Have you received your new chip-protected credit card yet? The new cards are supposed to eliminate fraud by requiring a PIN, stored in the chip, at every purchase. As Barataria reported last year, the credit card system has to be considered completely compromised after a large number of security breaches at nearly every retailer. The largest ones are reported, but it is wise to consider every use of the traditional “swipe” credit cards, which are easily duplicated once the numbers and names are stolen, to be at risk.
That’s why the new cards were mandated to be in use by 1 October. But the system is plagued by delays at all ends – and may not be as secure as promised. That’s a big problem for merchants who, as of the deadline, assume responsibility for a lot of credit card fraud.
The problem with the traditional “swipe” credit card is that it contains absolutely no security at all. When you swipe, all you are doing is providing the number on your account for the transaction to be processed. That’s why a retailer with a dodgy machine can also type in the credit card number – it’s the same thing, but it takes a bit longer.
The security is entirely your possession of the card.
Such cards are easily duplicated once you know the number that has to be encoded on the magnetic strip, so simply having a card is not good enough. The new cards have a small chip in them on which is stored an encrypted PIN. There is no way to back the PIN out of the chip – you simply have to know it in order to use the card. Like any other password it’s completely secure as long as you keep it to yourself.
Like any new system this is taking a lot of time to roll out. I know of no one who has received a new card, nor do I know of any retailers with the systems to handle them. The rollout is far behind schedule and at this point is unlikely to be common before Christmas shopping.
The agreements between credit card companies changed right on schedule, however, meaning that merchants are now responsible for a lot of fraud. This is why it’s much harder to get cash back on purchases, for example, which had become a staple at many grocery stores. When the consumer notes fraud from a swiped card or any other non-chip card use, a “charge back” can be approved by the credit card issuer and the merchant is simply stuck. It’s that simple.
But are the new cards really that good? There have been many reports of hacked chip cards, but the process appears to be much more difficult. The most notorious case in 2011 appears to have had a new chip soldered on top of the old one which approved any PIN entered into the system – but again, the physical card was stolen. The system overall has to be considered far from foolproof, but it may slow down credit card fraud and at least dramatically reduce the value of a big database of numbers.
The introduction of the new cards in Canada has seen dramatically lower levels of fraud all around. While these cards, like any system, are still hackable, they are at least more difficult to hack.
Merchants who do not use a physical card should have in place an encrypted system for handling the PIN that does not in any way store it on their system. But the new agreements do not seem to spell out their liability as clearly, and it’s unclear how a secure system is approved by the credit card issuing companies. Like any good legal setup, it will probably take a few test cases to know exactly how far liability for credit card fraud reaches.
So where do we stand now that everything has changed for credit cards? It seems that little has changed, at least until we see some significant charge backs to merchants who allow fraud to occur with the new chip cards. That won’t come until there are a lot more chip cards in the works, which is probably another year away.
Meanwhile, we still have to presume that all cards are at risk for the time being. The largest reason cited for a reduction of fraud in 2014 is that consumers are watching their cards very carefully. That is still the only solution.
So the new liability only applies to people with new cards?
That is my read of it, yes. The new cards come with a promise of better security, and fulfillment of that falls partly on merchants.
Stores here in Colorado, USA slowly rolling out – lots of glitches in system back in August/September time frame –
“Swipe your Card – No, instead, why don’t you now insert into Chip Reader – there ya go, …now wait for 3 minutes and make everyone in line behind you think you’re a moron, while we try to figure out if you’re a thief or not….Okay, we’ve approved it, but you can’t remove your card, just yet – wait till we tell you to…, ….waiting….waiting….seriously? someone just beat you up, cuz they thought you were writing an out-of-town check? Oh! OK, you’re good to go! OMG! Beep! Beep! Beep! YOU MUST Retrieve your Card from reader, like right now, cuz we’re gonna sound the siren until you remember to – Not our fault if everyone else thinks you just tried to shoplift something….”
Yes, think it’s funny that ‘agreements’ change, long before those responsible for rolling out infrastructure actually make agreements ‘possible & Customer Friendly’ to do – 🙂
Until further notice, I figure, just another ruse to slam small biz and reward big biz, although – one of the two ‘big’ stores I haven’t found ‘local suppliers’ replacements for, just yet, still don’t have their system for chips on line – 🙂 I, now well trained over the past 2 months, was looking for the bottom slot – and held up line by being confused –
And have two small customers who have quit taking smart-phone-swipes on-location, cuz they fear fraud and being cheated out of legitimate sales, just cuz if not chip read, they are liable – –
Sigh – My Cynicism knows no bounds –
“Heads We Win, Tails You Lose” – 🙂
This is the first report I’ve seen on the system. Seriously. They are very rare here and I have yet to see anyone use a new card in a new machine.
I started, “Feeling the Pain of Updates” in early August – first store said, “Swipe, click approve, then stick in bottom slot, click approve – now wait and don’t remove until the screen tells you so” AND one time, I waited while a supervisor came over to instruct cashier how to hit the right key to move the process along –
6 weeks later? I’m there again – I swipe, and I’m greeted with exasperated expression, “You need to insert in the bottom….” WHAT?!? I JUST GOT TRAINED and You’re Changing the Steps!?!
LOL – – – I work with customers who are trying to understand tech upgrades from 20 years ago, but if I have to be retrained on every visit to a biz that I’m supporting – something is wrong – Tech will implode upon itself – sooner or later – the trend for coupling functionality/improvement updates along with security updates is starting to reach a crescendo, even for me –
Too easy to roll out a security update, roll out some handy-dandy interface/function update at same time, and, traditionally, humans are reluctant to change – and need time to adjust – – so, once again, Tech World will lose the ground they’ve gained by their new ‘friendly face and patient answers’ and will be hated, once again….LOL – – been about 10 years since last major paradigm shifted – they’ll flounder and fix, just like they always do – even if they tick everyone off, during their transition (why do you think I was so long absent from WP? I didn’t like the ‘revamps’ getting rolled out – LOL)
The initial system I went through the gauntlet with is now functional – check out, (either in self-check out or cashier manned line) – Insert card in bottom when asked – wait, remove – so some are getting there with new hardware/systems….
Target rolled out chip readers before the “deadline.” It’s no surprise they’ve been quicker than others. I’ve seen chip readers at lots of other stores, but not all. All of my cards except my primary have been updated to chip cards. I’ve yet to actually use a chip transaction, so I can’t comment on how slow it is.
It’s my understanding that the US is switching to “Chip and Signature,” not “Chip and PIN.” I believe a PIN is only required for debit card transactions, same as always.
You may be right – the PIN is the European standard, we seemed to have gone our own way. I think some will have a PIN but the standard for the new liability is apparently signature – and I have no idea how it checks that the signatures match. This is more confusing than I thought.
I thought it was chip and signature too, but I also have not yet gotten a single card with a chip! Does that mean that the new liability agreement does not apply?
My understanding is that the new cards have the new liability but the old cards have the old liability. That appears to put the onus on the merchant to get the new machines to process them properly, but some of the things I read suggested that this was not the case – a new card in an old machine does not change liability to the merchant. That doesn’t make sense to me so I assume it is wrong.
So, basically, they’ve done nothing except shift the liability?
Pretty much. But this means that the Free Market will sort it out, which is not necessarily a bad thing. But yes, there is no comprehensive solution introduced all at once that encompasses everything.