The introduction of EMV, chip-based cards in the U.S. has been somewhat bumpy. Although the cards are intended to reduce fraud and merchants are required to integrate payment terminals that handle the new technology, in some merchants haven't provided the new terminals. Other merchants have the new terminals but haven't enabled the chip readers, requiring consumers to swipe their cards.
Even when the technology is in use, merchants aren't happy with it. The chip-based card transactions take longer to process, slowing the movement of lines. And because the US adoption of the cards is chip-and-signature, rather than chip-and-pin, the technology doesn't prevent the use of stolen cards, only the use of counterfeit cards. In fact, Walmart is suing card providers that prohibit it from asking for a pin when customers use chip-enabled debit cards.
But criminals find ways around even the best controls. Chip-and-pin has been in use in Europe much longer than in the US. There have been incidents where criminals were able to tamper with card readers before they reached the merchants in order to steal card information.
There's also the problem of card-not-present (CNP) fraud. CNP was expected to rise after the additional controls were introduced, and PYMNTS.com reported an increase of 11 percent in online fraud after EMV went live.
Card-Not-Present Shouldn't Mean Security-Not-Present
The problem with CNP transactions is that the security features of the new chip cards aren't used. Rather than inserting cards into a reader to generate a unique identifier for each transaction, valid, reusable information is still typed in manually. This information remains vulnerable to malware on the consumer's computer or to being stolen from a database if the merchant's security is breached.
Some online merchants attempt to solve the problem by adding 3D secure (3DS) technology. With 3DS, merchants check with the card issuer if the customer is enrolled; if they are, the customer is directed to their issuer's site to enter a password for additional validation. This process can lead to shopping-cart abandonment at rates of 10 to 12 percent.
Having to remember an additional password to use their cards isn’t very friendly for customers. Could one alternative be to provide chip readers for use at home? That’s the new solution one company, Chip Shield, has proposed.
Their new product will allow consumers to connect a chip reader to their PC or mobile device through either a USB or audio port. The device then uses the chip card's encryption technology to create a private key signature that unlocks the user's information. Because the device eliminates manual data entry into payment forms, the risk of keylogging malware stealing data is reduced. Merchants don't need to make any changes to work with the product, meaning customers aren't dependent on the merchants for security.
Additionally, the card reader will choose the strongest security available, depending on the features offered by the website, the card, and the issuer. This can protect data further through the use of virtual account numbers or end-to-end encryption that means data is never exposed during the payment process.
Built-In Card Readers
It's possible that chip reader technology will eventually be built into computers and mobile devices, similar to the way these devices now have slots to read the memory cards used by digital cameras. This shouldn't add much to the cost of the device; Chip Shield plans to sell their reader for only $20.
Until this technology is widely available, though, card users and merchants should take precautions when using cards online. Always shop at an "https" site, not an "http" site. Sites that require users to login before purchasing offer additional security. The last line of defense is to review bills carefully. It may not be completely possible to block fraud, but that doesn't mean the card user needs to pay for it.