Have you received your new chip-protected credit card yet? The new cards are supposed to eliminate fraud by requiring a PIN, stored in the chip, at every purchase. As Barataria reported last year, the credit card system has to be considered completely compromised after a large number of security breaches at nearly every retailer. The largest ones are reported, but it is wise to consider every use of the traditional “swipe” credit cards, which are easily duplicated once the numbers and names are stolen.
That’s why the new cards were mandated to be in use by 1 October. But the system is plagued by delays at all ends – and may not be as secure as promised. That’s a big problem for merchants who, as of the deadline, assume responsibility for a lot of credit card fraud.
The problem with the traditional “swipe” credit card is that it contains absolutely no security at all. When you swipe, all you are doing is providing the number on your account for the transaction to be processed. That’s why a retailer with a dodgy machine can also type in the credit card number – it’s the same thing, but it takes a bit longer.
The security is entirely your possession of the card.
Such cards are easily duplicated once you know the number that has to be encoded on the magnetic strip, so simply having a card is not good enough. The new cards have a small chip in them on which is stored an encrypted PIN. There is no way to back the PIN out of the chip – you simply have to know it in order to use the card. Like any other password it’s completely secure as long as you keep it to yourself.
Like any new system this is taking a lot of time to roll out. I know of no one who has received a new card, nor do I know of any retailers with the systems to handle them. The rollout is far behind schedule and at this point is unlikely to be common before Christmas shopping.
The agreements between credit card companies changed right on schedule, however, meaning that merchants are now responsible for a lot of fraud. This is why it’s much harder to get cash back on purchases, for example, which had become a staple at many grocery stores. When the consumer notes fraud from a swiped card or any other non-chip card use, a “charge back” can be approved by the credit card issuer and the merchant is simply stuck. It’s that simple.
But are the new cards really that good? There have been many reports of hacked chip cards, but the process appears to be much more difficult. The most notorious case in 2011 appears to have had a new chip soldered on top of the old one which approved any PIN entered into the system – but again, the physical card was stolen. The system overall has to be considered far from foolproof, but it may slow down credit card fraud and at least dramatically reduce the value of a big database of numbers.
The introduction of the new cards in Canada has seen dramatically lower levels of fraud all around. While these cards, like any system, are still hackable they are at least more difficult.
Merchants who do not use a physical card should have in place an encrypted system for handling the PIN that does not in any way store it on their system. But the new agreements do not seem to spell out their liability as clearly, and it’s unclear how a secure system is approved by the credit card issuing companies. Like any good legal setup, it will probably take a few test cases to know exactly how far liability for credit card fraud reaches.
So where do we stand now that everything has changed for credit cards? It seems that little has changed, at least until we see some significant charge backs to merchants who allow fraud to occur with the new chip cards. That won’t come until there are a lot more chip cards in the works, which is probably another year away.
Meanwhile, we still have to presume that all cards are at risk for the time being. The largest reason cited for a reduction of fraud in 2014 is that consumers are watching their cards very carefully. That is still the only solution.