubt, payment data in retail and point of sale environments are better protected with chip cards -- card holders have much greater security at the point of sale with their own card data," says David Schoenberger, chief innovation officer of CertainSafe, a Colorado Springs, Colo.-based software security services firm. "It will be much more difficult for thieves to steal card data at the point of swipe."
Unfortunately, this doesn't help one bit with the e-commerce shopping cart experience, or even a recurring payment model, Schoenberger says. "While much attention has been given to retail and point of sale, many of the largest payment breaches are from stored card values sitting in a database," he says. "Even with the current tokenization techniques provided by the payment processor, thieves are still able to take these stolen data pieces and reassemble card values to make fraudulent transactions. This is happening often, even with security compliant cards."
For consumers, the new chip cards should be helpful, at least in part, in protecting their personal financial data.
"EMV cards aren't perfect, and they do have issues," says John Nesler, a web developer and SEO specialist for Creative California, an online marketing firm based in Sacramento, and a frequent global traveler who uses chip cards. "But in the last few years, there haven't been any major data breaches involving chips, while in the meantime customer data breaches involving stealth card readers, security hacks, and so on, have become ubiquitous."
If someone promises that EMV cards will be perfect and 100% effective against preventing theft, that's over-promising, Nesler states. "However, they are a vast improvement over the incredibly dated technology that we have been using," he says. "When you research EMV chips and how they work, and concerns how security weaknesses, a lot of the issues were dealt with years ago, and won't be an issue with the modern versions rolling out in the U.S."
"Even though people are going to be concerned by dealing with an unfamiliar technology, the recent problems should make it clear that anything is an improvement over our current system, thus it's a step in the right direction," he adds. "Just don't expect perfection."