What you need to know about chip-embedded credit cards

Facing an Oct. 1 deadline, many U.S. merchants are taking steps to prepare for new, more secure, credit and debit cards.

emv chip and pin

Banks have been sending millions of Americans credit and debit cards equipped with computer chips to improve the security of in-store purchases.

Meanwhile, banks and credit card companies are pushing merchants to upgrade their payment terminals so they can read the chips on the cards and bring the U.S. in line with credit card security used in much of the rest of the world.

The conversion process from older magnetic stripe cards to chip cards has sped up in recent months because of an Oct. 1 deadline. That's the day when liability for credit card fraud will shift from banks to merchants or the party using the least-secure technology. Credit card users, who won't bear liability for fraud, are unlikely to notice the deadline at all.

[ ALSO ON CSO: Is EMV the silver bullet to credit card fraud? ]

However, card users might want to know what's happening so they'll be ready when lines form at checkout lanes this holiday shopping season because merchants will have begun deploying chip-card readers. Some industry analysts say chaos will ensue because chip cards take a few seconds longer to read than magnetic stripe cards, and some customers and store clerks will be unfamiliar with how to use them.

The following is information you can share with other shoppers (after Oct. 1) if you happen to be (patiently) waiting in line at the checkout counter.

What's a chip card?

A chip card, also called a smart card, is a credit or debit card with a computer chip embedded in the face of the card. That's the only difference in its appearance. Nearly all of the chip cards that banks are sending their customers still have magnetic stripes that will be used by stores that don't have chip-card readers. Magnetic stripe technology is decades old and is still widely used in the U.S. even though it is relatively easy to hack.

According to industry estimates, about half of the 12 million card readers at payment terminals in the U.S. will be converted to support chip cards by the end of 2015. Meanwhile, there are about 1.2 billion debit and credit cards in circulation among the 335 million people who live in the U.S. Eight major banks account for half of the U.S. card volume; they estimate that nearly two-thirds of their cards will be reissued as chip cards by the end of the year.

There are 3.4 billion chip cards in use worldwide, primarily in 80 countries, according to the EMV Connection website. EMV stands for Europay, MasterCard and Visa, the companies that originally developed chip cards.

The numbers are important because there won't be a complete conversion to chip cards for many years. It took Canada about eight years to reach 90% conversion to chip cards. Major retailers like Wal-Mart have been converting payment terminals to support chip cards for years.

How do I use a chip card?

GoChipCard.com, a website supported by major banks and credit card companies, posted a three-step illustration for how to use a chip card. Step 1 is to insert the card at the bottom of the terminal, with the chip toward the terminal facing up. That's instead of swiping the magnetic stripe along the side of the machine.

Many new terminals will support both methods, as well as NFC payments via smartphones and smartwatches such as the latest iPhones or the Apple Watch, which use Apple Pay. NFC payments are usually done by just touching, or nearly touching, a device to a payment terminal and entering a confirmation on the phone. In addition to “touch and pay” with a smartphone, some retailers like Rite-Aid will support the ability to touch the terminal with a chip card to pay.

123 chip screenshot GoChipCard.com

Credit card companies have posted this graphic on GoChipCard.com to describe how to use a chip card.

As the GoChipCard graphic notes, a key detail of the first step is that users should not remove the card from the reader "until prompted." Analysts have noted that, on the first few tries, U.S. shoppers who are accustomed to swiping magnetic stripes may be likely to remove their chip cards quickly. Sales clerks will have to be ready for this -- and patient enough to remind users to leave the cards in place until the terminal beeps or a light goes on, or until the clerk gives the customer the thumbs up. There are more than 20 vendors of payment terminals, and they have varying methods for confirming that a sale is complete and that a card can be removed.

There are a wide variety of chip card payment terminals, but they mostly look alike, as indicated in the GoChipCard.com illustration. Some will be attached to a pedestal, just as older magnetic-stripe card readers are today. The terminals will almost all have a keypad to capture a PIN (personal identification number) and a screen and a digital pen to capture a signatures.

Step 2 in the graphic is to "provide your signature or PIN as prompted by the terminal." Many retailers won't require either, especially if the transaction is for a small amount, usually under $25. There's disagreement in the industry about whether a signature or a PIN will be required for larger purchases, but the decision will be made by the banks issuing the cards. (More on that below.)

Step 3 is to remove your card when the transaction is complete. As mentioned above, different terminals may have different ways to indicate that it's OK to remove the card.

Are chip cards really more secure, and are they necessary?

Yes. Chip cards are light years ahead of magnetic stripe cards in terms of security. The main thing to know is that the chip in the card is communicating with the network behind the terminal to enhance security instead of just forwarding your card number and related data to the network, as with the magnetic stripe approach.

The chip can communicate a unique encrypted token (or an alias) with the network instead of your actual credit card number. That way, the network, and even the store, won't know your card number. When the token reaches your bank, it is decrypted so the bank can verify your account and then authorize payment. This all happens in a few seconds or less.

As to whether the security is necessary, the answer is again, yes, especially for banks, but not necessarily for card users. Obviously, it is in everyone's interest to reduce fraud where possible, and banks have long said that customers aren't held liable for fraud. That policy of keeping customers harmless will continue with chip cards. Enhancing security helps banks reduce the cost of paying for stolen card numbers and stolen merchandise, which theoretically keeps costs in check for average bank customers. In countries where chip cards have been used for years, as in Europe and Canada, fraud rates have dropped dramatically.

So if the chip makes the card so secure, why do I need a PIN or a signature?

The main reason for a PIN or signature is to provide the merchant (and the bank behind the card) further evidence that the user of the card is the actual owner of the card. If your card is lost or stolen, even with a chip, it can still potentially be used by someone else.

1 2 Page 1
Page 1 of 2
7 hot cybersecurity trends (and 2 going cold)