Original article from Newsday writer Aisha Al-Muslim
New credit and debit cards with embedded computer chips that are bringing greater security to cash register purchases are coming your way.
Businesses of all sizes — retailers, restaurants and even doctors’ offices — will be liable for fraudulent card charges made in their establishments if they don’t install payment processing systems to handle the new chip cards by Oct. 1. Currently, banks or credit card companies usually eat the cost of fraudulent transactions.
Credit card giants Visa, MasterCard and American Express instituted the new rules to push merchants to accept the new chip cards, which are designed to protect account information better than traditional magnetic-strip cards. The intent is to rein in rampant credit card counterfeiting.
Customers, who are gradually being sent replacements for their old cards, will have to learn a new way of paying with plastic. They have to insert their new cards into a reader and leave them there during the transaction — rather than swipe them, which the new chip-enabled machines won’t allow for cards with a chip. The new cards still have magnetic strips for use on older terminals, which may confuse some shoppers.
“Customers don’t understand how to use it,” said Shahrokh Safaii, owner of the restaurant Tasty American Coo Coo in Huntington. He paid $195 for a new chip-card reader and will pay $10 a month to his payment processing company, Heartland Payment Systems.
“When the person swipes a card and it doesn’t read, the person says, ‘What happened? My card is good.’ But it is because it has the chip in it,” Safaii said.
Meanwhile, banks are sending out new cards to consumers.
“We have close to 200,000 cards that we are reissuing,” said Robert Hoppenstedt, senior vice president of Bethpage Federal Credit Union, adding that letters will be sent to customers explaining how to use chip cards. “We have to phase it in. The production people can’t handle issuing 200,000 cards at once.”
The introduction is lasting from August to November at Bethpage.
Credit card theft
The purpose of all this change is to cut down on credit card theft and fraudulent charges.. The United States accounts for almost half of all credit card fraud, even though the country makes up only about 25 percent of all credit card transactions worldwide, according to a report by Barclays bank.
The reliance on old magnetic-strip cards, a technology adopted in the United States in 1969, makes it easier for thieves to use stolen data that can be printed onto other cards and used to make fraudulent swiped card payments, experts say.
“Magnetic-strip cards are like cassette-tape technology,” said Brendan Ivory, Smithtown-based Northeast director of sales for Card Connect, a payment processing and credit card security company. “It is static. The information on the credit card does not change. It always identifies the credit card account.”
The information put out by chip cards keeps changing, so the account information is more difficult to duplicate.
Counterfeit credit card fraud at the cash register is forecast to grow in the United States from $3 billion in 2014 to $3.6 billion by the end of the year. But with the use of chip cards, fraud perpetrated at cash registers is expected to decline to $1.8 billion by 2018, according to research and consulting firm Aite Group. U.S. online card fraud, which isn’t addressed by chip cards, is projected to more than double from $3.1 billion this year to $6.4 billion in 2018. Online transactions have different security parameters, such as requesting the card’s expiration date, 3-digit security code and the customer’s billing address.
Chip cards are built to thwart counterfeiters. When a chip card is inserted into the terminal, a metallic contact plate allows the chip to connect to a reader. The connection gives the chip an electrical charge, which allows it to validate the authenticity of the card and create a unique, one-time code needed for the transaction to be approved.
The card will stay in the slot during the transaction while the cardholder follow prompts on the screen. The cardholder will sign if a signature is required and remove the card when prompted.
“If someone steals that transaction information, they can’t use it again” because the authorization is only good for one transaction, said Chad Horal, chief executive of MetroBPS, a merchant services provider based in Ronkonkoma with a majority of customers on Long Island and in Florida. “That information is useless for them.”
Mega data breaches at retailers such as Target, where information on 40 million U.S. credit cards was stolen, and Home Depot, which affected 56 million cards, capture the headlines.
But data breaches also affect small businesses. The cost of a breach to small merchants averages $36,000 and can exceed $50,000, according to First Data, a global payment technology solutions company headquartered in Atlanta.
Small business can face out-of-pocket costs for an outside examiner to investigate the breach — a process that may take days or weeks — as well as for notification of customers, credit monitoring for affected customers and other expenses.
On Long Island there were 94,828 small business establishments with fewer than 100 employees in 2013, according to latest data from the U.S. Census Bureau.
Technically, the new credit card payment processing standard is referred to as EMV, which stands for Europay, MasterCard and Visa, the three companies that created it.
“In theory, it should benefit everyone — cardholders, merchants and issuers,” Ivory said. “There should be a drastic reduction of face-to-face fraud.. Skimmers would be out of business with a chip card until they find a way to duplicate it.”
ATMs are exempt from the guidelines until October 2016 under MasterCard’s guidelines and October 2017 for Visa. Automated fuel dispensers at gas stations will have until Oct. 1, 2017, because they are more costly to upgrade.
More than 80 countries have already upgraded their payment card security to the EMV standard, including Australia, Brazil, Mexico and Canada. The United Kingdom is considered an EMV pioneer with its nationwide rollout in 2004.
In the United States, however, “there is not a big rush from merchants to get EMV yet,” Horal said. “They are waiting until October because it is not a mandate.”
Not all chip-card terminals are working yet. Target has already installed the readers but is still rolling out the software for acceptance. About 850 out of the retailer’s 1,800 stores are accepting chip cards, with the rest expected to be working in advance of the deadline, Target spokeswoman Molly Snyder said.
Home Depot is testing chips and signatures for credit cards used in stores, and using encryption technology to protect payment data, Home Depot spokesman Stephen Holmes said.
At Walmart, the world’s largest retailer, all terminals at its U.S. stores and Sam’s Clubs were EMV-activated in November, Walmart spokeswoman Betsy Harden said.
Nationally, for merchants and banks, “the expectations [for EMV implementation] are 47 percent of terminals and 63 percent of cards by the end of the year,” said Stephanie Ericksen, vice president of risk products at Visa. “We know that it takes several years to get 90 percent.”
Card processing experts estimate transition costs for retailers can vary from $100 to $600 per terminal if purchased. Merchants can also lease terminals.
Amanda Peppard, owner of Suite Pieces, a vintage furniture and home decor do-it-yourself boutique with locations in Huntington, Massapequa and Brooklyn, said her current payment processing company, Axia Payments, is asking for a $30-a-month leasing fee and a $60 one-time fee, she said.
“It is kind of a big investment,” said Peppard, adding she has never had a charge dispute. “I am still weighing my options as far as where to get my terminal from. I am even considering whether or not I will have to change merchant services and maybe see if there is another company that is willing to give me a better deal.”
Dominick Foresto, owner of Foresto Tuxedo, a family-owned and -operated men’s clothing and formal wear business in Mineola, found out about the liability shift last year from his new payment processing company, Appstar Financial. The new terminals in the 75-year-old business are equipped to accept the chip card, and Appstar will upgrade its software before Oct. 1, he said.
“The reason we upgraded our system is to protect our customers and ourselves against any credit card fraud,” said Foresto, who signed up with Appstar in June because it provided two free terminals in exchange for a monthly processing fee. “I want everyone who comes through here to know that their credit card information is safe.”
Some chip-enabled terminals also handle what are known as contactless payments made with services like Apple Pay or Google Wallet. Only 13 percent of smartphone users have downloaded a mobile wallet, and only 2 percent use it, a recent Gallup survey found. By 2019, these mobile proximity payments will make up only 1 percent of all retail transactions, according to Javelin Strategy & Research, a financial consulting company based in Pleasanton, California.
Still, some merchants like having equipment that can handle contactless payment like Apple Pay, which in theory is even more secure than chip cards because it goes through an additional process called tokenization, which replaces the account number with a surrogate value called a token. The token makes it unfeasible to determine the original account number by only knowing the surrogate value.
“It makes me feel more protected, and it is good that we can accept more types of payments and be a little more cutting-edge for consumers, especially since we added craft beers,” said Courtney Citko, co-owner of locally made product store A Taste of Long Island in Farmingdale. She has been saving $100 a month since October with her new payment processing company, Mainstream Merchants Services, due to a better priced contract.
“The craft beers really bring in consumers who are more likely to have the Apple Pay technology. They are more of the technology-driven generation.”