The General Services Administration will begin rolling out microchip-enabled charge cards to federal employees this month in compliance with the president’s October executive order on improving consumer security.
By the year’s end, GSA’s SmartPay program expects to issue 1 million of what it calls “chip and PIN” charge cards to its purchase, travel, integrated and fleet card users under its GSA SmartPay 2 master contract.
“[S]tarting next year, we’re going to begin making sure that credit cards and credit-card readers issued by the United States government come equipped with two new layers of protection: a microchip in the card that’s harder for thieves to clone than a magnetic strip, and a PIN number you enter into the reader just as you do with an ATM,” President Barack Obama said during a speech announcing his executive order last fall. “We know this technology works. When Britain switched to a chip-and-PIN system, they cut fraud in stores by 70 percent. Seventy percent.”
The chip cards will feature dynamic data authentication standards, which means each time they are used, they generate unique, encrypted verification codes to ensure they aren’t fraudulent duplicates. This should cut back on the amount of consumers falling victim to fraudsters and cyber attacks when using the cards.
“The new cards will employ what’s known as EMV technology, which stands for Europay, Mastercard and Visa,” said Dave Shea, director of GSA’s SmartPay program. “It’s a standard that was first rolled out in Western Europe and is now coming to the United States. It involved a computer chip that is actually embedded in the plastic credit card that plays a role when it’s used with a chip-enabled terminal.”
“What is different about these cards is they generate a unique code for each transaction,” he said. “They will communicate with the payment terminal, and that code in and of itself, if it were to be stolen by someone, is useless independent of the other information.”
While typical charge cards feature magnetic stripes, or magstripes, that you swipe during a transaction, the EMV technology will introduce a completely new user experience, Shea said.
“You actually insert the card in the slot, and the card has to remain in that slot while it’s processing the payment,” he said. And as the name chip and PIN name suggests, the cards will also require a PIN code during a transaction, what Shea called a second line of security.
While merchants roll out the use of EMV terminals — in the federal government, that responsibility falls to the Treasury Department — the new cards will still feature magstripes to be used during the transition.
The major reason for the move to EMV cards, which have been slow to reach American banks and consumers, is how easy it has become to duplicate the current, ubiquitous magnetic charge cards.
“Fraudsters can duplicate magstripe plastic,” Shea said. “They’re not able to duplicate the chip technology at this point.”
Distribution of the cards in government will be random for the first few months. GSA’s three partnering banks — Citibank, JP Morgan Chase and U.S. Bank — have already begun naturally reissuing cards that are set to expire in February, and they will continue to send them to other cardholders whose cards will expire throughout the year.
Around summertime, Shea said, “we’ll go into another [distribution] mode called forced reissue. This is where we’ll actually start to replace cards regardless of what the expiration date is.” That’s because in October, there will be a liability shift so that parties involved in a fraudulent transaction that have not upgraded to EMV technology will be found liable for any losses.
“Whoever is the weakest link in the security chain is liable for any external fraud if it occurs,” he said. “So getting the chip-enabled cards out there is one way for card issuers to meet this date.”