My wallet now hides three different computers. But what’s more intriguing—or perplexing or annoying—is how rarely I use the tiny chips in my three principal credit cards that can confirm purchases via an encrypted exchange of data with credit-card terminals in stores.
More than six months after a long-heralded milestone that was supposed to make “EMV” a core part of paying with plastic, most of my transactions still entail swiping the card’s magnetic stripe instead of dipping its chip into a point-of-sale terminal.
Big numbers but big hold-ups too
Statistics cited by card companies paint an optimistic picture of chip adoption since the Oct. 1 “liability shift” that held merchants liable for counterfeit-card transactions if they hadn’t updated their terminals for EMV.
A recent Visa (V) infographic, for instance, boasts that with 265 million Visa chip cards in circulation, the U.S. leads every other country, and that the volume of chip payments soared to $18.4 billion in March.
Problem is, Visa’s total U.S. payment volume in the three months ending March 31 was $823 billion. Visa doesn’t break down that total on a shorter timeframe, but the math is bad for EMV (named after the “Europay, MasterCard and Visa” parents of this system) in any plausible division of it.
In the same way, boasts about how many U.S. stores take “EMV” cards, like last month’s report by MasterCard (MA) of chip-compatible locations increasing by 121% to 1.2 million, understate the work remaining. A mid-February survey by the Strawhecker Group, a payments-focused consulting firm, found that only 37% of U.S. merchant locations were ready for EMV.
Many retailers, meanwhile, complain that they bought new terminals but are still waiting for outside vendors to update various subsystems—and now must eat counterfeit transactions that EMV could have stopped.
“Grocers invested, had the hardware installed, but their vendors, software providers, etc., could not, and many still cannot get them EMV enabled,” e-mailed Hannah Walker, senior director of technology and nutrition policy at the Food Marketing Institute in Arlington, Va. She wrote that one “midsized regional chain” belonging to the trade association lost $1 million in chargebacks in a week.
Attempts to speed this up
Individual shoppers, meanwhile, have a different complaint about EMV: waiting for a chip card and a terminal to finish their exchange before they can remove the card. And since they aren’t liable for other people’s fraud anyway, why should they care about EMV?
From that perspective, the only obvious benefit of chip cards is easier spending overseas, where EMV has been the standard for years.
Visa and MasterCard say they’ve heard those complaints. Two weeks ago, Visa announced Quick Chip, an add-on to EMV that cuts the time to confirm a transaction to two seconds or less. Then last week, MasterCard announced a similar upgrade called M/Chip Fast.
Your next credit-card purchase could benefit from either one, since each involves just a software upgrade to the terminal. But representatives for each said that there’s no plan to identify these souped-up terminals with a sticker or any other label; you can only hope you’ll be pleasantly surprised.
They also say that other card brands could adopt either technology, but it’s up to them to do so. An American Express (AXP) spokesman would only say Amex was “evaluating” those systems.
The problem EMV—even “chip and PIN”—can’t solve
Having a chip in your credit card doesn’t magically immunize your account. I know that firsthand, because one of my chip cards has already been re-issued after that account was used in a fraudulent purchase at some Ukrainian site.
EMV should stem the leading cause of U.S. credit-card fraud—counterfeit cards—but a research firm says that’s happening slower than expected. Aite Group predicted counterfeiting would cost $3.1 billion in 2016 but now projects $4.5 billion in losses before EMV adoption suppresses that to $3 billion in 2017, then $1.8 billion in 2018.
“We’re seeing a flurry of activity right now as the fraudsters try to monetize their vast stores of compromised card data before the window of opportunity closes,” wrote research director Julie Conroy in an e-mail.
The “chip and PIN” EMV most of the rest of the world uses—where you authorize a purchase by entering a four-digit code at a terminal—would also thwart the abuse of lost or stolen cards. That’s why PIN routinely gets held up as a solution to our EMV woes.
But lost or stolen cards are a small part of the problem, amounting to $800 million in losses in Aite’s earlier 2016 estimates and set to fall behind “account takeover” hacks in its 2017 forecast.
Meanwhile, revised card-acceptance rules have chip-and-signature cards routinely working at unattended kiosks overseas that once demanded a PIN.
And even PIN can’t stop “card not present” fraud in phone or online transactions like what I experienced—a $4 billion loss in 2016, per Aite’s forecast—unless those retailers all started requiring PINs. Good luck with that.
The best way to keep your card number safe is to keep it secret. And the best way to do that is through another computer you already carry: the smartphone running mobile-payment apps like Apple Pay, Android Pay or Samsung Pay that only give retailers a “tokenized” number good for that one purchase.
Alas, the figures for mobile-payments adoption make those for EMV transactions look good.