Once a new technology rolls over you, if you’re not part of the steamroller, you’re part of the road.”
—Stewart Brand, Editor of the Whole Earth Catalog
“New and improved” credit cards are appearing in wallets of consumers across the United States. Designed for additional security for consumers and businesses, the new cards command the attention of consumers, merchants, and financial institutions. They look like the traditional old cards with one difference: a small, square, metallic computer chip appears on the front of each card. The card is known by several names, including smart card, smart-chip card, chip-enabled smart card, chip card, chip-and-signature card, chip-and-PIN (personal identification number) card, and EMV (named for Europay, MasterCard, and Visa) chip card (see the table).1 Given all these names, it’s understandable that the transition to the new card has prompted questions and even some confusion. For simplicity, this essay primarily refers to the new cards as smart cards or chip cards.
For a point-of-sale (POS) transaction, the smart card functions the same as the traditional magnetic stripe card but some procedures and processes have changed. When a magnetic stripe card is swiped for a transaction, unencrypted data stored on the card are read by the terminal. The terminal processes and sends the uncoded information to the card issuer. Within seconds, the issuer’s computer verifies and either approves or declines the requested transaction.2 In a smart card transaction, the card is not swiped but is inserted, or “dipped,” into a chip card reader terminal. Payment data are embedded on the chip3 and the terminal enables the chip to process information. The payment application embedded on the chip completes processing, stores encrypted (coded) data, and generates a new code for each transaction. During a transaction, encoded data flow between the smart card and the issuing institution for account authorization to approve or decline the transaction.
As the forerunner of the smart card, the magnetic stripe card was the hub of the credit card market for years. In 2011, the magnetic stripe was listed as one of IBM’s top 100 contributions to society as part of the company’s 100-year anniversary celebrations.4 Since the 1970s, this development has boosted rapid growth in the credit card market. Federal Reserve statistics validate the impact of the magnetic stripe: U.S. credit card balances grew from $9 billion in early 1973 to $890 billion in October 2015.5 But as the saying goes, “All good things must come to an end.” After decades of low-cost efficiency in the credit card market, new technologies and security concerns demanded a change in card design and the magnetic stripe era began its descent into history.
Although new to the United States, chip cards have coexisted with magnetic stripe cards for several years. Because the magnetic stripe card was already successfully in use, the chip card industry enjoyed the benefit of time to test, improve, refine, and perfect the new technology. Invented in the early 1970s, chip cards were first tested in France in the 1980s. By 1994, a French-developed chip was used for all credit cards issued by French banks. That same year, as more countries became interested in using the chip card, three international payment systems—Europay, MasterCard, and Visa—began a global partnership to develop specifications for a chip card that could be used worldwide. Several versions evolved, with improvements made before the most recent chip specifications were released.6 Finally, in 1999, a separate company—EMVCo—was created to manage and oversee EMV chip specifications.7
At least for some time the new smart cards will include the traditional magnetic stripe on the back. This dual-technology is necessary since some businesses have not yet upgraded to the new chip card reader terminals.
As much of the world embraced the EMV global standard chip technology, the United States resisted and became the last developed country to rely on magnetic stripe cards.8 The United States already had advanced fraud management methods in place for magnetic stripe cards and the perceived benefit of migrating to the smart card, with inherent cost and investment by issuers and merchants, did not seem justified.
However, as more cases of credit card hacks surfaced and the number of high-profile data breaches swelled, the growing fraud problem garnered increased attention. Concerns regarding fraud involving card-present (CP) transactions included credit card counterfeiting, skimming of personal and financial data, and fraudulent transactions made with lost or stolen credit cards. In each case, fraudulent transactions are made with an altered, stolen, or cloned card.9 The smart card, designed specifically to reduce fraud and significantly improve security for POS payment transactions, offered a solution. Because smart cards generate a new security code for each transaction, the specifications make cloned, stolen, or skimmed data useless to fraudsters. The unique and changing security code is the key for addressing CP fraud and providing a more secure payment system.
To strongly encourage merchant participation in the chip card solution, the major U.S. credit card issuers—MasterCard, Visa, Discover, and American Express—established October 1, 2015, as the date for merchants to establish responsibility for CP fraud. After this date, if merchants had not upgraded to accept the new chip cards, they would be responsible for any fraud liability and risk the high costs of possible data breaches. Liability-shift dates are set for October 2016 for ATMs and October 2017 for fuel pumps. This extended time allowance was granted because of the increased cost and complexity of the transition.10
Although the government did not mandate the switch to the new chip card, it did endorse the change through an executive order signed in late 2014. In early 2015, the federal government began to use chip cards through its SmartPay program.11 This program provides credit cards to government employees for use in conducting government business. The government-issued cards are designed as chip-and-PIN cards, which provides an additional layer of security, although most other U.S. issuers are implementing primarily the chip-and-signature card initially. Additionally, upgrades have been initiated for all government-owned POS terminals to become chip card reader terminals.12 These actions clearly illustrate the U.S. government’s commitment to adopt smart card technology.
Migration schedules for the smart card rollout vary by issuer. While some issuers have committed to issuing the new cards to all customers as quickly as possible, others have issued the cards first to customers who are new, have requested new cards, travel internationally, or have greater fraud risk. Regardless of the rollout plan, the number of smart cards continues to increase substantially. An estimated 50 percent to 70 percent of U.S. cards had undergone the transition to chip cards by the end of 2015.13 For comparison, a Federal Reserve study reports that as recently as 2012 only 74 of every 100,000 CP credit card transactions were made with a chip card.14
The transition to the smart card is a huge task in terms of investment, cost, and procedural changes. First, it is a tremendous task for issuers to update the vast number of credit cards in circulation. At the end of 2012, the Federal Reserve reported approximately 333.6 million credit cards in force15 and the number continues to increase. And card issuance bears its own cost: The average cost for issuing a new smart card is $3.5016 compared with slightly more than $1.00 for issuing a magnetic stripe card.17
A substantial cost is involved for retailers as well to install an estimated 12 million new POS terminals to accept the new cards. The estimated cost of each EMV-compliant POS terminal is between $500 and $1,000.18 And of course, employees need training for the new procedure, which also requires time and can be costly. Smart cards slow the transaction process by a few seconds, which affects the checkout process. But more importantly, each retailer must weigh the cost and benefit to its business of changing to the smart card technology. Upgrading may be expensive, but the liability for any fraud and possible data breaches could be disastrous. As mentioned earlier, the party that does not support EMV technology will bear the liability for counterfeit and lost/stolen (MasterCard, Visa, American Express, Discover) cards.
Finally, the transition will likely be viewed as a short-term inconvenience for consumers. First, the smart-card transaction process takes a few seconds longer than the magnetic-stripe process to transmit the data and complete a transaction. Second, breaking the habit of swiping the card may be initially awkward and require practice. The smart card terminal prompts the customer to insert, or dip, the card into the terminal and leave it there until the transaction is completed. The terminal may instruct the consumer visually and/or with a beep when the card should be removed. There may be a PIN required rather than a signature, a possible inconvenience, but most smart cards will continue to require a signature.
The history of credit cards is already defined; the future is under construction. The huge task of transitioning to the smart card is underway, so what’s to be expected in the future? First, as the migration progresses, an increase in fraud related to card-not-present (CNP) transactions—such as for e-commerce—is anticipated.19 The smart card does not change anything for CNP transactions. As fraudsters move the focus of their attacks to the CNP environment, more changes in the smart card may evolve to address both CP and CNP transactions. Also, most initial smart cards are designed to require a signature. Future changes may include the requirement of a PIN as another layer of security. Overall, there appears to be consensus that the transition to smart cards is on the right track. Staying on the right track means monitoring, adjusting, and making changes. Even though the magnetic stripe card worked well for decades, changing technology and security concerns prompted adjustments and changes—just as they will for smart cards.