U.S. Chip Credit Cards-Secure?
A reader asks…
Hi Chris, I just got a replacement credit card from my bank. This one has what looks like a circuit board embedded in it. Is this new card more secure than my old one?
I could also title this article “Think Chips and Dip are Secure?” The answer to your question is: for today, a flat-out no. For the next few years, the improvement is going to be little, if any. Eventually your chip card might enhance your security, but the way the U.S. banks and merchants are implementing this new technology pretty much assures us that it’s not being done to improve our credit card security – at least in the short-term. Here’s the skinny:
Look on the back of your new credit card – is there still a magnetic stripe? Of course there is! Your card has to be backwards-compatible so you can still use it where the new terminals aren’t (which is still many places), or where they haven’t been activated for anything but swiping. Anytime you use your card by swiping it, your card info is at risk. That’s because the card info is recorded by that merchant. And we all know that pretty much every merchant you buy from has been hacked – some multiple times.
When will this new technology benefit you? When the only way you can use your credit card is by ‘dipping’ it into a new credit card terminal and when you also have to enter a PIN to complete the transaction. At that point, your security is going to be significantly improved, since your card info won’t be held by merchants. Even a stolen credit card will be useless without the PIN. Since the chip method creates a one-time-use transaction code, the merchant never has your card number in their system, so hackers can’t steal it. As long as you can use your credit card in any other way, your account info is at risk:
- Telephone and online transactions – you can call a merchant or go to their website, order goods and services, and complete the transaction by simply giving them your card number, expiration date, CCV code, and perhaps your billing address or ZIP code. If a transaction can be completed with this information and the merchant gets hacked, your credit card can be fraudulently used.
- Swipe transactions – if you can swipe your card at a merchant to purchase goods and services in person, your credit card info can be stolen and fraudulently used.
- Chip & Signature – if you can use a chip terminal but simply sign to complete the transaction, your card could be stolen from you and used fraudulently.
- Brush-pass and embedded readers (think crowded trains and buses, busy sidewalks, malls, etc. and ATMs or any unattended terminal) – with the right equipment which a hacker can buy online for less than $100, they can read the magnetic stripe from your credit card from as much as three feet away, and then use that info to create a fake credit card with your info.
So who’s going to benefit from these new cards now? The issuing banks and credit card companies. That’s because on October 1, 2015, the rules change for fraudulent use of credit cards. Before, if a card was used fraudulently, the credit card company (Visa, AmEx, MC, Discover) absorbed the loss. Starting in a few days, the merchants will be liable for those losses unless they use a new chip-enabled terminal (or your bank will be liable, if it hasn’t issued you a chip card).
The only way a merchant can avoid loss due to fraud is by paying a lot of money to replace their existing credit card terminals with new chip-enabled credit card terminals, and then making sure that chip-enabled credit cards can’t use the old swipe method of charging. Only then will the credit card company absorb the loss of a fraudulent transaction. Of course, the new chip-enabled credit card terminals are very expensive, so merchants may have a tough financial decision to weigh – buy the new terminals or take the risk of paying for fraudulent use. You’ve probably noticed that many smaller merchants haven’t upgraded their terminals, and many may simply not do so right away.
Are you wondering why the U.S. banks and merchants aren’t pushing for more solid credit card security? A spokesman at MasterCard says Americans will have trouble remembering a 4-digit PIN. That’s laughable as all our debit cards have PINs. I’ve also heard that banks and merchants aren’t confident that Americans will accept such a drastic change to their purchasing habits and it would depress sales. Crap argument I say, give us Americans more credit (sic)! The reality is that many merchants just aren’t ready or willing to invest in the new equipment yet. So it will be some years before the adoption gets to the point that banks can drop the magnetic stripe.
It’s true that the process for using a chip card in a chip-enabled terminal is not as simple and quick as swiping. You have to insert your card and leave it in place till the transaction is complete. I predict that folks will get reminded to remove their cards till they get into the new habit. But that shouldn’t take too long, and really isn’t going to slow us down since we’re not leaving till the transaction is complete anyway.
One other problem with credit card security – your bank. Even if we all have only Chip & PIN cards and the magnetic stripe goes away, banks which hold our money are still vulnerable to hacking. There’s no such thing as 100% security, sorry. But with a Chip & PIN card (only used in chip-enabled terminals and with a PIN, not a signature), you’ll be a lot further ahead of where you are now.
I haven’t mentioned other mobile (aka contact-less) smartphone or watch transactions (Apple Pay, Samsung Pay and Google Wallet), because the security is already stronger than current methods (swiping your card). These mobile payments already use one-time-use transaction codes instead of your credit card number. So if you’ve got an NFC-enabled smartphone, by all means start using the mobile contact-less transactions everywhere you can.
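The one-time-use transaction code described above for chip cards and mobile payments, sketched as an added example (not code from this article or from any card scheme): a simplified model in which HMAC-SHA256, a shared key and a counter stand in for the real chip cryptogram, and `Chip`, `Issuer` and `demo` are hypothetical names. It contrasts what the bank does when a captured chip code is presented again with what it does when static card data is presented again.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a well-known test card number, not a real account.
PAN, EXPIRY = "4111111111111111", "12/27"


def _mac(key: bytes, counter: int, amount_cents: int, nonce: bytes) -> str:
    # Assumption: HMAC-SHA256 stands in for the card scheme's real cryptogram.
    msg = f"{counter}|{amount_cents}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Chip:  # card side: the key never leaves the chip, only derived codes do
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def sign(self, amount_cents: int, nonce: bytes):
        self._counter += 1  # a fresh counter value for every transaction
        return self._counter, _mac(self._key, self._counter, amount_cents, nonce)


class Issuer:  # bank side: shares the chip key, remembers the last counter seen
    def __init__(self, key: bytes):
        self._key, self._last = key, 0

    def authorize_chip(self, counter, amount_cents, nonce, code) -> bool:
        expected = _mac(self._key, counter, amount_cents, nonce)
        if counter <= self._last or not hmac.compare_digest(expected, code):
            return False  # replayed, stale or altered transaction
        self._last = counter
        return True

    def authorize_static(self, pan, expiry) -> bool:  # swipe, phone or web
        return (pan, expiry) == (PAN, EXPIRY)  # same values work every time


def demo() -> dict:
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(8)
    chip, bank = Chip(key), Issuer(key)
    counter, code = chip.sign(2500, nonce)  # a $25.00 purchase
    return {
        "chip_first_use": bank.authorize_chip(counter, 2500, nonce, code),
        "chip_replayed": bank.authorize_chip(counter, 2500, nonce, code),
        "chip_amount_altered": bank.authorize_chip(counter + 1, 9900, nonce, code),
        "static_first_use": bank.authorize_static(PAN, EXPIRY),
        "static_replayed": bank.authorize_static(PAN, EXPIRY),
    }
```

Calling `demo()` returns the chip code approved once and declined on replay or when the amount changes, while the static card data is approved every time it is presented.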