Tracking inflation What to do with yours Best CD rates this month Shop and save 🤑
MONEY
EMV Technology Mandate

Where is the EMV card 10 months later?

Steve Weisman
Special for USA TODAY

It has been ten months since the October 1, 2015 deadline for credit card companies and retailers to switch to smart chip EMV credit cards in order to avoid liability for fraudulent card use and now is a good time to evaluate the change.

Credit card with a EMV chip.

A good place to start is by looking at the magnetic strip cards, which the EMV chip cards were designed to replace.  The technology used in magnetic strip credit cards was initially developed in the 1960s, but was not widely used until the 1980s when MasterCard and Visa adopted the technology for their credit cards. With magnetic strip technology, the account number for the particular card as well as other personal information is stored on a magnetic strip on the back of the credit card.  Transactions were processed by the simple swiping of the card through a card reader which would transmit the information electronically to the credit card processor.

Unfortunately, through a variety of methods, hackers were able to steal the credit card information from the processing equipment or the computers of the retailers using the equipment and steal massive amounts of credit card data which they would then sell to other criminals on a part of the Internet called the Dark Web where criminals do business.  These criminals buying the card information would then use the cards to make fraudulent purchases.  The vulnerability of magnetic stripe credit card information being stolen was dramatically brought to the public’s attention in 2013 when Target was hacked, losing credit and debit card information of forty million people.

Fighting sophisticated criminal technology of the 2000s with security technology of the 1960s was not much of a match. Data breach after data breach at other companies soon followed the Target hacking, which increased the motivation to switch to the more secure EMV cards.  EMV stands for Europay, MasterCard and Visa. EMV cards are more secure than magnetic strip cards because a computer chip located on each card generates a unique token each time the card is used such that stealing the processing information for a particular transaction would be useless to a hacker.

In an effort to encourage more widespread use of EMV cards, the banks and the companies that process credit card payments set a date of October 1, 2015 for credit card issuers and retailers to switch to EMV card technology.  These banks and credit card processing companies, however, did not have the authority to mandate that all credit card companies and retailers switch to the EMV technology, but, they did have the authority to pass the liability for fraudulent credit card use to either the credit card companies not issuing EMV credit cards or the retailers if they did not upgrade their card processing equipment to EMV terminals.  Previously, the liability for fraudulent credit card use ultimately rested with the banks.

The transition to EMV cards has been slow although some companies, such as Walmart and Target were early converts.  Recently MasterCard announced that 80% of credit cards are now EMV chip cards, however, only 30% of retailers have installed approved EMV processing equipment.

One reason that so many merchants have resisted switching to EMV card processing equipment is the cost.  The hardware, software and other related costs can run into tens of thousands of dollars.  Testifying last year before the House Small Business Committee last year, Jared Scheeler of the National Association of Convenience Stores testified that the cost to convenience stores to upgrade its gas pumps and point of sale terminals to EMV standards would be about $26,000 while the average profit at a convenience store is only about $47,000.

While the decision to switch to EMV card processing equipment for some businesses, particularly jewelry and electronics stores which are often preferred targets of credit card fraud to purchase goods that can more readily be turned into cash, is simple because the risk of not switching would be too great, other businesses, particularly small businesses that rarely encounter credit card fraud, switching to EMV processing equipment may not be cost effective.

Another major issue that has arisen in the implementation of EMV technology in the United States is that, unlike most of the rest of the world, EMV cards in the United States do not require the use of a PIN when the card is used. Instead only a signature is required for verification, which as shown by the researcher who routinely signs his transactions “Donald Duck” is not very effective verification. Just last May, Walmart sued Visa arguing that Visa is preventing Walmart from requiring shoppers to use PINs as extra security when customers pay with a chip debit card.  Then in June, Home Depot sued Visa and MasterCard alleging that they implemented chip and signature technology rather than the safer and more secure chip and PIN technology merely to get the higher fees they receive when processing signature-based transactions.

Meanwhile, at the recent Black Hat security conference, Nir Valtman and Patrick Watson, researchers for NCR, a company that makes point of sale terminals disclosed how sophisticated hackers could steal the credit card number from an EMV chip enabled card’s magnetic strip when retailers, as many still do, fail to utilize encryption capabilities in their card processors.

We have come a long way in the last ten months, but there is still a long way to go to achieve better credit card security.  In an upcoming column I will discuss what can and should be done.

Steve Weisman, an expert in preventing cyberscams and identity theft, is a lawyer and professor at Bentley University. He writes the blog scamicide.com, where he provides daily update information about the latest scams. His new book is Identity Theft Alert.

Featured Weekly Ad