The news last week that Home Depot is suing MasterCard and Visa for allegedly forcing consumers to use unsecure credit cards raises the question: Wasn’t the whole point of the new chip-embedded cards to make payments safer? Given the delays the chip scanners are causing at checkout counters, you’d certainly hope so.

The answer is yes, the new cards were supposed to improve security. However, the Home Depot suit and a similar one recently filed by Walmart against Visa claim that the system was executed poorly, leaving credit card transactions vulnerable to fraud.

Here's what you need to know.

Why Home Depot is suing

Home Depot’s lawsuit, filed Monday in the United States District Court for the Northern District of Georgia, points out that consumers who use Visa and MasterCard cards at a register are asked to verify their identity by signing their name, instead of typing in a personal identification number (PIN). Signatures can easily be forged, the new lawsuit says, and cashiers aren’t trained to decipher the messy scrawls that most shoppers employ.

“Visa and MasterCard have pushed consumers to use payment card technology that Visa and MasterCard know is defective and subject to fraud and have colluded with each other and with the banks that issue debit and credit cards to do so,” it reads.

As a result, Home Depot is charged higher fees by the card issuers, the suit claims.

“The Interchange Fee on signature transactions is markedly higher than the fee on PIN transactions,” Home Depot’s complaint alleges. “According to data from the Federal Reserve Board, as of 2009, the average Interchange Fee for signature debit was 56 cents per transaction (or 1.53%) while the average fee for PIN debit was just 23 cents (0.56%).”

A Visa spokesperson told Consumer Reports, “We are aware of the lawsuit,” but did not comment further. 

MasterCard is “still reviewing the claims,” communications vice president Seth Eisen said in a written statement. “MasterCard leaves the decision on how to verify the cardholder identity – PIN or signature – up to the merchant and the issuer.” 

Home Depot argues that retailers don't truly have the option to choose the PIN method because the banks that issue the cards are not willing to move to that system, and that Visa and MasterCard have adopted rules that strongly favor chip-and-signature cards.

How a PIN improves security

To understand the controversy, you need a quick tour through the technology involved. Let’s start with the tiny chip you should have on the front of most or all of your credit cards by now. That EMV chip (EMV is short for “Europay, MasterCard and Visa,” the three firms behind this standard) carries on an encrypted conversation with the slot in an EMV card reader. In contrast, when you swipe the magnetic stripe on a card, the data exchange is unencrypted, and therefore easy to read, both by the retailer's card reader and potentially by criminals.

Your reward for using a chip card inserted in a reader is protection from having your card cloned. As the lawsuit reads, "the data on a magnetic stripe can be easily copied (skimmed) with a simple card reading device, which enables criminals to reproduce counterfeit cards." Thirty-three percent of credit-card fraud involves a counterfeit card, according to Visa.

Chip-and-PIN cards add a step. They require you to authenticate the transaction by punching in a PIN, as though you were at an ATM. This is a form of two-factor authentication, in which a transaction requires both something you have (the card) and something you know (the PIN). The addition of the PIN stops the fraudulent use of lost or stolen cards at cash registers—a problem that accounts for 9 percent of all credit card fraud, again according to Visa.

The chip-and-PIN combination is already ubiquitous in other regions of the world, particularly in Europe.

However, a chip-and-PIN combination doesn’t make a credit card account immune to fraud. According to Visa, half of all credit card fraud cases occur through phone and online transactions. Such transactions can happen when a criminal has acquired a stolen card—even European merchants generally don't require credit card PINs for online purchases. Additionally, criminals can acquire account information through other means, such as phishing attacks in which users are tricked into providing account information in response to emails that appear to be from their financial institutions.

If the experience of European countries is any guide, those types of fraud cases may increase as chip-carrying cards become more widespread.

“We have seen card-not-present fraud steadily rise in Europe since EMV's rollout,” Stephen W. Orfei, general manager of the payment-technology group PCI Security Standards Council, said in a written statement. "EMV chip technology (PIN or signature) is not the silver bullet that some think it is.”

Why the U.S. didn't adopt PINs

In Europe, PINs were introduced decades ago, when many card terminals were offline: They couldn’t connect to card networks to verify a transaction. In the U.S., that’s not an issue.

Still, though, PINs do improve security. So why aren't they used here? The lawsuit alleges that Visa and MasterCard are putting barriers in the way of adoption to keep retailers' fees high.

However, according to one analyst, card issuers actually worried that requiring shoppers to memorize a PIN would discourage them from using the cards.

“Not all issuers were implementing a PIN; therefore, any card requiring a PIN was at a disadvantage in the competition to be ‘top of wallet’,” says James Wester, research director for global payments at the market-analysis firm IDC. “Also, the costs to issuers to implement PINs for credit cards is significant.”

Michael Thelander, a product manager at the security firm Iovation, made a similar point in an email. “Switching the world's largest, most distributed, and most fragmented credit card market to a chip-and-PIN plan would have been horrifically complex and expensive,” he wrote.  

From some consumers' point of view, incidentally, the lack of a PIN can also be inconvenient. This used to trip up Americans overseas when they tried to pay at automated card terminals that needed a number. More recently, moves by card issuers to waive the PIN requirement for small transactions seem to have resolved that issue. (I had no trouble paying with a chip-and-signature card at ticket-vending machines in the Barcelona Metro and the London Underground earlier this year.)

How consumers can stay safe

First, if you insist on a chip-and-PIN card, you can get one; for instance, Barclaycard’s cards offer this option, as do some credit unions. You can’t, however, add a PIN to a chip-and-signature card; your card issuer would have to replace it to make that switch.

However, some security experts advise consumers to keep the cards in their wallet and pay with their phones whenever possible. Mobile-payment apps such as Apple Pay, Android Pay and Samsung Pay boost security by generating one-time credit-card numbers for each transaction.

That “tokenization” of the card number leaves nothing for a fraudster to use online, even if the store’s payment system is as hopelessly compromised as, say, Home Depot’s was in the data breach discovered in 2014. “Smartphone payments are definitely safer,” IDC’s Wester says.

At stores such as Whole Foods that accept mobile-payment apps but haven’t yet switched on EMV card readers at the same terminals, a phone’s security advantage becomes even greater.

The tokenization technology used in mobile-payment apps is promising to make online transactions safer as well—witness the “Apple Pay on the Web” Mac software Apple unveiled at its WWDC conference last week.

Long term, card issuers are working to incorporate tokenization into every channel of payment. According to PCI’s Orfei: “Our best defense is to devalue the data so that it is useless in the hands of organized crime, state funded actors, and criminals.”