I’m one of those people who practically lives at Target. Groceries, toiletries, pet food, office products — they all land in my shopping cart at Target. Then they wind up on my Visa card.
When news of the Target data breach started hitting the headlines in December, I started watching my credit card statement like a hawk.
I was lucky, and surprised, to find I’d come out unscathed (at least so far). Then talk of the security provided by chip-enabled credit cards started making the news, and I chalked up my good fortune to the fact I’d switched last year to a chip-enabled card to ease my European travels. I figured that must have saved me from a world of hurt.
The next surprise came from learning that despite all the hoopla over chip-enabled cards, these kinds of cards currently do nothing to help consumers in cases like this.
Because most U.S. companies have yet to adopt point-of-sale devices that can read the chips, new chip-enabled cards such as mine still have the old magnetic stripe on them. The new chip on my card isn’t used for U.S. transactions; the old readers (like the ones at Target) pull my data from the old magnetic stripe.
In short, I thought I was bulletproof, but I’m not.
And even once credit card companies and merchants make the transition to the new cards and devices, if you shop online, a chip-enabled card offers no more protection than a traditional credit card with a magnetic stripe.
It’s still not clear exactly how many consumers have been hit by the Target data breach. Initially, the company said thieves hacked 40 million accounts, and swiped customers’ names, credit and debit card information and PIN numbers. Later the company said names, mailing addresses, and phone numbers or email addresses for up to 70 million customers were stolen. They’re unsure how much overlap there is between the two groups.
The extent of fraudulent activity from the data breach also isn’t yet known, but the Consumer Bankers Association says its members spent more than $170 million simply replacing credit and debit cards.
I’d jumped on the chance to get a chip-enabled card when the offer came in the mail from Bank of America. I was getting ready to head to London last spring, so the bank expedited the new card.
Not that I’ve had problems with my old Visa card in Europe, but I always had to explain my card was American. Unlike standard cards in the United States, which use magnetic stripes to store credit card information, European cards store data on microprocessor chips. The chips make it far more difficult to counterfeit or copy cards.
The cards used in Europe and much of the world also typically require a PIN. My new chip-enabled credit card doesn’t have a PIN, but instead requires a signature, so that still can take a bit of explaining overseas.
If I use the card overseas now, there’s an extra layer of security with a chip-enabled card, also called an EMV-enabled card. EMV stands for Europay, MasterCard, Visa, and is the international standard for cards with a built-in chip.
But here, they’re of no help.
Doug Johnson, vice president of risk management policy with the American Bankers Association, says many credit card issuers are automatically sending out chip-enabled cards as customers’ current credit cards expire. But they won’t offer any more protection than cards with magnetic stripes until more credit card machines can read the new technology.
Because of the costs of changing over to the new technology, only about 10 million to 15 million chip-enabled cards are now in use in the United States, or less than 2 percent of the credit card market. Only about 10 percent of the point-of-sale devices in the United States now support EMV transactions.
The uproar over data breaches looks like it will light a fire under the transition. Target has already announced plans to handle EMV technology early next year.
And in October 2015 major credit card providers will start holding banks and merchants liable for fraud. If a merchant uses the old system, and the customer uses a chip card, the merchant will be responsible if fraud occurs. On the flip side, if the merchant has the new technology, but the bank hasn’t provided the customer with a new card, the bank will be liable.
My card uses a chip and signature. In Europe and other places chip and PIN technology is used, but Johnson says the PINs create their own risk. If your credit card is linked to your bank account and the bad guy gets your PIN, the card could be used at an ATM to drain your account. ATMs don’t have to switch to the new technology until October 2016.
And even after that time, the chip-enabled cards will do nothing to protect you from fraud if you shop online because no device actually reads your card.
In fact, a February 2014 report from the Smart Card Alliance, “Card-Not-Present Fraud,” found that in countries such as the United Kingdom and France, which have already embraced EMV-enabled cards, fraud still flourishes in situations where consumers use their cards to make purchases online or over the phone.
It leaves you wondering if there’s any safe way to make purchases these days.