Banks in the United States are undergoing a major transformation in credit card technology, a process similar to the one Europe successfully completed several years ago. Despite the technological advances in mobile payment that have already rendered plastic cards obsolete, the financial industry wants to replace every magnetic stripe credit card in every wallet.
When I received a business credit card in the mail last week, in an envelope anyone paying attention would recognize as a new credit card delivery, it featured a new security measure: a chip. The embedded computer chip stores information, like the magnetic strike, that ties the card to my identity and my bank account (and in this case, my business credit card account).
Credit card issuers are going through the process of replacing magnetic stripe credit cards with embedded chip cards because they are supposedly less prone to fraud. For instance, there’s a chance that using a chipped credit card would have prevented a different credit card number of mine from being stolen a few weeks ago and used in places which I had never visited.
But are these cards really less prone to fraud? No. Is the banking industry wasting millions of dollars replacing credit cards before they expire? Yes. Is the banking industry using this as a way to earn more money from retailers? Yes. Will the credit card issuers raise consumers’ fees to cover the increased cost of producing and distributing these cards? Probably.
Here’s why these chip-embedded credit cards are a waste of time, money, and effort for the industry and offer no more protection for the consumer.
1. The new cards still contain a magnetic stripe. If the magnetic stripe makes it easy for cards to be duplicated, the only way to eliminate that vulnerability is to eliminate the stripe! But without the magnetic stripe, billions of card readers currently in use by merchants would be rendered useless.
The banking industry wants retailers to “upgrade” all card readers to those that read chips at a significant cost to the retailers. But stripe readers will still be around for a while.
2. The new cards don’t require a PIN. In Europe, chip-and-PIN cards have a better chance of reducing fraud, because they can only be used with knowledge of a secret code. Because PIN transactions in the United States are less profitable for credit card issuers than signature transactions, issuers will stick with the more profitable signature requirement.
A PIN involves a second layer of protection, while a signature provides no protection at all. Signatures aren’t checked when credit card transactions are processed.
3. The credit card numbers are still stored digitally. Regardless of the card type — chip or magnetic stripe — all credit card numbers in the United States are fifteen or sixteen digits long with a simple algorithm to determine which numbers are valid and which are invalid. These numbers are stored in a database or a computer’s memory the same way.
If a hacker is able to access a database of credit card numbers, those customers are vulnerable regardless of the type of credit card they own.
4. Chip duplicators already exist. These devices may be more expensive than credit card duplicators with magnetic stripe technology, but they’ve been in use in Europe for as long as chip-and-PIN credit cards have been around. If a hacker does retrieve your credit card number from a database, he or she can print a credit card with a chip that duplicates that card for in-person use.
5. Fraud is moving online. Even with a chip, when you want to use your credit card for a transaction over the internet, you’ll still need to type your card number into a website. Companies that do not protect those databases (or for some reason accept credit card information over an unencrypted connection) will allow your credit card number to be exposed regardless of whether the physical credit card has a magnetic stripe or a chip.
Perhaps the chip-embedded credit card is a small piece of overall “security theater.” Consumers will feel more protected because their plastic contains something new and novel, but there’s no real improvement for the avoidance of fraud. In fact, by feeling more confident about using plastic, some consumers may feel emboldened to use the credit card in a situation where they might not be safe.
The production and distribution of credit cards with the chip seems to be nothing but a bridge between today’s current method for payments and newer card-less technology that is all ready becoming more widespread. Mobile payments like Apple Pay represent the future, and plastic with or without a chip is getting in the way. The obstacle here is that the banking industry controls the plastic, and outside companies control mobile payment schemes.
To eliminate fraud in the payments industry or to reduce it by a significant amount, the industry must eliminate static credit card numbers. Some banks all ready offer software that will address this issue for online purchases. Consumers can click a button to receive a single-use credit card number that they can use for a transaction of a certain amount, and after that transaction is processed, the credit card number will no longer be valid.
Other technology replaces credit card numbers or accompanies the numbers with a token — another code, but secure and unknown to the purchaser and the retailer — which must be verified through a separate system to confirm the transaction is valid. This token is unique for every transaction.
The unique identifier, whether a separate credit card number for each transaction or a token, is the only way to significantly reduce credit card fraud. Until these are required for every transaction and the magnetic stripe is eliminated, fraud problems will continue to grow.
The chip-embedded card is no solution. When Europe switched to a chip-and-PIN credit card, which in theory should be safer than a card with a chip that doesn’t require a PIN like these in the process of being released in the United States, fraud increased.
This is not a solution. This is a way for banks to force retailers to buy expensive equipment. The financial industry wants to shift the burden of fraud to the retailers. Today, banks pay for unauthorized use of a stolen credit card or credit card number. The companies are now telling retailers that if they don’t upgrade their devices to handle chip-embedded credit cards, those retailers will be responsible for paying for fraudulent transactions — even though the chip does little to prevent fraud.
In addition, retailers pay higher fees per transaction for processing chip-embedded cards, just like they pay higher fees for processing cash back rewards cards and other premium credit cards over basic credit cards and debit cards with PINs.
Well, there’s always cash. Until you want to buy something online, anyway.
Updated July 17, 2015 and originally published March 27, 2015.
{ 7 comments… read them below or add one }
The single-use card technology sounds interesting. Otherwise, I agree with you that we’re paying (inadvertently) for the illusion of security.
Sort of like the TSA, huh? I was surprised to find recently that I was cleared to walk through the “pre-check” line, e.g., I didn’t have to take off my shoes. The TSA couldn’t really know if I were some crazed shoe bomber biding my time, or a recently radicalized convert. Those kinds of people are clearly ALL in the other line.
There is one thing that can be done with a chip card that would improve security. The chips can be embedded with software that produce a one-time use card number every time you use the card. I’ve not hear of any company using the technology for credit cards. I have seen the technology used in security industries so i know it is out there.
I see this not as a move to push liability to the retailer. I see it as a step in pushing liability to the customer. Imagine chip&pin cards are out. The retail has the system for chip&pin and the system for chip w/o pin. They give you the option to checkout quick and you take it (using chip w/o pin). Credit card liability falls to the party that utilizes the least secure technology. Because you opted for the less secure (and faster checkout) you are now the party utilizing the least secure part of the process. You are now the liable party.
There is a move to use a unique cost per transaction, which is called a token. Tokenization is the big jump forward in security with smart phone based payments.
The chips actually do exactly what you are suggesting to some extent. In the past you could easily skim a card number and create a new mag stripe card or just use the card number with a CVV for fraud. With a chip for in-person transactions you need the physical card for fraud, not just the number.
Though I’m pretty sure Canada has been using these exclusively for a few years now, there’ a whole other ball of wax which concerns me. Everyone got their new chip credit cards–great. Then a year later they come out with “tap-and-go”. Most retailers are using this now. You don’t have to enter a PIN, sign, or do anything else–just tap your card and you’ve paid. Why in the name of hell put all these security things on a card if somebody can just walk around town tapping your card everywhere? The official line is, “Well, there are $25 or $50 limits per purchase on tap-and-go. And the transaction itself is more secure.” That’s not what I’ve heard–I’ve heard that thieves can make a whole lot of $25 taps using your stolen card before it gets cancelled. I cannot for the life of me understand even having a PIN number on your card if you’re going to allow tap-and-go.
Great Article! Anything we can do to keep credit card fraud contained should be fully pursued and backed by the U.S Gov. The cost to the consumer continues to rise and it has an affect on small business owners. Fraud also causes Insurance rates to climb which ultimately hurts everyone.
Very important information here. I’d heard a little about chip credit cards, but I wasn’t sure what it fully entailed. I definitely agree in that these don’t seem to be a smart move on anyone’s part and probably just make the card SEEM more secure. I wouldn’t mind switching to a chip-and-PIN system, but just a chip? No thank you!
I agree with the author, all this stuff sounds great and will make customers feel safer but I don’t see any great moves that actually means customers really are safer. When using your card you are very reliant on the security measures a retailer has in place and we all know they can be lacking.