Could EMV cards have foiled Target breach?
The Target breach is highlighting the security protection of the EMV card. Although its adoption would reduce fraud, don't mistake it for a panacea or a big benefit to you.
What is it?
- EMV stands for the developers of the technology standard: Europay, MasterCard and Visa.
- These cards contain microchips that encrypt transaction and card data uniquely each time they're used.
- They are widely used in Europe, Asia and Canada and are fast becoming the standard abroad.
The EMV card's security is superior to magnetic-stripe cards traditionally used in the U.S. because of its microprocessor chip.
The chip produces unique coding for each transaction. So, if a fraudster picks up the coding, it cannot be used to authenticate another transaction.
Magnetic-stripe cards store encrypted coding that never changes. Once fraudsters break the encryption, they can create counterfeit cards.
Some chip cards also use a personal identification number to complete a transaction. They protect against lost or stolen card fraud better than chip cards that require just a signature. That's because it's easier to forge a signature than to guess a PIN.
Compare credit card rates to get the best deal.
Chip card limitations
EMV cards protect only card information that is processed at a physical checkout. It doesn't protect against online fraud because the chip is not part of the authentication process.
An online transaction uses the same information to verify a purchase made by both chip and magnetic-stripe cards:
- Name on the card.
- Billing address.
- Card number.
- Expiration date.
- Security code.
If hackers steal online transaction data of chip cards, including the security code, they can use that information to make fraudulent online purchases. The chip doesn't prevent this.
When will EMV show up here?
Despite these security holes, the payment networks -- Visa, MasterCard, Discover and American Express -- are eager to bring EMV chip cards to the U.S.
They set a 2015 deadline for U.S. retailers to be able to accept chip cards. Gas stations have until 2017. Those retailers who don't make the change will have to pay for fraud losses that occur on their watch.
Credit card issuers already have started issuing new chip versions of existing cards, mostly those that cater to business and leisure travelers. But that should pick up as the 2015 deadline nears.
What's in it for you?
Not much, really. The security features of chip cards mainly benefit the payment networks and banks, which pay for the majority of fraud losses now. They want to pass that on to retailers.
Credit card holders are not liable under federal law for any losses if their card information is stolen. Debit card holders have more exposure, but the recent Target breach showed that their losses often are covered after breaches, too.
What consumers get is convenience. They won't have to wait for a card that is compromised in a breach to be reissued. And they may find their chip cards are accepted in more places abroad.
So, the chip card hoopla is not really about consumer security, but rather a fight between banks and retailers over who picks up the fraud bill.