By Paul Muschick
The Morning Call (Allentown, Pa.).
You may not have noticed much difference if you used your credit card at a store Thursday, but it was a big day for banks that issue cards and for merchants that accept them.
This is related to the new cards you may have received in the mail from your bank. They have a computer chip embedded in the front and are designed to reduce fraud stemming from data breaches.
As of last Thursday, with a few exceptions, businesses that aren’t equipped to read the new cards will eat the cost of fraudulent retail purchases, instead of banks automatically accepting that responsibility. Banks still will cover fraud on cards that don’t have chips until those cards are phased out.
For cardholders, nothing changes in that department. You still won’t be liable for unauthorized charges. But you will have to get used to the new technology.
Instead of swiping the magnetic stripe on your card through the edge of the machine, you must insert a chip card into the machine and leave it there until it’s read, and then sign.
“It’s going to take a little bit longer,” said Doug Johnson, senior vice president of payments and cybersecurity policy at the American Bankers Association.
Tami Cohorst, chief operating officer at Abtek, a credit card processing and merchant account servicer in Detroit, told me it will take about eight seconds for a chip transaction compared with about three seconds for a swipe transaction.
While that doesn’t sound like a big deal, she foresees the potential for checkout lines to back up, as more chip cards and readers are rolled out amid the holiday shopping season and cardholders and clerks adjust to the new technology.
Wells Fargo is sending customers instructions with their chip cards and working with retailers to help them understand the new technology, said Heidi Detweiler, a retail small business credit consultant for the Lehigh Valley in Pennsylvania. The bank also has guidance on its website.
Don’t expect every store to have new card readers in place immediately, though, or for your mailbox to be full of updated chip cards.
This change is being driven by the marketplace, not by a law, and will proceed at whatever speed banks and businesses deem necessary. With the liability shift, there are consequences for both banks and merchants that lag behind.
Cohorst believes banks and businesses will move faster if they hear from cardholders who are concerned that chip cards or readers aren’t available. While cardholders aren’t liable for fraudulent charges, they still suffer the headache of canceling compromised cards or recouping drained bank accounts. So they have an interest in making sure the best technology is used, she said.
I’ve seen varying accounts about where retailers and banks stand in rolling out that technology.
Johnson said about 70 percent to 75 percent of credit cards and about 30 percent to 40 percent of debit cards are expected to have chips by the end of the year.
A study by Wells Fargo a few months ago found that only 31 percent of business owners surveyed had chip-compatible card readers in place. Of those that didn’t, only 29 percent intended to get them by Thursday, while 21 percent said they don’t ever plan to upgrade.
The National Retail Federation says most major retailers and many smaller merchants have installed the equipment, but many haven’t been able to get it activated because of bottlenecks such as delays in the certification process by card companies.
The federation said many retailers and consumers consider the chip cards to be an inadequate response to fraud because the cards don’t come with a second layer of security common in other countries, a personal identification number.
“The chips partially address the issue of counterfeit cards, but do nothing about lost or stolen cards because thieves will still be able to sign any illegible scrawl to ‘prove’ that they are the cardholder,” Mallory Duncan, a senior vice president at the National Retail Federation, said in a statement a few weeks ago. “More importantly, sophisticated criminals can circumvent the chips, so a chip alone is not foolproof.”
The haphazard rollout of the new cards and terminals may have you wondering whether the card you have will be compatible with the equipment at the stores where you shop. Don’t worry about that.
The new chip cards also have a magnetic stripe, so you can swipe it in the old readers if new ones aren’t in place. If the store has a chip-reading terminal but your card doesn’t have a chip, the terminal will read the stripe.
The goal is for cards eventually not to have magnetic stripes, because that’s the component manipulated by identity thieves. But don’t expect stripes to disappear from cards for a while, until updated terminals are widely in place.
Card information is stored on the stripe. When a checkout terminal reads that stripe, the information is transferred into the merchant’s system. If that system is breached, your card data are stolen and can be used to create a counterfeit card.
Chip cards are designed to prevent fraud because the updated terminals will process your purchase on the chip, not the stripe. The chip creates a unique numeric code to represent the transaction, and that number is what’s stored by the merchant. That information is useless to a data thief because the code doesn’t contain any pertinent data.
The cards won’t prevent data breaches, The thinking is that hackers won’t get away with as much.
“Cards with chip technology are extremely difficult to counterfeit or copy,” Detweiler said.
This won’t mean the end of credit card fraud, though.
The updated terminals won’t block counterfeit or stolen cards from being used to make purchases. All that changes is who is responsible, the bank or the retailer, for covering those charges.
The new cards also aren’t any safer when used to make purchases online or by phone, as those transactions still require you to provide your card number.
Paul Muschick of The Morning Call (Allentown, Pa.) helps consumers fight errors, incompetence and arrogance by businesses, governments and institutions.