The US began its transition to chip-based credit cards in earnest in October 2015, after high-profile credit card hacks in the previous years at Target, Home Depot, Michaels, and other big-box retailers. Today, although only 59 percent of US storefronts have terminals that accept chip cards, fraud has dropped 70 percent from September 2015 to December 2017 for those retailers that have completed the chip upgrade, according to Visa.
There are a few ways to interpret those numbers. First, it seems like two years has resulted in staggeringly little progress in encouraging storefronts to shift from magnetic stripe to chip-embedded cards, given that in early 2016, 37 percent of US storefronts were able to process chip cards.
On the other hand, fraud dropping 70 percent for retailers who install chip cards seems great. Chip-embedded cards aren’t un-hackable, but they do make it harder to use stolen credit card numbers en masse as we saw in the Target’s 2013 breach. Chip cards also can’t prevent against Card-Not-Present (or CNP) fraud, which takes place when card information is stolen online, by mail, or over the phone. If retailers upgrade to terminals that accept chip-embedded cards but leave their online marketplaces insecure, they can still leave customers open to fraud and leave themselves open to processing fraudulent payments.
Though chip-embedded cards offer a concrete way to reduce brick-and-mortar fraud, it’s unclear whether the transition will reduce fraud overall as shopping occurs at brick-and-mortar stores less and less often in the US. Between Q3 in 2015 and Q3 in 2016, US online shopping as a total of all shopping in the US ticked up four percent (and quarters beyond that out to September 2017 likely followed that growth trend). Accordingly, CNP fraud has also showed signs of increasing.
The transition to chip-embedded cards in the US started a full decade after retailers and credit card companies transitioned away from magnetic stripe credit cards in Europe, Australia, Brazil, and several other countries. That was because the benefits of changing systems (that is, avoiding the high cost of fraud) didn’t quite outweigh the costs of replacing terminals and mailing out new cards, or at least that was the reasoning given by the the stewards of the EMV standard (specifically, MasterCard and Visa). Today, the US is finally catching up, just in time for contactless and mobile payments to make physical credit cards less and less necessary.
Correction: Clarified that while the numbers on chip-embedded cards can still be still be stolen en masse, the chip makes re-use of those numbers more difficult.