The big moment is just a few days away.
For several years Oct. 1, 2015, has loomed as a turning point in the U.S.'s migration to EMV chip-and-PIN cards — the cards with computer chips that have already been deployed in most parts of the world.
Rules set by Visa and MasterCard suggest that by Thursday, ideally, banks will all be issuing EMV-compliant cards and retailers will have the technology to accept them. If one party is supporting EMV and the other is not, the delinquent entity will have to cover the cost of any fraud that ensues.
It is an enormous change, with the potential to disrupt bank card issuers, retailers and consumers as everyone learns to deal with the new technology that requires consumers to insert their cards and leave them in the store machines throughout a payment transaction, rather than swipe.
Here's what we can expect to see on EMV migration day:
Most credit cards (about 70%) will have chips on them. But most of these cards will be chip-and-signature cards, not chip-and-PIN.
Some criticize banks' adoption of chip-and-signature, arguing that signatures are useless as a fraud deterrent.
"Our position in the U.S. has been that the chip helps eliminate the vast majority of fraud, and we wanted to get the chip deployed as fast as possible," said Mark Nelsen, senior vice president of risk products and business intelligence at Visa.
For Visa, that means replicating the current environment for consumers, which means debit cards will have PIN numbers associated with them, and credit cards will have a signature.
"We felt that was the fastest way to get chip deployed," Nelsen said. "We absolutely support issuers who want to deploy a PIN on their credit card."
Many small merchants won't be ready. Depending on which study you believe, somewhere between 20% and 30% of merchants have purchased and deployed the EMV-capable point-of-sale terminals and software they will need to handle EMV chip cards. Big-box stores like Target that have suffered data breaches have done this work.
But most small stores and restaurants have not. New EMV equipment is expensive and sometimes difficult to implement, and many seem unaware of the dangers of not adapting.
"A big portion is because the merchants don't understand the risk associated with this," said Wade Barnes, director of retail banking at 1st Mariner Bank in Baltimore. The $850 million-asset bank has about 25,000 debit cardholders and 10,000 on credit cardholders.
"Target, Walmart, they get it, they've been involved with enough card issues that they understand the risk it presents," Barnes said.
One of his bank's customers is a bar that is not going to upgrade because its owner sees no reason to do so since the business has not experienced any losses.
"We remind them that, you wouldn't know of any losses because in today's world, it comes directly back to the bank," Barnes said. "Moving forward, that liability will be on the merchant if the customer presents an EMV card. They don't realize what the impact is going to be to them. I don't think most merchants understand the amount of fraudulent transactions that actually happen."
Counterfeit card fraud should drop. For years, criminals have had a relatively easy time of "skimming" the data off traditional magnetic-stripe cards, using easily obtained devices that cost about $20. About $3 billion worth of counterfeit credit card fraud took place at the point of sale last year, according to Aite Group's estimates. That was out of $16 billion in total card fraud.
Duplicating the chip on a chip card is difficult if not impossible. Most new cards are being issued with both a magnetic stripe and a chip and the new EMV terminals accept both the chip and the stripe. So theoretically you could duplicate just the magnetic stripe on the chip card, create a new magnetic stripe card and try to use that. However, if an EMV card is swiped on an EMV-compliant merchant terminal, the system will reject the transaction and force the consumer to insert the chip.
However, in the scheme of things, counterfeit card fraud represent only about 37% of overall card fraud in the U.S.
Online card fraud is expected to rise. So-called "card not present" fraud — where someone uses a card but does not physically present the card (this could be over the phone, over a fax machine, on a mobile device or a computer, but most people equate "card not present" with using a card on a website) — represents the bulk of card fraud in the U.S.: 45%, according to Aite Group. The analyst group expects online card fraud to more than double from $3.1 billion in 2015 to $6.4 billion in 2018.
Many point to the U.K.'s experience in switching to EMV cards: online e-commerce fraud rose 79%. Other countries have experienced similar post-EMV effects.
However, as Nelsen points out, the U.K. adopted EMV in 2006, when online e-commerce was just getting under way. So the escalation of Internet fraud was natural as everyone, including fraudsters, recognized all the possibilities of website commerce.