Banks across the US are in the middle of rolling out a new type of secure credit and debit card to customers, while retailers are installing new card readers to process them. By October, all credit and debit card purchases must use a technology called chip and PIN, or the card issuer or retailer will face fines if card data is stolen and used by thieves. The dictum comes from Visa and MasterCard in the wake of high-profile bank card breaches at Target and other businesses over the years. The new EMV cards, also known as chip and PIN cards, have an embedded microchip that authenticates the card as a legitimate bank card.
The chip contains data that was traditionally stored in a card’s magnetic strip. For every in-store purchase, it generates a one-time transaction code that is cryptographically signed. This, in combination with a customer-entered PIN, is intended to make stolen data less useful to card thieves. Even if a thief hacks a retailer’s network or installs a skimmer on an ATM terminal to steal card data and PINs, the thief won’t have a transaction code needed for in-store purchases. Moreover, they won’t be able to generate a transaction code without the cryptographic key.
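A minimal sketch of the mechanism described above, added here as an illustration and not taken from the article or from the EMV specification: the chip derives each transaction code from a secret key and a counter, so skimmed card data cannot be replayed or forged. HMAC-SHA256, the `Chip` and `Issuer` classes, the message layout, and all sample values are assumptions standing in for the real EMV algorithms, and PIN checking is left out.

```python
import hashlib
import hmac
import os

def transaction_code(key: bytes, counter: int, amount_cents: int, nonce: bytes) -> bytes:
    """One-time code bound to this counter value, amount and terminal nonce."""
    msg = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Chip:
    """Holds the card key; the key never leaves the chip (assumed model)."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self._counter = pan, key, 0

    def authorize(self, amount_cents: int, nonce: bytes) -> dict:
        self._counter += 1  # a fresh counter makes every code different
        code = transaction_code(self._key, self._counter, amount_cents, nonce)
        return {"pan": self.pan, "counter": self._counter,
                "amount": amount_cents, "nonce": nonce, "code": code}

class Issuer:
    """Shares the card key and remembers the highest counter it has accepted."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key

    def verify(self, req: dict) -> str:
        key = self._keys.get(req["pan"])
        if key is None:
            return "unknown card"
        expected = transaction_code(key, req["counter"], req["amount"], req["nonce"])
        if not hmac.compare_digest(expected, req["code"]):
            return "bad code"   # forged or altered request
        if req["counter"] <= self._last.get(req["pan"], 0):
            return "replayed"   # valid code that was already used
        self._last[req["pan"]] = req["counter"]
        return "approved"

def demo() -> dict:
    pan, key = "4000000000000002", bytes(range(16))  # constructed sample values
    chip, issuer = Chip(pan, key), Issuer()
    issuer.enroll(pan, key)
    first = chip.authorize(2599, os.urandom(4))
    return {
        "genuine": issuer.verify(first),
        "replayed capture": issuer.verify(dict(first)),
        "card data without key": issuer.verify(dict(first, counter=2, code=bytes(8))),
        "altered amount": issuer.verify(dict(chip.authorize(500, os.urandom(4)), amount=50000)),
    }

if __name__ == "__main__":
    print(demo())
```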
The cards have already been implemented widely in Europe and Canada, beginning in 2003. But the US rollout has been slow. Visa and MasterCard only established their roadmaps for migration to chip and PIN cards in 2011 and 2012. By the end of 2013, an estimated 17 to 20 million chip cards had been issued, according to the EMV Migration Forum, but this was still only a small fraction of the cards issued in the US.
Initially, banks supplied chipped cards primarily to well-to-do US customers, who would be more likely to travel to Europe where chip and PIN readers are used. But those cards still came with a magnetic strip on the back so they would be compatible with older US card readers that aren’t capable of reading chips. As a result, these cards still had the same vulnerabilities that other bank cards have. Hackers can install rogue readers in Europe to extract data from the mag strip when cards are used there, then use the swiped data in the US for fraudulent transactions where the chip and transaction codes are irrelevant.
To eliminate mag strip cards altogether and pressure US companies into installing card readers that can only process chip and PIN cards, Visa set a deadline of October 1, 2015 for issuing the cards and installing the readers. Any company that accepts credit and debit card payments but doesn’t have chip and PIN readers in place by then could face increased liability for fraudulent transactions incurred if card data is stolen from them. The same goes for an issuer who hasn’t distributed secure cards to accountholders.
Retailers have also been dragging their feet about adopting the new technology because it’s expensive. But adoption finally picked up last year after the massive Target and Home Depot hacks, which brought unwanted attention to the retail industry from Capitol Hill.
But the new cards won’t stop card fraud altogether. The history of hacker ingenuity shows that when one method is blocked, hackers simply shift their focus and find another. After retailers like Target moved to improve their internal network security years ago by encrypting all card transaction data as it traversed their network, hackers simply designed malware to grab the data inside point-of-sale terminals as customers swiped their cards through a reader, before the data could be encrypted. This is precisely how the Target hack went down. At least for a while, chip and PIN cards will fix that problem.