Why You May Start Seeing More Chip Card Readers Soon

chip-credit-card-readers

The switch to chip-enabled credit cards last year came with a serious deadline: New rules went into effect in October making merchants more liable for fraud.

As is obvious to everyone who’s swiped when they should have inserted their card at a checkout line, the changeover hasn’t gone as smoothly as hoped. So, quietly, the credit card associations have taken steps to roll back the rules surrounding the changeover. The steps should be welcomed both by merchants, who will see their liability for fraudulent charges reduced, and consumers, who will soon see more chip-card machines as a result.

The new EMV credit cards were designed to take a bite out of credit card fraud. But in some cases, they’ve taken a bite out of merchant profits instead.

As of October of last year, merchants hit with fraud who weren’t using chip cards were declared responsible for counterfeit fraud by credit card associations Visa and MasterCard. The rule was intended to be the ultimate motivator to shift to EMV, encouraging stores to spend the $1,000 or so to upgrade their point-of-sale terminals.

Hundreds of millions of EMV chip cards have been put in the hands of consumers in the past year, and many are working as advertised at 1 million-plus merchants. But some stores have been slow to turn on chip card readers – they blame banks for a backlog in certifying the machines — which has led to huge fraud bills. One lawsuit alleged that some merchants have seen fraud rates rise 20-fold while they are waiting for new chip readers they purchased to get the green light from bank partners.

Other reporting by Credit.com found that in March, four out of five chip card readers weren’t turned on. (Again, a backlog in certification was blamed.) Perhaps in response, Visa announced in June that it was placing limits on the amount of fraud that non-EMV merchants could face. They also said they were working to streamline certification.

Effective July 22, Visa said it would temporarily prevent banks from forcing merchants to pay for counterfeit card frauds less than $25. Starting in October, banks will be limited to 10 counterfeit chargebacks per merchant account.

“These two changes together will significantly reduce the number [of] chargebacks that merchants are seeing,” Visa said in its statement. “Following these changes, merchants can expect to see 40% fewer counterfeit chargebacks, and a 15% reduction in U.S. counterfeit fraud dollars being charged back.”

The blocks will remain in effect until April 2018, when, theoretically, the kinks in the EMV conversion will be fixed. Visa also promised to give banks greater discretion in certifying EMV terminals, which should help merchants turn on all those chip readers.

“Visa recognizes the importance of having the industry help merchants get their chip terminal solutions up and running quickly so that everyone, especially consumers, can benefit from the powerful security protection of chip technology,” said Oliver Jenkyn, Group Executive North America, Visa Inc. “We’ve taken steps to simplify the process as much as possible and help reduce any challenges so merchants can move forward with chip adoption quickly.”

Fraud analyst Avivah Litan from consultancy Gartner Group applauded the move. “This is really meaningful,” she said. “The merchants must be getting totally slammed with every chargeback on the books.”

Also in June, MasterCard announced a similar program to speed up point-of-sale certification. In a statement, the association said it “continuously evaluates thresholds” relating to chargebacks.

“The whole industry wins when action is taken against counterfeit card fraud. Reducing terminal certification-testing time to a couple of hours from as long as a couple of weeks is one positive step we can take in a more mature market,” said Chiro Aikat, senior vice president of product delivery, EMV, for MasterCard.

Remember, EMV chip cards can help reduce fraud, but they’re not a fail-safe. In fact, the chip doesn’t protect your payment information when you’re shopping online, so it’s still a good idea to stick to trusted websites and monitor statements regularly for unauthorized charges. And, if you ever have reason to believe your personal information was compromised alongside your payment cards, it’s a good idea to monitor your credit for signs your identity has been stolen. You can do so by pulling your credit reports for free each year at AnnualCreditReport.com and viewing two of your credit scores for free each month on Credit.com.

Image:Rostislav_Sedlacek

The post Why You May Start Seeing More Chip Card Readers Soon appeared first on Credit.com.

Do You Really Need a Special Case to Keep Your Credit Card Safe?

rfid-blocking-card

By now you’ve probably heard of RFID blockers — those wallets, purses and other gadgets offering protection from hackers who can pluck your personal information out of thin air.

RFID, or radio frequency identification, chips are growing in popularity. But there’s something you need to know about those blockers before you buy them.

The rise of this industry coincides with the conversion of America’s credit cards to EMV, which will ultimately put a computer chip on every piece of plastic in your wallet. That’s no coincidence, according to the EMV Migration Forum, a group created by trade group the Smart Card Alliance to promote education and adoption of EMV cards.

“The ‘RFID blocker’ sales people are using the new cards with EMV chips to confuse cardholders into thinking that all EMV cards have RFID, and you need to block them,” said Adrian Riley, a spokesman for the EMV organization.

The fact is, you don’t. The new chips on your credit card almost certainly don’t emit radio waves. You can’t pay with your new chip credit card by waving it over a sales terminal; you have to insert it in the machine. So no one can listen to your personal information on such a card with a wireless snooping device. To put it more bluntly: EMV is not RFID.

When I set out to confirm this, I was surprised to find a lot of confusion online. That’s because there is a similar-sounding technology called contactless credit cards, which do use RFID and send a signal that an RFID blocker might defeat. There is also such a thing as “dual interface chip cards” that have both EMV and this contactless RFID capability.

But I’m willing to bet you don’t have one.

I was unable to find a precise number for how many of these are in the wild, but it’s a low number. (Some estimates I found suggest less than 1%.) The Smart Card Alliance notes in a 2015 white paper that contactless credit cards, first issued back in 2004, have suffered “sluggish adoption rates.”

I’ve never seen a contactless credit or debit card used by a consumer in the U.S. (They’re more common in Europe.) Some banks are thinking about adding RFID now that the EMV conversion is well under way, but other wave-and-pay systems like Apple Pay seem to have made contactless credit cards a technology that few Americans really seem to want.

I asked an RFID blocker company for help with understanding the prevalence of RFID, and a representative of the firm sent me to a blog post at Heartland Payment Systems, which says:

“Back to the magic chip reader question. Is it possible to read the data on an EMV chip from a distance? The short answer is, ‘not likely.’ EMV cards do use RFID. Similar to AM and FM radio bands, EMV chips utilize specific bands to communicate.”

This is all incorrect, according to the EMV Migration Forum. EMV does not equal RFID. Just because there’s a chip in your wallet doesn’t mean someone can sniff the data off it with wireless technology. (I asked Heartland about the post, written by a former employee last year, and didn’t get an immediate response.)

Here’s the bottom line: Some items you may carry do emit RFID signals under the right circumstances. Your newish passport does. Your employee badge might. If you carry them around all the time and are hyper-vigilant, perhaps you’ll enjoy RFID blocking technology.

Just know it does nothing to protect your new EMV credit card from hackers. And most important, while security researchers have demonstrated that RFID payment signals can indeed be hacked wirelessly, no one I know has found an example of this occurring on any scale in the real world. You have to be very close to the victim, and the data a hacker would steal is “disposable” and not very valuable, making this a very slow way to make money compared to all the other quick ways hackers make money today.

“I …want to emphasize that contactless payment technology doesn’t pose any risk to consumers,” said Riley. “Like contact chip cards, contactless chip cards generate a one-time-use code that can’t be reused. So even if a criminal managed to get their hands on the info, any captured data couldn’t be used to execute new transactions.”

How do you know if your credit card can broadcast data wirelessly? It has a logo called a wave that looks like radio waves. If your cards don’t have it, you don’t need an RFID blocking gadget to protect them.

Remember, it’s still important to monitor your credit or debit card statements regularly for fraud. And if you’re concerned about deeper identity theft, consider putting a freeze on your credit, which will prevent anyone from pulling your credit report, unless you thaw it. You can also monitor your credit for signs of identity theft, like a sudden drop in credit scores. (You can see two of your credit scores, updated each month, on Credit.com.)

More on Identity Theft:

Image: ronstik

The post Do You Really Need a Special Case to Keep Your Credit Card Safe? appeared first on Credit.com.

Do You Really Need a Special Case to Keep Your Credit Card Safe?

rfid-blocking-card

By now you’ve probably heard of RFID blockers — those wallets, purses and other gadgets offering protection from hackers who can pluck your personal information out of thin air.

RFID, or radio frequency identification, chips are growing in popularity. But there’s something you need to know about those blockers before you buy them.

The rise of this industry coincides with the conversion of America’s credit cards to EMV, which will ultimately put a computer chip on every piece of plastic in your wallet. That’s no coincidence, according to the EMV Migration Forum, a group created by trade group the Smart Card Alliance to promote education and adoption of EMV cards.

“The ‘RFID blocker’ sales people are using the new cards with EMV chips to confuse cardholders into thinking that all EMV cards have RFID, and you need to block them,” said Adrian Riley, a spokesman for the EMV organization.

The fact is, you don’t. The new chips on your credit card almost certainly don’t emit radio waves. You can’t pay with your new chip credit card by waving it over a sales terminal; you have to insert it in the machine. So no one can listen to your personal information on such a card with a wireless snooping device. To put it more bluntly: EMV is not RFID.

When I set out to confirm this, I was surprised to find a lot of confusion online. That’s because there is a similar-sounding technology called contactless credit cards, which do use RFID and send a signal that an RFID blocker might defeat. There is also such a thing as “dual interface chip cards” that have both EMV and this contactless RFID capability.

But I’m willing to bet you don’t have one.

I was unable to find a precise number for how many of these are in the wild, but it’s a low number. (Some estimates I found suggest less than 1%.) The Smart Card Alliance notes in a 2015 white paper that contactless credit cards, first issued back in 2004, have suffered “sluggish adoption rates.”

I’ve never seen a contactless credit or debit card used by a consumer in the U.S. (They’re more common in Europe.) Some banks are thinking about adding RFID now that the EMV conversion is well under way, but other wave-and-pay systems like Apple Pay seem to have made contactless credit cards a technology that few Americans really seem to want.

I asked an RFID blocker company for help with understanding the prevalence of RFID, and a representative of the firm sent me to a blog post at Heartland Payment Systems, which says:

“Back to the magic chip reader question. Is it possible to read the data on an EMV chip from a distance? The short answer is, ‘not likely.’ EMV cards do use RFID. Similar to AM and FM radio bands, EMV chips utilize specific bands to communicate.”

This is all incorrect, according to the EMV Migration Forum. EMV does not equal RFID. Just because there’s a chip in your wallet doesn’t mean someone can sniff the data off it with wireless technology. (I asked Heartland about the post, written by a former employee last year, and didn’t get an immediate response.)

Here’s the bottom line: Some items you may carry do emit RFID signals under the right circumstances. Your newish passport does. Your employee badge might. If you carry them around all the time and are hyper-vigilant, perhaps you’ll enjoy RFID blocking technology.

Just know it does nothing to protect your new EMV credit card from hackers. And most important, while security researchers have demonstrated that RFID payment signals can indeed be hacked wirelessly, no one I know has found an example of this occurring on any scale in the real world. You have to be very close to the victim, and the data a hacker would steal is “disposable” and not very valuable, making this a very slow way to make money compared to all the other quick ways hackers make money today.

“I …want to emphasize that contactless payment technology doesn’t pose any risk to consumers,” said Riley. “Like contact chip cards, contactless chip cards generate a one-time-use code that can’t be reused. So even if a criminal managed to get their hands on the info, any captured data couldn’t be used to execute new transactions.”

How do you know if your credit card can broadcast data wirelessly? It has a logo called a wave that looks like radio waves. If your cards don’t have it, you don’t need an RFID blocking gadget to protect them.

Remember, it’s still important to monitor your credit or debit card statements regularly for fraud. And if you’re concerned about deeper identity theft, consider putting a freeze on your credit, which will prevent anyone from pulling your credit report, unless you thaw it. You can also monitor your credit for signs of identity theft, like a sudden drop in credit scores. (You can see two of your credit scores, updated each month, on Credit.com.)

More on Identity Theft:

Image: ronstik

The post Do You Really Need a Special Case to Keep Your Credit Card Safe? appeared first on Credit.com.

Retailers Have Chip Card Readers. Why Aren’t They Using Them?

dip_your_chip

What are you supposed to do when you pull out plastic to buy something at a store these days? You’ve probably noticed that plenty of stores have terminals that obviously have a slot for inserting a chip-enabled credit card, but when you try to do that, an anxious store clerk yells something like, “Nope, we don’t take chips yet. Please swipe.”

Back in October, a much-ballyhooed deadline marked the great switch from old-fashioned magnetic stripe cards to newer EMV chip credit cards. Well, that was the plan anyway. Despite some slow, steady progress, most of us are still swiping our stripes instead of dipping our chips several times each week.

The Dipping Delay 

Initially, the bottleneck was thought to be caused by the large investment stores had to make in new point of sale terminals, which run about $500 for each checkout line.

But anyone who’s done any shopping in the past few weeks might be left with the impression hardware isn’t the problem: chip readers seem to be everywhere, but the switch hasn’t been flicked yet.

The impression is accurate. According to the industry group EMV Migration Forum, there are roughly 5 million EMV-ready terminals at U.S. stores right now, but only 1 million have started accepting chips. In other words, when you see a chip reader, odds are 4 out of 5 that you won’t be able to use it.

What’s the holdup? While it might seem obvious to blame stores for not enabling the devices, some merchants are blaming the banking industry, and a lawsuit filed last week in a California federal court claims that the banking industry collaborated to hand the bill for fraud to store owners.

Back in October, new network rules went into effect that essentially require merchants who haven’t upgrade to EMV terminals to cover the cost of fraudulent transactions. (Prior to the shift, financial institutions generally covered the cost of fraud.)

Last week, two small Florida stores filed a lawsuit seeking class action status, saying their bill for fraudulent transactions has increased perhaps 20-fold since the October deadline and the EMV delay — playing out in smaller stores across the country — is costing them big money. The lawsuit names payment networks like Visa and Mastercard, along with large payment processing firms. Both Visa and Mastercard said they were reviewing the claims in the lawsuit.

Not Just a Hardware Issue

It turns out that getting new hardware into stores was just the first step in the conversion process, and in many cases, the easier step. New software comes next, and that’s been causing holdups, experts said.

“Just because you see an EMV slot on a terminal, doesn’t mean it works,” said Michael Moeser, director of payments at Javelin Strategy and Research. “Getting the terminal to accept EMV cards is a two-part process. First, the merchant either needs to load newly developed software or integrate new software from a third party into its back office systems to allow the terminal to accept EMV. Second, then the new terminals and the merchant need to undergo a certification process with each of the card networks, typically done in combination with its merchant acquiring bank. The certification queue is currently very long as you can imagine that there are a number of merchants seeking to roll out EMV at the same time.”

While that delay is annoying to shoppers — “what do I do, swipe or insert?” — some merchants say it’s killing business. According to the merchant lawsuit, Milam’s Market and Grove Liquors in Florida faced 88 chargebacks for fraudulent transactions totaling $9,200 from MasterCard and Visa since the Oct. 1 liability shift, plus $5 chargeback fees for each item. During the same span last year, the firms faced only four chargebacks, the lawsuit said.

The stores say they purchased EMV hardware long ago, and are simply waiting for their terminals to be certified. The lawsuit says the stores have been told the queue for certification is so long they have no idea when it might come.

“Tellingly, nothing Milam’s Market could have done – short of making the business-crippling decision to stop accepting Visa cards – could have prevented this outcome,” the lawsuit says. “Class members such as the plaintiffs here, could not timely comply with the standard, no matter what they did, because the Defendants refused to, or were unable to, ‘certify’ the new equipment by the deadline – or, indeed, the ‘certification’ process would take years after the … Liability Shift was imposed.”

The Debit Sticking Point

Shifting the way America uses plastic was bound to encounter snafus, but Randy Vanderhoof, EMV Migration Spokesman, said the American payment market faced particular challenges because of the way debit cards are processed. Federal law designed to promote competition in debit card processing requires that merchants have a choice of networks for processing payments, but that made writing software for EMV debit cards much more complex.

“We have a regulatory environment which requires that every card issued has to support at least two unrelated payment networks for processing,” he said. “So software and certification testing on debit was more complicated and later to arrive.”

Since the specifications for EMV debit card processing came late in the game, some in the payment industry decided to delay their conversion work. Otherwise, stores and processors would have found themselves supporting EMV for credit cards, but magnetic stripes for debit cards, potentially frustrating consumers and causing two hardware and software conversions.

“That is not an ideal consumer experience,” Vanderhoof said. “You could have the same customer using debit in one transaciton (and swiping) and then credit in another (and inserting a chip card). You can start to appreciate it is not a simple thing.”

The merchant lawsuit makes this point too, quoting Terry Crowley, CEO of TranSend, which makes EMV software. He says that writing code to make the terminals work has become infinitely more complex in recent years. According to the lawsuit:

“Crowley said that while software code for card-accepting devices was historically simple enough to be written on the back of a business card. ‘Now with EMV, that same software wraps around the walls of a room three times … hundreds of thousands of lines of code.’ With the Liability Shift deadline having passed, Crowley says, suddenly there is a ‘fire drill’ to replace all of this simple software, compounded by the facts that the EMV code is hard to write, harder to certify and that few EMV software developers understand the U.S. market.”

Mobile in the Mix

Complicating matters more, the switch to chip cards is hardly the only change happening in the way consumers pay for things at checkout. Stores are trying to be ready to accept mobile payments, like Apple Pay or Samsung Pay, also.

“A number of merchants have decided to rollout other payments technologies at the same time of an EMV rollout which creates a more complex — time consuming — deployment,” Moeser said.

Vanderhood is optimistic that the problem is temporary, and the payment industry will work through the backlog in fairly short order. The EMV Migration Forum believes 50% of terminals will be enabled by the end of this year, and 90% by the end of 2017.

But for now, many merchants are blaming the banking industry — and the Florida store lawsuit accuses banks of knowingly conspiring to hand them the bill for fraud.

“What defendants knew, but Milam’s Market, Grove Liquors and the rest of the Class did not and could not know, was that purchasing new (point of sale) equipment and training their staff was not going to be enough,” the lawsuit says. “Requiring working EMV hardware and software by the Oct. 1 deadline were conditions, it would turn out, which were impossible for the Class members to meet and which the Networks, the Issuing Banks and (industry) knew were impossible to meet.”

Consumers generally aren’t held liable for unauthorized charges, but that doesn’t mean you shouldn’t monitor your financial accounts regularly for fraud. You can also monitor your credit if you have reason to believe your personal information was compromised alongside your payment information. A sudden drop in credit scores can be a sign identity theft is occurring. (You can keep an eye on your credit by viewing your two free credit scores each month on Credit.com.)

More on Credit Cards:

Image: RL Productions

The post Retailers Have Chip Card Readers. Why Aren’t They Using Them? appeared first on Credit.com.