What the Heck Is This Computer Chip Doing in My Credit Card

Sunday, February 22, 2015

I have to admit, I got a sick feeling in my stomach the first time I saw a credit card with a computer chip. I knew that European financial institutions had been using this “new technology” for more than 20 years. And I learned that a credit or debit card embedded with a chip is called an EMV card — EMV stands for Europay, MasterCard and Visa. The EMV consortium collaborated to create the chip technology and standard in an effort to make payment card transactions more secure. The first time I spotted an EMV card, it simply appeared to me that the credit card issuers were putting more personal data on a card by way of the microchip.

So why was an EMV chip card more secure than a traditional card? I had no idea, but I consider myself to be a bit of a techie and I’ve worked within the Internet security industry in the past, so a computer chip embedded within a credit card was of keen interest to me. I set out to Google my way through the World Wide Web in order to learn more about these new microprocessors and to understand how they increased the security of a credit card transaction.

One of the more interesting threads I followed stemmed from a “theory” that an EMV chip emitted a radio frequency identifier signal (RFID) similar to the chips used in warehouses for inventory management. With this type of chip, inventory is counted by walking down an aisle with an RFID reader picking up signals from RFID chips attached to the cartons and cases of products. The vision of a computer chip chirping out my credit card information into thin air was a disturbing one. Imagine some hacker slinking his way down a public sidewalk with a secret scanning device, inhaling personal credit card data from each person he passed. I needed to learn more.

By pure coincidence, while learning about EMV, I was having lunch at a sushi bar one afternoon. The gentleman sitting next to me presented the waiter with his credit card. As he did, I couldn’t help noticing that his card had a dime-sized hole punched out of it… torn out may be a better description. Curious, I asked him, “What’s up with that hole in your credit card?” In his thick Chicago accent, he replied confidently, “I just read an article on the Internet that people are buying these machines on eBay that can read these new credit card chips. So I punched it out to make sure no one could steal my information.” Aside from being amazed that the waiter would actually take a defaced credit card, which he did, my gut was telling me that something was not quite right. After all, it seemed that credit card companies had thought through the security aspects as evidenced by the reduction in credit card fraud in European countries. I find conspiracy theories to be entertaining at best. This theory/myth was one I was interested in ferreting out for myself.

I developed a short list of basic questions that needed to be answered.

First, how does an EMV card work? Put very simply, the chip on an EMV card communicates with an EMV-compatible credit card terminal in one of two ways — either by inserting the card into the terminal or by way of radio frequency (more on this in a bit). When a transaction is initiated, the chip and the terminal work together to create a unique transaction session and to secure the data in the event that the data is illegally intercepted electronically. This leads to the first point of why EMV transactions are more secure. In the event that transaction data is captured or intercepted by a thief, the only prize they would have is a large mess of meaningless and unusable numbers. Next, unlike the static personal card information found on the magnetic stripe on the back of a credit or debit card, the EMV chip is nearly impossible to counterfeit. Data found on traditional magnetic stripe cards can be easily replicated and used to create multiple credit cards. These cards are then sold on the black market to thieves who quickly use the cards to make purchases before the fraudulent activity is reported. But, for the security to work, an EMV card must be used in conjunction with an EMV-compatible terminal. EMV terminals require the card to either be inserted during the transaction, similar to an ATM transaction or by using a form of radio communication (see below). Interestingly, EMV cards will still have magnetic stripes so that non-EMV terminals can still process a payment.

Now, what happens if my EMV credit or debit card is lost or stolen? The same rules apply as they do today. Call your credit card company immediately and report the missing card. There is nothing to prohibit someone from using an EMV card fraudulently. If your EMV card is a debit card, you have the same protection that you have today because a thief would need to know the PIN in order to complete a transaction. Remember, the enhanced security of an EMV card is really found within the way the card data is processed along with the nearly impossible way to replicate them. In the hands of a thief, the physical card itself is no more secure than a normal credit or debit card.

Back to the magic chip reader question. Is it possible to read the data on an EMV chip from a distance?
The short answer is “not likely.” EMV cards do use RFID. Similar to AM and FM radio bands, EMV chips utilize specific bands to communicate. It’s called Near Field Communication (NFC). NFC radio signals degrade very quickly, and as a result, they can only be transmitted within a very short distance, measured in centimeters. The requirement of close proximity practically eliminates the risk of a device communicating with an EMV chip from a distance.

Finally, why don’t you have an EMV credit card yet? Up until recently, the reason has been kind of a chicken and the egg thing. Credit card companies have been hesitant to produce the cards for two main reasons. First, EMV cards are more expensive to produce than a traditional card. But more importantly, up until recently, retail merchants did not have EMV-compatible terminals. An EMV card without an EMV-compatible terminal defeats the purpose of EMV. With the meteoric rise of credit card data breaches, card issuers are now moving quickly towards EMV. While larger merchants have followed, small to mid-sized merchants have been slower to adopt because of the cost of putting new terminals in place. However, there is a major compelling event in 2015 that has begun to motivate merchants of all sizes to install EMV- compatible terminals.

Beginning October 1, 2015, in the event that a merchant accepts payment for goods from a stolen EMV card on a non-EMV-compatible terminal, the liability for covering losses shifts from the card issuer to the merchant. For example, imagine that your chip card is stolen and used to purchase a television at Big-Buy. The merchant accepts payment for the TV using your stolen EMV card, but the merchant uses a non-EMV-compatible terminal to process the transaction. When you report your card stolen, the credit card issuer will review all of the transactions on your credit card to identify fraudulent and non-EMV-compliant transactions. In order for you to get your money back, the credit card company will charge back the amount of the purchase to the merchant’s bank account. Ouch. Now you can see that it’s in the best interest of the credit companies to issue EMV cards and it’s in the best interests of retail merchants to use EMV-compatible terminals.

So, this is why there is a computer chip in my credit card.