New Chip-Based Credit Cards Offer More Protection

Stan Rose, Managing Director, Tax Practice
November 2015

Many of us recently received, long before our old ones expired, new credit cards that have a suspicious-looking shiny square on the front side.  We also have been forced to endure the agony of waiting in line at stores for an extra 5 seconds while a new card reader processes our charges. Our April 2015 BNN Briefing contained an article quantifying the pros & cons of credit cards vs. debit cards. This article will explain why we received new cards, and what they will do for us.

Millions of these new credit cards automatically were issued to cardholders in recent months as part of an industry-wide attempt to reduce credit card fraud.  They are known as “EMV” cards, which stands for Europay, MasterCard and Visa.  They represent the next generation of cards, and function technically very different from the ones they succeed. 

Out with the old
The older generation card contains only a magnetic strip, which carries evergreen data – material applicable to every transaction.  Because the information does not change, any thief who gains that information can use that card’s account.  That information can be accessed in a number of ways.  One way is to hack the computer records of a vendor.  Another is to use a “skimming” device, as often has been used at ATMs or gas stations.  Once the magnetic data is copied, criminals easily (and inexpensively) can re-encode that information on other magnetic strip cards, including gift cards.  This activity is not all that uncommon, and is not limited to large cities.  (It recently occurred in the small coastal Maine town of Damariscotta.)

In with the new
The new EMV cards do not necessarily make it harder for criminals to steal card data, but they make it much harder for that theft to result in a phony charge, which is of course the point of the theft. The front of each of these cards contains a small shiny rectangle-shaped chip. While they still have magnetic strips, instead of swiping these cards, they usually are inserted into a slot and left in place for just a few seconds. In that time, the merchant’s equipment communicates with the issuing bank, and unique identifying information is generated that is specific only to that one transaction. Also, the authentication involves verifying that the card associated with the account number contains the card-specific chip. Each chip is unique, and if it is missing, the transaction will fail.  This makes the new cards very hard for hackers to overcome. In theory, a hacker trying to use a card number, like those that were swept up in the large Target or Hannaford thefts in recent years, would not be able to use it, because the authentication process would reveal that (1) the card involved is supposed to have the card-specific chip in it and (2) that chip is missing from the attempted transaction. 

Deployment
Merchants who plan to use the new cards are facing some high costs to upgrade, as each EMV-capable terminal is estimated to average between $500 and $1,000.  However, the industry has created an interesting “forcing mechanism” to encourage their use.  They have done so with a shift in who will bear the cost of a fraudulent charge.  Generally, a card holder (the customer) is responsible only for the first $50 of phony charges if the charge is caught within a reasonable period of time.  The issuing bank must cover the balance of the cost.  Under new rules applicable last month, some of that responsibility can shift to the merchants if they choose not to upgrade their equipment, and continue to use the older technology.  That shift is delayed until 2017 for “pay at the pump” gas station card readers, which explains why most of us have not seen them there.

Debit cards are also getting in on the action, but a much smaller percentage of debit cards have been outfitted with chips.  Interestingly, a type of two-way authentication has been used with debit cards to a lesser degree for many years, because the merchant’s system utilizes real-time communication with the issuing bank to determine whether the customer has a large enough balance to support the new charge.  As debit cards are issued with chips, the authentication will accomplish even more.

Conclusion
In layman’s terms, the credit card industry essentially provided us with updated cards sprayed with a big can of Fraud-be-Gone.  If history is a guide (and it should be!) hackers in time will figure out a way to frustrate this new protocol.  In the meantime, these new EMV cards are far more secure and hopefully will allow us to remain one step ahead of the hackers!

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.