It’s been a few years since the deadline to upgrade POS, cash registers, and credit card machines to accept chip credit cards, but there are still a lot of misconceptions about what exactly this upgrade means and even why chip cards are beneficial.
At CardFellow we’ve heard it all, so we decided to address these myths and misinformation to help you make the right decision for your business.
Chip cards are the next evolution of card-based payments, and it’s important to understand the differences between chip and magnetic stripe cards. If your business still hasn’t upgraded to accept chip cards (or you have, but don’t know much about why), this article will help demystify some of the most common misunderstandings about them. The myths:
- Chip Cards Are New, Untested Technology
- Chips Are Less Secure than Magnetic Stripes
- Chip Cards Are Fraud-Proof
- EMV Compliance is Required by Law
- Only Special Cards Have Chips
- Chip Cards Will Work Globally
- Small Businesses Don’t Need to Upgrade
Chip Cards are New, Untested Technology
Although relatively new to the US, chip technology isn’t new. Germany and France deployed standards in the 1980s.
EMV was designed with backwards compatibility for these other standards in order to make the transition easier, and because of this, it has been used in Europe since its development. As CBS News points out, a chip credit card can be spotted in the 1995 movie “French Kiss.”
In fact, the United States is one of the last major markets to transition to chip cards. If you travel abroad, you’ve likely noticed chip cards are already in use in many foreign countries.
Chip and PIN cards are common in Mexico, the Philippines, and several European countries, including Germany and Austria. Canada, Australia, New Zealand, and remaining European countries, such as France, Finland, and the Netherlands utilize chip and signature.
This technology has been thoroughly tested and found to be more secure than magnetic stripes. Which brings us to myth #2…
Chips Are Less Secure than Magnetic Stripes
There has been a lot of misinformation flying around about chip cards being less secure than magnetic stripe cards, mainly because of the recent rise of contactless mobile payment options.
Mobile phones equipped with NFC chips are a security risk because the chip is attached to a device with an antenna that is constantly sending and receiving signals, even when the user isn’t aware. Smartphones are designed to ping WiFi networks and cell towers and devices have been designed to intercept these transmissions.
Although EMV chip cards use similar NFC technology, the card itself can’t communicate unless inserted in a terminal. This makes the NFC devices that work on cell phones essentially worthless on chip cards.
In addition, EMV is actually an encryption standard that uses triple DES, RSA, and SHA cryptographic algorithms for authentication purposes. This makes the chips much more secure than analog information found on magnetic stripes. In turn, it helps secure information against card cloning, skimming, and other techniques.
This means with EMV, transaction information is encrypted on the card, rather than the terminal. That makes transactions much more secure. It also shifts liability to the card issuer, rather the business processing it.
Chip Cards Aren’t Secure without PINs
Along the same lines, there’s a misconception that because the US switch is mostly chip and signature cards (instead of chip and PIN) that the chip cards aren’t secure. However, even chip cards without a PIN are more secure than magnetic strip cards. Chip cards encrypt data at the point of sale, making it harder to skim or clone cards.
Digital Transactions found that implementing chip and PIN would cost more than it would save in fraud, suggesting that the US switch to chip and signature was a more prudent balance of cost and security.
Chip Cards Are Fraud-Proof
Just because transactions are more secure doesn’t mean they’re fraud-proof. Businesses still need to defend their systems against hackers, malware, and other cyber attacks. Chip cards also don’t offer protections in online transactions, so it’s important to make use of anti-fraud tools like Address Verification if you take cards online.
Your POS system is still a database that requires cell-level encryption. It houses personal customer details and proprietary information you don’t want leaked to the general public.
The Federal Trade Commission requires companies that store sensitive customer or employee information on their network to protect that information. Identity theft is a major concern these days, with over 490,000 complaints received by the FTC in 2015 (according to the agency’s 2016 report), making it the second most common consumer complaint.
If card companies determine that you’re responsible for customer information being stolen, you could face high-dollar fines and negative brand publicity.
EMV isn’t an end-all fraud-stopping solution. It makes great strides in the right direction, but regular network security, database encryption, antivirus, and anti-malware solutions are still necessary.
Also, some businesses report EMV-related scams.
Check out our EMV scams and misleading sales tactics article for more information.
EMV Compliance is Required by Law
The government actually doesn’t have anything to do with the shift to EMV. Instead, it’s the card companies (Visa, MasterCard, American Express, Discover) that push it.
Whichever entity has the lowest security (i.e. is least EMV compliant) assumes fraud liability. So if your business accepts chip payments, fraud liability shifts to either the card issuer or the payment processor. But if your business can’t accept chip cards and fraud occurs, it’s your responsibility for not being compliant.
If the government had mandated the shift, there would be additional fines and penalties. That isn’t the case at this point in time. That’s not to say the government won’t pass regulations in the future, though. It’s always better to be ahead of the curve in these cases.
Many businesses still aren’t EMV compliant, with anecdotal evidence suggesting that businesses on the west coast are less likely to have working chip readers than the east and midwest. About half of all businesses weren’t compliant by the October 2015 deadline.*
*Certain unmanned card readers, such as gas station pumps and ATMs, weren’t required to be updated by October 2015. Alternate deadlines: October 2016 (MasterCard ATMs) and October 2017 (gas pumps and Visa ATMs).
Only Special Cards Have Chips
American Express was one of the first credit card issuers to deploy chip credit cards with its Blue Optima card in the early 2000s.
However, possibly in part because of Amex’s early chip use on some cards, there’s a misconception chips are only for special cards. As more banks issue cards with chips, this misconception will die out.
Discover estimates around 70 percent of credit cards and 41 percent of debit cards are now EMV-enabled. MasterCard reports similar numbers, and that percentage is steadily increasing. By the end of 2017, nearly all payment cards will have embedded chips. However, most will still have magnetic stripes as well until businesses fully upgrade systems.
Much like the shift to magnetic stripes from the old-school, manual carbon copy credit card processing (remember when you used to have to call the issuing bank for large orders?), chip cards will simply be the way everyone uses their payment cards in the future.
Chip Cards Will Work Globally
Foreign businesses are more likely to accept US cards that have chips, but it’s not guaranteed. Chip cards are either chip-and-PIN or chip-and-signature cards, and their use varies by country.
However, more countries use chip cards that magstripe cards. As a U.S.-based business, you can accept foreign chip cards. Foreign transaction fees and other considerations may apply.
Small Businesses Don’t Need to Upgrade
Businesses large and small need to update their systems as soon as possible. Jackie Barwell, director of fraud product management at ACI Worldwide, mentioned to Business News Daily last year that fraud targets the weakest systems.
Morgan Stanley was recently hit with a $1 million fine for failing to secure customer data. The government takes data breaches seriously, and you don’t want to be in their crosshairs.
Even if government intervention of your business is unlikely, you can run into other issues, including penalties from the card brands, EMV non-compliance fees, and an increase in “friendly fraud” and losing money through chargebacks. It’s a good idea to consider upgrading to EMV capable equipment sooner rather than later.
As with all things credit card processing, if you have any questions, search our blog or contact us.