Chip cards gain steam, forcing hackers to get crafty

Love to hate them or hate to love them, the chip card just had a birthday.

Nearly half of all credit cards in circulation, 600 million cards, now have small computer chips according to the Electronic Transaction Association, and data from Visa and Mastercard shows about a third of all merchants are using readers that can accept chip cards.

While the chip card technology has been around since the 90s and used in other parts of the world, the cost and complexity of the transition postponed adoption in the United States.


Since last October's rollout, however, the switch from traditional "swipe" cards to this more secure method has not been entirely smooth.

"We've certainly had our bumps, which most of us expected," said Julie Conroy, a research director covering fraud, data security and compliance issues at Aite Group, a global research and advisory firm.

The industry got a rude awakening from Target, when the retail giant suffered a massive breach in 2013. At the time, Target said 40 million credit and debit card information was stolen during the holiday season of that year.

On top of that, an additional 70 million people had personal information, such as email addresses, compromised.


Although shoppers complain about the longer wait time per transaction, nearly 4 in 5 Americans, or 78 percent, said they have positive feelings about chip charge cards, according to a new report by NerdWallet.

There's little doubt using chip cards provides much greater security. The switch to smart technology (known as EMV, which can process card transactions with embedded smart chips) means that a customer's payment method includes a tiny microprocessor. The chip creates a unique code for each individual transaction and can't be easily duplicated by thieves the way a magnetic stripe card can.

The only problem is that consumers are often confused about whether to dip or swipe, said Sean McQuay, a credit card analyst at NerdWallet. Some stores' terminals have a chip reader but haven't been certified, which means they aren't ready to read chips, he explained.

"The confusion of whether to swipe or dip is an ongoing frustration," McQuay said. (McQuay said he prefers a mobile wallet over both chip and magnetic cards because that payment method is faster and even more secure without the uncertainty at checkout.)

Still, that confusion is likely to subside as more businesses make the switch. By the end of this year, it is estimated that about half of all merchants will have migrated to chip technology and the majority by the end of 2017, according to Jason Oxman, CEO of the Electronic Transactions Association, the group representing payments and technology companies.

MasterCard said 88 percent of its credit cards have chips and that 2 million retail locations were accepting the cards. Visa reported that it has 363 million chip cards that are accepted at 1.5 million locations.

"Given the enormous complexity of the market, we have done remarkably well," Oxman said. But, "we have a lot more work to do."

Credit card chip
Nicholas Rigg | Getty Images

Counterfeit fraud at businesses that have completed their transition to chip terminals fell 47 percent year over year, according to Visa's most recent data. At Mastercard, it was a 54 percent decline.

Retailers that choose to put it off, likely to defer the cost, now assume the liability if a credit card transaction is counterfeit. (Before October, the banks ate that cost).

At the same time, hacked credit card fraud will reach a record $4 billion this year as the window of opportunity narrows for hackers to cash in on stolen credit card data from magnetic strip cards, according to a study from Aite Group.

Old school phishing scams are also on the rise. "If you can't steal someone's magnetic information as they are using it, you ask them for it," said security expert and CEO of cybersecurity site Sndr.com Shaun Murphy of the emails baiting consumers to enter their information. "Hackers go for what works."

These days, "criminals can send very personalized, targeted letters," Aite's Conroy said. "They're getting very good, that's something consumers should be aware of."

Conroy advises consumers never to click on a link in an email, rather, open a new window, go to the bank's website and log on to your account or call the number on the back of your card.

She also recommends regularly checking your credit and debit statements online to make sure all of those transactions are yours, and setting up alerts on large purchases, over $500 for example, or foreign transactions.

--CNBC's Erin Barry contributed to this article.