It’s a payment ritual as familiar as handing over a $20 bill, and it’s soon to go extinct: prepare to say farewell to the swipe-and-sign of a credit card transaction.
Beginning later next year, you will stop swiping the credit card. Instead, you will insert your card into a slot, just like people do in much of the rest of the world, where the machine will read a microchip, not a magnetic stripe. You’ll still be signing for the time being, but the new system also enables the use of PIN numbers, if card issuers decide to add them to their cards.
The U.S. is the last major market to still use the old-fashioned swipe-and-sign system, and it’s a big reason why almost half the world’s credit card fraud happens in America, despite the country being home to about a quarter of all credit card transactions.
The recent large-scale theft of credit card data from retailers including Target and Neiman Marcus brought the issue more mainstream attention, leading to a Senate Judiciary Committee hearing this week. Executives told the senators that once the country transitions to the new system — which includes credit cards embedded with a microchip containing security data — these kind of hacking attacks will be much more difficult to pull off.
The shift is coming though: both MasterCard MA +0.71% and Visa V +0.78% have roadmaps for the changeover, and both have set October, 2015 as an important deadline in the switch. But why has it taken this long, and how will the changeover work for card users and businesses?
We spoke with MasterCard’s Carolyn Balfany, the company’s expert on all things related to the new payment system, known as EMV, that will lead to the end of the swipe-and-sign and the beginning of the chip-and-PIN. Here’s what she had to say.
Much of the rest of the world switched to chip and PIN cards years ago. Why has it taken the U.S. so much longer?
There’s a historical view to this. In the past, other markets migrated for two reasons. First, there were higher fraud rates in some other markets, and they wanted to make this move to combat fraud. Second, this system can operate in offline mode – the card and the terminal can authorize a transaction independent of communication with the bank’s systems. In some other markets they struggled with robust telephony networks, so this offline capacity was attractive.
Both those factors were not driving factors here in America. Fraud was more prominent in some other markets, but what has happened since then is that as other markets migrated to EMV and became more secure, fraudsters migrated their activity to markets with less security. We saw fraudsters move over to the US market – they are looking for the path of least resistance.
There were also some more specific challenges to US migration to the new system. Because the US is one of the largest and most complex markets, the business cases for the costs had to be established. And there were requirements of the Durbin amendment, mandating all us debit transactions are able to go across at least two networks, which took some time for the industry to sort out.
It seems now like there is agreement on the switch. So when will the changeover happen?
For Mastercard, now is the time, and we’ve been very consistent on that message for years. We introduced our roadmap for migration in 2012, and that roadmap says that for face-to-face transactions, where a consumer uses their card at a merchant’s location, the liability shift will happen in October, 2015.
The “liability shift” is a big moment in the changeover. Can you explain what it means?
Part of the October 2015 deadline in our roadmap is what’s known as the ‘liability shift.’ Whenever card fraud happens, we need to determine who is liable for the costs. When the liability shift happens, what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will bear the liability.
So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable.
The key point of a liability shift is not actually to shift liability around the market. It’s to create co-ordination in the market, so you have issuers and merchants investing in the migration at the same time. This way, we’re not shifting fraud around within the system; we’re driving fraud out of the system.
How will the change over to the new system actually happen?
One important thing to know is that it’s not as if everybody just got to the starting line just now, there has been a lot of work on this that has already happened. For merchants, the terminals in many cases are readily available or already there, they already have the equipment ready to handle the new cards. Banks who issue cards in many cases already can issue cards with the chip, and they have been issuing them to customers who travel overseas.
U.S. consumers are already pretty aware of the chip and PIN system, because most of the rest of the world has already migrated. And we would expect in the wake of these latest breaches and the media coverage that awareness is now even higher. And as banks issue consumers their new cards, they will get information explaining the system and all the benefits, and obviously how to use it.
Aside from the security of the system, are there any other benefits for consumers?
One thing to remember is this migration really isn’t about a single device or technology, it’s about establishing a technological platform for the next generation of payments. So the EMV standard that we are moving toward isn’t limited to chip and PIN cards, it also includes things like contactless payments, where you can tap the card against the reader, all with the same level of security.
Card issuers will probably always issue a card, but in this system an account can be resident in multiple places – so you can have the card, but also maybe a tag affixed to your phone for mobile payments, or a fob on your key ring.
There are lots of different use cases and it depends on the venue, and the devices and what interaction method makes the most sense. In a transit location, contactless interfaces make a lot of sense. We’ll continue to see interactions broaden and evolve as this migration happens.