Chip Cards: What You Need to Know
That little 3″ x 2″ piece of plastic in your wallet is getting an upgrade. That’s right, your debit card is getting a facelift.
Honestly, most of us don’t give a lot of thought to how that debit card works on a daily basis. For years, we’ve just swiped the card, typed in our PIN number, and headed home with our stuff.
Beginning late in 2015, that process started to change. Banks and financial institutions began rolling out the new chip debit cards. These MasterCard and Visa cards look like the ones you’ve used for years—the same numbers, logos, security number on the back and magnetic strip. So what’s new?
The real difference with these new cards is the small computer chip embedded in the front just above the first set of numbers. That little metallic microchip allows your card to “talk” to the latest chip-enabled point-of-sale terminals at your favorite stores.
Why All the Fuss About This Little Chip?
The standard magnetic strip cards we typically use in the U.S. are based on a 50-year-old technology. The magnetic strip stores your name, account number, the card expiration date and the security code from the back of the card. If someone stole your card or even just swiped it through a card reader, all of that information could be used for illegal purposes and even full-blown identity theft.
The new EMV chip cards, however, have been used in Europe since 1994 as an attempt to battle the high rates of fraud and counterfeiting. EMV stands for Europay/MasterCard/Visa—these companies have worked together to implement new, more secure technology. The card’s microchip creates a unique one-time-use code for each transaction. This makes the cards more difficult to counterfeit and makes them useless for onsite retail purchases if someone steals your card without knowing your PIN. It also prevents hackers from getting your account number in the event of a store’s data breach.
The unique one-time-use code created with each transaction makes the cards more difficult to counterfeit and makes them useless for onsite retail purchases if someone steals your card without knowing your PIN.
This has significantly reduced counterfeit card fraud, saving Europeans hundreds of millions of dollars. As a result, EMV chip cards have almost completely replaced the magnetic-strip cards in Europe and they’re gradually replacing them in Asia, South America, Canada and Mexico. In 2015, the U.S. started transitioning to the new EMV technology and has already seen a reduction in card fraud figures.1
It’s About Data Protection
You may think, But I’m super careful with my card. Why do I have to jump through these new hoops? Fair question. The problem is, though, that retailers may not be as careful with your personal information.
Take the recent Target data breach, for example. During the Christmas shopping season of 2013, hackers gained access to Target’s customer database. Over 60 million people had their personal information accessed including 40 million card numbers used by Target customers.2 That means all you had to do to put your personal information in jeopardy was buy one Christmas present using your debit card at Target.
If you were one of the victims, the good news is that Visa, MasterCard or the issuing bank was responsible for protecting you from fraudulent charges per their different protection plans. That was bad news for the banks, because they were out tens of millions of dollars in losses from covering those charges. In the end, the banks sued Target, and Target agreed to a $39 million settlement with several U.S. banks to reimburse them for their losses.3
That was the last straw for the U.S. banks who were tired of being on the hook for fraudulent charges because of outdated card security. In response, they started revising their policies and security practices, looking to use the European EMV model here in the states. Banks set a date of October 2015, and they encouraged American retailers to replace the outdated swipe-only card readers for the new chip-and-PIN terminals. That’s when things started getting confusing for all of us!
Who’s Responsible for Your Protection?
As of October 2015, the liability for card-present (a physical card used in a store) fraud shifted to whichever party is the least EMV-compliant at the time of the transaction. Three players could be liable:
- The retailer (where you shop)
- The card issuer (your local bank)
- The credit card company who backs the debit card (like Visa or MasterCard)
For example, if you use your debit card at a retail store that hasn’t updated its card terminal for the new chip-enabled security, the retailer is now responsible for any losses you incur if your personal data is stolen. The card issuer figures they’ve done their job in making the new security systems available, so if the retailer doesn’t take advantage of them, they’re on the hook for any mishaps.
However, if the store has updated their payment technology and your information is hacked, the card issuer (backed by the credit card company) assumes responsibility just like they always have.
These kinds of Target-style data breaches shouldn’t happen anymore if you’re using a new chip-enabled debit card at a chip-enabled point-of-sale register. The chip on your card doesn’t pass your actual card number to the retailer; instead, it creates a one-time-use number that’s only good for the transaction you’re making at that moment. Even if someone hacked the store’s database, your card number wouldn’t be on file, so you wouldn’t be in danger.
The chip on your card doesn’t pass your actual card number to the retailer; instead, it creates a one-time-use number that’s only good for the transaction you’re making at that moment.
Online fraud is another matter. Since the new chip cards have an actual card number printed on them, that’s the number you’d use to make purchases online. So, if someone stole your card number, they could make fraudulent online purchases on your account. In that case, the card issuer (backed by the credit card company) is liable for any illegal charges.
The Bottom Line
Generally speaking, your debit card issuer (your bank) assumes the main responsibility for your account and it provides fraud and purchase protection backed by Visa and MasterCard. Any debit charges you make are processed only by your bank—they aren’t processed through Visa or MasterCard whether you use your PIN at the point of sale or not.
If you file a fraud claim, though, the bank will probably check to see if the retailer bears the burden. That’s a fight between the bank and the retailer, however. On your end, the bank should refund any money lost due to fraud.
It’s also worth noting that this change is not the result of any new laws. There have been no new laws passed regarding chip-enabled cards. This is all coming from the banks trying to eliminate the fraud that costs them millions of dollars every year. The new EMV chip debit cards are the first step in that process.
This is all coming from the banks trying to eliminate the fraud that costs them millions of dollars every year. The new EMV chip debit cards are the first step in that process.
The Messy Middle
The most confusing part of this transition is that we’re currently in the “messy middle” of the chip-card transition. European banks have fully transitioned, so their cards have no magnetic strip at all. American cards, however, have both the chip and a magnetic strip right now. In a few years, American cards will also drop the magnetic strip and we’ll be fully transitioned. For now, though, not knowing when you should swipe or when you should insert the card into the chip reader is a pain, and there’s a good chance the clerk behind the counter won’t be informed enough to help you.
Knowing that, here are a few things to keep in mind during the chip-card conversion:
- If you’re using your chip debit card at a chip-enabled retailer, you probably won’t have the option of choosing “credit” at checkout. That’s good, though, because chip debit cards are much more secure when used with a PIN.
- If someone steals your physical card, they won’t be able to use it in a chip-enabled physical retail store unless they also know your PIN.
- Retailers are already supposed to have chip-enabled terminals in place, but gas stations have until late in 2017 to update their hardware.
- The microchip produces a unique one-time digital authentication code for each transaction when the card is verified with the user’s PIN. That means the retailer won’t even know your actual account or card number, meaning it can’t be hacked and stolen later.
Stay on Guard
Get in the habit of checking your account activity weekly to monitor transactions. As soon as you see something suspicious, call the bank that issued your debit card and alert them to possible fraud. Many card issuers, as well as Visa and MasterCard, provide extra measures you can use to protect your card information when making online purchases. If you shop online often, check into that information.
Of course, the rules for chip debit cards are likely to change as the technology changes, so you should always check with your bank to see exactly what their policy is and how you can best protect yourself. In general, you should have confidence when using your EMV chip debit cards because they provide the most secure transaction when used in combination with your PIN.