You’ve likely seen this major, recent addition to your credit cards and debit cards. You might’ve suddenly had your bank reissue every card, and the new ones have a shiny, little square. And when you use them at certain stores, you have to insert your card into the reader instead of swiping it.
Those little shiny squares are called EMV chips, and they’re already on almost 400 million cards in the United States. That means three out of four cards in the U.S. are already chip-enabled.
Chip-enabled cards are the standard in most of the world, with big-name financial institutions behind them, including American Express, Discover, Mastercard and Visa. These companies have one big incentive to do a better job securing your card transactions: Money. In 2016 alone, an estimated $4 billion will be stolen from U.S. citizens by criminals duplicating the information on the standard magnetic stripe found on the back of every card.
Plus, some of the worst credit card crimes in recent years exploited the payment machines where you swipe your card. Remember a few years ago when criminals hacked Target’s in-store credit card readers to steal information from up to 70 million people? Criminals used that same method over a five-month stretch at The Home Depot in 2014 to compromise credit card information for 56 million people.
EMV chips are intended to make it a lot tougher for criminals to steal your information and exploit retailers’ payment systems. Here’s how it works — and why it still isn’t as safe as you might hope.
The EMV chip in your card protects you from criminals in a number of ways. If you’ve tried swiping a credit or debit card with an EMV chip in it, you know it doesn’t work with standard credit card readers, which read the magnetic stripe. The chip is different, and that includes the way your information is stored on it.
With a magnetic stripe, for instance, all your information is coded on it. If a counterfeiter steals it and copies it, he or she can use your information over and over. The EMV chip, however, doesn’t store your information; instead, the computer chip creates a unique transaction ID each time you use it. It uses encryption to securely hide your personal information, so even if hackers get the ID, it’s worthless to them.
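To make the per-transaction ID concrete, here is an added example (not from the original article, and not the real EMV algorithm): a simplified Python model in which HMAC-SHA256 and a counter stand in for the chip's cryptogram. The `ChipCard`, `Issuer` and `demo` names and the card number are made up for illustration. It shows the issuer accepting a chip transaction once and rejecting a copy of it, while copied stripe data is accepted every time.

```python
import hashlib
import hmac
import secrets

# Simplified model, not the EMV algorithm: HMAC-SHA256 stands in for the chip's
# per-transaction cryptogram. All class and field names are hypothetical.
def _code(key, pan, counter, amount, nonce):
    msg = f"{pan}|{counter}|{amount}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0  # key never leaves the chip
    def authorize(self, amount, nonce):
        self._counter += 1  # every use gets a fresh counter value
        return {"pan": self.pan, "counter": self._counter, "amount": amount, "nonce": nonce,
                "code": _code(self._key, self.pan, self._counter, amount, nonce)}

class Issuer:
    def __init__(self):
        self._keys, self._last = {}, {}  # per-card key and highest counter accepted
    def issue(self, pan):
        self._keys[pan], self._last[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self._keys[pan])

    def approve_chip(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None or tx["counter"] <= self._last[tx["pan"]]:
            return False  # unknown card, or counter already used (a replayed copy)
        good = _code(key, tx["pan"], tx["counter"], tx["amount"], tx["nonce"])
        if not hmac.compare_digest(good, tx["code"]):
            return False  # amount altered or code forged
        self._last[tx["pan"]] = tx["counter"]
        return True

    def approve_stripe(self, track_data):
        return track_data in self._keys  # static data: valid on every presentation

def demo():
    issuer = Issuer()
    card = issuer.issue("TEST-PAN-0001")  # constructed card number
    tx = card.authorize(2599, secrets.token_bytes(4))
    forged = {**card.authorize(100, secrets.token_bytes(4)), "amount": 99999}
    return {"first_use": issuer.approve_chip(tx),
            "replayed_copy": issuer.approve_chip(dict(tx)),
            "altered_amount": issuer.approve_chip(forged),
            "stripe_copy": issuer.approve_stripe(card.pan) and issuer.approve_stripe(card.pan)}
if __name__ == "__main__":
    print(demo())
```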
Second, in most of the world, credit card issuers require cardholders to also input a PIN. That’s commonly referred to as the “chip-and-PIN” method. It’s a great way to keep your cards and information safe. When you use chip-and-PIN, the EMV chip creates a unique ID for that transaction. On top of that, you have to unlock your card with your PIN. Even if criminals did get their hands on your card, they’d have a really tough time getting past your PIN.
Third, some EMV cards use near-field communication (NFC) to make financial transactions. You wave your card past an NFC reader or insert it into one, and your money is transferred from your card to the retailer using radio wave technology. For criminals to steal your information, they’d have to be within a few inches of you and have an NFC reader with them. That’s doable, but it’s not something everyday criminals will take on.
While credit and debit cards with EMV chips will better protect your information from theft, EMV, for the moment, is an imperfect system. Or, more precisely, it’s an imperfectly executed system. Here’s why:
- While most cards are chip-enabled, a lot of retail point-of-sale systems still don’t have their chip readers enabled, leaving customers exposed. In fact, automated gasoline pumps — one of the easiest places for thieves to swipe card data — don’t have to be compliant until October 2020.
- The chip-and-PIN method isn’t really going to be used in the United States — at least, not as widely as it is elsewhere. Here, you’ll most likely use your EMV cards by inserting them into a reader or waving them over one and providing a signature instead of a PIN. That means the EMV cards will be safer than current cards with magnetic stripes but not as safe as they could be.
- If you travel overseas, where the chip-and-PIN method is used, you may run into some problems if you don’t have a PIN. Plus, in the United States, there will be a transition period where cards have both a magnetic stripe and an EMV chip. EMV readers in some countries may not read a card with both a stripe and a chip.
- Criminals are clever, but you already knew that. If they steal your EMV card and use it to make an online purchase or place an order over the phone, they don’t need to scan your chip. It’s called a “card-not-present,” or CNP, transaction. It’s a growing problem in countries that use the chip-and-PIN method.
Despite this, using your card’s EMV chip is still safer than swiping its magnetic stripe, and total adoption should be the goal. It’s about time cardholders and retailers took security seriously.