Over the next few months, South African banks will begin to replace plain, magnetic-stripe credit cards with chip-enabled smart cards. The exact timing of the launch is still up in the air as the banks sort out last-minute details and technologies, but Absa and Standard Bank appear to be the front-runners with FNB and Nedbank only expected to start issuing towards the end of the year.
The roll-out will take place according to the natural cycle of credit cards. As cards expire they will be replaced with the new smart card and the process should be completed by the end of 2008, so expect your next credit card to sport a microchip on the top left of the card. You will have to know how to use it before you land up ranting and raving at shop assistants.
A smart card has a microchip embedded in it that acts like a mini-computer and can run multiple applications and hold enough information to correctly identify you. The main change in using the card will be that you will need to enter a PIN rather than simply providing your signature, which is a similar procedure to your debit card. In addition, you will not swipe your card through the reader but rather insert it. The smart card will validate your PIN immediately.
The new system will change the way you pay. In a restaurant, for example, currently the waiter takes your card and returns with a slip for you to sign. This is one of the times your card is most vulnerable and is a major opportunity for fraud. With the card out of your sight it is very easy to copy the information off the magnetic stripe on the card using a simple device that fits easily into a pocket. The information obtained can be used to clone a new credit card and you don’t even know your card has been compromised. This type of fraud is called skimming.
However, once the smart card is in place, the waiter will be forced to bring the reading device to your table, where you will insert the card and enter your secret PIN. Not for one moment will your card be out of your hands.
The main reason behind the implementation of smart cards is to combat the high levels of counterfeit and lost/stolen cards. Last year alone, South African banks lost more than R100-million to credit card fraud.
In France, the Carte Bleu chip was fully implemented at the beginning of 1990 and in the first year that all cards were chip-enabled, domestic fraud levels dropped by 78%. Significant fraud declines in the areas addressed by smart cards have been reported by Visa International in Britain, which has just completed the launch of Chip and PIN. This can be compared with South Africa, where fraud levels are increasing by around 20% to 30% a year.
The absolute levels of card fraud may appear to be relatively low, with global figures showing around 9c lost for every $100 spent. However, this represents significant losses in monetary terms. That the losses are not higher is mostly due to the security measures that surround credit card transactions.
For example some banks, such as FNB, offer customers an SMS service (inContact) to notify them when their cards are being used. The card-holder is able to notify the bank immediately if it is a fraudulent transaction.
The banks and card associations also monitor usage and flag any unusual activity. For example, on a recent trip overseas my bank contacted me after one transaction to ensure that I was actually overseas. Nevertheless, people are still understandably concerned and nervous about credit card fraud, and the fraud numbers are growing.
Fraud is also migrating from countries that have implemented smart cards to those that are a softer touch. Credit cards are an easy target as they give fraudsters the opportunity to wipe out your entire credit limit, which is usually higher than the amount of money sitting on your debit card.
Counterfeit fraud, which is when someone clones your card, combined with card theft makes up 55% of fraud in the African, Asian and Central European regions.
The smart card is designed to make this type of fraud virtually impossible. Firstly, the chip cannot be copied without significant investment of time and resources. According to Visa, the encryption technology in use is also very difficult to break and would require an extremely determined attack over many years to crack.
If thieves steal your new card they will have to know your PIN. As long as you keep your PIN secret the card is pretty useless to them. Visa International is already working on protecting the card using fingerprint biometrics to do away with any reliance on a PIN.
There is, however, one catch, and that is that cards will still be issued with a magnetic stripe. This is because not every terminal in South Africa can read the chip (roll-out is about 90% complete) and because not all countries have implemented the technology, so you could have a card acceptance problem while travelling.
The presence of a magnetic stripe means that if your chip is damaged the shop teller will be able to complete the transaction by defaulting to reading the magnetic stripe. This gives criminals the opportunity to damage the chip to force the magnetic stripe to be used.
But the good news for card-holders is that the banks will be monitoring for situations like this and ultimately the liability will lie with the shop owner’s bank and not with the card-holder. So even if your card is stolen and compromised in this way, you will not be responsible.
While this is all well and good, smart cards are a lot more expensive to make and cost from about R18 upwards to issue compared with R3 for a magnetic-stripe card. While the banks argue that they are footing the bill, they will be more than compensated by the reduction in fraud. What it really means is that part of the cost of fraud already built into your bank charges will go towards smart card implementation.
Ways to prevent fraud
You need to ensure that you keep your PIN confidential because if you claim that your card has been used fraudulently and your PIN was used, the liability falls to you not the bank.
As a rule it is important to destroy all copies of receipts, airline tickets, travel itineraries and anything else that shows your card numbers.
Another favourite trick by fraud syndicates is called ‘phishing”. This is when you receive an e-mail from your bank or even Visa or MasterCard explaining that you need to change your password on your account. You are then asked to submit all your details on to what looks like a very valid website and to type in your current password. Hey presto, your account is now fully compromised. The message from the banks and payment systems is that they would never, ever contact you via e-mail or SMS to change your account details — so just delete the e-mail as soon as you get it.
Do not give out personal or financial information over the telephone unless you are sure that the person on the other end is who they say they are.
Make sure that you keep your card within sight at all times and ideally don’t let it leave your possession.
If using the Internet for shopping look for a site that uses Visa’s Verified by Visa or MasterCard’s 3D-secure software as this provides protection.
Query anything suspicious on your statement with your bank as soon as possible to prevent any potential further abuse of the card.