No More Signatures! Am I Still Safe?

For National Cyber Security Awareness Month, we are re-sharing some of our most popular cyber security blogs from the past year to ensure you are staying #CyberAware online - whether at home or in the office.

person entering credit card into machine

If you have used a credit card in North America in the last month, you may have noticed that you were not asked for a signature. That may have come as a surprise. It turns out to be a good thing!

In a March 2018 Infographic, Visa says that that the dollar amount of counterfeit fraud is down 76% from December 2015 to December 2017. In other words, the move to chip cards was a significant success. The infographic also shows that 63% of US storefronts now accept chip cards. That's significant progress and I hope the trend continues. Most interestingly, though is that 97% of overall US payments in March of this year were on chipped cards. (Chipped cards are often called EMV cards after the EMV standard created by Eurocard, Mastercard, and Visa.)

network & security introduction training

Each of the four major issuers (Visa, Mastercard, Discover, and American Express) has different rules. The rule for American Express is the least restrictive: they are eliminating signatures worldwide.

If there is no more signature requirement, are the transactions safe? The Visa data makes it clear that they are. Signatures are an old method for verifying that the person using the card is actually the cardholder.

I can remember when my father showed me his first credit card there were no raised numbers and no magnetic stripe. The signature was the only method of verification. Even when raised numbers were first added and "knuckle buster" machines imprinted the numbers on the receipts, signatures were still an essential part of verification. In those days merchants manually looked at booklets of invalidated card numbers to verify that the one being used was legit. The magnetic stripes made that more efficient, but not foolproof.

The chips are active devices and do a much better job of preventing fraud. So good, in fact, that the effort required for the merchant to compare the signature on the card to the one on the receipt is not justified. Customers can complete their transactions more quickly and may thus be more pleased with the experience. In most other countries, users enter a PIN number when they use the card. The US is slowly transitioning to that model.

The chips cannot be cloned by bad guys: each has a unique secret code in addition to the familiar CVC on the back of the card and on the magnetic strip. There is also an imbedded CVC code (or iCVC) in the chip, too.

Signatures have not been required for some transactions for a long time. Small transactions made via mobile devices, for instance, do not require signatures. The Near-Field Communication or NFC part of the mobile device allows the customer to hold the phone near the terminal to make the transaction. The card issuers believe that the risk is so low compared to customer satisfaction with the convenience that more people use that service. That seems to be the case.

Cardholder satisfaction with the use of electronic payments makes card issuers happy because they hope it will bring them more business. While they may only take a small portion of each transaction, the amounts can add up very quickly. That's why payment companies advertise so heavily.

Card issuers are moving to cards that support NFC in addition to the EMV chips. This will likely increase security even further.

Whether you choose EMV or NFC, it is still prudent to check your statement each month for unauthorized transactions. The chips make it safer, but bad guys are always looking for ways to ply their trade.

To your safe shopping,
John McDermott

Related Training:
Cyber Security Training