Payment cards and security
Losing your wallet can cause your brow to sweat and your blood pressure to rise. Ditto for getting a call from your bank saying your credit card has been compromised. No one wants to deal with card fraud, but unfortunately, many of us do.
More than 2 out of 5 Americans with credit cards experienced some kind of credit card or debit card fraud in the past five years. About a third of card fraud in 2008 involved counterfeit cards or lost or stolen cards. That amounted to $2.44 billion in card losses that year.
No card is invulnerable to fraud. But every type of payment card, from the traditional card with the magnetic stripe to the emerging virtual cards on smartphones, comes built with security features to make it harder for someone to steal your card info at checkout.
When using one of your cards, know what its strengths and weaknesses are to protect yourself against losses.
The traditional mag-stripe card
The card with the magnetic stripe on the back is the most common type in U.S. wallets. Called a mag-stripe card for short, the card’s key to its security efforts are on that stripe.
The stripe contains up to three tracks and holds all the information that is physically found on the card, such as your name, card number and expiration date. The first and second tracks consist of basic account information to complete a transaction. The third track is rarely used, but when it is, it can include a personal identification number, country code or authorized amount.
All the information on the stripe is encrypted, but only once. That means it stays encrypted the same way for every transaction. Randy Vanderhoof, executive director of the Smart Card Alliance, calls it “static” data because it never changes. That makes it easier for fraudsters to pick up the information from the magnetic stripe using a device called a skimmer and to create a counterfeit card with that information.
Skimmers can be placed over ATMs or payment terminals and collect the information on the magnetic stripes. Or, fraudsters posing as waiters can swipe your card through handheld skimmers.
It’s not all doom and gloom. Card issuers have created sophisticated counter-fraud systems that track your transactions and will deny purchases that don’t fit with your spending patterns. The three- or four-digit CVC code also protects against online fraud.
The EMV chip card
EMV cards are trying to make landfall in the U.S., thanks to major initiatives from the payment networks — Visa, MasterCard, American Express and Discover.
Widely used abroad, these cards contain a microprocessor chip that stores the account information and communicates to the checkout computer at purchase. The chip then encrypts the purchase data uniquely each time it’s used. Vanderhoof refers to this as “dynamic” data.
This makes it harder for criminals to pick up useful payment data and use it again for another purchase, and it practically wipes out counterfeit fraud. In the U.K., counterfeit fraud fell by more than 70 percent from 2007 to 2012 after the countrywide adoption of EMV cards, according to a report from the UK Cards Association and Financial Fraud Action UK.
EMV cards come in two varieties: chip-and-PIN and chip-and-signature. The former requires a personal identification code to further verify a transaction and helps to prevent fraud from lost or stolen cards, Carolyn Balfany, senior vice president and group head at MasterCard, explained at the Card Forum & Expo in April. The second requires only a signature and is less effective against lost or stolen fraud.
But EMV isn’t ironclad. Chip cards guard only against counterfeit fraud. It doesn’t help prevent fraud that occurs when only the account information is used for a purchase, such as over the phone or online.
The contactless card
Contactless payment cards boast convenience and ease-of-use at purchase, but are they secure? A host of recent reports have called into question their security.
This type of card uses near-field communication, or NFC, to conduct payments. Card information is stored in a chip on the card or device and that data is transmitted via radio frequency to a payment terminal equipped to accept this type of tap-and-go payment. Some credit cards and gas stations offer this technology.
The technology is similar to RFID, or radio frequency identification, found in electronic toll collection tags such as E-ZPass. The key difference is the RFID technology is meant to be read at great distances, while NFC technology is meant to be read at a very close distance, no more than 4 inches.
The media reports focused on the possibility that someone could lift the information from a card while it’s still in a wallet by simply waving an NFC reader close to it. So far, the fears are unfounded because they have occurred only in demonstrations. There has been no reported fraud committed like this.
“It’s certainly not in banks’ interests to employ a technology that puts their consumers in danger,” says Michael Misasi, senior analyst at Mercator Advisory Group. “It’s my understanding that NFC cards only operate within a couple of centimeters.”
NFC cards also allow consumers to hold onto their cards throughout the entire transaction, eliminating the ability of fraudsters to skim their cards.
The virtual card
The same technology used in contactless payment cards is what powers two of the mobile wallets on the market today, Google Wallet and Isis. These virtual wallets on smartphones allow users to upload their payment cards and tap and pay with the phone.
Two other mobile wallets, Square and LevelUp, use other technology. Square makes use of a mobile app that allows users to send a picture of themselves to a retailer to authorize a payment. (Square also makes a small, square-shaped card reader that attaches to iPhones, Androids and iPads for point-of-sale purchases.) LevelUp also is an app that sends a code to users who scan it at checkout to complete a purchase.
All mobile wallet technologies can be used only at participating retailers.
Mobile payments eliminate card skimming, since the user holds onto the smartphone throughout the entire transaction. Smartphones also come with their own security features, such as PINs or passwords that lock the phone. And some smartphone providers allow owners to shut down their phone remotely, according to the Federal Communications Commission.
Vanderhoof says that if EMV cards take off, mobile wallet providers will need to alter their technology to allow EMV cards to be uploaded on smartphones to process transactions. That would make mobile wallets even more secure, he says.
Here’s some good news: Even if your credit card gets stolen, lost or cloned — no matter what type it is — your maximum liability for unauthorized charges is $50, under federal law. That goes down to zero if your credit card account information, and not the actual card itself, is used to make fraudulent purchases, according to the Fair Credit Billing Act.
Debit cards have fewer protections. If you report the card missing before any unauthorized transactions take place, you aren’t responsible for the loss. But if you report the card missing after a fraudulent transaction pops up, your losses vary depending on how much time has passed since you realized your card is gone.
- Within two business days, your maximum liability is $50.
- Within 60 days after your statement is mailed, your maximum liability is $500.
- After that, there’s no maximum liability and you could lose all your funds in the account and possibly be charged overdraft fees.
It’s always a good idea to protect your cards from fraudulent charges by monitoring your purchase history online. Contact your card issuer and credit reporting bureaus immediately if you find a suspicious transaction.
If you forget to check here and there, it’s helpful to know that your card issuer also tracks your transactions, and its security programs will flag unusual purchases, usually before you even see them.