emv_credit_card

Valerie Potapova/Shutterstock

Security


As Congress gets ready to hold hearings starting Tuesday on the credit card security breaches at Target and Neiman Marcus, and how they were carried out, expect a lot of discussion about EMV cards.

EMV cards, or Europay, MasterCard and Visa — more commonly referred to as “chip and PIN” cards — are new, more secure credit cards that are widely adopted outside of the U.S. The card includes a chip like the one you see in the image above that protects transaction data in a way that magnetic strips on existing credit cards do not.

Last week I chatted with Carolyn Balfany, Senior VP at MasterCard and head of its EMV technology efforts, for a quick download on what to expect. In the U.S., EMV card technology is being phased in between now and the fall of 2016. And while it won’t necessarily eliminate credit card fraud, it will help curb the kinds of fraud that are common now.

There’s a chip on the card that adds an extra layer of security to the transaction itself. Magnetic stripe cards are trivially easy for criminals to copy. Chips are much more costly to fake. “We’ve never see mass-market scale counterfeit activity happen with chip cards,” Balfany told me. “When chip cards are rolled out, we tend to see fraud activity simply migrate to less secure markets.”

So when is it coming? The first big step occurs in October of 2015. That’s when the liability for covering the cost of fraud shifts away from its current system, where it generally falls to the bank issuing the card. “Under the new system, whoever has the least secure technology, whether it’s the bank or the merchant in the store, is the one who bears the burden for the fraud,” Balfany says.

The point, she says, is to encourage merchants to invest in new EMV-ready payment terminals on their checkout counters. If the merchant is still using old mag strip gear, it will be liable for paying for the fraud. If the merchant has upgraded, then the issuing bank is liable.

The next deadline, October of 2016, is when a second practice called “tokenization” gets rolled out for e-commerce transactions. Since no one wants to buy a specialized card reader for shopping online, an individual credit card number will be tokenized.

What this means is that every time you use your card with a particular online store, it’ll create a new number that’s both linked to your credit card number and unique to that vendor. So when you use the same card to buy something on Amazon, and then order dinner on Seamless, neither will be storing your actual credit card numbers, but their own individual tokens that stand in for your credit card number.

If someone were to obtain that token and use it for fraud, since it’s unique to a particular merchant, you’d have an easier time tracking the problem back to its source. This also means the bank doesn’t have to automatically issue a new card, bypassing the headache of updating every merchant you buy from with a new card number.

Best of all: The process is hidden from the consumer, so you don’t have to do anything different.




3 comments
spacnv8r
spacnv8r

Let's say a certain percentage of cc fraud is done with fake cards, and a certain percentage with CNP (card not present).  If you make the cards harder to copy, won't more bad people just shift to CNP transactions?


Marc (DarcFlii LLC)
Marc (DarcFlii LLC)

Amidst all of these issues, this is the perfect time for Coin to make its introduction right? *laughs*

Mog
Mog

You can wait until 2016 for the tokenization part of this if you like, or you can have something very much like it right now.  I use "Virtual Account Numbers" that I create for each online merchant with whom I create transactions.  After the initial charge, only that vendor will ever be able to use the number.  In addition, I can set the expiration date or dollar limits for each virtual account number.  It is a little bit of a hassle to create them, but I like the protection.  I know this is available on CitiBank cards, it may also be available with other providers.  (I don't work for Citi or any other bank, but I worked on a transactional SaaS site with lots of money moving through it, which prompted me to look for something like this...)  Its been working pretty well for 3+ years.

Follow

Get every new post delivered to your Inbox.

Join 292,703 other followers