New payment technology is coming this year to the US, in a big way.
In 2015, credit card companies and banks are finally starting to introduce chip-and-PIN, or chip-and-signature technology, more broadly throughout the US. Chip technology is touted as a more secure alternative to the magnetic stripe on the back of your credit or debit card. The US is the last of the G20 nations to move to more secure chip-based cards.
Even more exciting (or confusing, according to your point of view) Apple’s new mobile Apple Pay system is starting to make inroads with merchants and stores across the US. Apple claims its system is even more secure than the chip cards and hopes to switch millions of people over their new mobile payment system.
Will any of this technology really make consumer transactions more secure? According to most experts, the answer is probably yes in the short term and probably no in the long term.
Robin Sidel, a senior special writer at the Wall Street Journal, says the biggest advantage of the chip-based system, as opposed to the familiar magnetic stripe, is that it creates a unique code for each transaction.
“The magnetic stripe that we're all used to has static information,” Sidel explains. “It's got a ton of information about you, your account number, your expiration date. With the chip, there's a code…and since there's a unique code for every transaction, the information on the card has pretty much no value to thieves.”
Europe has used the chip-and-PIN system for almost two decades — in fact, stories abound about US travelers having trouble finding merchants or banks that can even process their magnetic-striped cards, although this appears to be improving. Analysts say they typically see a small drop in lost-and-stolen credit card fraud when a country introduces the new technology, but thieves invariably catch up.
"In the UK, the lost-and-stolen fraud is now back above where it was before the migration [to chip-and-PIN], says Julie Conroy, a fraud analyst with The Aite Group. "The criminals there have adjusted, and that increased focus on capturing the PIN gives them more opportunity, because if they do figure out ways to compromise that PIN, then they can perpetrate ATM fraud and get more bang for their buck."
And while even the federal government, through President Obama’s BuySecure Initiative (which mandates the new chip technology at all government payment terminals), is pushing chip-and-PIN, most banks in the US prefer the chip-and-signature format: they still want people to have to sign something. “Most of the banks in the U.S are using chip and signature because they think that a pin is going to be too difficult, too much of a disruption for consumers, and they want them to use a technology that they're used to,” Sidel says.
Retailers, on the other hand, prefer chip-and-PIN, because it strengthens the security and lessens the chance of fraud at the point-of-sale transaction.
Security analysts note that the magnetic stripe will remain on most cards as a backup for the next couple of years, as it will take merchants time to change over to chip-only transactions. The changeover to chip technology likley won't be complete around 2018. Meanwhile, Apple Pay is ready to roll, except for the fact that is accepted at only about 220,000 registers throughout the US — a tiny fraction — and merchants seem wary of too many changes all at once.
From a security standpoint, the most important difference between Apple Pay and a traditional card — with or without a chip or PIN or signature — is that no card information is stored on your mobile phone. Apple created a way of coding credit cards so that the information on your phone is not the same as your credit card number.
“With the Apple pay system, merchants don't get your card information, they get what's called a token that's held by the bank or by your card network. So the merchants won't have your data. If they don't have your data, the bad guys won't break in,” Robin Sidel explains.
Also, instead of requiring a signature or PIN, Apple Pay uses fingerprint technology, which, again, proponents say is more secure because it adds a second level of authentication right at the point of sale. Banks are also trying to move to a multi-factor authorization system, using things like location services, but at this point Apple Pay is ahead of the game.
And people love convenience, right? “There are a lot of people who like the thought of only going out with their phone and not carrying a wallet, not carrying cash and not carrying plastic,” Sidel says. “For them, something like Apple Pay or any kind of mobile payment-like technology is helpful.”
But is, Apple Pay, in fact, more secure? Again, yes and no. In one respect it is, because it helps avoid the problem of merchants storing your data every time you make a purchase. On the other hand, hackers will always be hackers.
“One of the questions security experts bring up, I think wisely, is as more people move to mobile, the bad guys will start to focus more on trying to figure out how to hack that technology,” says Nanette Byrnes, the Senior Editor of Business Reports at MIT Technology Review. “And that’s when we'll really learn what the potential weaknesses are. “
It’s always going to be a ‘spy-versus-spy’ sort of thing, with businesses and banks trying to stay one step ahead of the criminals. And so far, the criminals seem to be winning. The list of large corporations, businesses and insurance companies getting hacked seems to be growing daily. But the question is this: will criminals still bother hacking into companies like Home Depot and Target, which they still theoretically could do, if there is nothing for them to steal?
So, how is this all going to shake out? Is there eventually going to be a a ‘winner” in the technology/security race? Will one system take over and shove all the others aside? Nanette Byrnes thinks that’s unlikely.
“First of all cash is still used in a majority of retail transactions in the U.S today and 85 percent of the transactions around the world,” she says. “I do think that as people move towards mobile payments, they will be using cards less, but I don't think cards are going to go away entirely. They're so convenient and people are so used to using them. So if you can make them more secure with the chip-and-PIN or the chip and signature, then you know that's a big improvement, and I think many people will feel comfortable with that.” mmm