Chip Cards and Security: Technology to Fight Fraud
December 5, 2016
Credit card fraud is a problem worldwide, but especially in the United States.
In 2015, according to research from Barclays, the U.S. accounted for 24% of total worldwide credit/debit card volume, but a whopping 47% of payment card fraud.
The reason for the discrepancy, security experts maintain, is that the U.S. was the last major world economy to transition to the latest in payment card technology: EMV or chip cards. Common in the rest of the world, EMV (which stands for Europay, MasterCard, and Visa, the three companies that originally developed the technology) has been responsible for a dramatic decrease in payment card fraud/counterfeiting — as much as 70%, for instance, in the United Kingdom between 2005 and 2013. Australia has reported a 38% drop in counterfeit fraud, while in Canada the figure is 49%.
Behind the chip
Until October 2015, most American consumers were still relying on outdated magnetic stripe technology. In a move to mitigate point of sale fraud, U.S. financial institutions implemented the EMV Liability Shift, which transfers fraud liability to merchants in certain cases unless they switch to chip-enabled cards.
The familiar magnetic stripe card is easy to hack. Several pieces of data, including the cardholder’s name, the card number, and the Card Verification Value (CVV), are encoded on the stripe. When a consumer swipes the card, the card reader extracts the data and sends it to the card issuer for validation. The route is not a direct one: data passes through the merchant’s point of sale (PoS) system (and sometimes the back office), the merchant acquirer system such as First Data or Heartland (and sometimes third-party processors), and payment networks such as Visa or MasterCard.
Because the information is static, hackers can easily intercept it and use it to make a duplicate card. They then use the fake cards to shop online or buy items such as gift cards or smartphones that can be sold for cash. Stealing the information off the magnetic stripe is known as counterfeit fraud, and it accounts for 37% of all credit card fraud in the United States, according to CreditCards.com.
By contrast, EMV cards contain a microcontroller that not only stores data, but it also executes logic the way a computer does. Data transfer is dynamic — purchase validations occur only between the card and the payment terminal, and the chip creates a unique transaction code that can’t be used again.
The cards also store a counter with each transaction. Duplicate or skipped counter values indicate potential fraud activities.
Hackers may try to steal the chip information, but typical duplication strategies won’t work. Like an expired password, the transaction number from a specific point of sale cannot be used again and a hacker who tried to use a fake card would find his purchase declined.
Fraud rates fall
As in other nations, fraud rates have begun to decline in the U.S. where chip cards are used, even though only 20% of card terminals were chip-compliant as of April 2016 and 60% of credit cards had been updated with chips, according to NerdWallet.com
Nevertheless, CreditCards.com reports that Visa’s numbers for chip-enabled merchants for May 2016 showed a 47% drop in counterfeit fraud — stealing information off of the magnetic stripe – compared to the previous year. MasterCard recorded a 54% decrease among its chip-ready merchants for the one-year period between April 2015 and 2016.
By contrast, MasterCard merchants who were still depending on the stripe saw a 77% increase in credit card fraud year over year for the same period.
If the cards work so well, why has the U.S. been slow to adopt them?
Cost is a significant factor. Sending consumers new cards and revamping the payment systems — everything from ATMs and registers to vending machines and ticket terminals — is expected to cost between $8 billion and $12 billion. With credit card fraud estimated at more than $5 billion a year, most banking and security experts consider the changeover a worthwhile investment.
Outwitting the chip
Chip cards are a big improvement, but no panacea in the fight against credit card fraud.
One reason that chip cards have been so effective in Europe is that consumers there use what are known as chip-and-PIN cards. Most American financial institutions have issued chip-and-signature cards, which are not as safe. Hackers can more easily forge a signature than find out a PIN, but banks thought using a signature would mean less confusion and a smoother transition for consumers. American shoppers were not used to using PINs with credit cards, the banks argued, and issuers did not want to be at a competitive disadvantage.
Many shoppers also complain the longer transaction time slows them down at the register. Chip cards, because of their more complex processing, require an average of fifteen seconds per transaction — nearly eight times as long as the magnetic stripe card readers. Fifteen seconds multiplied by all of the people in front of you in line can add up to a considerable amount of wasted time.
Finally, EMV cards can’t prevent all types of fraud. Phone or online purchases are not affected by chip technology. “Card not present” fraud – someone stealing your card and using it to buy things online – actually jumped 168% in the U.K. between 2004 and 2014, Time magazine reported, even as in-person fraud dropped.
About Maryville University’s online degree in cybersecurity
Maryville University offers both undergraduate and Masters degrees in cybersecurity, studying topics such as cryptography, cloud security, incident handling, and mobile device handling. Students can learn from anywhere, on any device, with the Maryville Virtual Lab as their training ground.