Chip-driven credit cards bring new tech, new questions
Historically, banks that issue credit cards have usually been on the hook for payment card fraud, not consumers or merchants. Nothing is changing for consumers. But now merchants are at risk of getting stiffed if they don't use chip card readers, which can block a sale to a fraudster.
Firms relying on swipe-only card readers might not be paid for goods or services bought with counterfeit cards, which crooks can produce with relative ease.
That prospect was just a little too scary for Heppner's Auto Body, which started converting a year ago to chip readers at its six shops.
Heppner's Vice President Laura Klatt Jacobson said she didn't want her shops getting slammed for big repair bills that people might stick on counterfeit cards.
Create a More Connected Minnesota
MPR News is your trusted resource for the news you need. With your support, MPR News brings accessible, courageous journalism and authentic conversation to everyone - free of paywalls and barriers. Your gift makes a difference.
"I figured get protected now and give our customers a more secure transaction," she said. "They're not charging $4 or $5. They're charging their deductible, from $500 to $1,500. Or maybe they're paying out of pocket and they're spending a few thousand dollars."
Other merchants aren't in any hurry to get chip-card readers.
Andy Remke, one of the owners of the Black Dog Coffee and Wine Bar in St. Paul's Lowertown neighborhood, hears daily from companies urging him to spend hundreds of dollars to upgrade his card readers.
"It's a lot of, 'Oh, the whole world is changing on Oct. 1,'" he said. "They want to create a sense of urgency, a security concern."
But as Remke sees it, small, independent operations like his aren't going to be main targets of people committing credit card fraud. Big box retailers are the most likely targets, he says.
Those companies know that.
"We're seeing every day more large retailers announcing they're capable of accepting these chip cards," said Brian Dodge, spokesperson for the Retail Industry Leaders Association, a trade organization representing the nation's largest retailers. "Retailers are estimated to be making an investment of more than $8 billion to accept these cards."
Best Buy says it'll have new card readers in virtually all of its some 1,400 stores on Thursday. The remaining stores will be brought online within a few days.
Target, which endured an expensive and embarrassing data breach in 2013, has installed chip card readers already. The company's replacements for Target-branded credit and debit cards not only contain chips but also require customers to enter personal identification numbers to authorize transactions at Target stores.
Big retailers would like to see all card issuers do the same.
"Adding a chip to a credit card is a half-step," said Dodge, with the retail leaders association. "It will secure the cards in a way that the mag stripe does not. But with sophisticated criminals behind cyber-crime we need to have the best security in the world in order to stay ahead of them."
Banks and credit unions contend most consumers don't want PINs and they wouldn't add much protection against fraud.
The payment card industry is working on other security measures that it says would be just as, if not more, effective than PINs in combating fraud. Those initiatives include using a cell phone to match up a cardholder's location with the location of an attempted purchase.
Counterfeit cards account for two-thirds of in-store fraud, according to Visa. It's easy to make the cards. The encoders and other equipment required are for sale on the Internet, and there is a steady stream of stolen card account information that can be copied to counterfeit cards.
Card issuers argue fraud from counterfeit cards will plummet once the vast majority of consumers and merchants switch to chip cards.
That's what happened in Europe, said Stephanie Ericksen, vice president of risk products with Visa.
"We've seen counterfeit go down by 60, 70 percent or more once we get a critical mass of actual chip transactions running through the system," she said.
Ericksen believes consumers will readily adjust to dipping the chip.
"When you insert your card into the terminal, the terminal will prompt you please leave your card in the terminal," she said. "When the transaction is done, sometimes they'll flash some lights or make a beep sound to let you know, in addition to the message on the screen, that it's OK to remove your card."
Cards will continue to have magnetic stripes for transactions with merchants lacking chip card readers. But if those old-style transactions are fraudulent, the merchant could be responsible for the rip-off.
Banks and other card issuers have made it a priority to send chip cards to high-spending customers and those who travel overseas. But it's estimated that at best maybe only a quarter of cards in circulation in the U.S. have chips.
"Issuers are betting they are not going to get hit that hard, and they will just take their time and re-issue cards in the normal reissuance cycle," said David Robertson, publisher of the Nilson Report, which tracks the payment card industry.
Robertson says chip cards will shift credit fraud from stores to online merchants. The security features of the new cards don't protect online transactions, since the physical cards are not involved, just account information. One firm, Javelin Strategy & Research, has projected that online payment card fraud will rise by about half by 2018, forcing the payment card industry to ramp up defenses on the Internet.
Crooks will also focus on tricking card issuers into giving them legitimate accounts and genuine cards, good anywhere until the deceptions are discovered.
"That is why there are so many breaches that have to do with stealing personal data," Robertson said. "By actually getting a complete profile and then applying for a credit card, they have a real credit card."