In the aftermath of a security breach at Target that compromised more than 40 million credit and debit cards and an attack on Neiman Marcus that affected 1.1 million cards, banks, credit card providers and merchants have renewed efforts to protect payment information. As a result, the differences among magnetic stripe, chip-and-PIN and chip-and-signature credit cards have come to the forefront of discussion. The big question is this: Would U.S. consumers be safer if the country transitioned from magnetic stripes to "smart" chip cards?
The U.S. has long relied on "magstripe" credit cards, which require nothing more than a swipe and signature to purchase goods. During a swipe, the merchant gets your name, credit card provider, card number, expiration date and CVV number. However, in the wake of the breach, Target accelerated a $100 million program to develop chip-and-PIN "smart" credit cards, which come embedded with a microprocessor that encrypts personal data. These are also known as "EMV cards" as they were developed by Europay, MasterCard and Visa. Even if a robber or hacker gets the card number or physical card, they cannot use them without knowing the four-digit PIN.
These chip-and-PIN cards have been around since the early 1990s, and much of the world has adopted them with impressive results. According to a report by the Federal Reserve Bank of Atlanta, the 2004 introduction of EMV cards in the UK precipitated a sharp drop in fraud. While the fraud losses on lost or stolen UK-issued cards dropped 61 percent between 2004 and 2010, the fraud rate on bankcards issued in the United States increased 70 percent between 2004 and 2012. After rolling out chip-and-PIN in 2008, Canada saw a 30 percent reduction in fraud losses over the following two years.
The Federal Reserve Bank of Atlanta concluded that for chip-and-PIN to reduce fraud, all card-based products within a country must embrace the new technology. Otherwise, the country may see increased fraud levels with products that haven't transitioned. However, EMV cards are not a bomb-proof solution for protecting payment card information in cyber-attacks. According to Forbes, the Target hackers went after unencrypted data inside point-of-sale (POS) devices' memories. Were customers using chip-and-PIN cards, the hackers may have still stolen the card number, PIN and other information they would need to make fraudulent purchases.
In the U.S., MasterCard and Visa have set an October 2015 deadline to implement chip-and-PIN technology. However, the migration is facing several challenges including disagreement among merchants, issuers, banks and networks about how to share the costs. The National Retail Federation estimates that new chip-and-PIN card reader could cost merchants $1,000 apiece, while the new cards would cost $2 apiece. According to the New York Times, the total estimated cost of adopting the technology range from $15 billion to $30 billion, which is more than the cost of paying for fraud -- roughly five cents for every $100 spent with card cards.
A switch to chip-and-PIN cards and readers would also shift the liability of fraud from banks to merchants in certain cases. Businesses would still be able to run transactions with a swipe and signature, but they would be liable for fraudulent transactions if the customer has a chip-and-PIN card. Conversely, if a merchant has the new POS system but the bank has not issued a chip-and-PIN card, the bank would be liable.
As an in-between solution, some U.S. card issuers have come up with chip-and-signature credit cards. Abroad, they function like chip-in-PIN cards, but in the U.S., they don't actually enhance security because you still verify purchases with a signature. Until the U.S. switches over to chip-and-PIN, chip-and-signature cards may only appeal to international travelers who visit chip-and-PIN countries. But travelers should be warned: the chip-and-signature cards will not work at the type of automated payment kiosks you might find in train stations, parking garages or vending machines. In reality, your standard magstripe credit cards will work just about anywhere abroad your chip-and-signature card works.
Today, virtually all EMV cards offered in the U.S. are chip-and-signature. Many of these are travel cards like the Chase Sapphire Preferred, Citi AAdvantage and BankAmericard Travel Rewards. While their EMV functionality might not do much for your security, the opportunity to accumulate travel reward points, avoid foreign transaction fees (in the case of the Sapphire and BankAmericard) and avoid baggage fees (AAdvantage) are noteworthy perks if you travel often.
Here's the bottom line: Magstripe cards are on their way out and chip-and-PIN is on the way in thanks to the added security benefits and protection against fraud. Disagreements among banks, card issuers and merchants may slow the process, but the transition now seems inevitable. While EMV cards are still vulnerable to cyber-attacks, the physical card is safe if lost or stolen. Chip-and-signature is available now in the U.S., but it's not a great reason to choose a card. Look at the travel advantages of chip-and-signature cards rather than the fact that they are EMV-friendly. And whatever card you use, don't rely on business to protect your card information -- review your purchases regularly and keep an eye out for fraudulent activity.
Follow Eric Adamowsky on Twitter: www.twitter.com/cardinsider