US consumers are about to get a new defense against cybercrime. The armor will take the form of credit and debit cards with a built-in chip, which retailers must be able to read as of Thursday.
Short for EuroPay, MasterCard and Visa, EMV chips create a one-time-use code needed for each purchase, which makes stolen card numbers less valuable on the black market. Consumers may see slightly longer transaction times as in-store readers run the EMV cards, assuming merchants have set up the new payment terminals in time.
Industry watchers don't expect every merchant to meet Thursday's deadline, which was set last year by MasterCard, Visa, Discover and American Express. Retailers do have an incentive to act quickly, though. Stores that don't have EMV-reading terminals will need to make good on in-store purchases made with counterfeit cards. ATMs and gas pumps will face the same liabilities in 2017.
The card companies wrote that rule after cybercriminals stole about 40 million credit and debit card numbers from the payment system of retailer Target during the 2013 holiday-shopping season. Currently, the banks that issue cards are on the hook for fraudulent charges.
There are two ways hackers steal sensitive information. They can use card skimmers to read a card's magnetic stripe at an ATM or gas pump. They can also penetrate retailers' corporate information systems, as they have with Target, Home Depot, Neiman Marcus and many others, to copy card numbers. Those stolen numbers can be used on fake cards to make fraudulent purchases. Two-thirds of fraudulent purchases inside stores are made with counterfeit cards, said Stephanie Ericksen, Visa's vice president of risk products. Authentic cards that were stolen account for the other third.
That's where these new chip cards can help. Because the chips send encrypted, one-time codes for each transaction, the cards are harder for fraudsters to read and duplicate, experts say. While the cards are just rolling out in the US, the technology isn't new. Europe started using cards with embedded chips in 2005. Apple Pay and Android Pay mobile payments work on the same underlying rules.
Despite the impending retailer deadline, many consumers still don't know about the new kinds of cards. In an August survey by electronic payments company ACI Worldwide, 59 percent of consumers reported they hadn't received credit cards with EMV chips. Only a third knew the United States is shifting toward chip readers. What's more, only 27 percent of merchants are prepared for the October deadline for card reader technology, according to a report released in mid-September by the Strawhecker Group, a consulting firm for the payments industry.
Experts say the slow rollout could be due to the cost of new card-reading equipment. Merchants must weigh the expense of buying new payment systems and training employees on that gear against the unknown hit from fraudulent charges. Some may even consider their new liabilities the cost of doing business.
Consumers will need to adapt to the new system too, experts said.
"There may be some initial inconvenience at the point of sale," said TJ Horan, vice president of product management at FICO, which helps banks determine a consumer's credit risk.
Despite the increased security, industry watchers don't expect card fraud to disappear. Horan likens it to squeezing a water balloon: If you push fraud out of the system in one place, it will simply shift somewhere else.
Clarification, 8:55 a.m. PT: The name of parent company ACI Worldwide has been added.