The US is in the midst of a major financial transition: swapping out our old-fashioned magnetic strip credit cards for ones equipped with a security chip. Card issuers have said chip-enabled cards provide much better protection against fraud than traditional magnetic strip credit cards. But…how? What makes the new cards superior and how can it protect you from getting scammed?
"The first thing is the existence of the chip itself makes the card extremely hard to counterfeit," Doug Johnson, a payments and cybersecurity expert at the American Bankers Association, explained in a phone call.
Johnson said with traditional magnetic stripe cards, it's pretty simple for criminals to skim your card and use the data to make their own at home—the equipment required only costs about $100. But manufacturing a card with a working EMV chip (which stands for Europay, Mastercard, and Visa, the companies that originally developed the technology) is a much harder feat. This is partly due to the second layer of protection: how the chip actually works.
The chip works like a very tiny computer. Unlike a magnetic strip, which holds a static amount of data about the card and account, the chip is "smart" enough to produce a unique code each time it's used. It works like this: when you go to use your chip credit card at a store, you'll dip the card into the bottom of a point-of-sale unit, kind of like what you do at an ATM. When that happens, the chip starts a "dialogue" with the POS unit, according to Philip Andreae, vice president of field marketing at at Oberthur Technologies, one of the world's largest card manufacturers.
"At the end of that dialogue, the card creates what we call an application cryptogram: a dynamic number," Andreae explained.
Each transaction will produce a unique string of numbers that is sent to the financial institution to verify that the card being used is the same one that was issued for that account (and, in some cases, to verify that enough funds are available for the transaction). Since it's different for each transaction, it makes it basically impossible to skim the data on the card. After that, either a pin code or a signature is required to add an extra layer of identification, which is up to the card issuer.
"Right now, because we're early days, the issuers are saying 'let's keep it the same. My card users do signature so I'll keep it the same so we don't add a new layer of change," Andreae said.
Andreae said a pin code is slightly more secure because if someone steals your physical card, but doesn't know your pin, they can't use it—as opposed to faking a signature, which we all know no cashier ever checks. Of course, neither method is useful if the person has your card and uses it for online purchases, but as long as you report a missing or stolen card right away, the risk of fraud with chip cards is much lower because they're so hard to skim and replicate, he said.
As of October 1, MasterCard and Visa required all of its banks and retailers to be able to process chip cards or risk liability for fraud, while American Express's deadline is October 16, but it will probably take another year or so for everyone to switch over to the new system, Johnson said. He said the best estimates are that 70 percent of US credit cards will have chips by the end of the year, with about half of retailers equipped to handle the new cards by then.
And while it will likely add a few extra seconds onto your purchase transactions, the new cards mean the US is finally exiting the dark ages of credit card security and joining Europe and Canada, where chip cards have been the norm for a decade. Maybe we'll finally stop seeing regular reports of major credit card breaches at retailers and finally be able to make credit purchases (somewhat) free of anxiety.