Square’s New Credit Card Reader Ensures Safer Transactions

The transition to the chip-and-PIN based EMV system promises more secure credit card transactions -- because they couldn't really get less secure.

Chip Reader (Image: Square)

The company that turned every smartphone into a potential credit card payment terminal is taking a step into the future. Square’s now taking pre-orders for the newest version of its credit-card reader, which plugs into the headphone jack on a smartphone or tablet; the $29 dongle now works with the EMV standard that’s soon to become the de facto way we pay with credit cards.

You might know EMV (an acronym derived from its major backers, Europay, MasterCard, and Visa) by its more self-explanatory moniker, chip and PIN. Instead of relying on the magnetic stripes that have been a feature of credit and debit cards for decades, EMV technology incorporates an integrated circuit (IC)—essentially a very simple computer—that contains an encrypted version of the data needed for the payment process. EMV chips are the tiny metallic gold squares typically located on the front of credit and debit cards. EMV is already in use in many countries throughout the world, including Canada, Australia, Brazil, and most of Europe. However, most U.S. cards don’t have the technology yet.

To use a chip-and-PIN card, a customer inserts it into a compatible reader; the card’s chip and the reader work together to exchange secure information, which changes on a per-transaction basis, making it nearly impossible to copy or clone. The user is prompted for a PIN, similar to when you retrieve money from an ATM. The PIN confirms your identity, thus in many cases removing the need for a signature—which, let’s be honest, most vendors don’t bother checking these days anyway. (Some of the cards used in the U.S. will instead operate on a chip-and-signature basis.)

The advantages of chip and PIN are many. The primary one is that the magnetic stripe used by all current credit and debit cards is hugely insecure, and a thief has little difficulty stealing your pertinent details from it. Many countries that use chip-and-PIN cards also use wireless card readers, which allow for both greater convenience and security. In Canada, for example, waiters at restaurants will often bring the card reader over to the table when it’s time to pay, meaning that your card never leaves your possession.
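An added illustration (not from the article, and not Square's or EMV's actual algorithm) of why the per-transaction chip exchange resists copying while static stripe data does not, seen from the issuer's side. The class names, the HMAC-SHA256 stand-in for the EMV cryptogram, and the card number and track data are all assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

def _mac(key, pan, amount_cents, nonce, atc):
    # HMAC-SHA256 stands in for the real EMV cryptogram algorithm (assumption).
    msg = f"{pan}|{amount_cents}|{nonce.hex()}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Toy chip: the key stays on the card; only counter and cryptogram leave it."""
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def sign(self, amount_cents, nonce):
        self._atc += 1  # per-transaction counter, so no two cryptograms match
        return self._atc, _mac(self._key, self.pan, amount_cents, nonce, self._atc)

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan):
        self._keys[pan], self._last_atc[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self._keys[pan])

    def authorize_chip(self, pan, amount_cents, nonce, atc, cryptogram):
        if pan not in self._keys or atc <= self._last_atc[pan]:
            return False  # unknown card, or a counter value already used
        expected = _mac(self._keys[pan], pan, amount_cents, nonce, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # amount, nonce or counter differs from what the chip signed
        self._last_atc[pan] = atc
        return True

    def authorize_stripe(self, track_data):
        # Stripe data is static: the issuer cannot tell the original from a copy.
        return track_data.split("=")[0] in self._keys

def demo():
    issuer = Issuer()
    card = issuer.enroll("9999000000000001")  # constructed card number
    nonce = secrets.token_bytes(4)            # terminal's unpredictable number
    atc, mac = card.sign(1250, nonce)
    results = {"first": issuer.authorize_chip(card.pan, 1250, nonce, atc, mac),
               "replayed": issuer.authorize_chip(card.pan, 1250, nonce, atc, mac)}
    atc2, mac2 = card.sign(1250, nonce)
    results["altered_amount"] = issuer.authorize_chip(card.pan, 99999, nonce, atc2, mac2)
    stripe = "9999000000000001=2512"          # constructed track data
    results["stripe_swipes"] = [issuer.authorize_stripe(stripe) for _ in range(2)]
    return results

if __name__ == "__main__":
    print(demo())
```

The same chip message is accepted once and rejected on replay or when the amount is changed, while the identical stripe string is accepted every time it is presented.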

Chip Card (Photo: Ben Watts on Flickr, CC BY 2.0)

With all the credit and debit card security breaches over the past several years, it’s clear that the United States payment infrastructure is in dire need of an update. Fortunately, just such a transition is in the offing.

Starting in October 2015, the major card issuers—American Express, MasterCard, Visa, and Discover—are all shifting liability for fraudulent transactions on non-EMV capable systems to merchants. That means that past that date, if a retailer can’t accept chip-and-PIN payments and charges a customer for a fake purchase, it’s the store, not the credit card companies, that will be responsible for refunding the charge. Obviously, that’s a big incentive for retailers to adopt the newer, more secure standard. (There’s an exception for pay-at-the-pump gas stations, which have until October 2017 to support EMV.)

None of this is to say that chip cards are themselves impossible to crack. For one thing, many of those distributed in the U.S. have both a chip and a magnetic stripe, to ensure backwards compatibility. But they are definitely more secure than the U.S.’s existing system, which is pretty flimsy in its current state.

EMV’s not the only move afoot towards more secure transactions. Contactless payments using Near Field Communications (NFC), which include Apple’s recently rolled out Apple Pay system and Google Wallet, also promise to bring better security. But the two standards are not mutually exclusive: Most of the chip-and-PIN terminals that are currently being added in retail stores also support NFC payments. (Some merchants, such as retail giant Walmart, are pushing a competing standard based on QR codes, dubbed CurrentC, but that system sidesteps the credit card companies entirely and has become a recent source of controversy.)

Square’s chip-and-PIN reader, which ships next year, will cover only a fairly small niche of the market, mainly small and local businesses and merchants. The bigger portion of the transition will be up to the larger retailers, who are also the ones most likely to be targeted by hackers looking to score large hauls of credit card numbers.