On Oct. 1, 2015, a massive liability shift occurred across the domestic retail landscape. Before that date, when a fraudulent purchase was made using a credit card at a retail location, the card issuer was liable for the purchase. After that date, merchants that didn't employ EMV-chip-reading terminals for transactions would be liable for the damages. In other words, prior to that date, when American consumers called their credit card company to report fraudulent transactions on their credit card statement, the bank would eat the charges. After that date, the seller would have to reimburse the card-issuing bank unless they used chip-compliant processors at the point of sale.
Two years later, there's enough data to measure the effects of the change. At first glance, the results are promising. Merchants that completed the chip upgrade have seen a drop of 66% in counterfeit card and fraudulent purchases from June 2015 to June 2017, according to a recent security report from Visa Inc. (NYSE:V). Over 2.3 million U.S. merchants, or about 50% of domestic storefronts, now accept chip cards, a whopping 473% increase since the beginning of the EMV migration in the U.S. Chip payment volume across Visa cards has risen mightily as well. In December 2015, just a shade under $16 billion was facilitated using Visa chip cards. By June 2017, that number had risen to $58.4 billion, a 265% increase.
Why have EMV chips been so effective?
To understand what has made EMV chips so effective, one must first understand what they are. EMV stands for Europay, Mastercard Inc. (NYSE:MA), and Visa. In the early 1990s, these payment networks worked together to form a universal standard for card payments that would combine interoperability with security. The EMV chips embedded inside the cards was the solution these industry giants believed would combat fraud most effectively.
The magnetic stripe on the back of credit cards contains all the pertinent data needed to authorize and complete a payment using a credit or debit card. When a card's stripe is swiped at a vendor's point-of-sale terminal, crucial data is read, including the card number, the cardholder's name, the expiration date of the card, the service code, and the CVV code. The most important thing about this information is that it is all static! From the time the card is issued to the date it expires, all information on the back remains the same.
This is a significant weakness if the information on the back of that card is ever compromised. Unfortunately, in an age of data breaches, credit card fraud, and gas station skimmers, this is an all-too-common occurrence! If a fraudster gets a hold of that information, it is all too easy to produce a counterfeit card with the victim's information embedded on the magnetic stripe on the back and the fraudster's authentic information on the front. This makes identifying fraudulent transactions in real time nearly impossible. Even if a vigilant clerk asks to see the crook's identification while making the sale, the thief's identity will match the front of the card!
The EMV chip embedded in the card prevents this type of counterfeit-card fraud. The chip produces a unique cryptographic code every time for each transaction. This means that even if the information on the back of the card is compromised, the fraudster still cannot make a counterfeit card and use it at merchants that are equipped to accept chip-card payments, because the counterfeit card would have no way of producing the chip's cryptographic code.
The inherent limitations of EMV chips
That doesn't mean, however, that the EMV chip is a silver bullet designed to stop all fraud. Unfortunately, that is well beyond its capabilities. But, as the Visa report points out, it has been quite effective for the job it was designed for: to stop the fraudulent use of counterfeit credit cards. As an economic crimes detective in a suburban area known for fraudulent activity, I can attest that the cases I've seen for this type of fraud have dropped dramatically since Oct. 1, 2015.
There are still several areas vulnerable to credit card fraud in the payments ecosystem. For instance, gas station pumps are not required to accept EMV chip cards until October 2020. It is no coincidence, then, that gas station skimmers are still quite common. Another vulnerability is online retail where chips obviously offer no protection.
Credit cards still most secure payment method?
It's probably better to think of the new chips in your card as another tool in the tool box for the payments industry to use to prevent a specific, but previously prevalent, form of fraud. EMV chips definitely make credit cards safer and, sometimes, incremental improvements are all you can ask for.
Paying with credit cards is still the easiest and most effective way to avoid permanently losing money to fraud. It's far better than carrying cash, which can be stolen, or writing checks, which reveal too much personal information, and offers far more legal protection than debit cards. The EMV chips now embedded in the majority of credit cards in circulation just add another layer of security. While not a perfect solution against all fraud, it has now proven it works for what it was designed to do: prevent counterfeit credit card fraud.