Posted by on April 17, 2015

Pay for Stuff Safely

chip-n-pin-image-of-credit-cardPay for Stuff Safely: a reader asks…

Hi Chris, I just received a new credit card with a microchip embedded in it. Can you tell me how this makes for safer purchasing? Are there other options that are safer? Thanks!

These new credit cards are rolling out in the US to meet an October 2015 deadline by the major credit card issuers for increased security. This is similar to the EMV smart card that’s been in use for many years outside the US (for example, France has had this system in place since 1992). As of October 2015, the credit card issuers will transfer liability for fraudulent use to businesses that have not instituted either Chip & PIN or Chip & Signature (or other secure payment methods like Apple Pay, Google Wallet and the forthcoming Samsung Pay).

The first thing you should check is if your new credit card is a Chip & Signature, or a true Chip & PIN card. The latter are in common use outside the US, but many US credit card issuers are giving out Chip & Signature cards, which is a poor compromise in security – anyone can forge a signature when using a stolen credit card. And your new card still has the magnetic stripe for use when the store you visit doesn’t have the new chip-enabled credit card terminals. That stripe still contains the same credit card information as your old card. For online and telephone purchases there’s no difference from the old cards, you’ll still read out or type in the same information you’ve always done.

fair-credit-billing-act-cover-image-from-ftcdotgovIs it safer? Not for you: Your credit card has been protected from fraudulent use ever since the Fair Credit Billing Act was passed in 1974 and updated in 1986. That limits your personal liability to $50 as long as you notify the credit card issuer to dispute a transaction. Most issuing banks won’t even charge you anything as long as you report a stolen card promptly. Your new chip-enabled credit card doesn’t change that basic protection. This new technology is primarily intended to reduce fraud, which helps issuing banks and businesses, not you.

Presumably, the new card will reduce fraudulent use, but given the spotty way this new technology is being implemented in the US, I don’t have high hopes. Crooks are always finding creative new ways to circumvent security. Since our credit card issuers are keeping these new cards backwards-compatible with older systems (i.e., magnetic stripe), crooks will take advantage of that. Even if it does work to reduce fraudulent use overall I don’t expect this savings to be passed onto the consumer. Sorry to be pessimistic, but I look at this measure as a great way to improve the credit card issuing banks’ bottom lines.

It will change your experience with using credit cards, and not necessarily for the better. If you use your new credit card at a business that has the right equipment, instead of swiping your card you’ll insert it into an ATM-like slot which will read data from the microchip and verify that with your issuing bank to approve the transaction. You’ll either have to type in a PIN on the keypad, or provide your signature, depending on the card you have and the business’s equipment. I’m sure this will take longer than the simple swipe you’ve always used.

You’ll have to look at the credit card terminal when you check out at a store, as they may or may not have the new equipment needed to read chip-enabled cards. If there’s no slot to slide it in (looks like an ATM slot), then you’ll swipe your card the old way. But even the newer credit card terminals will have a swipe feature, so you’ll have to be alert to how you need to use your card at checkout.

For telephone and online shopping, I don’t expect much to change, you’ll still have to read or type in your credit card number, expiration date, probably the CVV code on the back, and some name and address information. As always, you should be careful when you use online shopping, check the URL address for the checkout pages to make sure there’s an https:// (not the plain http://) at the beginning, and stick with well-known online shopping sites.

Advertisement

Credit card fraud has been around as long as there have been credit cards. The magnetic stripe on the back of your credit card contains the critical information needed to complete a transaction – the type of card (VISA, MasterCard, Amex, etc.), your issuing bank, the card number and expiration date. That information is absurdly easy to obtain illegally including:

  • as it is entered into a business credit card system (think the Target, Home Depot and so many other successful hacking attacks)
  • stealing the credit card itself
  • using a 2nd card reader to record the information (think crooked waiters/waitresses who have your credit card for minutes out of your sight)
  • as you enter it into an unsecure or fake website (a website with http:// versus https:// in the URL bar when you’re on the payment pages, and websites that look exactly like a legitimate business but the URL is slightly different)
  • using a sensitive magnetic device that gets within a foot or so of your credit card (think crowded areas or street sidewalks) to read the data off the magnetic stripe.
  • a holdup artist who accosts you at an ATM or forces you to go to an ATM to withdraw money

A chip-enabled card isn’t going to make much of a difference in any of these examples. But you don’t need to worry much, you’re still protected from fraudulent use as you’ve been since 1974. This new technology doesn’t weaken that.

apple-pay-on-an-iPhone-image-from-appledotcomSafer alternatives to purchasing with a chip-enabled credit card are a trade-off. Using cash can be risky because your purchases aren’t protected like they are with most credit cards, and any thief can steal your cash as easily as a credit card and with total impunity when using it. I have high hopes for new mobile payment solutions where you use your smartphone instead of the credit card itself. I last wrote this article about Apple Pay, and sooner or later you’ll see Samsung Pay being accepted. But for right now, you can’t use mobile payments everywhere, so you’ll still need that credit card. There are two great things about mobile payments (particularly the way Apple Pay is implemented) that make things a lot safer for you:

  1. Mobile payments require 2-factor authentication (something you have and something you know or are) in order to work. If your smartphone is stolen, the thief can’t use mobile payments because a fingerprint or PIN is required for every transaction.
  2. Mobile payment apps on your smartphone don’t have your actual credit card information stored – instead it creates a ‘one-time-use token‘ , a code that is authenticated by the mobile payment system. This is a unique code for each transaction that’s useless once it’s been used. So stores and businesses will not have your credit card information. If they get hacked, the thieves won’t get usable credit card information.

Chip & PIN cards will at least have that 2-factor authentication feature going for them, although it’s still to be seen if a PIN will be required when that card is used on an older magnetic stripe card reader. The real way to deter fraud in credit card use is to replace credit card numbers with one-time-use codes, which prevents fraud at the point of sale. There are still vulnerabilities, such as how credit cards are added to a mobile payment solution, so there’s no magic bullet. But I believe mobile payments are the best solution to credit card fraud today.

It’s going to take a number of years for mobile payments to go mainstream, and for true Chip & PIN cards to become the norm here in the US. So for now, you can continue to depend on the Fair Credit Billing Act (you can read it here) to protect you from fraudulent credit card use. In addition, you should practice safe ways to monitor your credit card use so you can report fraud immediately, I have some tips in this article.

This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount via Click or tap to open a new browser tab or your Venmo app and send money via Venmo to @positek (send to @PosiTek), Click or tap to open a new browser tab or your Paypal app to send money via your Paypal account to support@positek.net (send to Support@PosiTek.net), Click or tap to open a new browser tab or your Paypal app to send money using your credit card to support@positek.net (no Paypal account required) using any credit card (no Paypal account required), using Zelle, Apple Pay or Google Pay, or by mailing a check or cash to PosiTek.net LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thank you!

Go to Top of Page

Share This

Author: Your Tech Coach at PosiTek.net
There are currently 1277 reader comments on published articles, care to join in? Use the Leave a Comment form below/at the bottom of any existing comments. This is a good place to ask follow-on questions on this subject.

Leave a Comment

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

This site uses Akismet to reduce spam. Learn how your comment data is processed.