In October, the U.S. went through the “Payment Networks’ Liability Shift,” the first significant milestone toward full rollout of Europay MasterCard Visa (EMV) chip technology here. So what has actually changed
EMV is chip-based technology that is being deployed on credit and debit cards to replace the long-antiquated magnetic stripe system. It’s already been deployed throughout most of the world, but the U.S. has been slow to implement it. One of the long-term goals of EMV is to enhance the security of credit card transactions. For example, it significantly increases the cost (to attackers) of cloning a credit card account. It is supposed to keep a consumer’s account number more private, so that an adversary can’t easily steal one’s account number and make fraudulent transactions.
The Payment Networks’ Liability Shift was a big step, but largely symbolic, at least from the perspective of us consumers. Before the shift, merchants charging an account were not financially liable for account compromises. Instead, it was the credit card issuers’ liability. Now, however, merchants that have not complied with the milestone by deploying EMV-compatible payment terminals will be responsible for fraudulent transactions on their equipment. This, of course, places a potential financial burden on merchants, and the belief is that they’ll comply rather than risk the loss.
But even if they do comply, not everything is unicorns and rainbows, at least not yet. Why not Well, if you happen to have an EMV card in your wallet, take a look at it. Do you see your account number on it Of course you do. Do you see a magnetic stripe on the back Of course you do. Well, then, how on earth can we protect account information if we’re going to stick it right there on the card Good question. The short answer is that we will — eventually. But we’re in a transitional stage of things now, and so credit cards will remain a hybrid of magstripe and EMV for a while.
The reason for the slow transition on the card end is that merchants are also transitioning slowly. Despite the incentive to make the change, an awful lot of merchants haven’t made the move. In my unscientific observations, I’d estimate that, at best, 50% of the merchants I have patronized have gone EMV. And being very interested in the technology, when I see an EMV terminal at a merchant, I always try it out. More than half of the payment terminals I experimented on actually functioned with an EMV-based card, even if the hardware had the EMV slot in place.
Oh, and not all merchants are required to comply yet. Some, like gas stations, have additional time to comply. Plus, not all consumers even have EMV cards yet.
So was the whole October 2015 thing just a bunch of malarkey Not entirely. It’s the first of several milestones in which the credit card industry is nudging U.S. merchants and consumers toward a more secure world, but it’s really just the first step. There are other milestones coming along in 2017 and 2018, but as of today, consumers can’t point to many major changes.
In some countries, like Australia, consumer payment cards no longer have magnetic stripes on them, and starting in August 2014, Australian merchants stopped allowing signatures to be used to authenticate transactions. Instead, consumers there must use a PIN entered on a payment terminal to authenticate and authorize a transaction.
So what’s a U.S. consumer to do Sadly, we don’t have a great deal of leverage. If our accounts are compromised, we rely on our credit card issuers to replace the cards promptly, but we’re still faced with the unfortunate inconvenience of updating our card information everywhere we use and store those accounts. I should point out that when I got the call in October, my card issuer got a replacement to me, at no cost, the very next morning.
So here’s what I suggest:
Apart from that, we can only dream of a more secure financial transaction future. I’ve had to go through the credit card compromise process now about five or six times, and I for one will be very happy when we’ve solved that problem.