Those annoying, beeping and longer stays at the checkout counter when inserting a chip credit card into a clunky machine that may or may not work are paying off in one big way — less fraud.
Chip cards, also known as “EMV” cards for the three companies that developed the technology: Europay, MasterCard and Visa, have decreased counterfeit fraud, according to Visa. Most U.S. consumers became familiar with chip cards for their debit or credit cards in 2015, when U.S. banks started requiring retailers to have them or be held liable for in-store fraud.
Counterfeit fraud at U.S. chip-enabled merchants is down 70 percent from December 2015 to September 2017, Visa reported in December 2017. During that time, the number of Visa chip cards in the U.S. has increased 202 percent to more than 481 million cards, which is about 67 percent of all Visa credit and debit cards.
Though not everyone with a credit card or debit card has a chip card, those who do have that little metallic square on their cards use it often. In December alone, EMV chip cards accounted for 96 percent of all U.S. payments, Visa says.
Chip cards replaced magstripe technology from the 1960s that was less secure and could be copied or “skimmed” more easily by thieves. Chip cards prevent fraud by generating a unique one-time code every time they’re used. The feature is virtually impossible to duplicate in counterfeit fraud, according to Visa.
Some chip readers require users to enter a PIN, or personal identification number, to verify their identity. Others require a signature, which is less secure.
The annoying part of chip cards
Most cards have both chips and magnetic stripes, allowing consumers to use both the new and old technologies. Why have both? Because some chip readers at merchants don’t work. And not all merchants accept EMVs. Nearly two-thirds of U.S. stores use chip cards, Visa says. And if they do have them, the new machines don’t always work.
You’ve probably experienced the frustrations of using an EMV chip card: After wondering if you should swipe or insert, you insert the chip into a machine that may wobble around, waiting for what seems like eons for the transaction to go through.
Like a dog waiting for a treat, you’ll watch for the “Do not remove your card” message on the credit card reader to change to “Remove your card.” Wait for half a second too long for the message to remove your card, and it will start beeping at you like you’ve just robbed a bank.
But there aren’t chip readers online
While chip cards seem to be doing their job at physical stores in preventing “card present” fraud, they can’t do anything to prevent online theft in CNP fraud, or “card not present” fraud.
If you’ve ever gotten an email or alert from your bank or credit card provider telling you that your personal information may have been hacked and possibly compromised online, then you could be the victim of CNP fraud.
CNP fraud is taking up much of the slack that chip cards created by lowering counterfeit fraud. By stealing payment card information online, hackers have moved data breaches to an all-time high last year, up 45 percent from 2016, according to the Identity Theft Resource Center.
Nearly 20 percent of the 179 million records exposed last year resulted in exposed payment card information.
In October 2015, when chip cards started gaining wide use in the U.S., the FBI issued a warning that EMV cards could still be lost or stolen and used in stores or for online or telephone purchases when the chip isn’t physically provided to the merchant, or a CNP.
“Additionally, the data on the magnetic strip of an EMV card can still be stolen if the merchant has not upgraded to an EMV terminal and it becomes infected with data-capturing malware,” the FBI said. “Consumers are urged to use the EMV feature of their new card wherever merchants accept it to limit the exposure of their sensitive payment data.”
In CNP fraud, criminals steal all of the card details except the data stored on the chip. These are details used in online forms when shopping online: card number, holder’s name, expiration date of card, and the CVV code.
Web-based malware installed on online stores is the most common method of stealing identifying data.
Another type of CNP fraud is account takeover attacks, or ATO. Breaches at third-party services allow crooks to use leaked passwords to shop online fraudulently. Payment card details that are saved in an account profile can be used to fraudulently buy something without having the card data in hand.
The FBI recommends reviewing statements for irregularities, promptly reporting lost or stolen credit cards to the issuing bank, and shielding the keypad from bystanders when entering a PIN.