Why the U.S. Leaves Its Credit-Card System Vulnerable to Fraud

When Target said last week that the personal information of 40 million of its customers had been stolen, it pointed attention toward a quirk in the U.S. credit system: American businesses haven’t adopted widely available technology that would make it far more difficult to commit credit-card fraud. And while the credit-card industry says a solution will be in place in late 2015, skeptics say the U.S. could lag global practices for much longer than that.

The issue is the continued use of magnetic stripes on the back of credit cards. Most other countries abandoned this technology long ago. They’ve switched to cards with embedded chips that generate a new code for every transaction, making cards very difficult to counterfeit. On the other hand, it’s easy to make fake magnetic stripes. It’s not clear how  Target was hacked—the company isn’t telling—but the U.S. is a great place to cash in for whoever got that information.

The technology in the computerized cards, known as EMV, has been around since the 1990s. It took off first in Europe, largely because telecommunications costs there were so high. While cards with magnetic stripes are validated by sending information to—and then from—the card issuer, EMV cards are checked at the credit-card terminal itself. As the rest of the world adopted the new technology, the U.S. became the world capital of credit-card fraud. Last year it accounted for 47 percent of global fraud, while processing just 24 percent of the payments by volume, according to the Nilson Report, an industry newsletter.

The credit-card industry downplays concerns about fraud. “This is a very rare occurrence,” says Jason Oxman, chief executive officer of the Electronic Transactions Association, a trade group for the payments industry. “If a consumer’s credit-card information is compromised and someone makes a counterfeit magnetic strip, they have no liability.”

Only about 6¢ is lost to fraud per $100 in payments. But fraud rates are on the rise, and the absolute numbers are huge. Businesses lost $11.27 billion in fraud in 2012, up 14.6 percent from the year before. Almost two-thirds of that comes from the companies that issue the cards.

If American credit-card companies are losing so much money, why don’t they just adopt a technology proven to cut down on it? Mostly because it would involve pain: More than 8 million merchants in the U.S. accept credit-card payments, and the terminals they use to accept those payments would all need to be updated.

The U.S. is lurching closer to a solution. In fall 2015, the credit-card companies will hold merchants who don’t accept EMV cards liable for fraudulent transactions from magnetic stripe cards. But even if merchants prepare themselves, there is no guarantee that credit-card companies will start issuing EMV cards. Producing a card with the chip costs about four times as much as making a magnetic card, according to David Robertson, publisher of the Nilson Report.

By the time the U.S. adopts better card technology, it might be too late, says Russell Spitler, vice president of product management for security firm AlienVault. The technology protects only against fake cards used in the physical world. A thornier problem is tackling fraud online. ”We have a 16 digit number which doesn’t change for years and is given to hundreds or thousands of people a year,” Spitler writes in an e-mail. “The fundamental premise of that system is broken no matter the technology that is used to manage the ‘secret’ 16 digit number.”

Technology already exists to allow people making online transactions to generate a random number from a separate device in order to prove they are who they say they are. Like many computer security measures, however, this adds a layer of inconvenience that’s seemingly incompatible with the expectation of convenience associated with Web shopping.

Even worse, the emergence of new threats may breed complacence about well-known vulnerabilities. Robertson of the Nilson Report says the industry wants to wait until phone-based payments become prevalent so as to altogether avoid the cost of EMV upgrades. But customers are generally slow to adopt new ways to pay for things, and smartphone payments remain a niche practice. Robertson’s prediction: “Ten years from now, we’re still serving up magnetic stripe cards.”

    Before it's here, it's on the Bloomberg Terminal.