When you transact with a credit, cheque or debit card that has an embedded memory chip (known as a chip-and-PIN card), sometimes a point-of-sale machine can’t read the chip and your card is swiped. In these instances, on a chip-compliant terminal, you should still be required to enter your PIN. If the card is swiped and you are not asked to enter your PIN, or the merchant does not obtain authorisation from your bank, you, the consumer, are protected.
Walter Volker, the chief executive of the Payments Association of South Africa, says that, under normal circumstances, if a chip-and-PIN card is swiped on a chip-compliant terminal, the terminal will force you to input your PIN.
For a chip-and-PIN card to be swiped, the chip on the card needs to be faulty or damaged, Volker says. The PIN is still required, which is what makes the chip-and-PIN cards so much safer, he says, adding that this is true even if the card is skimmed (see “Bank card fraud”, below).
The reason the new-generation cards still have a magnetic strip, Clive Pillay, the Ombudsman for Banking Services, says, is that not all merchants’ point-of-sale devices are chip-compliant and not all banks have issued chip-and-PIN cards on all their accounts. The magnetic strip serves as a fall-back option, he says.
“The practice varies from bank to bank, but if a card has a chip and the merchant is chip-compliant, the merchant is obliged to phone for authorisation if the merchant proposes to override the chip and only swipe the card,” Pillay says.
“In circumstances where fraud has occurred following the merchant overriding the chip, the merchant may very well be liable. This will, however, depend on the specific circumstances of the transaction, including the point-of-sale device and the merchant agreement with that specific bank.”
His words are echoed by Volker: “If the terminal is not working properly, the liability moves from the issuing bank to the merchant. The consumer, in fact, is very well protected in such instances.”
Volker points out that not all debit cards are chip-and-PIN cards. Banks have been slower to upgrade all their cards because of the number of cards in issue. He expects banks to upgrade the remaining cards within the next year.
The big four banks and Capitec all issue cards that have chips and magnetic strips. According to the South African Banking Risk Information Centre (Sabric), nearly 90 percent of all credit cards and 65 percent of all debit cards are chip-and-PIN cards.
“We still include the magnetic strip on the card, because some countries do not offer chip readers. However, most ATMs and point-of-sale devices in South Africa are chip-compliant,” Charl Nel, spokesman for Capitec, says.
“It is up to the issuing bank to decide the level of security they offer with their cards. We at Capitec do not allow fall-back transactions [using the magnetic strip]. This means that if one of our cards is inserted into a chip machine, the chip must be read [with the PIN]. This prevents cases where stolen cards are used without the PIN.”
BANK CARD FRAUD
When bank cards with an embedded memory chip became the norm in South Africa, there was a general feeling that fraudulent point-of-sale transactions on credit, cheque and debit cards would drop.
And drop they did – at least on credit cards. Bank losses due to fraud on credit cards issued in South Africa decreased by 28.6 percent, from R353.3 million in the period from January to September last year to R252.2 million in the same period this year, according to Sabric’s 2015 Card Fraud Report, released last month. On debit cards, fraud increased by 8.3 percent, from R237.4 million in the 2014 period to R257.1 million in the 2015 period. In this case, there was an increase in lost or stolen card fraud and card-not-present fraud (when only your card details are used). The provinces most affected were Gauteng, Western Cape and KwaZulu-Natal.
Sabric attributes the increase in lost and/or stolen debit card fraud to criminals reverting to previously common activities, such as “shoulder surfing”, card jamming and card swopping at ATMs.
Another type of fraud is cloning, whereby criminals make counterfeit cards using your card data and your PIN, which they have watched you input. In this instance, there have been positive moves, with Sabric reporting a decrease in counterfeit credit card fraud of 45.6 percent between 2014 and 2015, from R89.2 million to R48.5 million. Counterfeit debit card fraud decreased by 29.5 percent, from R114.9 million to R81 million.
“Skimming, be it with handheld or ATM-mounted devices or the new point-of-sale skimming, is still a common modus operandi used by criminals to obtain cardholder information,” Sabric says.
Handheld skimming devices are usually small black objects that fit into the palm of your hand and can easily be hidden in a pocket. Some 892 of these devices were recovered by the police or bank investigators between 2010 and September this year, and 93 point-of-sale skimming devices were recovered between 2013 and September 2015, with 27 found this year alone.
Sabric says criminals steal point-of-sale devices and illegally convert them into skimming devices. The converted devices are not connected to a bank system and are used to capture information from the card.
If a terminal shows any signs of tampering or skimming devices attached to it, Sabric advises that you don’t use it and inform your bank. Also, check that the rand value of the transaction on the screen of the terminal matches the purchase amount, and is in rands, before you enter your PIN. Importantly, be vigilant. Never let your card out of your sight and never let anyone see you type in your PIN.