Honoring the commitment made in this week’s prior blog entry, this post addresses a couple of questions posed to panelists at last week’s IT GRC Forum webinar, that we did not have time to answer – namely, “Most cardholders will not be aware that they may have a chip card. If they go to a chip terminal with the chip card and swipe, what will happen?” Another participant phrased it as “Will Chip & PIN terminals know that the card is chip & PIN if the card is swiped? What happens if the cardmember swipes the card? Will the terminal prompt the cardholder to dip?” The questions alertly center attention on one of the largest US concerns with migration to EMV – the cardholder experience. I’ll respond to the question as it was posed here, and look for a future post that will discuss the broader concern of consumer resistance to the change.
If you are familiar with the webinar mentioned above or its context, feel free to skip on to the next paragraph. For those interested in that context, we are addressing questions posed to the panel of last week’s IT GRC Forum webinar “Why EMV is Not the Only Answer to Payment Security”. Panelists including Bob Russo, General Manager of the PCI Security Standards Council, my humble self, and others responded to questions from the audience live. If you missed the session, click here for access to an on-demand replay – there were some very good discussion. However, more questions submitted than could be answered in the time allowed and I’m looking to address many of them via this blog over the coming weeks. That said, on to the question at hand….
With the introduction of EMV-compliant smart credit and debit cards, US cardholders’ experience at the point of sale is, necessarily, changing. In the briefest summary, cardholders will have to shift from the familiar transient swipe of the card along the side of a point-of-sale (POS) device to inserting the card into the device and leaving it there until the transaction is authorized. Many who have traveled internationally will already be familiar with the new interactions at the point of sale, either directly or by vicarious experience of watching others, because EMV is adopted broadly outside the US. I remember seeing this constantly while living in London in 2006. At the end of a meal at a pub, the wait person presented the bill, accepted the customer’s card and slid it short-side first into the wireless POS, then presented the POS and its keypad to the patron to enter their PIN. (Look for a future post in this series discussing what role PIN may or may not play with EMV in the US.)
I remember thinking then that this was a much better way of doing things – no one disappears out of sight with a credit card taking who knows how long, and doing who knows what with the card (look for another future post that recounts an episode in card fraud criminal investigations – you may never want to let anyone walk away with your card again…). Everything is done right in front of you, a receipt is printed, and it’s all over. I equally remember the consternation waitstaff had when I would hand them my “dumb” credit card that only had a magnetic stripe – I can still see my mates fading off into the fog while I sat waiting to clear the bill….
The card issuing banks are already providing customers with EMV cards, and more will join them in the coming months. Many of these cards will be both integrated chip and magnetic stripe enabled, as the great body of payment card merchants must go through migration, too, replacing magnetic stripe only card readers with readers that support chips. There will inevitably be a period when some merchants are EMV-compliant and others are not, and the card issuing banks don’t want to miss any transaction because only one format or the other is supported by their cards. Equally, many of the readers are anticipated to support both chip and magnetic stripe since there will unavoidably be a period where both smart and dumb” cards will be presented, until the US is finally fully migrated to EMV, and the merchants don’t want to miss a sale.
This long description sets the stage for the question posed to our panel -- what will happen when a cardholder, holding a “hybrid” card with both magnetic stripe and smart chip, attempts to swipe that EMV-compliant card, out of habit or inattention, through a hybrid card reader that is equipped to read the chip? Fortunately and predictably, that scenario has been anticipated by the standards groups and is addressed. Payment cards issued with both a magnetic stripe and the EMV-compliant chip will carry a value in the magnetic stripe that, when read, declares the card’s state of compliance to the EMV-compliant card reader. The card reader will prompt the user to insert the card into the device, much as many of us insert debit cards into ATM machines, to complete the transaction. Clearly, for a period of transition, this will occur with some frequency and have impact on the speed of check out in some locations. Still, the benefit that consumers and the industry at large receive from reduced counterfeit card fraud has to be recognized as a worthwhile offset to the momentary frustrations many of us will experience.
Be sure to look for another post in this series next week, when I expect to respond to another question to the panel “What other specific solutions exist besides 3-D secure for Internet transactions?” If you want to be notified when that post is available, click on the image below to subscribe to the blog.