NEW YORK (MainStreet) – The new, high-tech generation of credit cards calls for a contactless dip motion rather than a swipe of the plastic. That's because a small, metallic computer chip carries a unique transaction code that cannot be duplicated and can communicate with a register reader without touching it. This process may take a few minutes longer, holding you up in line for that morning Starbucks coffee, but at least you won't have to worry about credit card fraud. Right?
Not so fast. The threat of data skimming actually remains a significant one even for these advanced cards, because the method used by Europay, MasterCard, Visa (EMV) terminals to read the chip data is still similar to the method used for magnetic stripe cards, said Eran Kahana, a technology and intellectual property attorney in Greater Minneapolis-St. Paul Area.
"Thinking that EMV cards are tamper-proof helps create a false sense of security," Kahana said. "EMV cards offer no extra protection for web-based purchasing, which means users and merchants must remain vigilant as if they were using traditional magnetic stripe cards."
Josh Pauli, associate professor of cyber security at Dakota State University, agrees.
"The technology doesn't help with data breaches at all -- those will still happen," he said." But what it does provide is a much more robust solution to credit cards being re-created after being stolen."
The false sense of security is exacerbated in web-based purchasing.
Since 2011, consumers who have been issued a new bank card are receiving one with an EMV chip, but it turns out the infrastructure for ATMs and point-of-sale card readers has not kept apace: the United States deployed 101 million EMV cards, but only 7.3% of retail locations can support this technology. ATM providers are not being forced to migrate to the EMV wave, but the fact that stolen information from ATMs is the highest in decades as well as the existence of stringent liability rules for ATM providers, means a strong incentive to do so.
Change, though, is glacial.
The United States is one the last major markets to use the magnetic-stripe card system.
Kahana says late adoption is largely attributed to three factors: "A high expense associated with the production of EMV cards, the deployment costs of compatible point of sale terminals and the card brands have only recently began pushing to have it in place by October 2015."
So far, issuers of EMV cards include American Express, Bank of America, Barclays, Chase, Citi, Wells Fargo and USAA.
According to EMVCo, an EMV-promoting outfit formed in February 1999 and managed by six member organizations (American Express, Discover, JCB, MasterCard, UnionPay, and Visa), the percentage of EMV card-present transactions in the U.S. went from 0.03% (July 2013- June 2014) to 0.12 % (January 2014-December 2014). That's a tiny percentage increase considering the fact that foreign competitors in Western Europe, where almost 100% of terminals are EMV-equipped.
EMV chips have become the standard in most parts of Western Europe like the U.K., Germany, Spain, France, and Italy. Residents in the region hold 794 million EMV credit cards, according to EMVCo reporting on 2013 data.
How much did total card fraud decline in other parts of the world? EMV cards dropped counterfeit and lost or stolen card fraud by 47% in the U.K., 30% in Canada, and 15% in Australia. However, total card-not-present-transactions -- where the cardholder cannot physically present the bank card for a merchant's visual examination, including telephone and internet transactions -- increased in various countries such as 25% uptick in France since 2003 and a 39% boost in Australia since 2006. EMV cards do not protect consumers in these instances.
The risks involved with EMV cards in the U.S. center on the difference between chip-and-PIN cards compared to chip-and-signature signature ones, according to Robert Siciliano, personal security and identity theft expert speaker with TheBestCompanys.com. Whereas chip-and-PIN cards allow for a safe contactless transaction and transfer of encrypted data, a chip-and-signature card requires the consumer to sign his signature physically. The problem with chip-and-signature, Siciliano said, is that a signature can be forged and the card can be intercepted prior to transaction completion.
"Chip-and-PIN technology is better than chip-and-signature," he said." However, the chip-and-signature is taking a much stronger root in America than the PIN version. The signature version's most obvious drawback is that it's useless in all the other nations where PIN technology rules."
Siciliano says it will cost an arm and a leg to implement chip-and-PIN on a universal scale, and unfortunately, funds are already being diverted to switch over to the signature technology rather than the chip.
It will also cost more to convert the current magnetic stripe technology to signature, but the investment will not offset the cost due to the inherent weaknesses in signature-based technology.
"Consumers thinking that the 'chip' part of the signature version means great security, will be miffed once they realize how vulnerable signature actually is," he said.
Just last year on March 26, retailers lobbied the Senate for a more secure debit and credit card transaction system. Since all the information is right there on the card, fraud to some hackers is simple. Retailers have now been warned to be active about making the upgrade to EMV accepting terminals. October 1 will be the new deadline for retailers who have not done so.
The key component in the EMV switch is its additional liability terms for retailers who do not make the terminal switch by October 1, 2015. This means issuers and merchants using non-EMV compliant devices that accept transactions made with EMV cards are liable for all transactions found to be fraudulent. Being held liable for fraud, depending on its scale, can be a financial burden to companies.
Small businesses may be particularly vulnerable.
According to a recent study by the Association of Certified Fraud Examiners (ACFE), fraud losses continue to wound privately held organizations with 5% of all revenues lost annually.
Some 28.8% of all companies with less than 100 employee are victims of fraud with an average loss of $154,000, according to a 2014 Fraud and Forensic Services report. Of those victimized by fraud, 40% of all financial fraud is related to credit cards. Larger organizations tend to have hotlines and anti-fraud measures in place that detect fraud sooner, thus reducing the average fraud loss.
Since the majority of the breaches are most likely to occur at small businesses that don't have the resources to protect card information, Pauli advises consumers to be aware of whether merchants have an EMV friendly terminal.
"Even though you have an EMV card, the point-of-sale system may be a traditional swipe-and-PIN (debit) or swipe-and-sign (credit) system," he said. "Your EMV card will work regardless of the system in place at the small business, but it's important to realize what system you are using to complete your transaction."
Pauli says it will take some time to get every cardholder and merchant completely switched over to the new technology. He anticipates at least another six to nine months after October 1 deadline until consumers see a mass adoption of EMV cards."Until all the merchants are fully compliant, the new EMV cards will behave like a traditional swipe-and-pin or swipe-and-sign card that we're all used to," Pauli said.