The Switch to the Chip Card – One Year Later

The October anniversary of the liability shift has passed, and anniversaries are an excellent time to look back on progress…this is no exception. The U.S. EMV migration plan was set four years ago as a way to fight card fraud and to protect both consumers and merchants.

the-shift-to-chip-infographic-11-1-2016Back in the day, we had one choice when we wanted to purchase something, and that was cold, hard cash. However, a few decades ago, people began using credit cards for everyday purchases instead of for only big ticket items, such as refrigerators. Though this was certainly convenient, it also opened the door for the bad guys to not only access your credit card information, they could use this information to make purchases and even to learn more about you and steal your identity. Over the past couple of years, once again, we in the U.S. are changing things up when it comes to how we use credit and debit cards. Our new cards, the ‘chip cards,’ as in use in most other places in the world, are making it safer than ever before to make purchases.

Love ‘em or hate ‘em, these new chip cards and terminals are working to eliminate card fraud, and they are working very well. The way we pay in the U.S. needed a huge overhaul, and this security upgrade was an attempt to make things safer. Data and research confirms that this new technology has had a great impact on reducing card fraud.

Don’t get me wrong. This transformation has not been without a few headaches for merchants and consumers but believe me…things are improving, and they will continue to improve as businesses complete their shift to the chip. How much? Mastercard fraud data indicates that there was a 54 percent decrease associated with counterfeit fraud when comparing data from April 2016 to April 2015.

We Have a Strong Start, But There is Still Work to be Done

When considering everything, the U.S. is off to a solid start, but we still have work to do. When looking at the more than 150 world markets that use chips in cards, we know that more chip transactions must be done before we can see a significant drop in fraud. To do this, we will need about 60 percent of chip terminals interacting with a minimum of 60 percent of chip cards in market. If you have one or have seen chip cards, you likely know that we have gone well beyond that 60 percent mark on cards, but only about 30 percent of store terminals are set up to accept chips.

Another thing that we need to do is continue to speed up the certification process for merchants. The faster we can get chip terminals in stores, the faster we will see these card fraud levels drop.

We also need to increase the speed of which these transactions occur. If you have used a chip terminal, you know that it feels like a slower process than the ‘swipe’ we are used to. The payments industry is hard at work to address this issue, and new technologies are being created to speed up transaction times when using these payment methods. Remember, even though the process feels a bit slower right now, you are significantly safer when using a chip card.

Ultimately, if we can have a little bit of patience with the process and endure these short-term issues, we will all greatly benefit when it comes to payment security. We are already moving in the right direction, and if we keep adding terminals and encouraging the use of chip cards, we will definitely see even more improvement when we compare with next year. Before you know it, most forms of card fraud will be all but gone thanks to the switch to the chip.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Gemaltos’ “EMV For a Week Challenge,” starts now!

As part of Gemalto’s #ChipAwayAtFraud campaign, I’m being tasked with numerous tasks, some tacky, some essential to living. Gemalto, one of the world’s leaders in digital security, wants a real-world take on the EMV card experience. Which includes the security benefits EMV cards presents. You know EMV; it’s the “chip” credit card that by now, you should have. EMV by the way stands for Euro/MasterCard/Visa. The Euro part essentially means that’s where the card was first deployed.

1CIf you don’t have a chip card by now get on the phone, call your bank and in your loudest, angriest voice scream at them and politely ask why they haven’t sent you one yet.

You, Mr. and Mr.’s credit card holder should support for the new technology in your community by explaining it to people, and encourage its use.

As a Gemalto campaigner I’m deploying two articles, one introductory (this one) and one “wrap-up” piece, detailing my experience during the challenge.

The Challenge:

Complete All Ten Tasks First and Win $400 to a Charity of Your Choice: My Charity is Boston Children’s Hospital

  1. Get coffee at a local (not chain) coffee shop
  2. Make any purchase at a big-box store
  3. Get a meal inside a fast food restaurant
  4. Buy a magazine at a gas station
  5. Get $50 worth of groceries
  6. Buy a tacky t-shirt
  7. Get someone special a bouquet of flowers
  8. Hit a tourist attraction in your town
  9. Buy office supplies for your coworker(s)
  10. Mail us a postcard from your local post office

Easy. Let the games begin!

Chip and PIN, will It save Us?

Many Americans, says a recent survey by Gallup, worry about a data breach connected to the use of their credit cards. Interestingly, many people use a credit card for everything under the sun: even just a soda and bag of chips from the convenience mart. The more you use a credit card, the more likely it will be compromised by cyber thieves.

1CThe magnetic stripe technology for credit cards makes them so “hackable.” One way to help prevent credit card crimes is to implement a chip-and-PIN technology. It’s been touted as a sure way to keep crime at bay. But is it what it’s cracked up to be? After all, how could the thief, holding your credit card, know your PIN?

The magnetic stripe contains account information. This can easily be copied with a thief’s tools such as a skimming device. A chip card uses a microprocessor that’s embedded. This makes the account information non-accessible to a hacker during any point of a sales transaction.

There are additional features to chip technology that tie into keeping fraud away:

  • Every time the card is used is recorded.
  • A cryptogram lets banks view the data flow.

Chip technology will be coming out in 2015 for the States, and experts are very confident that this transition will choke a lot of life out of card fraudsters. The transition will cost around $8 billion—if done correctly. And this “roll-out phase” won’t happen overnight, either.

There has been credit card fraud involving chip technology. Here’s how it happened: The crooks stole account information from magnetic stripes via skimming. The transactions were then done EMV style, then the criminals picked up traffic from an authentic EMV chip transaction. Next, the thieves put the information they’d skimmed into the transaction, and pulled off their crime.

In short, chip-and-pin technology is not without the element of human error; EMV can still be implemented poorly. As for that human error, this happened not too long ago with Canadian banks. They were struck with a big financial loss because the counter data and cryptograms were not being checked efficiently.

We can have a really great thing here—if it’s implemented in a smart way. What good is an advancement in technology if it’s carelessly employed?

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

National Retail Federation pushes for Chip and PIN

The recent major retail breaches have fueled increased interest by the National Retail Federation to push for implementation of a chip and PIN payment card technology. This would make the magnetic strips on payment cards obsolete and no longer a calling card for hackers.

1C“We’re here today because the question of data security and cyber theft in retail has become a very important debate in Washington,” said David French, the senior vice president of government relations for the NRF.

The U.S. still relies upon the magnetic strip—buyers or employees swipe the card and sign for the transaction. The chip and PIN means a chip is embedded into the card. A “reader” reads the chip but also requires the cardholder to enter a PIN to complete the purchase: a two-ply authentication process.

Magnetic strips allow thieves to make counterfeit cards that work, but the chip technology would prevent this.

“It’s going to be a very expensive transition,” says Mallory Duncan, NRF senior VP and general counsel, referring to the switch from magnetic strip to PIN and chip. A chipped card costs 4-5x as much as a stripped card: a cost that card issuers are not crazy about investing in.

However, the retail industry isn’t off the hook. Duncan notes that “every one of the (payment) terminals has to be replaced and depending on whether you’re counting just retailers or doctors’ offices and other places that are thought of as retail, it’s going to be between nine to 15 million (pieces of point-of-sale) equipment that have to be replaced.”

That’s more than $1,000 per unit, she adds. The migration to chip technology includes software and training, and based on Great Britain’s cost to migrate, the U.S. could be looking at “$20 billion or $30 billion to swap out equipment,” says Duncan. And that’s an under-estimate.

The starting point for the swap is banks issuing the chipped cards, says Duncan. Then the retail industry will know it’s worth it to finish the job by implementing the terminals.

The banking industry isn’t taking well to the retail industry’s stand on who should make the first move. Banking leaders believe that recent big retail breaches were primarily caused by, as they responded to NRF’s media briefing, “failed computer security at major retailers.”

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

How Much Longer Does the Magstripe Have?

Every U.S.-based credit card has a magnetic stripe on the back. This stripe can be read and rewritten like a rewritable burnable CD, using card burners that are easily available online.

The simplicity of the magstripe’s design, coupled with the availability of card reading and writing technology, results in billions of dollars in theft and fraud.

EAST, the European ATM Security Team, recently released European ATM crime statistics for January through June of 2010. Apparently, skimming at European ATMs increased by 24%, with 5,743 attacks reported in the first six months of 2010, compared with 4,629 during the same period in 2009. There haven’t been so many skimming attacks since EAST began measuring these statistics in 2004.

During this same time frame, however, while incidents of skimming have risen, the associated financial losses have dropped. This is because the cards being skimmed have an additional layer of security known as chip and PIN technology, or EMV, which stands for Europay MasterCard Visa.

But because these cards still have magnetic stripes, they are still being skimmed. The stripe is there for the convenience of cardholders who travel to the United States or the handful of other countries that still rely on the magstripe technology. Chip and PIN cards without magstripes are standard in Europe.  As skimming continues, the issue of whether to discontinue the magstripe is bound to come to a head. The European Central Bank’s most recent progress report states:

“In line with Europol’s stance on the future of the magnetic stripe and in support of the industry’s efforts to enhance the security of cards transactions by migrating from the “magnetic stripe” to “EMV chip” cards, the Eurosystem considers that, to ensure a gradual migration, from 2012 onwards, all newly issued SEPA cards should be issued, by default, as “chip-only” cards.”

In the United States the United Nations Federal Credit Union has adopted  chip and PIN technology and Walmart is demanding it. Further, Travelex, the world’s largest non-bank foreign exchange currency provider, introduced America’s first prepaid foreign “currency cards” available in Euros and British Pounds that utilizes chip & PIN technology.  And based on what is happening in Europe, change is in the air.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit card fraud on NBC Boston. (Disclosures)