You’ve probably had a chip credit or debit card for several years at this point. But do you know how that card is different than the old one with just a magnetic strip?
Let’s look at the security of credit cards to understand how cards work to keep your transactions safe.
Magnetic Stripes: The Least Secure
Traditionally, credit cards have stored data in a magnetic stripe on the back of card. This is an older technology, developed in the 1960s, that’s very similar to how cassette tapes work. There are microscopic magnetic particles on the stripe, which have their magnetism adjusted to write data to the card. Tape readers, like those inside terminals, can pick up this data when you scan the card.
While these cards work well enough, they have security flaws. The data contained in the magnetic stripe is not protected by any form of encryption, and never changes. This means that criminals can employ tactics like skimming, where they install devices inside legitimate scanners, and then steal card details from unsuspecting people.
By placing a skimming device inside an ATM or gasoline pump, they can read the data on the stripe, clone it onto a duplicate card, and then make fraudulent transactions. In addition to skimming the card details, these schemes usually include a way to steal your PIN to complete transactions.
Skimming isn’t the only way that the old card stripes are vulnerable, though. Data breaches can occur through malware attacks, too. One of the most infamous examples of this is Target, which suffered a massive data breach in late 2013. That breach happened when crooks stole credentials to Target’s network, then installed malware that stole credit card details and other information from store terminals.
Card stripes having all the information needed to complete transactions in an unprotected form is clearly a bad idea. Thankfully, a better solution exists.
Chip Cards: Much More Secure
Today, most cards include a chip inside them. These “chip cards” are properly known as EMV cards (from Europay, Mastercard, and Visa, which were the companies that created this standard). Chip cards have been rolling out since the late ’90s across the world, but in the US, they’ve only come onto the scene in the last few years.
The biggest security upgrade with chip cards is that they don’t contain all your vital card data in the chip. Instead, when you make a payment with the chip, it generates a one-time code for that transaction. If an attacker were to steal this, they would have a useless number instead of your card details.
The terminal can do whatever it needs with this number, including verifying your card with the provider. But it would be nearly impossible for someone who took your card to duplicate this chip.
For additional security, many parts of the world use a chip-and-PIN setup. With this, you’re required to type a PIN each time you make a purchase. This hasn’t happened much in the US, though. Here, we still use chip-and-signature in most cases, which only asks you to verify your purchase by signing a slip and comparing signatures.
In October 2015, card companies shifted most of the liability for fraudulent transactions to the party that hadn’t implemented chip technology. So if your bank didn’t issue you a chip card, or if a store didn’t take chip cards, they would be liable for fraud.
For backward compatibility purposes, most chip cards still include a magnetic stripe on the back, allowing them to work with older terminals.
Contactless Payments and Apple Pay
The US has also been adopting contactless payment cards after they have been standard in other regions. These cards, and terminals that accept them, are marked with contactless symbols, like the one below:
These cards use near-field communication (NFC) to start a transaction without you having to physically insert your card. While they’re protected in the same way that EMV chips are, contactless payments typically don’t require a PIN or signature. Thus, they’re often limited to small purchases.
Finally, mobile payment platforms like Apple Pay provide yet another option, and with more security. Once you add your card to Apple Pay, the service never actually provides it to merchants when you pay. Instead, it provides single-use codes for each transaction, keeping your actual credit card number safe.
The other major security advantage of Apple Pay is that it requires you to authenticate purchases using your usual device security. So when you want to buy something in a store, you have to scan your fingerprint or use Face ID to authorize it.
Credit Card Security Isn’t Perfect
Now you know more about what happens in the transactions we make every day. While technologies like EMV cards and Apple Pay have made large strides, credit cards still aren’t bulletproof. You’ll notice that we left out a major area in this discussion: online purchases.
While chip cards have greatly reduced in-person fraud, these security measures don’t do anything for online purchases. To buy something with a credit card online, you only need the card information that’s printed right on the back. These are called “card-not-present” transactions and make up a large amount of credit card fraud today.
The best ways to protect yourself from online credit card fraud are to keep your card physically safe, and be careful when entering your card somewhere online. Don’t type your card into a merchant’s website unless you’re certain that it’s genuine. This is just one of the many ways to stay safe when shopping online.