In recent years, some American tourists travelling through Europe encountered a strange phenomenon whenever they tried to pay for something. The cashier would stare at their credit card, not quite sure what to do.
"Some younger cashiers would say: 'I don't know what to do with a card that doesn't have a chip on it,'" says Oliver Manahan, vice-president of emerging payments at MasterCard Worldwide. That's because, in Europe, chip-enabled credit cards have been the norm for more than a decade.
In the United States, however, they are the norm as of this Thursday.
For years, consumers in Canada and Europe have committed to muscle memory the rites of credit and debit card purchases – insert a payment card, enter a pin number and wait for the cryptic mechanics of digital verification to assure the cashier that you really are the card's rightful owner. But in the United States, chip-based credit and debit cards are still a new and exotic thing. Most consumers don't have them, instead relying on the decades-old system of swiping and signing.
Weary of fraud, the corporations that issue most American payment cards have issued an ultimatum: As of Oct. 1, any merchant who hasn't adapted to chip-based cards could be held liable for fraudulent transactions in their stores. Till now, it was banks and credit-card issuers who paid.
The shift fundamentally alters the country's commercial landscape, while bringing the U.S. in line with most advanced economies in the world.
Global payment card fraud has soared over the past two decades – from less than $2-billion (U.S.) to more than $16-billion.
Consumers are largely protected from liability for credit-card fraud (in the U.S., a user's liability is generally capped at $50). And, even though card fraud constitutes more than a third of all card-related losses for the companies that issue payment cards, covering those losses is still largely manageable for the industry's biggest players.
Instead, what prompted the card-issuers' push for chip technology appears to be a fear of what the future may look like otherwise. In recent years, a number of high-profile data breaches at companies such as Target have, sometimes overnight, resulted in a flood of fraudulent charges.
"There's nothing you can do right this moment to ratchet down fraud e-commerce without responding to every risky online transaction by rejecting it," says David Robertson, publisher of the Nilson Report, which monitors the payments card industry. "But you do have the technology to guard against counterfeit card fraud. If you put chip cards and terminals [in retail stores], you can really ratchet that down."
Compared with what consumers in Canada and elsewhere are used to, however, the new U.S. security standards are a half-measure. Instead of using a chip-and-pin system, where consumers have to enter a numerical code to complete the transaction, U.S. card users will only have to insert the chip card and then sign for a purchase in the same way that has been the norm for decades.
So why not simply employ the full chip-and-pin system in the U.S., rather than just the chip? The answer, it seems, is fear of overwhelming the average American consumer, who uses between four and five credit cards.
"Unless everybody's all in with the pin system at once, the issuer who goes to pin in advance risks their customers not using the card because they can't remember their pin," Mr. Robertson says.
Another reason the U.S. card-issuer market has been reluctant to adopt chip-and-pin technology is sheer complexity. While Canada has a handful of banking players and payment networks, the U.S. has more than a dozen payment networks, and roughly 10,000 card-issuing entities of one kind or another. As such, getting all of them on board for chip-and-pin technology – which helps with stolen cards but is less useful in other areas, such as fraudulent online transactions – has been difficult. The chip technology alone appeared to be a workable compromise.
"We've already seen in the U.K. and the EU that once the chip was put in place, fraud migrated to online transactions," says Doug Johnson, senior vice-president of payments and cybersecurity policy at the American Bankers Association. "And so we recognized that the chip is good for preventing people making fraudulent cards; it's not effective at all in an online environment."
Indeed, there's a good chance the American marketplace will largely bypass pin codes on credit cards in favour of investing in technology that generates one-time "tokens," or temporary identification numbers at the point of sale. The purpose of such tokens is to limit and eventually end the use of "static" credit card numbers, such as the ones embossed on every card – which is commonly the weakest link in the security chain.
"We need to look to these kinds of technologies," Mr. Johnson says, "as opposed to looking in the rear-view mirror."