Recently, you may have received a new credit or debit card from your bank with an embedded microchip and been wondering what that new chip does. In the last year, more U.S. banks have been issuing EMV (Europay, MasterCard, Visa) credit cards. Much has been written about this fairly obscure change, but I am not sure just how much of this information has filtered through to the average consumer. While this is not strictly a travel issue, because I cover reward credit cards and because there are definite advantages to EMV cards for Americans traveling overseas, I feel compelled to touch on this shift in the payment landscape. Also, since my day job is in the FinTech industry, this is a topic of interest to me. So, today I want to offer a primer on the background of this change and how the new cards will impact and benefit you, the user.
Why U.S. cards are being replaced with EMV versions
EMV credit cards are not new technology. Chip cards were introduced in France in 1992. In fact, the United States is one of the "few industrialized nations that have not fully transitioned to this technology standard." The goal of EMV technology is to combat fraud, because the magnetic stripe technology that we have used for years has very weak security. The EMV standard plugs this hole by means of a far more robust authentication process that enables banks to verify the authenticity of the credit card itself. In the UK, the value of fraud from counterfeit cards, the type of fraud often resulting from stealing card data from magnetic stripe cards and using that data to make counterfeit cards, was down 63% from 2004 to 2014 (though there has been an uptick in recent years). Since EMV is a superior standard for card data security, you may be wondering why U.S. banks haven't been on board with EMV long before now. Let's take a look at the motivators driving this transition.
Why is the US beginning to roll out EMV cards now?
The U.S. has issued EMV cards before this year, but the number of U.S. bank-issued EMV cards is set to surge by 500% in 2015 (see infographic to the right). This acceleration is due primarily to a change in how liability is apportioned for credit card fraud. It's important to understand a little bit about how credit card payments are accepted and processed to understand how this "liability shift" is pushing this migration.
There are three main players in a credit card transaction: the merchant, the card processor and the bank that issued the card. The merchant is responsible for choosing a processor and obtaining the necessary credit card readers for their point-of-sale locations. Before October 1, 2015, the issuing bank bore the responsibility for chargebacks resulting from fraud. While EMV cards could have made a dent in fraud long before this date, most merchants did not have the necessary payment equipment or infrastructure to handle EMV cards, nor were they financially incented to change to this equipment since they were not on the hook for fraudulent charges. However, that all changed on October 1 when liability began to fall "to the party, either the issuer or the merchant, who does not accept EMV." All of a sudden, banks had incentive to issue EMV cards knowing that many retailers, facing higher fraud exposure, would upgrade their payment terminals to accept the more secure standard.
How does EMV make transactions more secure?
So how does this new card create a more secure transaction environment? The video below from the EMV Migration Forum provides an overview of the new authentication process. The explanation is a bit technical but in a nutshell the scheme revolves around a cryptogram key stored on the EMV chip that is not shared with the merchant at the time of purchase.
The microchip on the new cards contains all the card data that formerly was stored on the magnetic stripe. When a purchase is made, certain data from the card is combined with the purchase information. Using this combined data and the card's cryptogram key, a cryptogram is created and sent, with all of the card and transaction information, to the payment processor. Note, the cryptogram key is not sent with the other card data. The next step is for the card issuer to verify the authenticity of the EMV chip.
The card issuer has a copy of the cryptogram key and uses this with the data transmitted from the merchant to verify the authenticity of the request as well as the credit card that was used for the transaction. Taking the same card and transaction data used by the payment terminal to generate the cryptogram, the card issuer generates its own cryptogram using its stored copy of the cryptogram key. If the resulting cryptogram matches the cryptogram transmitted from the merchant, the bank knows the card is authentic and approves the transaction.
The crucial part of this process is not transmitting the cryptogram key to the merchant and payment network. Since the key is never stored by any of the systems between the credit card terminal and the issuer, even if a merchant's servers are penetrated, hackers cannot get a critical piece of information that is required to process all in-person EMV transactions. Therein lies the security improvement.
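The generate-and-verify exchange described above can be sketched in a few lines of Python. This is an added illustration, not code from the EMV specification or from any bank: HMAC-SHA256 stands in for the MAC algorithm a real chip uses, and the per-card transaction counter, the terminal nonce and all function and field names are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, pan, counter, amount_cents, nonce):
    # Card data combined with purchase data, then MACed with the card's key.
    # HMAC-SHA256 is a stand-in here; real EMV chips use a different MAC.
    msg = f"{pan}|{counter}|{amount_cents}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def card_request(key, pan, counter, amount_cents, nonce):
    # What leaves the terminal: data plus cryptogram, never the key itself.
    return {"pan": pan, "counter": counter, "amount_cents": amount_cents, "nonce": nonce,
            "cryptogram": make_cryptogram(key, pan, counter, amount_cents, nonce)}

class Issuer:
    def __init__(self):
        self.keys = {}          # pan -> issuer's copy of the card key
        self.last_counter = {}  # pan -> highest counter already approved

    def issue_card(self, pan):
        self.keys[pan] = secrets.token_bytes(16)
        self.last_counter[pan] = 0
        return self.keys[pan]

    def authorize(self, req):
        key = self.keys.get(req["pan"])
        if key is None:
            return False
        expected = make_cryptogram(key, req["pan"], req["counter"],
                                   req["amount_cents"], req["nonce"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False        # wrong key, or data altered after the card signed it
        if req["counter"] <= self.last_counter[req["pan"]]:
            return False        # this cryptogram was already used once
        self.last_counter[req["pan"]] = req["counter"]
        return True

def demo():
    issuer = Issuer()
    pan = "4000000000000002"    # constructed sample card number
    key = issuer.issue_card(pan)
    genuine = card_request(key, pan, 1, 2599, secrets.token_bytes(4))
    no_key = card_request(secrets.token_bytes(16), pan, 2, 2599, secrets.token_bytes(4))
    return {"genuine": issuer.authorize(genuine),
            "replayed": issuer.authorize(dict(genuine)),
            "altered_amount": issuer.authorize(dict(genuine, counter=2, amount_cents=99999)),
            "card_without_key": issuer.authorize(no_key)}

if __name__ == "__main__":
    print(demo())
```

Only the genuine request is approved: everything a merchant system sees (card number, amount, cryptogram) is not enough to produce a second valid cryptogram, because the key never left the chip.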
How EMV Cards Impact and Benefit Users
A new way to read your credit card
So you have a shiny new EMV card that just arrived in your mailbox. Now you understand why this card showed up there, but you are probably wondering how this impacts you. The good news is that the change to how you use a credit card is minor. The worst impact is a slightly longer check-out time with an EMV versus magstripe card. Says Owen Wild of NCR, "If a typical transaction is three to five seconds, what we've seen with the chips is five to 10 seconds...It will have an impact on lines ... especially in high-traffic areas." Speaking from personal experience at several merchants who have already implemented new readers in recent months, the delay is barely noticeable. In fact, I never really thought about it until I read Wild's comment. More noticeable is how you interface with the card reader. The days of swiping your card are numbered.
Again, refer to the infographic above. When you use an EMV card reader, rather than swiping your card, you will insert it, chip-side up, into a slot in the bottom of the reader. You will leave it there until the machine instructs you to remove it. For most U.S. card issuers, you will still be required to sign for your charge. EMV actually supports multiple "second factor authentication" methods at the point-of-sale. (The second factor is a second verification that you are an authorized user of the card. The first is physically having the card and the second includes some indicator unique to or known by you.) Most U.S.-issued cards will use chip-and-signature which will continue to require signing a charge slip or the credit card reader. However, a few U.S. banks issue cards that require a PIN code, much as you use at an ATM, to be typed in at the card terminal. These are known as chip-and-PIN cards. Some banks have a card that uses chip-and-signature as primary but can default to chip-and-PIN when signature is not possible.
Fine, but how does any of this benefit ME, the customer?
I could not blame you if you are still asking "What's in this for me?" For most people, honestly, not a lot. Sure, there will be a minimal chance that a hacker will be able to generate a counterfeit EMV card, but it would be false to think that the risk of compromised card numbers will drop to zero in the near future. I have already had one EMV card replaced by my bank within the first few months of having opened my account. I have noticed that more and more cards are using unique designs (or painful ones...looking at you, Citibank, for always confusing cashiers with your goofy magstripe on the front of your Citi Prestige and Citi Thank You Premier cards!) but most people probably could not care less what their card looks like so long as it works. The group that stands to gain a lot are international travelers.
Though most foreign countries have long been on the EMV standard, you can still use your U.S. magstripe card in most places where a human accepts the card. When I was in Europe last year, I did not yet have an EMV card and I routinely was able to have a merchant swipe my card successfully. What posed a problem were automated devices such as kiosks and ticket machines that required an EMV card. In London, if I wanted to add value to my London Underground Oyster card, I had to go to the window and have the agent process my transaction, a problem if the window was closed. In theory a chip-and-signature card is not sufficient for these automated terminals as they have historically required chip-and-PIN. However, this appears to be changing. From Chase:
I successfully used my Chase Sapphire Preferred card at multiple ticket machines in the Paris metro in late June, ahead of the deadline Chase mentions on their website. In fact, I do not recall even being prompted for a PIN. I did discover that my Citi Prestige EMV card did not work on similar machines. If you are going overseas, having multiple EMV cards might not be a bad idea if you know you will have to use unattended payment terminals.
Like it or not, the next generation of credit cards is going to become the standard in the United States. If the merchants you frequent have not started using EMV-compliant readers, that will likely change soon. Change can be jarring, but in this case the changes are not dramatic and most consumers should acclimate to the new process rapidly.
Have you received new EMV cards? If you have experience using them, please share in the comments below!