September 2015 – New Credit Card Chip Technology

Posted on Sep 29, 2015 in Cyber Security Newsletters

Click here to download the Newsletter in PDF format

Maybe you’ve gotten a new credit or debit card in the mail or heard something about the U.S. moving to the “Chip and Signature” or “Chip and PIN” standard.  The U.S. is moving toward adopting these standards, and October 1st, 2015, is a major deadline for U.S. payment companies and merchants.

What is Chip and Signature/Chip and PIN?
The Europay, MasterCard, Visa (EMV) standard uses payment cards with a chip and requires either a PIN (Chip and PIN) or a signature (Chip and Signature) to authorize a payment.  The chip is a small metal square, typically silver or gold, on the payment card that stores encrypted, dynamic data.  After payment approval during a transaction, the data on the chip will change.  This is different from the older magnetic strip cards, where the data on the magnetic strip never changed, which made it easy for malicious actors to copy.  With the new chips, it will be more much difficult for malicious actors to read the data on the chip and then, because it constantly changes, to counterfeit it.

Chip and Signature/Chip and PIN cards are only new to the United States.  Many countries around the world already use these new technologies because they help to reduce credit card fraud through the use of authentication, verification, and authorization.

  • Authenticating a card through its chip helps to prevent counterfeit cards.
  • Verifying the card holder through the signature/PIN helps protect against lost or stolen cards.
  • Authorization of the transaction indicates that both the merchant and buyer agree to the transaction.

When you purchase an item using a chip card, the credit card may be swiped, like you are used to, or it may be placed into a slot, placed on a sensor, or waved over the sensor.  The merchant will direct you on what to do.

To ensure backwards compatibility with existing payment systems, the magnetic strip will remain on the new payment cards and store static data.  During the transition period, this static data can be stolen and used to commit fraud.  After the transition period, the magnetic strips will probably be phased out.

Which is the U.S. using – Chip and Signature or Chip and PIN?
While there is no law that forces credit card companies in the United States to use one or the other, most credit card companies are electing to issue Chip and Signature payment cards to U.S. consumers.

Will this change my online purchases?
No, the change to Chip and Signature should not change how you purchase items online.  However, if you are issued a Chip and PIN card, you may need to enter the PIN number to complete the purchase.  And as with any new payment card, if you have pre-authorized charges for monthly expenses, such as the gym or an online website, you will need to update your payment card information with the merchant because your account number will change.

Will this change my purchases while traveling overseas?
No, the change to Chip and Signature/Chip and PIN should not change how you purchase items overseas.  However, some U.S. citizens are reporting difficulties in using magnetic strip-only credit cards overseas, where Chip and Signature/Chip and PIN has already been implemented.

Why change credit cards?
Malicious actors know how to read the magnetic stripe on the back of magnetic stripe cards and because that information never changes, they can copy it onto a new payment card and fake the card holder’s signature.  As long as the real payment card is valid, the fake card will be valid, too.  Once there is wide spread adoption of the chip technology, the magnetic stripe will no longer be included on the cards subsequent cards.

Two-factor Authentication:
If your bank, email account, or social media account sends a “passcode” to your phone when you try to login, you’re already using two-factor authentication.  The passcode sent to your phone requires you to have your phone (something you have) and the website’s password (something you know).

What if I’m still the victim of Identity Theft?
Even with the new payment cards you or someone you know may still be the victim of identity theft.  If you think you are a victim, file a report with your local police department, and notify the three credit reporting agencies:  Equifax, Experian, and Transunion.  Also check IdentityTheft.gov, the Federal Trade Commission’s (FTC) website for more resources.  It contains free information about recovering from identity theft, as well as information regarding the most current scams and frauds.  Complaints may be filed at ftccomplaintassistant.gov.

More information on EMV and the transition is available at:  http://www.emv-connection.com/.

For more monthly cyber security newsletter tips visit:

http://www.msisac.org/awareness/news/