Chips promise more security for credit cards, but signature still required

Safer, chip-enabled credit cards are coming to the US before the end of 2015, but it will be years before tougher, PIN-based security will be used nationwide.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Seth Rosenblatt
3 min read

Most US consumers next year will encounter chip-and-signature credit card terminals, like Square's next-generation reader. Square

New credit card technology is coming that will increase security and decrease the likelihood of theft. But you're still going to be asked to sign a receipt every once in a while.

By October 1, 2015, credit card transactions in the United States are going to require technology that has been in use elsewhere for years: a chip built into the card, promising better security against fraud. The old way, swiping a card with a magnetic stripe through a machine, will be phased out. And it will probably happen quickly; after October, retailers using the old swipe terminals will be liable for fraudulent purchases.

US credit card companies say it's about time, even though they've been among the most reluctant to adopt it.

"The chip by itself will dramatically reduce counterfeit fraud, which is the most predominant fraud type today," said Oliver Manahan, MasterCard's vice president of emerging payments.

It's been a long slog to get here, and the US is the last of the G20 countries to adopt the chip-equipped cards.

There are many reasons why. Credit card companies have been reluctant to adopt them because the cards are more expensive to produce, retailers have been reluctant because payment terminals are costly to upgrade, and the US credit card system is complex. In addition to retailers who want easy transactions and financial institutions that want secure transactions, Visa and MasterCard sit between banks and retailers as the nation's major credit card processors.

As the US has lagged behind in adoption of chipped cards, fraud has risen. Magnetic stripe cards, which have been in use throughout the US since the 1970s, are far easier to clone than chipped cards. In all, $6 billion was lost to credit card fraud in the US in 2013, up from around $4.5 billion in 2011, according to a report from industry research firm Aite Group.

The type of fraud that the financial industry is most concerned about is counterfeit card fraud, said Kim Lawrence, a senior vice president at Visa who specializes in the adoption of chipped cards. She blamed major hacks like those at Target and other retailers in which personal data including credit card numbers of tens of millions and sometimes hundreds of millions of customers have been stolen.

The new system is far safer. The most commonly used type of chipped credit card is called EMV for the finance firms Europay, MasterCard and Visa, which developed the technology. These cards could cut some types of credit card fraud in half, industry experts say. Aite Group said in the United Kingdom counterfeit credit card fraud plummeted to $67 million in 2013 from $151 million in 2004, after it was an early adopter of chipped cards. Overall, fraud from lost and stolen credit cards there fell by a third during the same period.

The chipped cards can be used in two ways. One requires buyers to enter a passcode personal identification number, or PIN, after the chip has been read, effectively protecting them against both counterfeit cards and the use of lost and stolen cards. The other type of transaction reads the chip, but then asks for a signature, much like the outdated system of today but without the magnetic stripe. Square, which revealed plans last week for its chipped-card readers for mobile devices, will be supporting the so-called "chip-and-signature" cards.

That's the system much of the US will switch to first, instead of the more secure passcode PIN.

Banking and independent analysts say that's good enough for now. Lawrence said the credit card companies don't want to change too many things at once, even if they admit it would be safer.

These new cards won't solve everything. The Internet makes it easy for criminals to use stolen credit card numbers without the physical card, rendering the chipped-card system no more secure than an old-fashioned swipe card. "We've seen criminals adjust tactics rapidly" in countries that use chipped cards, said Julie Conroy, the analyst at Aite Group who wrote the report.

So when can you expect to use a PIN instead of a signature to authorize your credit card transactions in the US? Conroy predicts it won't happen until 2018. Then, she said chip readers will be nearly ubiquitous and people should be more comfortable with the technology.

But it could happen sooner, she said. "If there is another watershed event such as the Target breach, and consumers start clamoring for the PIN, issuers will respond."