‘Chip’-ing Away at Identity Theft
February 2016
Cheryl Payson is the chief support officer for MAX Credit Union. She was recently interviewed by the Montgomery Business Journal’s David Zaslawsky.
What is your responsibility as chief support officer? • I manage five different areas of the credit union, but the one that we’re talking about today would be card services.
What are the other areas you oversee? • All of our facilities; our loss prevention; records; electronic funds; purchasing; and card services. We service and support the credit card and ATM functions here.
Let’s talk about the new credit card chip. It’s officially called EMV for Europay, MasterCard and Visa, which created it. What is it? • It’s an enhanced security feature on credit and debit cards. It allows a higher level of security. It’s not going to eliminate fraud, but it’s going to close the loop for the opportunity for fraud to happen. It’s dynamic instead of static. The current cards are static.
Would you please explain dynamic vs. static? • If you swipe your card now you have a little mag strip on the back – that data is constant and static. It doesn’t change so it’s susceptible to be captured and counterfeited and copied, but with that chip it’s dynamic. So every time that card is used it creates a transaction authorization. It varies every time you use your card.
The card with the strip never varied? • The information that’s on the back is constant. When the (chip) is inserted into the machine that chip generates unique codes for that transaction. It’s only valid for that transaction.
Are there common misconceptions about the credit card chip? • From our customer member bases, we don’t really hear that. It’s positive: “We’re glad to see it. We’re anxious to get this enhanced security on our cards, too. Glad you’re doing it.”
What are some of the basic things that a business needs to know about the new credit card chip? • It’s more secure. If they have card readers that accept those cards it’s going to protect them more. Financially, major stores already know this, but smaller stores may not know this – if they don’t upgrade their readers to accept the chip they’re exposing themselves to greater liability.
We’ll get back to that because it’s one of the most significant changes. I thought the deadline was Oct. 1 for issuers to send out the new cards with the chip. • Most of the major financial institutions have rolled it out. There are some that are probably in the midst of doing it (late December). I think it’s more on the merchants’ side where rollout is going to be slower than card issuers based on what I’ve seen and based on what I’ve read.
Is it an expense issue? • Yes.
I read that it could cost more than $1,000 to update a register. • Of course, it depends on how large a merchant you are and how many readers you have. But if you look at this way – if you don’t do it, then you’re exposing yourself to losses unnecessarily to these transactions that are not authorized. You have the card and you have the reader and whoever has the least amount of security is going to end up bearing the financial cost of that. If I have a chip card and I go to a merchant that can’t read that chip and that’s a fraudulent transaction that merchant now bears the cost of that transaction and not the card issuer.
That is a huge, huge change in liability. • Correct.
I’m not sure that all merchants are aware of that because it was the card issuers who were responsible for fraudulent transactions. Did that actually change Oct. 1 or is it being phased in? • The requirement was Oct. 1, 2015. The exception is gas pumps – gas pumps are not subject to (the deadline).
But the convenience store would be liable. • Yes.
Are there other exceptions to the Oct. 1 deadline? • ATMs are not subject to the liability shift until 2016. It is being phased in.
What is the potential burden for merchants who are not used to having the liability from fraudulent use of credit cards? Are they liable for each fraudulent transaction? • Yes, in theory.
Was it costly for MAX to issue new credit cards with the chip? • In general, it costs us twice as much to issue a chip card as it does a mag strike card. When you aggregate how many cards we issue, it’s pretty expensive, but then again if we don’t ... No. 1, our biggest concern is giving our customers the greatest amount of protection that we have. The cardholder is never going to be subject to any financial loss, but who wants to be bothered by that and who wants to have that sense of “my stuff has been stolen.” First and foremost, we want assurance on our customers’ part that we’re doing all that we can. Secondly, if we don’t, we’re still going to be liable for the losses anyway.
The new transactions take longer, and can that impact a company’s revenue if you are a high-volume merchant with a lot of registers and locations? • It could depending on the size and their volume. Two things about that: One, the technology that is being used in the United States is in (its) infancy. If you go to Europe, you’re going to see the tap and go – the NFC (near field communication), which is faster. This is the beginning (stage).
Will the tap-and-go technology be here within five years? • Probably.
Isn’t the potential liability fairly great for businesses that do not upgrade for the new chip credit cards? • If I was a business owner I would certainly be considering things like, “How often do I experience a fraudulent transaction to begin with?” A small, single owner, self-proprietor – a small gift shop or something of that nature – I would ask myself, “How many times am I experiencing fraud?” If I’m experiencing it very often then I have to go, “OK, I am going to start being liable for that stuff and maybe it would be in my best interest to go ahead and buy that card reader.” On the other hand, you’re going to have some businesses to go, “I don’t ever experience fraud. I’m not going to make that investment right now.” They are kind of self-insuring, saying, “I’ll take care of that because the cost of what I would pay in fraud losses is less than buying new card readers.”
In addition to the fraud, can there be identity theft issues? • Potentially, the business owner could be exposing themselves to other lawsuits. Let’s look at it from the Target perspective. Target had that great big loss. They had more to be concerned about than just those card losses to their customers. Sales. Trust, definitely, although people are still flocking to Target. My thought would be as a business owner – if I had enough angry people that were subject to losses as a result of my not upgrading, then they could say, “Look, Mr. shop owner, you had at your fingertips the ability to buy the device that would reduce this risk. I’m going to sue you because you’ve caused me pain and suffering from identity theft.”
I’ve read that some have criticized the new technology because it does not go far enough. • With EMV, there is card and there is card and signature, and what’s rolling out in general in the United States is card and signature. What that means, as you have probably experienced yourself – you put the card in the machine and then you’re signing for the transaction. There is also a card and pin, which is a higher degree of security.
The card and signature is not the end-all–be-all because it doesn’t have the pin. Some have said that’s a huge missing link. • That is correct. I could have the card stolen out of my wallet and somebody could still go and use it because there is not a pin required. A lot of comment from people in the United States that just have a card and signature (is), if they go to Europe or just international travel – sometimes they have difficulty because in Europe and internationally, they are using the pin and chip more than the chip and signature.
These are different times when the U.S. is so far behind in technology. • Europay, MasterCard and Visa have to force this issue. Merchants and issuers weren’t excited about the increased expense to do this. This past Oct. 1 deadline wasn’t mandated by government. It was mandated by Europay, MasterCard and Visa.
Did MAX meet the Oct. 1 deadline? • We got our credit cards out. We started rolling them out in August. We, along with others, did not mass-reissue. We are issuing our cards as they naturally renew. We are in the midst of (rolling out) our debit cards.
How long does it take to replace the old credit cards and debit cards? Is it two- or three-month process? • It’s closer to six months. If there is no chip reader at the merchant, then the mag stripe still works.
I have to use it at some places, but you do feel better when you use the chip because it is safer. • Absolutely. Well, I’m glad to have it.