(Rob Pegoraro/Yahoo Tech)
Something weird has been happening to our wallets: Computers have invaded them, one credit card at a time.
This overdue migration from cards with magnetic stripes on the back to “EMV” cards that add a tiny computer chip on the front reached a semi-important point Thursday: the “liability shift,” a rebalancing of powers between card issuers and merchants in the U.S. that may change who eats the cost of a bogus transaction.
For most of us, Liability Shift Day should be the most boring holiday ever. Only a minority of debit and credit cards have EMV chips (“EMV” stands for “Europay, MasterCard and Visa,” the three parents of the system), and the share of retailers taking chip payments is even smaller.
But over time, things will change. Here’s how:
How exactly do I pay with a chip?
Instead of swiping a card with that satisfying flick of the wrist, you pop the card into a slot in a card terminal. Then you leave it there as the chip generates a one-time code (like the three- or four-digit number on your card for online purchases), the terminal processes the transaction, and you sign to complete it.
In my experience, that takes a few seconds longer than a mag-stripe card—assuming the stripe was able to read on the first try, which we all know doesn’t always happen.
Where can I pay with the chip?
Your chip transactions may be confined to major merchants like Walmart, Home Depot, and Target. It’s not enough to see a “point of sale” terminal with an EMV slot; that part may be inactive.
For example, my neighborhood’s Whole Foods accepts Apple Pay and other phone payments but not EMV. Spokesman Michael Silverman said the chain plans to fix that across its stores… by the end of 2016.
A complete upgrade across U.S. retail will take longer. On a conference call Wednesday, Visa vice president Stephanie Ericksen said 314,000 establishments take chip payments, up from 55,000 last September—but that’s out of a total of maybe 6 million to 8 million.
How do I get EMV versions of my cards?
If you haven’t already been issued chipped versions of your cards—those in my wallet reached that blessed state in July—you’ll have to ask your issuer what the holdup is.
While you wait, you might as well use that time to shop around and see if you can switch to a card with better cash-back or travel rewards.
Will chip cards stop data breaches?
Sorry, no. With EMV, your card number and expiration date still get sent in the clear to the store and beyond. If somebody hacks the terminal or the software upstream, they can still go to town with your card.
“It does not take care of making sure that the data is protected as it travels through the various layers of payment systems,” explained Erik Vlugt, a vice president at the payment-processing firm VeriFone.
EMV cards also remain usable if lost or stolen unless they’re further secured with a PIN. That’s common with European but not U.S. cards. (More on that later.)
So what security problem does EMV actually solve?
Chip cards can’t be cloned the way stripe cards can. Counterfeiting is a huge problem, accounting for 37 percent of all U.S. credit-card fraud in 2014—second only after “card not present” theft staged online or over the phone, according to the research firm Aite Group.
Crooks have had a clear economic incentive to clone cards, security researcher Brian Krebs noted in a 2014 explainer: A counterfeiter “walks into a big box store and walks out with high-priced electronics or gift cards that he can easily turn into cash.”
Who pays with the liability shift?
Definitely not you — just like today, fraud isn’t your problem as long as you report it. But merchants can pay more, subject to various rules. As National Retail Federation general counsel Mallory Duncan summed up in an e-mail: “Whomever has the more evolved equipment (in a counterfeit situation) wins.”
That is, if the bank issued a chip card, the crook shows up with a counterfeit version of it, and the merchant doesn’t process chip transactions, the merchant is liable to eat the cost. But it can get complicated: “There are scenarios where both parties accept a certain percentage of the responsibility,” MasterCard product-delivery head Carolyn Balfany said over e-mail.
Note, too, that retailers already pay for some fraudulent transactions, as you can see in Visa’s “chargeback” rules. In turn, all of us pay in the form of slightly higher prices, same as we collectively pay for the “shrinkage” of shoplifting and employee theft.
What if a store doesn’t take EMV?
Good luck judging a store’s security, although some modern payment gadgets like Square’s card readers do encrypt card numbers automatically.
If you can use your phone to pay for things, do it. Apple Pay and Android Pay do “tokenization,” meaning they generate a new card number for each transaction. Or you could pay with cash, Bitcoin, bartered chickens, or any other mutually agreeable medium of value.
What about chip-and-PIN?
You may have read that chip-and-PIN cards are more secure because you have to type a number matching the one stored on the chip. But that’s not why they exist: When EMV cards arrived in Europe, many establishments didn’t have online access to verify transactions with issuers and so needed authentication that worked offline.
U.S. banks have avoided PIN because, hey, who wants to remember another number? (A few months ago, Underwriters Laboratories innovations director Maarten Bron said he’d seen too many chip-and-PIN holders write down their PIN on the back of their cards.)
International travelers have complained that signature EMV cards don’t work at kiosks in Europe. Visa’s rules now require those unattended terminals to waive the PIN; it says that in a recent test across five EU states, 90 percent of signature-card transactions worked.
So how do we stop online fraud?
Payment-processing systems can ensure they have nothing worth stealing by not keeping card numbers intact—what Visa calls “devaluing” that data.
In that respect, the slow adoption of EMV security could give lagging merchants a chance to jump to an Apple Pay level of security. Said PCI Security Standards Council chief technology office Troy Leach: “We’re hoping that they buy the next generation of security, which is encryption and tokenization.”
I hope he’s right. But I won’t be too surprised if five years from now, a shop with connectivity issues still has to dust off a “knuckle buster” card imprinter to take my payment on a slip of carbon paper.