Isn’t it wonderful? Now that October is behind us, all our credit card security problems have been solved! But wait — why did I get a call from one of my credit card companies informing me that my account had been compromised? How can that be?
In October, the U.S. went through the “Payment Networks’ Liability Shift,” the first significant milestone toward full rollout of Europay MasterCard Visa (EMV) chip technology here. So what has actually changed?
EMV is chip-based technology that is being deployed on credit and debit cards to replace the long-antiquated magnetic stripe system. It’s already been deployed throughout most of the world, but the U.S. has been slow to implement it. One of the long-term goals of EMV is to enhance the security of credit card transactions. For example, it significantly increases the cost (to attackers) of cloning a credit card account. It is supposed to keep a consumer’s account number more private, so that an adversary can’t easily steal one’s account number and make fraudulent transactions.
The Payment Networks’ Liability Shift was a big step, but largely symbolic, at least from the perspective of us consumers. Before the shift, merchants charging an account were not financially liable for account compromises. Instead, it was the credit card issuers’ liability. Now, however, merchants that have not complied with the milestone by deploying EMV-compatible payment terminals will be responsible for fraudulent transactions on their equipment. This, of course, places a potential financial burden on merchants, and the belief is that they’ll comply rather than risk the loss.
But even if they do comply, not everything is unicorns and rainbows, at least not yet. Why not? Well, if you happen to have an EMV card in your wallet, take a look at it. Do you see your account number on it? Of course you do. Do you see a magnetic stripe on the back? Of course you do. Well, then, how on earth can we protect account information if we’re going to stick it right there on the card? Good question. The short answer is that we will — eventually. But we’re in a transitional stage of things now, and so credit cards will remain a hybrid of magstripe and EMV for a while.
The reason for the slow transition on the card end is that merchants are also transitioning slowly. Despite the incentive to make the change, an awful lot of merchants haven’t made the move. In my unscientific observations, I’d estimate that, at best, 50% of the merchants I have patronized have gone EMV. And being very interested in the technology, when I see an EMV terminal at a merchant, I always try it out. More than half of the payment terminals I experimented on actually functioned with an EMV-based card, even if the hardware had the EMV slot in place.
Oh, and not all merchants are required to comply yet. Some, like gas stations, have additional time to comply. Plus, not all consumers even have EMV cards yet.
So was the whole October 2015 thing just a bunch of malarkey? Not entirely. It’s the first of several milestones in which the credit card industry is nudging U.S. merchants and consumers toward a more secure world, but it’s really just the first step. There are other milestones coming along in 2017 and 2018, but as of today, consumers can’t point to many major changes.
In some countries, like Australia, consumer payment cards no longer have magnetic stripes on them, and starting in August 2014, Australian merchants stopped allowing signatures to be used to authenticate transactions. Instead, consumers there must use a PIN entered on a payment terminal to authenticate and authorize a transaction.
So what’s a U.S. consumer to do? Sadly, we don’t have a great deal of leverage. If our accounts are compromised, we rely on our credit card issuers to replace the cards promptly, but we’re still faced with the unfortunate inconvenience of updating our card information everywhere we use and store those accounts. I should point out that when I got the call in October, my card issuer got a replacement to me, at no cost, the very next morning.
So here’s what I suggest:
- Whenever possible, avoid storing your account data on online sites. It’s not convenient to re-enter your card information every time you purchase something from a merchant you frequent, but keeping your information off of that merchant’s site is actually a good practice. Plus, there are excellent password and account number manager programs that help automate entering your account information when you need to.
- Use EMV, Apple Pay or other contact-free payment options when they’re available. If a payment terminal supports EMV, try it. If it doesn’t work, let the merchant know of your displeasure. (Yeah, I know that’s not likely to have much effect.)
- Consider a separate account for high-risk transactions (e.g., online sites where you store your account, or restaurants where the wait staff take your card out of your direct sight for payment).
- When your credit card issuer gives you the option of getting an EMV card, do it. I saw in an online advertisement that my favorite card had EMV, and I immediately called the issuer’s customer support and asked for one.
Apart from that, we can only dream of a more secure financial transaction future. I’ve had to go through the credit card compromise process now about five or six times, and I for one will be very happy when we’ve solved that problem.
This story, "U.S. is still tiptoeing toward EMV credit cards" was originally published by Computerworld.