Credit Card Security

Why the U.S. Is Several Swipes Behind

By | Updated July 29, 2016 9:01 PM UTC

Americans were shocked when Target, the retail giant, said in December 2013 that hackers had stolen the credit card numbers of tens of millions of customers. People in much of the rest of the world might have been shocked, too, but for a different reason: The extent to which U.S. credit and debit cards still rely on outdated security technology. How long will the country that invented credit cards lag behind? Target’s debacle helped hasten the timetable for a switch to a more effective system that’s already widely used in Europe and parts of Africa, Latin America and Asia. However, the changeover hasn’t been simple in the highly competitive U.S. payments marketplace, where an array of banks, payment networks and retailers are engaged in a continual struggle for advantage. And as the Target theft showed, no system is more secure than its weakest link.

The Situation

In the U.S., the big transition to the new technology, known as EMV, which adds a computer chip for verification, started in October 2015. That's when the burden of liability for credit card fraud shifted to banks or retailers that hadn’t switched to the new technology. The changeover was more than a little bumpy. Some retailers hesitated to switch because of the cost, while others wanted to spare customers what was initially an extra 15 seconds per transaction. But analysts predict more than 80 percent of credit cards and nearly 60 percent of debit cards will be EMV-capable by the end of this year.  All the while, a fight has been brewing between payment networks and retailers over whether chip cards should require customers to enter a PIN or their signature.  And in the aftermath of the transition to EMV, retailers including Wal-Mart Stores Inc. and the Kroger Co. have sued Visa Inc. and MasterCard Inc., saying the fees they’re charged for debit-card payments have climbed. After spending $30 billion to $35 billion on the switch to EMV, retailers are in no mood to pay credit-card companies more than they have to.  

Source: 2015 Issuer and Processor Survey by Aite Group and Iovation

The Background

Credit cards were cardboard when Diners Club introduced them in 1950. Cards moved over to plastic in the 1960s. In the 70s magnetic stripes were added once standards were set for the customer and security data, which was embedded on the stripes the way music was encoded on eight-track tape. In 1999, three networks — EuroPay International, MasterCard and Visa — established the EMV standards for global use that included the option of chip technology. The chips communicate with a retail terminal to verify the card’s authenticity when it’s used, adding another layer of security. But since the chip generates a unique security code for each transaction, even if bad guys get your card, they wouldn’t be able to clone the data to sell it — removing much of the incentive for theft or hacking. The chips caught on in Europe with the help of regulators who pushed for the new technology. The shift produced clear reductions in fraud involving the use of lost, stolen or counterfeit cards in stores. But in the U.S., for years companies considered it cheaper to deal with fraud on a case-by-case basis than to spend billions overhauling the system.

Source: FICO

The Argument

The payments industry in the U.S. has relied far more on self-regulation than in Europe. That seemed like a good thing when American companies were pioneering the credit-card economy. But in the wake of well-publicized breaches, President Barack Obama and some lawmakers have called for national standards for database security and requirements for notifying customers when breaches occur. Obama also ordered that government cards used for a variety of benefits including Social Security use chip cards — with pins. Mandates like that and fear of government regulation is part of the reason banks and merchants are speeding up adoption of chip technology. Yet even as chip cards have become common in  U.S. stores, the battle with hackers has continued on a new front – e-commerce.

Source: 2016 Consumer Survey by Aite Group and ACI Worldwide

 

The Reference Shelf

  • Bloomberg Businessweek reconstructed the hack that led to the theft of credit card numbers from millions of customers of the U.S. retailer Target.
  • The SmartCard Alliance put together this FAQ on the conversion to EMV.
  • A report by the Aite Group on EMV conversion in the U.S.
  • Roadmaps on EMV from Mastercard, Visa and American Express.
  • The Nilson Report follows news in the payments industry.

 

First published June 11, 2014

To contact the writers of this QuickTake:
Elizabeth Dexheimer in Washington at edexheimer@bloomberg.net
Jennifer Surane in New York at jsurane4@bloomberg.net

To contact the editor responsible for this QuickTake:
John O'Neil at joneil18@bloomberg.net