While EMV chip cards are nothing new in other parts of the world, the U.S. has only recently adopted this technology. Since October 2015, the U.S. started undergoing a significant payment technology evolution — upgrading from magnetic stripe (magstripe) cards to EMV (named for the original developers, Europay, MasterCard, Visa). This transition is also known as the EMV Liability Shift.
However, unlike other countries around the world that have transitioned to this form of payment technology, the US did not enact a “card chip law” to make upgrading mandatory. As a result of this act and non-law, many U.S. merchants have foregone updating their payment technology to accept chip cards — leaving them more susceptible to credit card fraud. Let’s take a look at the difference between a chip card vs. magnetic stripe card and discuss how modern technologies are protecting both merchants and consumers.
What is EMV Liability and Why is it Shifting?
As the name of the act implies, the EMV Liability Shift only shifts the liability from one party to another. Unlike other countries around the world that transitioned this form of payment technology, the US did not enact a “card chip law” to make upgrading mandatory. As a result of this act and non-law, many U.S. merchants have foregone updating their payment technology to accept chip cards — leaving them more susceptible to credit card fraud.
Before October 2015, the liability, or responsibility for fraudulent card-present transactions generally fell onto the card issuer. After October 2015, the liability for in-store fraud shifts to the party (the merchant, the acquirer, or the issuer) that has not adopted chip technology.
Since the liability shift went into effect, merchants without the ability to process EMV chip card transactions may have experienced chip card chargebacks. Cardholders initiate the chargeback process when they contact their issuing banks to challenge charges on their accounts.
Merchants with EMV-compliant technology may be able to dispute the claim that the cardholder was the person who made the purchase. However, merchants without chip card processing capabilities don’t have many options other than to pay back the amount of the transaction. Also, merchants will face chargeback fees and may also have to pay EMV non-compliance fees when they process a fraudulent chip card transaction.
For the first time, merchants are responsible for covering fraudulent charges — not the issuer. So for small business owners, too much fraud could spell financial ruin your business.
What are the Differences in Chip Card vs. Magnetic Stripe Card Transactions?
For consumers, the most noticeable difference when it comes to chip cards versus magnetic stripe cards is how they use them during transactions. With magstripe cards, you swipe. With EMV chip cards, you dip.
- A magnetic stripe card transaction
A magstripe transaction begins with a quick swipe of the card through a card reader. The payment terminal then sends an authorization request to the parties in the payment chain (typically the acquirer, payment processor, and issuing bank). If approved, the terminal may request a PIN or customer signature to verify and complete the transaction.
- An EMV transaction
An EMV transaction starts when the user inserts, or dips, the card into a chip card payment terminal, where it remains throughout the entire transaction. The payment terminal then sends an authorization request to the parties in the payment chain — same as a magstripe transaction.
The card will authenticate data and request the terminal to authorize the transaction. The terminal requests authorization and receives a response – and that’s the point when the customer can remove the chip card from the EMV chip card reader.
One thing customers seemingly took notice of was the amount of time it took to process a chip card transaction. For an impatient nation that was accustomed to pulling their credit card from their wallet, making a quick swipe and immediately putting it back in their pocket, the few extra seconds it took to leave the card in the payment terminal felt like an eternity.
For business owners, the concern was that impatient consumers who are accustomed to swiping, wouldn’t be patient enough to leave their cards in EMV terminals for authorizations – or that they would forget their cards in the terminals. However, EMV transactions have gotten faster through new “quick chip” technology, and dipping cards have become second nature for most consumers.
How Chip Cards and Magstripe Cards Store and Transmit Data
What may be less evident to both customers and merchants is how these two very different types of transactions communicate and transmit data.
A magstripe card gets its name from the magnetic stripe across the back of the card. This “stripe” is encoded with sensitive payment card data such as the full PAN (personal account number), expiration date, and account holder name among other things.
The magnetic stripe contains minute magnetic particles that can be oriented in different directions to write data onto the card. Magstripe data is static, meaning once the data is loaded onto the magstripe, it doesn’t change. If this readable card data falls into malicious hands, it can be easily replicated to create a new card.
On the other hand, an EMV card contains a computer microchip that stores payment card data. The chip also produces a unique, one-time-use cryptogram for each transaction to make it more secure than a magstripe card.
If a counterfeiter gets a hold of numbers from an EMV card, perhaps when the magstripe was used instead of the chip, the cloned card would not have the ability to create the unique cryptogram required for a card present EMV transaction, so the card would be declined.
Merchants should consider securing their entire payment ecosystems with encryption and tokenization.
- Encryption changes data in readable format into an encoded version that only the issuing bank can decode. If a hacker stole encrypted data, they wouldn’t be able to get any value from it.
- Tokenization replaces card data with a unique “token” that represents information the legitimate players in the payment ecosystem need but would mean nothing to an outside party that steals it.
Why Magstripe Cards Can’t Beat Chip Card Security
Combatting card fraud is the reason that card networks initiated the shift to EMV technology. Magnetic stripe credit cards and debit cards are susceptible to a fraudulent practice known as “skimming.” As easily as a merchant’s card reader can read static data from the back of a magstripe card, thieves can use a device called a card skimmer to do the same.
Card skimmers are small, inexpensive devices placed over legitimate card readers and mostly found in self-service environments like ATMs or gas stations. For transactions that require a PIN, some highly-skilled criminals will also use a tiny camera that records the cardholder punching in the PIN on the keypad.
The skimmer and the camera gives the thief everything they need to create counterfeit cards that draw from the victim’s account.
The microchip in an EMV card is much more difficult and less financially feasible to duplicate because of the sophisticated and expensive technology required.
Visa reports that counterfeit card fraud has decreased 76 percent for merchants who’ve upgraded to chip card technology.
Credit Card Fraud Shifts Too
Although card-present fraud decreased with the adoption of EMV, card-not-present (CNP) fraud is on the rise. Javelin Strategy & Research reports that CNP fraud increased one percent from 2.4 to 3.4 in 2016 — one year after the U.S. transition to EMV.
However, as a PaymentsSource article points out, we can’t blame EMV entirely. The growth of online fraud can also be attributed to hackers increasing their activity as ecommerce sales continue to surge.
EMV vs. NFC
Payment terminals, including EMV chip card readers, can also support contactless payments using near-field communication (NFC) technology. Customers only have to wave the card near the terminal to communicate secure payment data to the merchant’s POS terminal.
Rather than the physical card, customers also have the option of using their EMV cards via an NFC mobile wallet like Apple Pay, Android Pay, and Samsung Pay to make mobile payments. With an NFC mobile wallet, customers wave their phone near the payment terminal instead of the actual plastic card.
However, in this scenario, the phone, not the EMV chip, provide security, including encryption and tokenization to keep card data safe.
When a customer opts to make a contactless EMV payment, transaction processing is similar to when a customer inserts the card, and in some cases, such as large transaction amounts, the issuing bank may request that the card is inserted for a contact EMV payment.
What Payment Security Says About Your Brand
As time passes, more consumers are carrying EMV cards in their wallets and becoming familiar with how to use them and knowledgeable about the added security they provide. Some customers may begin to question why you don’t accept them in light of the fraud protection EMV provides.
EMV chip cards are becoming the new normal. A big risk a merchant takes
by not upgrading to EMV technology is allowing customers to view your business as one that doesn’t take the security of their payment card accounts seriously.
Consider your brand image, as well as how both types of cards are used and processed and the level of security each provides: In the chip card vs. magnetic stripe card showdown, the better choice for you and your customers is clear.