John I. Carney

Loose Talk / Charge Complete

John I. Carney is city editor of the Times-Gazette.

Chip cards lauded as more secure, but take getting used to

Wednesday, October 7, 2015

Your credit and debit cards are getting a makeover.

You either have received, or should be receiving in the next few months, new cards that have a gold symbol, roughly square-shaped, on the front left side of the card. These are called EMV cards, chip cards, or smart-chip cards, depending on who you talk to. There's a computer chip lurking beneath that gold symbol.

In your current credit cards, your account information is recorded on a magnetic strip on the back of the card. When you swipe your card through a point-of-sale terminal, or insert your card into an ATM, your account number is read from that magnetic strip, and so the ATM or the cash register knows who you are and what account to withdraw money from.

But the magnetic strip isn't as secure as it could be. Criminals can copy the information from your card and use it to wrongfully withdraw money from your account.

The new computer-chip system works differently -- it actually communicates with the point-of-sale terminal or ATM in a secure way. The chip generates a one-time-only code for each transaction, something that a magnetic strip can't do. Even if a third party were to eavesdrop on the transaction, it couldn't use that information because the special code only works once. Nothing is impossible, but it would be much harder for a scammer to duplicate or interfere with the chip than with that magnetic strip.

The chip cards make it harder for anyone to physically duplicate your credit card; they have nothing to do with online credit card fraud, where someone uses your credit card information to buy things online. That's a separate problem.

Chip cards have been used in Europe for several years now -- in fact, some American tourists have gotten the unhappy surprise of discovering while on a trip that some European businesses now can't read magnetic strips any more and are only using the chips.

American credit card issuers are now trying to phase in the new system here. Your new credit card, for the time being, will still have a magnetic strip, but it will also have a chip. And businesses are under pressure to install terminals that can read the chips.

As of last Thursday, if credit card fraud happens to a customer who has a chip card, and the merchant hadn't yet installed a chip reader, the merchant -- not the bank -- may be held responsible by Visa or MasterCard. (The bank may still be responsible if the fraud involves an old, stripe-only card.)

The general rule is that whichever party has the least secure technology -- the bank or the merchant -- will be held responsible. That risk gives merchants an incentive to install the new style chip readers, and banks an incentive to issue the new chip cards.

Merchants may also want to buy new equipment to accommodate mobile payment systems like Apple Pay and Google Wallet that are tied to phones, tablets or smartwatches. That's a separate issue from chip cards, but if the merchant can solve both problems at once by buying new point-of-purchase readers, it could be one more incentive to make a change.

Some new start-up retailers and restaurants, as well as mobile merchants like craft fair vendors, have been using Square, a small gadget that plugs into a smartphone or tablet, to read and accept magnetic strip payment cards. Square is working to address the chip-card issue and has developed a slightly-larger gadget which can read chip cards. It's making the device available for free to some of its merchants, and charging others $49 -- but giving them a $49 credit on their processing fees, so the device pays for itself once they start using it.

Eventually, the credit card companies want to do away with the strip and use only the chip, but that may be a few years down the road once the new technology has been fully implemented.

Using a chip card at a store checkout is called "dipping," not "swiping." There's a slot that you push the card into, chip end first, and in most cases you have to leave the card in place for a few seconds, which may take some getting used to after years of swipe-and-go. The delay is because, as I said, the terminal is actually communicating back and forth with the computer chip, verifying your identity.

Be warned, though, that just because the reader may have a slot for inserting chip cards does not necessarily mean the business has upgraded its behind-the-scenes software. It may be wise to ask the cashier if you're in doubt.

For now, you'll still use your signature to authenticate credit card purchases (or debit card purchases that are run as if they were a credit card). Some security experts want banks to switch over to using PINs for credit cards the way they are already used for debit cards. Busy cashiers don't always look at a signature to verify it. A PIN is automatically verified by the software and can easily be changed in case of a problem. But some customers don't like memorizing a PIN and would resist this type of system.

--John I. Carney is city editor of the Times-Gazette and covers county government.

Respond to this story

Posting a comment requires free registration: