Soon merchants who cannot process chip-enabled MasterCard and Visa cards could become liable for fraudulent transactions at their stores. American Express will shift liability on Oct. 16.

Share story

Amid the hustle and rush of New York, some diners at the Stage Door Deli in Manhattan may not even notice the extra three or four seconds it takes to buy their lunch.

To pay for their Reuben sandwiches and tuna melts, customers with a small metallic square on the front of their charge cards — an increasingly common fraud-prevention chip — will have to dip instead of swipe. For several seconds, slightly longer than most people may be used to, cards are inserted and left in the cashier’s payment terminal, which uses the chip to determine whether the card is legitimate.

“It’s going to be a pain in the butt for consumers initially,” said Kennet Westby, the president of the cybersecurity firm Coalfire. “What we’ve become very accustomed to as consumers is quick credit-card transactions.”

The change from a swipe to a dip may be the only sign many consumers have of an enormous behind-the-scenes shift in the payment industry, as banks and retailers tussle over who should be blamed for fraud.

On Thursday, merchants who cannot process chip-enabled cards could become liable for fraudulent transactions at their stores. MasterCard and Visa set the deadline for the new rules, which are part of their agreements with the retailers and banks that use their networks. American Express will shift liability on Oct. 16.

Consumers, however, will not be caught in the middle. Federal law requires banks to reimburse consumers for various types of fraud. The only difference is that, come Thursday, banks could go after retailers that have not properly updated their equipment.

Not everyone will have chip-enabled cards by the deadline. While most customers at the big banks like JPMorgan Chase and Bank of America will receive their cards by the end of the year, some will not get new cards until 2016. Some issuers will also wait until customers’ existing cards are close to expiring.

Credit and debit cards without chips will continue to work until they expire, or until consumers activate their new cards. And they will still work at payment terminals that have been updated to accommodate chips.

But new machines will prompt users who swipe a chip card to dip it instead.

“You should always use the chip device, not the swipe device,” said Ed Mierzwinski, the consumer program director of U.S. PIRG, the federation of state public interest groups.

The new chip is intended to make in-person purchases safer, and, in a matter of seconds, works as follows:

During each transaction, the chip creates a one-time code. The payment terminal then sends the code to the bank over a network like Visa or MasterCard. The bank matches it to an identical one-time code and sends verification back to the terminal.

European consumers and retailers have used the chip system for years, and it is commonly referred to as EMV, which stands for Europay, MasterCard and Visa, the technology’s early advocates.

The industry says chip cards are safer because they cannot be duplicated effectively or as easily as a magnetic stripe. That means criminals will have a tougher time making counterfeit cards using stolen data.

With the older cards that do not have a chip, anyone “can buy the equipment and in a matter of hours be proficient in creating fraudulent cards,” Westby said.

Still, the retail industry and some consumer advocates say that banks and payment networks could do more to prevent fraud. Having a chip and a four-digit PIN, as many European merchants are accustomed to, would help validate both the card and the person using it. Most of the new chip cards in the United States will require only a signature.

“In security, it’s what you have plus something you know,” said James Wester, a research director with IDC Financial Insights.

In the United States, thieves use fake cards more often than stolen cards, according to data from the Boston-based consulting firm Aite Group. Counterfeit cards make up about 37 percent of all fraud, according to a report from Aite last year, compared with 14 percent for lost or stolen cards.

But chip technology will not help with “card not present” fraud, such as online purchases. It also will not help with the kinds of data breaches that have embroiled retailers like Target and Home Depot.

“EMV is not the silver bullet for card security,” said Gregory Boardman, the chief technology officer at Ingenico, which makes payment terminals. “Some of the breaches that have happened may still have happened if EMV had been implemented.”

The retail industry is also concerned that cutting down on counterfeit fraud will just push fraudsters online.

“It’s like closing the front door but leaving the back door open,” said Mallory Duncan, senior vice president and general counsel at the National Retail Federation. “The thieves will figure out that the back door is unlocked.”

Retailers and the banks disagree about why banks are not transitioning to the chip-and-PIN cards that are widely used in Europe. Banks say that the process would be too confusing to the consumer, but Duncan said the answer was much simpler: money.

Credit-card transactions typically cost merchants more than debit-card transactions, which often require a PIN, Duncan said, in part because there are more debit networks competing for a retailer’s business.

“They’ve asked us to go out and spend tens of billions of dollars to buy chip-and-PIN readers,” Duncan said. “It’s with no small amount of dissatisfaction that the retail industry discovered, after they began to spend all this money, that they weren’t issuing chip-and-PIN cards, they were issuing chip and signature.”

Under federal law, consumers should never have to pay more than $50 for a fraudulent credit-card transaction, regardless of how the fraud occurred. But debit-card fraud can be more problematic.

“With a debit card, the problem is that many people don’t have a lot of money in their checking account, and when they’re a victim of fraud, they have to wait for the bank to put their money back,” Mierzwinski said. “The law protects you, but the system doesn’t.”

A consumer’s liability is still $50 for fraudulent transactions that are made when a card is not lost or stolen — in the case of a data breach, for example — so long as the fraud is reported within 60 days from when the statement was sent.

Lost or stolen debit cards, however, must be reported more promptly to limit the costs. Within the first two months, consumers can be on the hook for up to $500, depending on when they report that a card has been lost or stolen.

Banks have no obligation, however, to reimburse consumers who report the fraud more than 60 days after a card statement has been issued.