Chipping away at credit card fraud

As part of their anti-fraud battle, major credit card issuers Visa and MasterCard are rolling out new cards across Canada that contain memory chips.
If you presented your newly issued credit card at a store recently and were surprised to be asked to enter a personal identification number as if you were using a debit card, you're not alone.

Major credit card issuers Visa and MasterCard are rolling out new cards that contain memory chips across Canada. The chips store information used to prevent fraud.

As old-style MasterCard and Visa cards that have just a magnetic strip expire, they're being replaced with the new chip cards. You can spot these new cards at a glance — on the front is a small silver square, a little less than a centimetre each way, with lines on it. That's the chip.

On the chip are stored the card number, expiry date and security code and your personal identification number (PIN). All this information is encrypted so that only an authorized card-reading device can decode it.

The chip could also be used to store other information, such as your credit limit, says Shirley Matthew, director of chip platforms at Visa Canada. When a card is used fraudulently, a card issuer could send a message to the card to disable it, and that information would also be stored on the chip.

Don't confuse these new cards with "contactless" payment systems, though.

Card issuers expect it to take a couple of years to replace all old-style cards and readers.

The chip cards use a chip standard — called EMV after Europay, MasterCard and Visa, the three credit-card companies that developed it — that requires the reader to make contact with the chip. That's unlike some payment cards now coming into use in Canada — MasterCard's PayPass and Visa's payWave, for instance — that are contactless and will work as long as the card gets within a few centimetres of the reader. MasterCard is issuing cards that combine both functions in one chip.

And even if you have a chip card, you won't always be asked for a PIN. Merchants that don't yet have chip-card readers still use the cards in the old way. Card issuers expect it to take a couple more years to replace all cards and readers.

How it works

A chip card reader scans the card and requires the customer to input a personal identification number, the same way they would enter a PIN to use a debit card. ((Courtesy Visa Canada))
When you present a chip card to a merchant who has one of the new card readers, the sales clerk inserts the card in a slot in the reader and leaves it there while you enter your PIN on the keypad, just as you would enter a PIN to use a debit card.

When you enter your security number, the reader checks it against the PIN stored on the chip. If it checks out, your transaction goes ahead. If not, you'll usually have at least one more chance to enter the correct PIN, but repeated wrong PINs will eventually lock up the card — the exact policy is up to the card issuer.

One big advantage of the chip is that a PIN can be used for security without the PIN having to be transmitted to a central computer to check if it's correct. That's what happens when you enter a PIN for a debit-card transaction. Although a PIN can be encrypted, not having to transmit it to the credit card company's server makes the transaction that much more secure, says William Giles, vice-president of acceptance at MasterCard Canada.

Chip cards don't eliminate the need to talk to the credit-card issuer's computers, though, because the merchant still must make sure the card hasn't been reported lost or stolen and that you have enough credit available to cover the purchase.

So why are these chip cards more secure?

The main reason is that a PIN is more secure than a signature. While merchants are supposed to check the signature on each credit-card slip against that on the back of the card, it doesn't always happen and it's not too difficult to forge a signature well enough to fool an untrained eye. But with a chip card, if someone doesn't know your PIN then they can't use your card.

Also, chip cards get around the classic horror story in which someone takes your card into a back room or otherwise out of sight (think of a waiter or gas-station attendant who usually takes the card away and returns it) and imprints an extra credit-card slip or two. All that person has to do is fill in that slip and copy your signature and you'll be charged for something you didn't buy.

With a chip card, if someone doesn't know your PIN then they can't use your credit card.

With a chip card, you have to enter your PIN for each transaction, and nobody but you knows that number.

Chip cards aren't perfect credit protectors, though — they don't address purchases you make by phone or on the internet. You won't be asked for your PIN when you use your card this way. Asking you to give your PIN verbally or type it into a website would compromise its security.

So the credit card companies are dealing with these transactions in other ways. Visa has a program called Verified by Visa, in which you set up a password for online purchases. MasterCard has a similar setup called SecureCode. Asking for the additional three- or four-digit security code printed on your card also provides some extra security, though not if someone has your card who shouldn't.

That's not to say chip cards won't eventually be used for remote purchases. Giles says MasterCard has developed a calculator-sized device that, when you insert your card in it, will generate a passcode for one-time use. You would use this like a SecureCode passcode. MasterCard will make this technology available to other card issuers, Giles says. He expects it to be widespread by 2015.

So in a few years, entering a PIN to use your credit card may be the norm even when you're shopping on the internet — and signing a credit card slip will seem as old-fashioned as, well, paying cash.