Chip-n-Dip (It’s About Security, Not Guacamole)

The move to EMV is in process in the United States. EMV is short for Europay, MasterCard, and Visa’s global standard for chip-equipped credit/debit cards, chip-enabled point-of-service (POS) terminals, and the technology used to authenticate transactions. Sometimes called “chip-n-dip” technology, the updated system provides more protection against fraud for consumers and card-issuers by making it more difficult to steal information from a debit or credit card.

During the holiday shopping season a few years ago, a Target customer breach affected 40 million card holders, since the old magnetic swipe transactions stored each customer’s name, account number, card expiration date, and security code, which was then stolen. Fortunately for Target, Visa, Mastercard, and the issuing banks were responsible for the fraudulent charges, not the retailer. The issuing banks, however, sued Target, and a settlement was reached.

This particular fraud appeared to be the impetus for U.S. banks to revise their practices and security policies and move to the European model of using chip-enabled cards. A more secure method of conducting transactions, chip technology does not pass your actual card number to the retailer’s system. Instead, the chip on the credit/debit card, used with POS terminal that is chip-reader enabled, creates a unique, one-time-use number that authenticates the transaction, preventing the card number and other identifying information from being hacked and stolen. (Online fraud is another matter, and the chip-enabled cards do not work in the same manner to protect fraud for these types of card-not-present transactions,).

At the moment, chip-enabled credit/debit cards also have the outdated magnetic strip used for swiping. Some POS terminals are chip-reader equipped, but many are not. There’s no hard and fast rule, and no new laws have been passed requiring chip-enabled credit/debit cards. The change is originating from financial institutions (the card issuers) with the intent of reducing in-store fraudulent transactions that cost them millions of dollars every year. The encouragement to move to a chip-reader system is based on who is responsible for reimbursing the fraud victim. Is the card-issuer responsible? The retailer? The answer depends on the circumstances: The party who is least compliant bears the burden of the fraud. For example, if you use your card for a purchase at a retailer that has not updated its POS terminals to accept chip-enabled cards, the retailer is responsible to reimburse any consumer losses that may occur, provided the card-issuer has made the technology available to the retailer. But if the retailer has purchased the new systems and updated its POS terminals to accept chip-enabled cards, the card issuer, backed by the credit card company, shoulders the responsibility for any fraud. Merchants of all sizes are undertaking formal and informal risk analyses to determine if the expense of upgrading to the new systems is worth the additional protection of not being responsible for making consumers whole for fraudulent transactions.

It is expected that U.S. cards will continue to rely on signatures at POS terminals, which are not as secure as PINs. This has been the subject of much debate, as credit card companies and issuers have studied American consumer habits. Studies have shown that requiring a PIN to complete a transaction diminishes the chances that consumers will reach for that particular card in their wallet. For now, be prepared to insert your card at retailers if prompted, or swipe your card as usual if the POS terminals have not been updated. During this transition period, you will likely encounter the different options on a regular basis, provided your card has both the chip and the magnetic strip. In a few years, U.S. cards will likely be solely chip-equipped, and the perils of the magnetic strip will be over.