Americans were shocked when Target, the retail giant, said in December that hackers had stolen the credit card numbers of tens of millions of customers. People in much of the rest of the world might have been shocked, too, but for a different reason: The extent to which U.S. credit and debit cards still rely on outdated security technology. How long will the country that invented credit cards lag behind? Target’s debacle has helped hasten the timetable for a switch to a more effective system that’s already widely used in Europe and parts of Africa, Latin America and Asia. No one is expecting the changeover to be simple, however, especially in the highly competitive U.S. payments marketplace, where an array of banks, payment networks and retailers are engaged in a continual struggle for advantage. And as the Target theft showed, no system is more secure than its weakest link.
The magnetic stripe on credit cards isn’t going away anytime soon. The plan in the U.S. is to add embedded computer chips known as EMV that store customer data in a way that’s harder to get at. Starting in October 2015, any bank that issues anything other than the new chip cards or any retailer who uses older technology will be liable for any fraud that occurs with them. As of March 2014, by some estimates only 2 percent of the nation’s more than 1 billion credit and debit cards that are due for the conversion had the chip system. That compares with 82 percent of cards in most of Europe, 17 percent in Asia, 39 percent in Africa and 54 percent in a region covering Canada, Latin America and the Caribbean. Only about a fifth of U.S. cash registers have been converted to EMV. The cost to banks and stores of just changing the plastic and hardware is estimated at up to $11 billion. Meanwhile, Visa and MasterCard are jousting over whether chip cards should require customers to enter a PIN or their signature. Using a PIN makes fraud less likely if cards are lost or stolen, but makes transactions slower — and gives consumers one more thing to forget.
Credit cards were cardboard when Diners Club introduced them in 1950. Cards moved over to plastic in the 1960s. In the 70s magnetic stripes were added once standards were set for the customer and security data, which was embedded on the stripes the way music was encoded on eight-track tape. In 1999, three networks — EuroPay International, MasterCard and Visa — established the EMV standards for global use that included the option of chip technology. The chips communicate with a retail terminal to verify the card’s authenticity when it’s used, adding another layer of security. But since the chip generates a unique security code for each transaction, even if bad guys get your card, they wouldn’t be able to clone the data to sell it — removing much of the incentive for theft or hacking. The chips caught on in Europe with the help of regulators who pushed for the new technology. The shift produced clear reductions in fraud involving the use of lost, stolen or counterfeit cards in stores. But in the U.S., for years companies considered it cheaper to deal with fraud on a case-by-case basis than to spend billions overhauling the system. That calculus was changed in a hurry by the Target thefts, in which hackers gained access to the store’s terminals and recorded data when the chip-less cards were swiped.
The payments industry in the U.S. has relied far more on self-regulation than in Europe. That seemed like a good thing when American companies were pioneering the credit-card economy. But in the wake of the breach at Target and smaller cases of fraud at Neiman Marcus and Michaels Stores, President Barack Obama and some lawmakers have called for national standards for database security and requirements for notifying customers when breaches occur. Fear of government regulation is part of the reason banks and merchants are speeding up adoption of chip technology. Yet even when chip cards become common in the U.S. — which could take years — the battle with hackers is bound to continue. In the wings, companies are working on new technologies for the mobile-payment market, which is expected to more than quadruple to about $90 billion by 2017. They’re developing new standards to make online and mobile payments safer and implementing swipeless smartphone transactions that will also depend on EMV chips. But that fight isn’t just about security — retailers and tech companies are hoping to win more control over the payment process as customers shift from cash and plastic to mobile devices.
The Reference Shelf
- Bloomberg Businessweek reconstructed the hack that led to the theft of credit card numbers from millions of customers of the U.S. retailer Target.
- The SmartCard Alliance put together this FAQ on the conversion to EMV.
- A report by the Aite Group on EMV conversion in the U.S.
- Roadmaps on EMV from Mastercard, Visa and American Express.
- The Nilson Report follows news in the payments industry.