Chip-based credit cards are a decade old; why doesn’t the US rely on them yet?
Square is pushing forward with a new credit card reader for the 2015 transition.
By Megan Geuss
Aug 2 2014
<http://arstechnica.com/business/2014/08/chip-based-credit-cards-are-a-decade-old-why-doesnt-the-us-rely-on-them-yet/>
Earlier this week, mobile payments company Square announced that it had developed a credit card reader that will verify purchases from an embedded chip on the card. Currently, US consumers primarily rely on swipe-and-sign credit cards, which give card details to a merchant through the magnetic stripe on the back. But because the swipe-and-sign system became overburdened with instances of fraud, MasterCard, Visa, and other financial groups decided in 2012 that they would transition their systems to a chip-based setup called EMV (eponymous for EuroPay, MasterCard, and Visa, the three primary developers of the standard) by October 2015.
Square is hoping to capitalize on this transition by being one of the first companies out of the gate in the US to offer small and medium-sized business owners a smaller, less-expensive alternative to buying a whole new set of credit card terminals.
The EMV standard works using a chip that’s embedded in a credit card, which effectively acts as a mini-computer. Instead of swiping quickly and having your card give its details to a merchant’s point of sale (POS) system, an EMV card creates a unique code for each transaction and (ideally) requires the consumer to enter a PIN associated with the card instead of relying on a signature. Because of this, EMV is often called chip-and-PIN. Making a purchase with an EMV card also requires the card to be present in the card reader throughout the transaction.
But this technology is not new. The EMV standard was first developed in 1994 as a way to reduce magnetic stripe credit card fraud. Most of Europe, as well as Australia, Brazil, and other major countries, have been using EMV for years. So what’s taken the US so long? And now that the standard is decades-old, do we even want it anymore?
The inevitable
Although moving to a chip-and-PIN system in the US had been in the works for years, the end of 2013 was a particularly bad year for high-profile credit card fraud—Target specifically saw breaches that lead to the loss of 40 million credit card numbers as well as information belonging to 70 million customers. Similar scams were soon uncovered at Neiman Marcus, Michaels, and a host of other big-name retailers. Regulators, banks, and retailers themselves were in a position to push hard for a transition to chip-and-PIN. Even if the system wouldn’t necessarily have prevented the credit card breaches, it was still an alternative that could reduce fraud in general. In February, Target’s CEO, as well as some payments experts, appeared before the Senate Judiciary Committee to promise that big-name banks and merchants alike would adopt EMV by late 2015.
As Ars reported in January, Target’s breach was likely the result of malware on the retailer’s POS systems that watched the systems’ memory, searching for “credit card data before it has been encrypted and sent to remote payment processors.” Julie Conroy, research director for Aite Group’s Retail Banking practice, wrote in a June paper that “While EMV would not have stopped the [Target] breach, it certainly would have impeded the criminals’ ability to monetize it,” because EMV makes it more difficult to counterfeit cards after the cards’ information has been stolen.
[snip]