American shoppers, adept at swiping the stripe, soon will learn to dip the chip in malls and strip centers across the land.
We’re talking about credit cards, specifically high-tech ones with microchips inside to make plastic money more secure. Chip cards are everywhere overseas and finally emerging here in response to massive credit card data breaches such as the one at Target in 2013.
Expect to find chip cards in your wallet by year-end as card issuers roll them out, if one’s not there already. Chip cards have a small gold or silver rectangle on the front of the card just above the first four digits of the card’s number. It’s not the hologram of a dove found on many stripe cards.
It will help if someone shows you how to use them. Shoppers shouldn’t slide a chip card through the machine at checkout lines. They should insert, or dip, the chip card into a slot — and let it sit.
“When you put it in there, it kind of clicks. You can feel it,” said Bobbie Kuhns, who used her chip card last recently at a Wal-Mart grocery store in Kansas City, Kan.
More of us would be dipping chip cards already if this seemingly simple change weren’t so disruptive, and it certainly creates potential pitfalls such as leaving your card behind.
Experts, however, say retraining consumers will be worth it. Chip cards are nearly impossible to counterfeit even with stolen account information, in contrast to normal credit cards.
“America got a big wake-up call with Target, and everybody in the industry is very keen on fixing this problem,” said Carl Bradbury, director of consumer cards at Commerce Bank.
And if a chip card is lost or stolen, a second security measure can render it useless. Few American-issued cards, however, are set to deploy this second safety step, and that has some security advocates howling.
“We’re just not taking advantage of the technology given to us,” said John MacAllister, a semi-retired consultant to the payments industry.
New tech, new pitfalls
Big-store chains, notably Wal-Mart, are leading the retail industry toward chip cards.
As of Nov. 1 last year, every register at more than 5,000 U.S. Wal-Mart and Sam’s Club stores accepted chip credit cards. And every Wal-Mart and Sam’s Club brand credit card has a chip in it.
Target has set the goal of having chips in all its Target-branded RED cards this year.
Some smaller retailers are ready now.
Bob Jones Shoes in Kansas City has had chip card readers at its registers for more than a month.
Cashier Sharon Breshears admits she crumpled under the pressure of repeated calls from the company that sells the readers. Each day, a few customers with chip cards come into the store.
“Very few of them have used it as a chip card,” Breshears said.
That’s because credit card makers are still adding the magnetic stripe on the back of chip cards. It allows one card to work at merchants ready to handle chip-cards as well as those still stuck on swiping.
For now, Breshears shows customers how to use the new kind of card. Processing the sale takes a couple of minutes, supposedly no longer than processing a card transaction by swiping a normal card.
That’s true unless the customer inserts the card and then pulls it out right away, as he’s supposed to do with stripe cards at many gas pumps and automatic teller machines. Chip credit cards are different; they need to stay inserted until the sale is complete.
“This is going to take a long time to train the humans,” said MacAllister, the consultant.
By humans, MacAllister means clerk and consumer alike. His own run-in with a chip card came last September.
A shopper ahead of him at a self-check-out line swiped a chip card, and the register indicated the card needed to be inserted. He said the machine also wouldn’t read the chip, and the store clerk didn’t know what to do.
“There was no way she could get out,” MacAllister said of the shopper. “The line started getting longer and longer.”
How it works
Crooks have pretty much figured out the old credit cards that just swipe. And they’re creating financial mayhem.
A report from the Federal Reserve Bank of Kansas City last fall put the total for credit and debit card fraud at $3.8 billion.
Thieves have lots of ways to steal account information, and it’s relatively easy to put the coded information onto the stripe of a blank card or re-code an existing card with the new information.
Stripe cards are vulnerable because every time you swipe one it gives up key information crooks need to do their dirty work. Hackers have found many ways to intercept or steal this information, collecting data on millions of cards and card holders.
For example, Overland Park police are seeking help identifying two men suspected of putting a card reader inside a bank’s ATM, hoping to copy the stripe’s information every time customers withdrew cash.
Microchips make credit cards virtually impossible to counterfeit.
Chip cards do more than spew the standard account information that stripes deliver. The chip also generates and sends out a “cryptogram” that changes with each sale and is needed to complete the transaction with the bank that issued the card.
Even counterfeiters holding vital account information for a chip card would have no chip, no cryptogram and no chance for fraud.
“So far, the bad guys haven’t been able to crack this, and in Europe they’ve been going at it for a couple of decades,” Commerce’s Bradbury said.
Thieves still have a reason to steal account information on chip cards because so many merchants still don’t have chip card readers and allow shoppers to swipe the card’s stripe rather than dip its chip.
Merchants will want chip readers come October.
That’s when a new rule imposed by credit card companies Visa and MasterCard hits. It has to do with who’s liable when thieves get away with fraudulent transactions using a counterfeit card.
Visa has declared that banks that fail to get chips into customers’ cards by Oct. 1 will be on the hook for fraudulent transactions that involve using a counterfeit stripe card. Similarly, merchants who let customers swipe the stripe of a chip card after Oct. 1 will be stuck for those transactions that turn out to be counterfeit frauds.
Currently, banks generally are on the hook for fraud when counterfeit cards are presented to merchants and merchants generally are on the hook for online credit card fraud, which means no card is physically presented to the merchant.
Still, not all consumers will have chip cards in hand by the October deadline.
UMB Bank, for example, has no chips to offer new card customers today and expects to need all of 2015 to complete its switch.
“Everybody’s doing it, and the issuers have built queue lines,” said Mike Hagedorn, president and chief executive of UMB Bank.
Regional and smaller bank card issuers are behind the biggest banks.
Banks generally have waited to switch because it’s costly. A new card means plastic and mailing costs, plus the chips add to the expense.
The switch also has been delayed because merchants and bankers know their customers don’t know how to use chip cards yet.
“A lot of retailers are concerned that this is going to be too much of a learning curve for customers. They’re putting this off as long as possible,” said Brian Krebs, whose blog KrebsonSecurity.com tracks computer and Internet security. “And none of the banks want to be the hardest card to use in the wallet.”
PIN or sign?
The chip is only half the security. And many say it’s not enough.
Overseas, for example, consumers who dip the chip typically enter a four-digit number to confirm the charge. This PIN, or personal identification number, adds a second layer of security.
A lost or stolen card becomes useless because the finder or thief won’t have the PIN to enter.
The alternative is to handle chip card transactions the same way as regular card transactions, and require consumers to verify the transaction by signing their names.
Clerks are supposed to compare that to the signature on the back of the card, and ask for some identification. Of course, many don’t.
Wal-Mart’s chip card readers now ask for a signature to verify the transaction, spokesman Randy Hargrove said. This isn’t the giant retailer’s choice.
Hargrove said the bank that issues Wal-Mart and Sam’s credit cards isn’t ready to handle PIN verification. He said PINs are coming to Wal-Mart sometime this year.
“It’s just a more secure transaction,” Hargrove said.
Target has said it’s going with PINs for its chip cards.
Most banks are going with chip-and-sign cards. The concern many have is that card users won’t remember their PINs. This claim seems plausible once wallets fill with PIN cards and shoppers have to remember multiple PINs and which go with which card.
Some issuers are taking a chip-first, PIN-later approach to ease shoppers’ transition and keep them focused on one change at at time.
Given a choice, consumers “absolutely” should look for both a chip and PIN with their credit cards, said Odysseas Papadimitriou, founder of CardHub.com, which compares features of cards.
“And most importantly you want the merchants to start accepting them,” he said. “If you have a chip card and you’re swiping it everywhere it doesn’t help at all.”
To reach Mark Davis, call 816-234-4372 or send email to firstname.lastname@example.org.