For decades, Americans have been paying for things by swiping the magnetic strip on their credit cards through an electronic card reader. But that's about to change. Today, October 1, is the official deadline to switch to a new, more sophisticated payment technology that replaces that magnetic strip on the back of your credit card with a tiny computer chip. If you have one or more credit or debit cards, you probably got replacements recently that looked like this:
On the left-hand side of the picture, you can see metal contacts that allow a card reader to communicate with a tiny computer chip embedded in the card. This chip is capable of authenticating financial transactions in a way that's much more fraud-resistant than the old-fashioned magnetic strip.
From the user's perspective, the change will be a fairly minor one: Instead of swiping the card through a reader, you'll slide it into a slot and leave it there for several seconds. But behind the scenes, the switch could produce a dramatic reduction in credit card fraud.
America's credit card networks are old and busted
In the past few years, US retailers have suffered from a seemingly endless series of security breaches that led to the loss of customers' credit card information. A big reason for this is that our technology for processing credit card transactions — specifically, the magnetic strip on the back of the card — is decades out of date.
That magnetic strip contains a machine-readable version of the same information that's printed on the card itself: the account number, account holder's name, and the card expiration date. The credit card terminal uses this information to contact the bank that issued the credit card and verify that the card is valid.
The key thing to notice about this scheme is that it effectively works on the honor system. Your account number and expiration date work as a de facto password for your account, and you share that "password" every time you buy something.
This works surprisingly well because the overwhelming majority of merchants have no interest in defrauding their customers. But if the information falls into the wrong hands — say, because hackers infiltrate a major retailer like Target or Home Depot — then exploiting it is easy. Criminals simply have to copy the information onto a new credit card, then hire people to go on shopping sprees with the new cards, buying valuable items like iPads and designer handbags that can be unloaded at a profit later.
This might be why the United States suffers disproportionately from credit card fraud. In 2013, the US accounted for 23 percent of all credit card transactions but 47 percent of credit card fraud.
The rest of the world is way ahead of us
This problem has been obvious for decades, and indeed the financial industry figured out how to solve it decades ago. The solution: Replace that magnetic strip with a tiny computer chip that is capable of authenticating itself in a more sophisticated way. The chip card can prove it's legitimate without supplying enough information for a criminal to clone the card.
The global standard for doing this is called EMV, after the Europay, MasterCard, and Visa networks that developed it. The EMV standard was developed in the early 1990s, and most of the developed world has been using the technology for years. In Europe, chip-based credit card transactions accounted for 96 percent of transactions in late 2014, compared with less than 1 percent in the United States. Latin America, Asia, and even Africa are ahead of the US in adopting the technology.
Upgrading is a big project
The transition has been so slow because switching to a new payment system requires simultaneous upgrades by many different parties. Banks have to send out new credit cards. Retailers have to upgrade to new equipment. If banks upgrade and merchants don't — or vice versa — the investments will be wasted.
And these upgrades are expensive. New chip cards cost as much as $4, compared with less than 50 cents for old-fashioned magnetic strip cards. New card readers can cost hundreds of dollars, compared with less than $100 for the old ones.
To prevent companies from dragging their feet, major American payment networks set a hard deadline — October 1, 2015 — for switching to chip card technology. Starting today, they're going to change credit card liability rules to give merchants and card-issuing banks an incentive to switch. Right now, merchants and card-issuing banks split liability for credit card fraud. But if a fraudulent transaction occurs after October 1, liability will fall more heavily on companies that haven't upgraded to the new technology.
This is why you may have gotten a bunch of replacement credit cards in the mail in recent weeks. By upgrading promptly to the new technology, major banks can not only reduce fraud, but can also shift liability for fraud that does occur onto merchants.
Retailers — especially smaller ones — have been slower to make the switch. But starting today, they'll have powerful incentives to do so.
The new standards will reduce fraud but won't eliminate it
The switch to chip-based credit cards will dramatically reduce one specific type of credit card — the kind where criminals steal the data off the magnetic strip and use it to make a new, fraudulent card.
The fact that the United States is the last major economy to switch to chip-based cards means that we're likely to see the benefits more quickly than other countries did. When other countries switched to EMV cards, criminals responded by cloning cards and using them in countries, including the United States, that hadn't yet made the switch. But once the US transition is complete, criminals won't have anywhere else to turn.
However, two other major avenues for credit card fraud will remain open.
One is to steal the cards themselves. A purse snatcher will still be able to take a stolen credit card and go on a shopping spree. Some other countries have adopted an approach called chip-and-PIN, which requires customers to enter a four-digit PIN to authenticate transactions. But most US credit card companies have adopted a less secure chip-and-signature approach that provides no real protection for stolen credit cards (debit cards are more likely to require a PIN to make payments).
The even harder problem is remote transactions. A chip only helps with face-to-face transactions. Online orders will still work by typing in a customer's credit card number and other details, which means it will still be possible for bad guys to steal a customer's credit card information and then make fraudulent transactions online.
Credit card companies have tried a wide variety of ways to beef up the security of online transactions. All three credit card networks have experimented with systems where users are redirected to a third-party website to prove their identity before a transaction is approved. But the process is glitchy, and users hate the extra hassle, so it hasn't caught on.