Banks in the United States are undergoing a major transformation in credit card technology, a process similar to the one Europe successfully completed several years ago. Despite the technological advances in mobile payment that have already rendered plastic cards obsolete, the financial industry wants to replace every magnetic stripe credit card in every wallet.
When I received a business credit card in the mail last week, in an envelope anyone paying attention would recognize as a new credit card delivery, it featured a new security measure: a chip. The embedded computer chip stores information, like the magnetic strike, that ties the card to my identity and my bank account (and in this case, my business credit card account).
Credit card issuers are going through the process of replacing magnetic stripe credit cards with embedded chip cards because they are supposedly less prone to fraud. For instance, there’s a chance that using a chipped credit card would have prevented a different credit card number of mine from being stolen a few weeks ago and used in places which I had never visited.
But are these cards really less prone to fraud? No. Is the banking industry wasting millions of dollars replacing credit cards before they expire? Yes. Is the banking industry using this as a way to earn more money from retailers? Yes. Will the credit card issuers raise consumers’ fees to cover the increased cost of producing and distributing these cards? Probably.
Here’s why these chip-embedded credit cards are a waste of time, money, and effort for the industry and offer no more protection for the consumer.
1. The new cards still contain a magnetic stripe. If the magnetic stripe makes it easy for cards to be duplicated, the only way to eliminate that vulnerability is to eliminate the stripe! But without the magnetic stripe, billions of card readers currently in use by merchants would be rendered useless.
The banking industry wants retailers to “upgrade” all card readers to those that read chips at a significant cost to the retailers. But stripe readers will still be around for a while.
2. The new cards don’t require a PIN. In Europe, chip-and-PIN cards have a better chance of reducing fraud, because they can only be used with knowledge of a secret code. Because PIN transactions in the United States are less profitable for credit card issuers than signature transactions, issuers will stick with the more profitable signature requirement.
A PIN involves a second layer of protection, while a signature provides no protection at all. Signatures aren’t checked when credit card transactions are processed.
3. The credit card numbers are still stored digitally. Regardless of the card type — chip or magnetic stripe — all credit card numbers in the United States are fifteen or sixteen digits long with a simple algorithm to determine which numbers are valid and which are invalid. These numbers are stored in a database or a computer’s memory the same way.
If a hacker is able to access a database of credit card numbers, those customers are vulnerable regardless of the type of credit card they own.
4. Chip duplicators already exist. These devices may be more expensive than credit card duplicators with magnetic stripe technology, but they’ve been in use in Europe for as long as chip-and-PIN credit cards have been around. If a hacker does retrieve your credit card number from a database, he or she can print a credit card with a chip that duplicates that card for in-person use.
5. Fraud is moving online. Even with a chip, when you want to use your credit card for a transaction over the internet, you’ll still need to type your card number into a website. Companies that do not protect those databases (or for some reason accept credit card information over an unencrypted connection) will allow your credit card number to be exposed regardless of whether the physical credit card has a magnetic stripe or a chip.
Perhaps the chip-embedded credit card is a small piece of overall “security theater.” Consumers will feel more protected because their plastic contains something new and novel, but there’s no real improvement for the avoidance of fraud. In fact, by feeling more confident about using plastic, some consumers may feel emboldened to use the credit card in a situation where they might not be safe.
The production and distribution of credit cards with the chip seems to be nothing but a bridge between today’s current method for payments and newer card-less technology that is all ready becoming more widespread. Mobile payments like Apple Pay represent the future, and plastic with or without a chip is getting in the way. The obstacle here is that the banking industry controls the plastic, and outside companies control mobile payment schemes.
To eliminate fraud in the payments industry or to reduce it by a significant amount, the industry must eliminate static credit card numbers. Some banks all ready offer software that will address this issue for online purchases. Consumers can click a button to receive a single-use credit card number that they can use for a transaction of a certain amount, and after that transaction is processed, the credit card number will no longer be valid.
Other technology replaces credit card numbers or accompanies the numbers with a token — another code, but secure and unknown to the purchaser and the retailer — which must be verified through a separate system to confirm the transaction is valid. This token is unique for every transaction.
The unique identifier, whether a separate credit card number for each transaction or a token, is the only way to significantly reduce credit card fraud. Until these are required for every transaction and the magnetic stripe is eliminated, fraud problems will continue to grow.
The chip-embedded card is no solution. When Europe switched to a chip-and-PIN credit card, which in theory should be safer than a card with a chip that doesn’t require a PIN like these in the process of being released in the United States, fraud increased.
This is not a solution. This is a way for banks to force retailers to buy expensive equipment. The financial industry wants to shift the burden of fraud to the retailers. Today, banks pay for unauthorized use of a stolen credit card or credit card number. The companies are now telling retailers that if they don’t upgrade their devices to handle chip-embedded credit cards, those retailers will be responsible for paying for fraudulent transactions — even though the chip does little to prevent fraud.
In addition, retailers pay higher fees per transaction for processing chip-embedded cards, just like they pay higher fees for processing cash back rewards cards and other premium credit cards over basic credit cards and debit cards with PINs.
Well, there’s always cash. Until you want to buy something online, anyway.