As Mainers head out to do their holiday shopping this week, they will notice that many retailers are offering more payment options than ever before.

The added options, which include scanners for chip-embedded credit and debit cards, and “tokenization” apps such as Apple Pay and Android Pay for mobile devices, are designed to protect consumers, banks and retailers from fraud and theft.

The change to more secure payment technologies can’t happen fast enough for Maine banks, which have expressed frustration over retailers’ slow adoption rate of new hardware and software. At the same time, many banks and credit unions have yet to issue chip-embedded cards to all of their customers.

However, hundreds of retailers have implemented the new technologies in time for the holiday shopping season, and banking industry analysts estimate that 40 percent of debit cards and 70 percent of credit cards will be chip-embedded by the end of the year.

While no system is foolproof, security experts say chip readers and tokenization will dramatically reduce losses from fraudulent in-store purchases and make it far more difficult for criminals to profit from stolen payment card information.

“If you’ve used a chip card at a chip machine, and there’s a data breach, it’s harder to counterfeit,” said Nicole Wentworth, card services team leader at Kennebunk Savings in Kennebunk.

Advertisement

When a criminal steals card information from a traditional magnetic-stripe purchase, the exposed data includes the cardholder’s name, card number, expiration date and three-digit card verification value. All of the information is unencrypted and easy to read.

However, if data from a retailer’s chip-card readers were to be compromised, all the thief would see is a big jumble of alphanumeric code, with no key to decrypt it. Picture a grid of hundreds of character pairs for each card that read: “5A 7D 1C 04 26 6B 00 BF 12,” etc.

Tokenization is even more secure than chip cards, said Dennis Byrd, senior executive vice president and chief operating officer at Kennebunk Savings. When a customer uses a tokenized system such as Apple Pay, the retailer never accesses the card information at all. Instead, it sees a one-time, 16-digit code that can never be used again. In a data breach, information left over from tokenized purchases would be useless to the thieves, Byrd said.

There is one downside to tokenization, he said: The cardholder must entrust his or her card information to the app-maker, such as Apple or Google.

“Now if Apple gets compromised, I’m screwed,” Byrd said.

TARGET GOES A STEP FURTHER

Advertisement

One of the leaders in the push to offer more secure payment options to customers is retail chain Target Brands Inc.

Target, which suffered a massive data breach during the 2013 holiday shopping season, has gone a step beyond most other retailers by offering store credit and debit cards that contain microchips and require the cardholder to enter a four-digit personal identification number, or PIN.

Chip-and-PIN cards were developed in the mid-1990s and have been in use in Europe, Australia and other regions of the world for a decade. They are often referred to as EMV cards, which stands for Europay, MasterCard and Visa – the three credit-card transaction processors that developed the standard.

For years, banks and retailers in the United States resisted upgrading to the newer, more secure standard. Even now, the U.S. is only getting a watered-down version of it.

The new cards that most consumers are receiving contain the embedded microchip, and also the traditional magnetic stripe. They will be treated as chip-embedded cards by chip-reading point-of-sale devices, and as magnetic-stripe cards by systems that can’t read chips. Most point-of-sale devices will not require the cardholder to enter a four-digit PIN.

However, Target is one of the exceptions. Holders of Target store cards will get the same level of security offered in Europe: chip and PIN. In other words, a stolen Target card will be effectively useless to the thief.

Advertisement

The Target store in South Portland has had its chip readers up and running for about four months, said store team leader Cara Sandberg. Anyone can get a store card with the chip-and-PIN technology, she said. Those who don’t want a store credit card can get a debit card that is tied directly to their checking account. Both cards offer 5 percent off on all purchases.

Sandberg said all store employees have been trained on the new system, and that the transition has gone smoothly.

“It takes an extra second or two” to process each transaction, she said. “Our systems are extremely fast with the chip card technology.”

PHASING IN BY TYPE OF BUSINESS

The switch to chip readers is not a legal requirement. Rather, it is the result of a shift in liability from card issuers to retailers in certain instances of fraud.

Most Maine retailers remain in some stage of the upgrade process, whether it’s installing the new hardware, configuring the back-end software or waiting for a licensed vendor to certify the new system before it can be used.

Advertisement

As of October, most merchants are liable for fraudulent purchases made in their stores with chipped cards if they don’t have chip readers. Banks continue to cover all losses from magnetic-stripe cards, as well as all fraudulent purchases made online.

There are future liability-shift deadlines for different types of businesses. For instance, businesses with ATMs don’t have to upgrade them until October 2016 to escape liability, and gas station owners don’t have to upgrade their pumps to read chips until October 2017.

The cost to upgrade a gas pump can be anywhere from $5,000 to $25,000, depending on whether the entire pump must be replaced, said Jamie Py, president of the Maine Energy Marketers Association.

For some independent station owners, that cost is simply too high, Py said. So far it’s moot, because the oil industry has yet to finalize the chip-reading software that gas stations will be required to use – even the cash registers inside convenience stores are awaiting upgrades.

“Even though you’re required to, the software’s not ready yet,” he said.

SOME BUSINESSES MAY HOLD BACK

Advertisement

Byrd said every merchant will have to decide for itself whether freedom from liability is worth the high cost of upgrading to new systems. Some simply will choose not to upgrade until it becomes a hard-and-fast requirement, which could take another decade, he said.

For instance, restaurants will have to purchase hand-held chip-card readers for each server, because the new technology requires the card to be authorized after the customer adds a tip. Byrd said a lot of restaurant owners would rather lose money from a few fraudulently purchased meals than pay for the new equipment.

Kennebunk Savings operations manager Wendy LeBright said consumers should not worry too much about whether the merchants they patronize have chip readers, Apple Pay or Android Pay, because they will not be liable for fraudulent purchases on their cards under any circumstances.

“They’re going to get their money back either way,” she said.

 


Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.