There’s a good chance that if you’ve added a new credit card to your wallet this year, you’ve noticed something a little different. Many of them are now equipped with chip technology known as EMV. As the threat of data breaches intensifies, card issuers have been slowly rolling out these chip-enabled cards to customers because they — along with retailers and cybersecurity experts — believe the technology is far more secure than the magnetic stripe cards that Americans have been swiping for decades.
This technology has been in place in Europe for years, and so the conventional wisdom has been that American consumers will enjoy the same fraud protection as their overseas counterparts as soon as the shift to EMV is complete. But in many cases, that’s not quite true.
In Europe, merchants and banks rely on a system known as “chip and PIN.” The chip provides one measure of security by producing unique codes for each transaction that make it tough for fraudsters to counterfeit your card. Then, shoppers are required to input a PIN number for each transaction, providing an added layer of security.
But in the United States, many of the EMV-enabled cards that are showing up in your mailbox are “chip and signature” cards, meaning the second layer of security is simply the purchaser signing on the dotted line. And that’s where some experts say the problem lies.
“We all know that nobody verifies signatures,” said Martin Ferenczi, president of Oberthur Technologies, a company that manufactures EMV cards for card issuers.
So while everyone agrees that your new chip card is much more secure than what you had before, it still may not be the safest system possible.
Stephanie Ericksen, vice president of risk products at Visa, said the majority of card issuers — which include banks and retailers with private label cards — are opting to keep the same verification steps customers are used to. That means debit cards with EMV chips will require PINs, but credit cards will require only signatures.
“That’s primarily to keep the consumer experience as consistent as possible,” Ericksen said.
Chip cards will require slightly different action at the checkout counter than a magnetic strip card. Instead of swiping your card, you’ll insert it into a slot and leave it in place for a moment, like you do at an ATM. If you add on top of that the new step of using a PIN for credit card transactions, experts say, issuers might be worried about frustrating consumers with too many new steps.
“I think it’s a genuine concern over changing too much at the point of sale too quickly,” said Nicole Skogg, chief executive of Spyderlynk, a firm that aids banks with cybersecurity.
Another factor could be that card issuers are scrambling to update their cards by October, when a crucial liability shift goes into effect. Ferenczi said that for many financial card issuers, it could be a heavy lift to update their back-end technology systems to accommodate accepting a PIN.
“In many countries around the world, as they moved to EMV, they started with chip and signature and evolved to chip and PIN,” Ferenczi said. “So it’s a complex transition time.”
The use of chip and signature instead of chip and PIN is frustrating retailers and other merchants. Mallory Duncan, a senior vice president at the National Retail Federation, said merchants are poised to spend more than $30 billion to upgrade their cash registers to accept chip and PIN cards.
But for retailers, the PIN component of the system has a particular value. They could be on the hook to cover fraud costs if they have failed to verify that the person making a purchase in their store is the same as the one named on the card. They would typically not have to reimburse for the kinds of fraud that the chip helps with.
“It means that the merchants will be spending billions of dollars and see they get very little benefit from this investment,” Duncan said.
American Express says on its Web site that it is using chip and signature but not chip and PIN cards in the United States at this time. MasterCard and Visa are each creating cards that can accommodate either a chip-and-PIN or chip-and-signature set-up; each company says it will be up to the banks that issue the card to decide which configuration is used.
Ultimately, the chip-and-PIN vs. chip-and-signature conundrum may be relatively short-lived.
“The long-term thinking, really, is that we need to get rid of any technology that depends on static numbers,” said Doug Johnson, the American Bankers Association’s senior vice president of payments and cybersecurity policy.
With the arrival of new payment technologies such as Apple Pay, which use biometrics, more verification options are on the horizon.
“The really important part is that no one get anchored to that there is a [single] cardholder verification method,” said Carolyn Balfany, a senior vice president at MasterCard.