FBI Warns About Chip Cards
This fall, one of the big milestones for implementing EMV chip card technology passed with a lot of fanfare, but not a ton of implementation. Merchants have been slow to upgrade their terminals, and card issuers have been slow to send out chip cards. Now an FBI Public Service Announcement (PSA) may slow these efforts further.
One of the reasons the industry wants to implement chip technology in the United States is to cut down on fraud, and there have been plenty of studies showing that once countries have converted to EMV, the amount of fraud has drastically gone down as well, as identity thieves can't easily hack into the valuable personal and account information stored on the chip at the point of sale.
However, the FBI points out that the EMV chip doesn't protect a cardholder from every type of credit card fraud. If a cardholder uses their card to make an online purchase and a hacker breaches an e-tailer, then that person's information still has been stolen, chip card or no chip card.
In its PSA, which it subsequently revised, the agency noted that EMV cards do offer more security than the magnetic stripe cards we're used to; however, just because a card has a chip in it doesn't prevent someone from successfully using a lost or stolen card, or for making card-not-present transactions, such as online or phone purchases.
The PSA also said, "Additionally, the data on the magnetic strip of an EMV card can still be stolen if the merchant has not upgraded to an EMV terminal and it becomes infected with data-capturing malware."
This means that even though the liability shift has taken place and if fraud occurs, a specific entity will get the blame. However, Joe Cardholder is still stuck with the fact that his identity has been stolen, and he has to deal with all of the typical hassle of identity theft, which at the very least involves closing his account, moving around any recurring payments and monitoring his credit history a little more stringently.
The FBI advised using the EMV chip whenever possible to pay, as that will mitigate some of the risk involved with using a credit card. If using the PIN feature, avoid inputting it in such a way that it's clearly visible to other people, as stealing PINs is another aspect of card theft that criminals use in order to use stolen cards at ATMs and get cash back on purchases used with the stolen card and PIN.
There may be other methods to help mitigate instances of fraud as well. In response to the FBI's PSA, the Electronic Payments Coalition (EPC) issued a statement with a reminder that "implementing EMV alone is not a panacea." Due to hackers' capabilities, the industry can't just think that EMV will solve all of the identity theft problems that happen with magnetic stripes. The EPC recommends using multiple layers of security, recommending that card issuers also consider adding in tokenization, encryption and biometrics in order to prevent theft at multiple points of sale, including both in person and online.
The EPC went on to say that securing card transaction data is only one half of the solution. Payment transaction networks also need to become more secure, as hackers go through them to get consumer data.
Some networks are already starting to look into these options. MasterCard has recently announced some tokenization offerings, and Visa recently started biometric authentication in relation to EMV cards.
How well EMV technology will slow down instances of fraud remains to be seen, and with its slow adoption, it may take a few years to fully realize the impact of this new technology.