Editor’s Note: This rollout of new credit card technology will be gradual. The Town Crier will follow it as it progresses and will be interested to hear from both merchant and card user issues as they develop.
Beginning Thursday, Oct. 1, in order to tamp down credit card fraud, United States credit card giants MasterCard, Visa, Discover and American Express will begin transitioning to a system currently in place in Europe – a system that has dramatically reduced fraud costs to credit card issuers.
Rather than swipe and sign in face to face transactions, a ritual as familiar to U.S. consumers as handing over cash, MasterCard, Visa, Discover and American Express credit card users will transition to what is called the EMV system (“Europay, Mastercard, Visa”).
The new system is hinged on three key factors: use of credit cards with an embedded microchip containing security data, not a magnetic stripe; a credit card reader into which credit card users insert their card – a reader that can authorize the transaction independently from having to communicate with the issuing bank’s systems; and entry of a customer’s pin number. During the transition in the U.S., even with EMV cards, both chip and pin and chip and signature transactions will be allowed, depending on the verification method tied to the EMV card. The mandatory entry of a pin, standard in Europe, will not be required immediately in the United States.
The reason for the change, which adds new key security factors to purchases, is that the United States currently accounts for more than half of credit card fraud world-wide – fraud charges that credit card issuers have largely had to assume.
The key difference with the two cards is that data in magnetic strips can be copied, allowing counterfeiters access to information that can be used repeatedly for fraudulent transactions. With a micro-chipped card, every time the card is used for payment, the microchip creates a unique transaction code that cannot be used again. If a hacker stole the chip information from one specific point of sale transaction, a subsequent transaction would not work because the coded transaction number could not be used again. The new transaction would be denied.
The shift on Oct. 1 is called in the industry “the liability factor.” Beginning on that date, according to Mastercard’s Carolyn Balfany, head of product delivery, whoever has the lesser technology will assume financial responsibility if there is fraud in face to face transactions. For instance, if a retailer is still using the old system, they can still run a transaction with a swipe and signature. But they, the merchant, will be liable for any fraudulent transaction if the customer has used a micro-chipped card in a face to face transaction. The opposite is also true. If the merchant has a new terminal, but the credit card bank has not issued a chip and pin card, the issuing bank would be liable for any fraudulent transaction.
The “liability shift” is designed to move retailers and merchants to invest in the new technology as well as move card issuers to switch to chip and pin cards. As banks issue new chip and pin cards to consumers, they will explain use and benefits.
For merchants and financial institutions, the change to EMV entails adding new in-store technology with internal processing systems and complying with new liability rules. For consumers, it means activating new microchip cards when issued and understanding new payment processes.
Smart Card Alliance estimates that 120 million American consumers have already received an EMV chip card. That number of cards is projected to reach 600 million by end of 2015. The chip is a small metallic square on the card.
EMV card use is not as rapid as magnetic strip swiping. When the card is inserted into the reader, data flows between the card chip and the issuing financial institution to verify the card’s legitimacy and create the unique transaction code.
For now, what is reasonably clear is the liability shift. If an in-store transaction is conducted using a counterfeit or stolen card, the loss has in the past usually fallen on the payment processor or issuing bank. Starting Oct. 1, for MasterCard, Visa, Discover and American Express cards, the liability for “card present fraud” (used in face to face transactions) falls on whichever party is the least EMV compliant.