Dip, Dip, Hooray. How EMV chip cards protect merchants & consumers.Gateway Guru
By now, we’ve all experienced the hassle that the new security chips in credit cards introduced to retail shopping. The checkout line at the convenience store will forever be, well, less convenient. What used to be a quick swipe of the card, now turns into a much longer ordeal – dipping the chip into the reader, waiting for a response, and dealing with many before you in line that still can’t remember which way to insert their card.
Being directly involved in the industry, I am frequently asked how exactly the new EMV chip works, and why it really helps fight fraud. So I thought I would spend a few minutes to explain.
Background of Fraud
There are 2 primary ways consumers shop – with a physical card and without.
When consumers shop online or by phone (referred to in the industry as CNP -Card Not Present), there are many safety checks that are used to stop fraud. The most common is the 3 or 4 digit CVV code. Since websites are not allowed to save the CVV code, if a website is hacked, the thieves only get the credit card numbers – not the CVV. This limits hacked cards from being used online. In addition, shipped goods have an added protection of matching billing and shipping addresses. If those 2 match, in most cases, the order is legitimate.
But there are other safeguards as well, including wrong billing phone numbers, billing zip code, ip address from other countries, and even scripts on websites that can detect fraud based on the visitors interactions (someone that comes onto a luxury website, immediately sorts the price from high to low, and attempts to checkout with the highest priced items is a big red flag). Finally, there are verification services offered by the credit card companies that require a cardholder to answer a security question prior to completing the transaction. While too many safeguards cause legitimate shoppers to abandon their shopping carts and go to less stringent websites, the fact remains that online transactions, which are most susceptible to fraud, have many deterrents in place.
When a consumer shops in a physical store, there are less safeguards. There’s no zip code requested, no CVV and all that is left is matching the signature on the card and receipt, and that is hardly foolproof. A cashier can ask for a photo ID, but the fact that someone doesn’t have it on them is not a reason to decline the purchase (and interestingly enough, Visa prohibits merchants from requesting an ID unless the card is not signed, so that it doesn’t ruin the customer experience of paying with credit cards).
The the black strip on the back of traditional credit cards have the card number magnetically printed. When the card is swiped, the terminal simply reads the numbers and sends it to the bank for approval. Fraudsters love this. They can simply hack a database of credit cards (remember the Target breach?) and magnetically print the credit card numbers onto fake credit cards. They then send an army of fraudsters to retail stores. It’s also interesting how they ensure the cards are active. The most common is making a small online donation at a charity that has no fraud detection on their website. If it’s approved, they know the card is valid.
Another problem with the old system is that the live credit cards passes through the merchant’s software, and in many cases, are databased as well. That makes every store vulnerable to hacking and the less sophisticated ones easy prey.
The EMV Chip Card Solution
The chip cards serve many purposes, chief among them is protection against duplication. Since the chips can’t be duplicated, it ensures that the card that is inserted is the original. Even though there is still fraud with stolen and lost cards, those are typically reported and deactivated, and in general, the overall issue with fraud is high-volume “manufactured” fraud. And if a consumer attempts to swipe a credit card with a chip in an EMV-ready terminal, it is programmed to recognize that there is a chip and require that the consumer dip the card instead.
A second benefit of chip cards is that the credit card number never passes through the merchant’s software. EMV regulations require that an EMV terminal send the credit card number directly to the processor or gateway without the merchant’s system ever seeing the number. After a transaction is processed, the merchant simply receives a reference number called a token, which they can use to invoke further transactions. If their system is hacked, only tokens will be found – no credit card numbers.
In other countries, they implemented a pin together with the EMV card, similar to debit cards, which further protects from fraud. In the US however, there are currently no plans by the card issuers to implement pin numbers on credit cards. As with many other considerations, the goal is to make the consumer experience as frictionless as possible, and the introduction of a pin would mean that transactions are further slowed.
So while the introduction of chip cards can be annoying, fraud negatively affects both merchants and consumers, and the added protection makes using credit cards safer for all.