A credit card with EMV (for Europay, MasterCard and Visa) chip security. Credit: Shutterstock
Last Thursday was the deadline. Finally, the United States is switching from the old-fashioned swiping method for credit card transactions to the more secure chip-based system scheme dubbed EMV (for Europay, MasterCard, and Visa, which together originated the technology).
The chip is harder to counterfeit, and unlike magnetic stripes, it can't be easily read and duplicated, which is what credit-card counterfeiters have long done. In other countries, the chip is coupled with a PIN, so if someone steals the card, they can't use it unless they also know your PIN -- a form of second-factor authentication U.S. debit cards have long used, but not U.S. credit cards. However, U.S. banks are not requiring the use of PINs with chip cards; the old-fashioned, security-irrelevant signature will still be used here.
The EMV secure payment technology has been ubiquitous in Europe and Canada for years, but it failed to gain traction in the United States because banks and merchants were reluctant to make the necessary changes. They not only had to change their card readers but also their back-end systems to accommodate chip-based cards, and they decided the fraud cost was less than the switching costs.
However, the massive breach at Target in 2013 and resulting fears that criminals would flood the market with counterfeit cards drove some of the momentum to switch to the EMV payment technology. Congress even threatened to act, and President Barack Obama mandated last fall that federal agencies use EMV terminals, to spur industry change.
But the switchover is not law or regulation. It's a decision that the credit card processors imposed on their member banks and the merchants who accept their cards. No actual penalty looms for merchants that didn't finish deploying the new readers by the Oct. 1 deadline, nor for those with no plans to do so.
Chip-enabled credit and debit cards still have the magnetic stripe, so merchants can continue to process payments the old-fashioned way. What's changed is that businesses will be held fully liable for any fraud that occurs as a result of not being EMV-compliant. It's a ticking time bomb for merchants that don't switch. (Apple Pay and Android Pay transactions are even more secure than chip transactions, so merchants aren't liable for fraud when using these payment systems.)
"This is a liability mandate," said Prakash Santhana, a director at Deloitte's Payments Integrity practice for Cyber Risk Services. If the criminal uses a counterfeit card, the merchant will "eat the costs" arising from the fraud if it had not adopted EMV.
Sign up for CIO Asia eNewsletters.