NEW YORK (MainStreet) -- Back-to-school shopping season is going to be some consumers' first test run for their chip-enabled credit cards and stores' new card readers. Shoppers and retailers alike are definitely about to get an education.
Back in 2011, Visa, MasterCard, Discover, American Express and their banking partners agreed on a October 1, 2015, “liability shift” that, for the first time, would make merchants liable for any fraudulent charges that result from using point-of-service readers that can't read chip-enabled cards. Despite the new, dire stakes for retailers and continued liability for card issuers who can't get chip cards to their customers in time, nobody's been treating that October 1 date like a deadline.
According to the Payments Security Task Force -- an industry group formed in 2014 to push new payment technology, with members including American Express, Bank of America, Capital One, Chase, Citi, Discover, First Data, MasterCard, US Bank (Elavon), Visa and Wells Fargo -- 63% of credit and debit cards will be chip-enabled by the end of 2015, while 47% of all merchant terminals will be able to read those cards. Many other countries have already implemented chip-enabled cards, with Visa seeing that chip-authenticated transactions abroad are approved 98% of the time, compared to little more more than 91% for transactions involving a card with a magnetic stripe.
“What we've seen from other countries such as Australia, Brazil and Canada -- which are three of the countries that have most recently moved to chip -- is that at the time of those countries' liability shift date, they were at about 45% of their transaction volume being chipped transactions,” says Stephanie Ericksen, vice president of risk products for Visa. “We are on pace with that, and it took those countries three or four years to get to 97%, so there was never an expectation that we'd be at 100% by October 1. That's kind of the incentive date to get the market moving.”
Ericksen notes that the liability shift for fuel pumps and ATMs to accept chip-enabled cards isn't until October 2017, largely because of the expense and difficulty involved with upgrading that equipment.
However, even when those upgrades happen, the chip-enabled payment technology in the U.S. still won't resemble the global technology that inspired it. Used in Europe since the early 1990s, EMV cards -- which take their name from Europay/MasterCard/Visa -- contain an embedded microchip that is authenticated using a personal identification number. A reader detects the chip and asks the card user for a PIN that matches the one found on the chip. However, the U.S. version of this technology has been chip-and-signature, which foregoes a pin for a cardholder's signature or abandons authentication altogether for transactions below a certain amount.
Matt Schulz, senior credit card industry analyst for CreditCards.com, notes that chip and signature is still a major step forward for credit card security in the U.S. However, he is disappointed that issuers are stopping there.
“Simply put, chip-and-PIN cards are more secure, because it’s easier to forge someone’s signature than to know their PIN,” he says. “And I do understand banks’ reluctance to add another layer of change into transition by adding a PIN, but the truth is that Americans are already accustomed to using PINs. Everyone already uses them with their debit card, so adding them on to a credit card purchase wouldn’t exactly be taking people into uncharted waters.”
Merchants haven't all embraced chip-and-signature as a permanent solution, either. Last week, the California Retailers Association, Latino Consumer Federation and California Grocers Association sent a letter to California Governor Jerry Brown urging him to adopt chip and PIN for all transactions that involve the state government.
“While chip-enabled cards are certainly a step in the right direction,” Bill Dombrowski, president and chief executive of the California Retailers Association explained, “they are merely a half-measure, since the cards continue to rely on signatures for verifying transactions – an outdated security measure that thieves can easily forge."
Credit card companies have taken somewhat divergent approaches to chip and PIN and chip and signature. Jon Kruass, as spokesman for Discover, notes that his company is now only issuing chip cards and hopes to make the U.S. part of a seamless global payment system. However, it's sticking with chip and signature during the early goings.
"Discover is currently evaluating the chip and PIN model for EMV, but for the initial migration, we will be using the chip and signature approach,” he says. “We will continue to explore every avenue to protect our cardmembers and merchants from fraud, while maintaining a seamless customer experience.”
American Express, meanwhile, notes that it has been in the chip and PIN card business for more than ten years and has supported that technology in the U.K., France, Spain, Germany, Australian, New Zealand, Canada and other countries where the infrastructure supports it. However, in the U.S., its newest consumer, small business and corporate cards all use chip-and-signature.
“In the U.S., there is still work that must be done and investments that need to be made across many industry stakeholder groups, including issuers, acquirers and merchants, to ensure the usability of chip and PIN for credit cards at the point of sale,” says American Express spokeswoman Molly Faust. “It’s also important to note that chip and pin will not prevent all types of fraud, including online fraud. We believe the most effective way to combat fraud is to deliver a multi-layered detection and prevention strategy.”
“We are committed to offering safe and secure payment solutions to our customers, and that really transcends cards and other devices,” Balfany says. “The migration to EMV is a big part of it and we often talk about chip as the platform to the next generation of payment, because it is the transition from magnetic stripe, which is flat and static, to the data set on the chip, which is dynamic.”
MasterCard, which has given roughly 30% of its cardholders chip-enabled cards, is also looking at a broader strategy. Carolyn Balfany, senior vice president of product delivery for MasterCard, notes that while some consumers may not be able to remember a PIN and some banks may not have the capability to let consumers choose a PIN of their own, a PIN is just one of the options available. Balfany points out Apple Pay's use of a smartphone holder's fingerprint to secure data and MasterCard's own experiments with facial recognition software (selfies for security, if you must) as other avenues under consideration as payments drift away from cards alone.
Visa's Ericksen points out that 60% of the transactions Visa handles already don't require a signature or PIN of any kind. Those are typically everyday purchases under $25, grocery purchases under $50 or -- in countries including Australia, Canada and the U.K. -- any contact-free payment from a mobile device of $100 or less. She also notes that fraud involving lost, stolen or skimmed PINs accounts for roughly 9% of all card fraud, while counterfeit fraud involving a card's magnetic stripe is roughly two thirds of all fraud Visa sees in the U.S. Though unattended payment points around the world, including train ticket terminals and bicycle rental kiosks, are being upgraded this year to accept both chip and PIN and chip and signature cards, it doesn't mean we've seen the last of the magnetic stripe.
“All Visa chip cards around the world also have magnetic stripes on them, so even in countries where chip is a prevalent form of payment, they still have a mag stripe on the back,” Ericksen says. “Even in countries that have been doing chip for 15 years or more, there's still the occasional small business merchant in a small town who hasn't upgraded their terminal. In order for the consumer to get the best and most accessible experience at home or when they travel to other countries where chip may not be as pervasive yet, the mag stripe is still on the card, so it can be accepted and the payment can go through.”
However, card issuers who rely on the magnetic stripe and merchants who haven't gotten around to upgrading their card readers are acting at their own risk. Issuers who don't replace current cards with chip-embedded versions -- which cost roughly four times as much to produce -- are still on the hook for fraudulent transactions. Meanwhile, while merchants don't have a deadline for equipment upgrades hanging over their heads, they'll be responsible for any fraudulent purchases made on readers that can't detect a chip. And those merchants that have a slot for a chip reader on their current terminal that just isn't activated right now? They're still liable for fraudulent charges.
“There are a lot of terminals across the U.S. with a chip slot that aren't using them, and that's easily explained: the terminal manufacturers, because the rest of the world migrated to EMV, began manufacturing what we call world terminals and, through normal upgrade cycles, if you got a new terminal two years ago, you were getting one with a chip slot,” Balfany says. “Now you weren't going to turn it on, because there was other software coding that needed to be done, but the hardware just became sort of de facto over time. It helped place the hardware in advance of the migration, but being there doesn't count: it has to be turned on.”
Ideally, all of these changes are supposed to make consumers' information safer and their lives easier. However, until the infrastructure is in place to accept more secure chip and PIN cards and mobile payments, everybody is going to default to whatever makes it easiest to make a purchase. Sure, issuers and merchants will swap liability for data breaches, but the October 1 liability shift isn't doing all it could to prevent your data from being breached in the first place.
“While it's true that the average consumer doesn't want to hassle with entering a PIN, the bigger story here is that it's a proven fact that the less complicated the point of sale process is, the more consumers will spend,” says. Curtis Arnold, founder of CardRatings.com and BestPrepaidDebitCards.com. “So, it's a double-edged sword and chip and signature is seen a good compromise. Card issuers hope the chip and signature will get rid of most fraud, but many acknowledge that it's not as secure as chip and PIN.”