The new, high-tech generation of EMV cards -- which take their name from Europay/MasterCard/Visa -- contain an embedded microchip that is authenticated using a personal identification number or a signature. A reader detects the chip and asks the card user for a PIN that matches the one found on the chip or, in a less secure scenario, a signature. Since there isn't a magnetic stripe with all a user's data embedded involved in the transaction, there's a far lesser chance of a chip-and-PIN user's data being stolen.
The key component in the EMV switch is its additional liability terms for retailers who have not make the terminal switch by October 1. Back in 2011, Visa, MasterCard, Discover, American Express and their banking partners agreed on a October 1, 2015, "liability shift" that, for the first time, would make merchants liable for any fraudulent charges that result from using point-of-service readers that can't read chip-enabled cards. Despite the new, dire stakes for retailers and continued liability for card issuers who can't get chip cards to their customers in time, nobody's been treating that October 1 date like a deadline.
But there's a lot of confusion about the new card and the new protections the individual consumer will be afforded.
Here we've rounded up the best of our MainStreet EMV coverage to provide you with the answers to your most burning questions?
How prepared are we?
According to the Payments Security Task Force -- an industry group formed in 2014 to push new payment technology, with members including American Express, Bank of America, Capital One, Chase, Citi, Discover, First Data, MasterCard, US Bank (Elavon), Visa and Wells Fargo -- 63% of credit and debit cards will be chip-enabled by the end of 2015, while 47% of all merchant terminals will be able to read those cards (as a point of reference, the EMV adoption rate for merchant terminals in the U.S. at the end of 2014 was 7.3%).
Is the liability shift just retail stores or anywhere I use a card?
The liability shift for fuel pumps and ATMs to accept chip-enabled cards isn't until October 2017, largely because of the expense and difficulty involved with upgrading that equipment.
Dick Mitchell, solutions director at Randstad Technologies, notes that magnetic stripes will endure in a widespread fashion until gas stations are forced to convert to EMV card readers in October 2017.The cards in the U.S. are chip-and-signature, not chip-and-PIN
The risks involved with EMV cards in the U.S. center on the difference between chip-and-PIN cards compared to chip-and-signature signature ones, according to Robert Siciliano, personal security and identity theft expert speaker with TheBestCompanys.com. Whereas chip-and-PIN cards allow for a safe contactless transaction and transfer of encrypted data, a chip-and-signature card requires the consumer to sign his signature physically. The problem with chip-and-signature, Siciliano said, is that a signature can be forged and the card can be intercepted prior to transaction completion.
"Chip-and-PIN technology is better than chip-and-signature," he said." However, the chip-and-signature is taking a much stronger root in America than the PIN version. The signature version's most obvious drawback is that it's useless in all the other nations where PIN technology rules."
Siciliano says it will cost an arm and a leg to implement chip-and-PIN on a universal scale, and unfortunately, funds are already being diverted to switch over to the signature technology rather than the chip.
The chip-enabled payment technology in the U.S. still won't resemble the global technology that inspired it. Used in Europe since the early 1990s, EMV cards contain an embedded microchip that is authenticated using a personal identification number. A reader detects the chip and asks the card user for a PIN that matches the one found on the chip. However, the U.S. version of this technology has been chip-and-signature, which foregoes a pin for a cardholder's signature or abandons authentication altogether for transactions below a certain amount.
Matt Schulz, senior credit card industry analyst for CreditCards.com, notes that chip and signature is still a major step forward for credit card security in the U.S. However, he is disappointed that issuers are stopping there.
"Simply put, chip-and-PIN cards are more secure, because it's easier to forge someone's signature than to know their PIN," he says. "And I do understand banks' reluctance to add another layer of change into transition by adding a PIN, but the truth is that Americans are already accustomed to using PINs. Everyone already uses them with their debit card, so adding them on to a credit card purchase wouldn't exactly be taking people into uncharted waters."
The threat of data skimming actually remains a significant one even for these advanced cards, because the method used by EMV terminals to read the chip data is still similar to the method used for magnetic stripe cards, Eran Kahana, a technology and intellectual property attorney in Greater Minneapolis-St. Paul Area, told MainStreet.
"Thinking that EMV cards are tamper-proof helps create a false sense of security," Kahana said. "EMV cards offer no extra protection for web-based purchasing, which means users and merchants must remain vigilant as if they were using traditional magnetic stripe cards."
EMV cards offer no further protection for online purchases. EMV cards dropped counterfeit and lost or stolen card fraud by 47% in the U.K., 30% in Canada, and 15% in Australia. However, total card-not-present-transactions -- where the cardholder cannot physically present the bank card for a merchant's visual examination, including telephone and internet transactions -- increased in various countries such as 25% uptick in France since 2003 and a 39% boost in Australia since 2006. EMV cards do not protect consumers in these instances.
But with new EMV readers just trickling into retailers, your chip-and-PIN card is reduced to chip-and-signature on a magnetic strip reader.
That makes cards every bit as vulnerable as they were when Home Depot's breach put 56 million credit card numbers and 53 million email addresses into jeopardy last year or when 70 million Target shoppers had their data stolen in 2013. However, those companies could afford quick upgrades. According to market research firm Javelin Strategy & Research, there are 15 million card readers, 360,000 ATMs and more than 1.1 million credit and debit cards that would have to be replaced at a cost of roughly $8.7 billion. That cost falls a lot heavier on small businesses, but it's still less expensive than the cost of another breach. Without chip-and-PIN card readers, however, everyone is still at risk when a card is accepted as a form of payment.
"The technology doesn't help with data breaches at all -- those will still happen," said Josh Pauli, associate professor of cyber security at Dakota State University."But what it does provide is a much more robust solution to credit cards being re-created after being stolen."
Small businesses may be particularly vulnerable
Small businesses are the most vulnerable and most ill-prepared. Some 28.8% of all companies with less than 100 employees are victims of fraud with an average loss of $154,000, according to a 2014 Fraud and Forensic Services report. Of those victimized by fraud, 40% of all financial fraud is related to credit cards. Larger organizations tend to have hotlines and anti-fraud measures in place that detect fraud sooner, thus reducing the average fraud loss.
Small-business website Manta, which hosts 2.5 million businesses, conducted a survey that found 28% of small business owners don't know what EMV technology is or how it impacts their business.
According to a recent study by the Association of Certified Fraud Examiners (ACFE), fraud losses continue to wound privately held organizations with 5% of all revenues lost annually.
Even though you have an EMV card, the point-of-sale system may be a traditional swipe-and-PIN (debit) or swipe-and-sign (credit) system. Your EMV card will work regardless of the system in place at the small business, but it's important to realize what system you are using to complete your transaction.
Sure, issuers and merchants will swap liability for data breaches, but the October 1 liability shift isn't doing all it could to prevent your data from being breached in the first place.
"While it's true that the average consumer doesn't want to hassle with entering a PIN, the bigger story here is that it's a proven fact that the less complicated the point of sale process is, the more consumers will spend," says Curtis Arnold, founder of CardRatings.com and BestPrepaidDebitCards.com. "So, it's a double-edged sword and chip and signature is seen a good compromise. Card issuers hope the chip and signature will get rid of most fraud, but many acknowledge that it's not as secure as chip and PIN."
Robert Harrow, credit card analyst at ValuePenguin, notesthat while consumers are still protected from fraudulent charges by the CARD Act of 2009, their personal data and ability to use their card is still at risk as long as banks continue to issue chip-and-signature cards with magnetic stripes rather than the more-secure chip-and-PIN EMV cards.