Isn’t it wonderful? Now that October is behind us, all our credit card security problems have been solved! But wait — why did I get a call from one of my credit card companies informing me that my account had been compromised? How can that be?
In October, the U.S. went through the “Payment Networks’ Liability Shift,” the first significant milestone toward full rollout of Europay MasterCard Visa (EMV) chip technology here. So what has actually changed?
EMV is chip-based technology that is being deployed on credit and debit cards to replace the long-antiquated magnetic stripe system. It’s already been deployed throughout most of the world, but the U.S. has been slow to implement it. One of the long-term goals of EMV is to enhance the security of credit card transactions. For example, it significantly increases the cost (to attackers) of cloning a credit card account. It is supposed to keep a consumer’s account number more private, so that an adversary can’t easily steal one’s account number and make fraudulent transactions.
The Payment Networks’ Liability Shift was a big step, but largely symbolic, at least from the perspective of us consumers. Before the shift, merchants charging an account were not financially liable for account compromises. Instead, it was the credit card issuers’ liability. Now, however, merchants that have not complied with the milestone by deploying EMV-compatible payment terminals will be responsible for fraudulent transactions on their equipment. This, of course, places a potential financial burden on merchants, and the belief is that they’ll comply rather than risk the loss.
But even if they do comply, not everything is unicorns and rainbows, at least not yet. Why not? Well, if you happen to have an EMV card in your wallet, take a look at it. Do you see your account number on it? Of course you do. Do you see a magnetic stripe on the back? Of course you do. Well, then, how on earth can we protect account information if we’re going to stick it right there on the card? Good question. The short answer is that we will — eventually. But we’re in a transitional stage of things now, and so credit cards will remain a hybrid of magstripe and EMV for a while.
The reason for the slow transition on the card end is that merchants are also transitioning slowly. Despite the incentive to make the change, an awful lot of merchants haven’t made the move. In my unscientific observations, I’d estimate that, at best, 50% of the merchants I have patronized have gone EMV. And being very interested in the technology, when I see an EMV terminal at a merchant, I always try it out. More than half of the payment terminals I experimented on actually functioned with an EMV-based card, even if the hardware had the EMV slot in place.
Sign up for CIO Asia eNewsletters.