Q: Our credit card company now wants us to upgrade our credit card terminals at considerable cost; is this just an effort to extract more money from our wallets, or are these upgrades really necessary?
A: I understand your reluctance to purchase new credit card processing equipment, but given the enormous amount of credit card fraud today, the recommended upgrades appear to be a necessary and beneficial investment. In an effort to combat credit card fraud, the U.S. credit card industry has adopted the EMV (Europay, MasterCard, and Visa) credit card standards (which are managed by EMVCo, an organization owned by American Express, Discover, JCB, MasterCard, UnionPay, and Visa), and these standards are intended to help reduce credit card fraud.
Visa reports that 2.4 billion EMV chip cards already are in circulation, with 36.9 million EMV chip-capable terminals in service. The credit card company expects 60% of all large U.S. retailers to have implemented EMV by the end of the year. Although EMV compliance is not mandated for third-party agents that process credit card information, merchants that didn't implement EMV by October 2015 may now be liable for their customers' fraudulent in-person credit card purchases.
The credit card industry claims the cards that adhere to EMV standards, called Smart Cards or EMV Chip Cards, are nearly impossible to counterfeit. The older magnetic strip cards are more vulnerable because the information contained in the magnetic strip can be easily copied to produce counterfeit cards. In contrast, the chip and terminal use a variety of cryptographic algorithms (such as RSA, SHA, and Triple-DES) to generate a unique, one-time-only number to approve the transaction. Because the specific algorithms are not publicly known, criminals cannot (easily) replicate the algorithm to produce counterfeit credit cards.
It is important to note that the new standards are not required, and most U.S. card issuers are relying on signature-based chip cards rather than chip cards that require a personal identification number (PIN), which are standard in Europe. Although both types of cards are much more difficult to counterfeit, a stolen signature-based card can easily be used by a criminal, whereas a PIN-based card cannot. As the credit card industry continues to adopt EMV standards, you will notice the following changes:
1. Smart cards rely on chips instead of magnetic strips (though many EMV chip cards will continue to include magnetic strips for use with legacy vendors who have not yet upgraded to EMV-compatible credit card terminals. An example of this newer type of terminal is the VeriFone Vx 670 all-in-one wireless handheld payment device, pictured below).
2. For those card issuers employing the highest security standards, customers will need to enter a PIN to complete each credit card transaction (much in the same way PINs are now required to complete debit card transactions).
3. EMV credit card terminals require insertion rather than a swipe to read EMV chip cards.
4. For signature-based chip cards, transactions can require electronic signatures (as opposed to signing a paper receipt).
While relatively new in the United States, EMV cards have been used for many years in other countries. A similar type of smart card was first used in Europe in 1986, and the initial EMV standards were first published in 1994. EMV chip cards have been commonplace for years in Australia, Austria, Canada, Finland, Germany, Ireland, Mexico, the Netherlands, New Zealand, and the United Kingdom.
Authorities in countries with an established track record of smart card use report fewer face-to-face fraudulent credit card transactions and say that criminals have shifted their fraud efforts toward telephone, internet, and mail-order transactions in which chip authentication isn't possible. To protect these types of non-face-to-face transactions, companies are implementing software-based approaches such as Verified by Visa and MasterCard SecureCode, which give phone and online purchasers the opportunity to enter a PIN to complete a transaction.
About the author
J. Carlton Collins (email@example.com) is a technology consultant, a CPE instructor, and a JofA contributing editor. Note: Instructions for Microsoft Office in “Technology Q&A” refer to the 2013, 2010, and 2007 versions, unless otherwise specified.
Submit a question
Do you have technology questions for this column? Or, after reading an answer, do you have a better solution? Send them to firstname.lastname@example.org. We regret being unable to individually answer all submitted questions.