US consumers are about to get a new defense against cybercrime. The armor will take the form of credit and debit cards with a built-in chip, which retailers must be able to read as of Thursday.
Short for EuroPay, MasterCard and Visa, EMV chips create a one-time-use code needed for each purchase, which makes stolen card numbers less valuable on the black market. Consumers may see slightly longer transaction times as in-store readers run the EMV cards, assuming merchants have set up the new payment terminals in time.
Industry watchers don't expect every merchant to meet Thursday's deadline, which was set last year by MasterCard, Visa, Discover and American Express. Retailers do have an incentive to act quickly, though. Stores that don't have EMV-reading terminals will need to make good on in-store purchases made with counterfeit cards. ATMs and gas pumps will face the same liabilities in 2017.
The card companies wrote that rule after cyber criminals stole about 40 million credit and debit card numbers from the payment system of retailer Target during the 2013 holiday-shopping season. Currently, the banks that issue cards are on the hook for fraudulent charges.
There are two ways hackers steal sensitive information. They can use card skimmers to read a card's magnetic stripe at an ATM or gas pump. They can also penetrate retailers' corporate information systems, as they have with Target, Home Depot, Neiman Marcus and many others, to copy card numbers. Those stolen numbers can be used on fake cards to make fraudulent purchases. Two-thirds of fraudulent purchases inside stores are made with counterfeit cards, said Stephanie Ericksen, Visa's vice president of risk products. Authentic cards that were stolen account for the other third.
That's where these new chip cards can help. Because the chips send encrypted, one-time codes for each transaction, the cards are harder for fraudsters to read and duplicate, experts say. While the cards are just rolling out in the US, the technology isn't new. Europe started using cards with embedded chips in 2005. Apple Pay and Android Pay mobile payments work on the same underlying rules.