Chip-and-PIN debit and credit cards won’t stop fraud.

New Security Measures for Credit Cards Might Just Shift the Fraud Online

New Security Measures for Credit Cards Might Just Shift the Fraud Online

The citizen’s guide to the future.
Aug. 4 2015 4:16 PM
FROM SLATE, NEW AMERICA, AND ASU

Passing the Buck

New measures are supposed to keep credit and debit cards safer from fraud. But they may just be shifting the crime elsewhere.

Chip-and-PIN credit card
It’s harder, but not impossible, for criminals to commit fraud with this card.

Photo by iStock

When one of my credit cards expired this summer, my bank sent me a replacement with a microchip. This wasn’t my first credit card with a chip—in fact, credit card companies have long been heralding 2015 as the year when all of the old magnetic stripe cards for U.S. cardholders will be replaced with high-tech EMV-compatible cards. (EMV stands for the first three companies that developed the technical standard for chip cards: Europay, MasterCard, and Visa.) This was supposed to be the year when the United States was finally going to catch up to Europe and Australia, which transitioned to EMV technology in the mid-2000s and 2013, respectively, and implement state-of-the-art payment card technology that would make it harder for criminals to steal credit card numbers and perpetrate fraud. EMV cards generate single-transaction codes instead of relying on reusable card numbers and usually require people to input personal identification numbers to process transactions—making it harder (though not impossible) for criminals to commit fraud with them.

But transitioning to ubiquitous chip-and-PIN technology is a very slow process, with lots of backward-compatibility measures (to allow the new cards to work with older terminals) that continue to enable traditional kinds of fraud. Perhaps even more discouraging is the continuing uncertainty about whether it will actually effectively reduce fraud. A report released late last month by the European Central Bank showed an 8 percent increase in fraud for 2013 cards issued in the Single Euro Payments Area. The increase came from a spike in card-not-present, or CNP, transactions, which accounted for 66 percent of the value of fraudulent transactions.

Advertisement

This finding suggests that new card technology may do more to shift how fraud happens and who has to pay for it than actually reduce it in the long term. The ECB report does show reductions in ATM and point-of-sale fraud—but those are outweighed by the increase in CNP fraud. So what’s the point in making the switch? It all comes back to liability.

CNP transactions, such as online or phone purchases, essentially undercut all of the EMV technology—no chip is read, no PIN is entered—so it’s no surprise that they’re a fertile target for fraudsters. For years, countries that have implemented EMV cards have been seeing mixed results when it comes to security, typically witnessing decreases in card-present transactions within their borders—but also seeing increases in CNP and cross-border fraud.

Of course, cracking down on cross-border fraud requires EMV technology to be used just about everywhere, so that there are fewer regions where criminals can get away with the less well protected transactions. But in the U.S., the mere fact that credit cards have chips in them has made very little difference in how we actually pay for things: We still routinely swipe those magnetic stripes instead of inserting the cards into machines that can read their microchips, still find ourselves verifying charges with a signature instead of a PIN. Even when a merchant is equipped to read the chips on our cards, we still often get away with signing for purchases, rather than entering PINs, thanks to the peculiar hybrid chip-and-signature card technology that falls somewhere between a magnetic stripe card and a chip-and-PIN card in terms of security.

Ideally, chip-and-PIN cards make it harder to commit fraud for a couple of reasons. First, if your card requires a PIN, then someone can’t just steal it and immediately start buying things with it—they also need to figure out your PIN (just as they would with a debit card). Chip-and-PIN cards also provide another layer of protection by generating a unique ID number for each transaction. So, in the event of a data breach, thieves don’t access your credit card number—which they can then reuse for other purchases. Instead, they get a one-time code specific to a particular transaction, a number that cannot be used to buy anything else.

Advertisement

For card-not-present transactions, we’re still pretty much reliant on the old system—entering card numbers and expiration dates—though there may be some other barriers for criminals. For instance, when you buy something online or over the phone, often you’re either ordering an ongoing service (say, Netflix) or you’re ordering a physical product that has to be sent to you, which means you need to provide a shipping address. If you’re doing either of those things with a stolen card number, then you face the risk that when the legitimate cardholder notices the fraud, the service may be canceled or law enforcement may try to trace the shipping address you provided. (There are, of course, ways around these obstacles for the determined criminal—for instance, providing the shipping address of an abandoned house in your neighborhood where you can easily pick up deliveries.)

If, as the recent European Central Bank figures suggest, there’s still room for considerable growth in CNP fraud, however, it’s unclear how helpful our new credit cards will be—even assuming we eventually start using them properly and stop treating those fancy chips as mere decoration. In fact, the transition to EMV cards is less about improving our security than it is about shifting liability for fraud.

By issuing cards with EMV technology, the credit card companies and issuing banks can shift the responsibility for covering the costs of fraud to merchants. Until October 2015, if someone puts fraudulent charges on your credit card, you won’t have to pay for any of those charges and the issuing bank will likely be responsible for covering the costs (though they can—and sometimes do—sue merchants for inadequate security to recoup some of those losses). Beginning in October, however, if a merchant doesn’t have the necessary equipment to process EMV cards and instead treats them just like the old magnetic stripe ones, then that merchant will be responsible for fraudulent transactions that they process. On the other hand, if a merchant has the necessary equipment but a bank has failed to issue an EMV card to a customer, then the bank will be responsible for fraudulent charges, because it is responsible for forcing the merchant to process a less secure transaction.

This creates an incentive for merchants and banks alike to upgrade their technology, regardless of whether those technology upgrades reduce fraud overall. And from the point of view of individual credit card holders, it may not matter very much who covers the costs of fraudulent charges—so long as it’s not us. Still, it’s notable that many security efforts center on trying to figure out who should bear the costs of crime. That’s an important question, but it’s not the same as asking how we can most effectively reduce the crime itself.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.

Josephine Wolff is an assistant professor of public policy and computing security at Rochester Institute of Technology and a faculty associate at the Harvard Berkman Center for Internet and Society. Follow her on Twitter.