7 Common Misconceptions About Chip Cards
It’s been almost two years since the deadline to upgrade POS, cash registers, and credit card machines to accept chip credit cards, but there are still a lot of misconceptions about what exactly this upgrade means and even why chip cards are beneficial.
At CardFellow we’ve heard it all, so we decided to address these myths and misinformation to help you make the right decision for your business.
Chip cards are the next evolution of card-based payments, and it’s important to understand the differences between chip and magnetic stripe cards. If your business still hasn’t upgraded to accept chip cards (or you have, but don’t know much about why), this article will help demystify some of the most common misunderstandings about them. The myths:
- Chip Cards Are New, Untested Technology
- Chips Are Less Secure than Magnetic Stripes
- Chip Cards Are Fraud-Proof
- EMV Compliance is Required by Law
- Only Special Cards Have Chips
- Chip Cards Will Work Globally
- Small Businesses Don’t Need to Upgrade
Chip Cards are New, Untested Technology
Although the implementation of EMV only recently occurred here in the US, the standard was initially written in 1993. Prior to that, several other standards existed and were deployed in France and Germany in the 1980s.
EMV was designed with backwards compatibility for these other standards in order to make the transition easier, and because of this, it has been used in Europe since its development. As CBS News points out, a chip credit card can be spotted in the 1995 movie “French Kiss.”
In fact, the United States is one of the last major markets to transition to chip cards. If you travel abroad, you’ve likely noticed chip cards are already in use in many foreign countries.
Chip and PIN cards are common in Mexico, the Philippines, and several European countries, including Germany and Austria. Chip and signature cards are used in Canada, Australia, New Zealand, and remaining European countries, such as France, Finland, and the Netherlands.
This technology has been thoroughly tested and found to be more secure than magnetic stripes. Which brings us to myth #2...
Chips Are Less Secure than Magnetic Stripes
There has been a lot of misinformation flying around about chip cards being less secure than magnetic stripe cards, mainly because of the recent rise of contactless mobile payment options.
Mobile phones equipped with NFC chips are a security risk because the chip is attached to a device with an antenna that is constantly sending and receiving signals, even when the user isn’t aware. Smartphones are designed to ping WiFi networks and cell towers and devices have been designed to intercept these transmissions.
Although EMV chip cards use similar NFC technology, the card itself can’t communicate unless inserted in a terminal. This makes the NFC devices that work on cell phones essentially worthless on chip cards.
In addition, EMV is actually an encryption standard that uses triple DES, RSA, and SHA cryptographic algorithms for authentication purposes. This makes the chips much more secure than analog information found on magnetic stripes, securing information against card cloning, skimming, and other techniques.
This means with EMV, transaction information is encrypted on the card, rather than the terminal, making these transactions much more secure and shifting liability to the card issuer, rather the business processing it.
Chip Cards Aren't Secure without PINs
Along the same lines, there's a misconception that because the US switch is mostly chip and signature cards (instead of chip and PIN) that the chip cards aren't secure. However, even chip cards without a PIN are more secure than magnetic strip cards. Chip card information is encrypted at the point of sale, making it harder to skim data and clone cards.
Digital Transactions found that implementing chip and PIN would cost more than it would save in fraud, suggesting that the US switch to chip and signature was a more prudent balance of cost and security.
Chip Cards Are Fraud-Proof
Just because transactions are more secure doesn’t mean they’re fraud-proof. Businesses still need to defend their systems against hackers, malware, and other cyber attacks. Chip cards also don't offer protections in online transactions, so it's important to make use of anti-fraud tools like Address Verification if you take cards online.
Your POS system is still a database that requires cell-level encryption. It houses personal customer details and proprietary information you don’t want leaked to the general public.
The Federal Trade Commission requires companies that store sensitive customer or employee information on their network to protect that information. Identity theft is a major concern these days, with over 490,000 complaints received by the FTC in 2015 (according to the agency’s 2016 report), making it the second most common consumer complaint.
If your business is found to be responsible for customer information being stolen, it could lead to high-dollar fines, negative brand publicity, and possibly closure of your company.
EMV isn’t an end-all fraud-stopping solution. It makes great strides in the right direction, but regular network security, database encryption, antivirus, and anti-malware solutions are still necessary.
Also, it’s important to note there have been some EMV-related scams reported that affect businesses.
Check out our EMV scams and misleading sales tactics article for more information.
EMV Compliance is Required by Law
The government actually doesn’t have anything to do with the shift to EMV. Instead, it’s the card companies (Visa, MasterCard, American Express, Discover) that require it, and it’s more of a soft requirement than anything.
Specifically, fraud liability lies with whichever entity has the lowest security (i.e. is least EMV compliant). What this means is that if your business is setup to accept chip payments, fraud liability shifts to either the card issuer or the payment processor, which at that point is not your problem.
If your business isn’t setup to accept chip cards and fraud occurs on a chip card, it’s your responsibility for not being compliant.
If the government had mandated the shift, there would be additional fines and penalties for companies not in compliance, and that isn’t the case at this point in time. That’s not to say the government won’t pass regulations in the future, and it’s always better to be ahead of the curve in these cases.
Many businesses still aren’t EMV compliant, with anecdotal evidence suggesting that businesses on the west coast are less likely to have working chip readers than the east and midwest. About half of all businesses weren’t compliant by the October 2015 deadline.*
*Certain unmanned card readers, such as gas station pumps and ATMs, weren’t required to be updated by October 2015 and have deadlines coming in October 2016 (MasterCard ATMs) and October 2017 (gas pumps and Visa ATMs).
Only Special Cards Have Chips
American Express was one of the first credit card issuers to deploy chip credit cards with its Blue Optima card in the early 2000s. Until last year, this was one of the only chip credit cards on the American market, but that’s quickly changed.
However, possibly in part because of Amex’s early chip use on some cards, there’s a misconception that only certain special carts have chips. As more cards are issued with chips, this misconception will die out.
Discover estimates around 70 percent of credit cards and 41 percent of debit cards are now EMV-enabled. MasterCard reports similar numbers, and that percentage is steadily increasing. By the end of 2017, nearly all payment cards will have embedded chips, though most will still have magnetic stripes as well until merchant payment systems are fully upgraded.
Much like the shift to magnetic stripes from the old-school, manual carbon copy credit card processing (remember when you used to have to call the issuing bank for large orders?), chip cards will simply be the way everyone uses their payment cards in the future.
Chip Cards Will Work Globally
While having a chip credit card will greatly improve your chances of a U.S. card being accepted abroad, it’s not 100% guaranteed. Chip cards are either chip-and-PIN or chip-and-signature cards, and their use varies by country.
However, the chip cards are much more widely used than magnetic stripe cards. As a U.S.-based business, you can accept foreign chip cards, so long as your POS is set up to do so. Foreign transaction fees and other considerations may apply.
Small Businesses Don’t Need to Upgrade
Businesses large and small need to update their systems as soon as possible to avoid being the weak link in the chain. As Jackie Barwell, director of fraud product management at ACI Worldwide mentioned to Business News Daily last year, fraud targets the weakest systems. Just like locking your door doesn’t guarantee your business won’t be broken into, it’s less likely to be broken into than a business with unlocked doors.
Morgan Stanley was recently hit with a $1 million fine for failing to secure customer data. The government takes data breaches seriously, and you don’t want to be in their crosshairs.
Even if government intervention of your business is unlikely, you can run into other issues, including penalties from the card brands, EMV non-compliance fees, and an increase in “friendly fraud” and losing money through chargebacks. It’s a good idea to consider upgrading to EMV capable equipment sooner rather than later to protect yourself and your customers.
As with all things credit card processing, if you have any questions or concerns that aren’t addressed here, feel free to search our blog for answers or contact us to walk you through everything you need to know about keeping your business EMV-compliant.
Brian Penny is a former Business Analyst and Operations Manager at Bank of America turned freelance writer focused on business and technology. His work appears in Huffington Post, Fast Company, and The Street.