Smarter, safer credit cards: Why are we so far behind?


By Laura Haight
Originally published as the Digital Maven column in Upstate Business Journal, Jan 24, 2014

When I say EMV, you think of … a) long lines and eye tests, b) an expensive diagnostic procedure or c) what the heck are you talking about?

EMV - Europay MasterCard Visa - is a credit card security protocol far safer than the outdated and, as we learn every day (attention, Target shoppers!), more exposed magnetic stripe technology that almost all of our credit cards have. EMV cards, often referred to as Smart Cards, use an embedded chip and a number of possible authentication methods that create a unique transaction each time.

On a magnetic stripe card, all the information is stored physically on the card. It is easily stolen and easily duplicated. Even the secure code on the back of your card is encoded on the magnetic stripe, although it is only used in “card not present” transactions, such as online purchases.

EMV chips cannot be duplicated and the dynamic verification processing creates a unique identifier for each transaction that is randomly generated and never used again.
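The difference between the two checks, as an added example that is not part of the original column: a simplified model of an issuer validating static stripe data versus a per-transaction chip cryptogram. HMAC-SHA256, the class names and the sample values are assumptions chosen for illustration, not the real EMV algorithms or message formats.

```python
import hashlib
import hmac
import secrets

def mac(key, amount_cents, terminal_nonce, counter):
    # HMAC-SHA256 stands in for the card's real cryptogram algorithm (assumption).
    msg = amount_cents.to_bytes(8, "big") + terminal_nonce + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    """Keeps a secret key and a transaction counter inside the chip."""
    def __init__(self, key):
        self._key, self.counter = key, 0

    def sign(self, amount_cents, terminal_nonce):
        self.counter += 1  # every purchase gets a fresh counter value
        return self.counter, mac(self._key, amount_cents, terminal_nonce, self.counter)

class Issuer:
    """Knows the card's stripe data, chip key and highest counter accepted."""
    def __init__(self, stripe_on_file, chip_key):
        self.stripe, self.key, self.last_counter = stripe_on_file, chip_key, 0

    def approve_stripe(self, track_data):
        # Static check: the same bytes pass for every purchase, copied or not.
        return hmac.compare_digest(track_data, self.stripe)

    def approve_chip(self, amount_cents, terminal_nonce, counter, cryptogram):
        if counter <= self.last_counter:
            return False  # counter already used: a replayed transaction
        expected = mac(self.key, amount_cents, terminal_nonce, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # cryptogram does not match this amount/nonce/counter
        self.last_counter = counter
        return True

def replay_outcomes():
    key = secrets.token_bytes(32)
    track = b"CONSTRUCTED-TRACK-DATA"  # constructed sample, not real card data
    card, issuer = ChipCard(key), Issuer(track, key)
    nonce = secrets.token_bytes(4)     # terminal's per-transaction random value
    counter, cryptogram = card.sign(2500, nonce)
    return {
        "stripe_original": issuer.approve_stripe(track),
        "stripe_copy": issuer.approve_stripe(bytes(track)),
        "chip_original": issuer.approve_chip(2500, nonce, counter, cryptogram),
        "chip_replay": issuer.approve_chip(2500, nonce, counter, cryptogram),
        "chip_altered_amount": issuer.approve_chip(9900, nonce, counter + 1, cryptogram),
    }
```

The issuer cannot tell a copied stripe from the original, while the chip cryptogram is accepted once and rejected when it is presented again or attached to a different amount.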

We may think of EMV technology as “new” but it is far from it. In fact, EMV technology was first used by France in 1992. By the end of 2011, EMV was the global standard with at least 80 countries migrated, more than 1.5 billion cards issued and 21.9 million point-of-sale terminals in use, according to the Smart Card Alliance.

The U.S. is one of the last industrialized countries to move to the EMV standard. Those who have traveled abroad with their traditional stripe cards are well aware of this disconnect.

But that is about to change: The major players have all joined forces and set up roadmaps for migration to the EMV technology by October 2015.

Consumer Reports, citing information from the Mercator Advisory Group, a major consulting organization for banking and payment industries, said issuers would spend $2.85 billion to replace all current cards in the US and another $310 million to update ATMs. For merchants, replacing POS terminals is estimated at $2.64 billion.

Does the cost outweigh the benefit? Not as far as credit card companies are concerned. They are currently shouldering two-thirds of the cost of fraudulent payments with the merchant eating one-third. Cardholders aren’t usually liable for any individual breach directly but we all pay in higher card fees, interest rates and annual “membership” costs.

The UK (United Kingdom) Cards Association reported that credit card fraud dropped 58 percent between 2004 and 2009, retailer losses fell 67 percent since 2009 and “mail non-receipt” fraud - cards stolen in transit - dropped a staggering 91 percent. In Canada, losses from card skimming dropped from $142 million in Canadian dollars in 2009 to $38.5 million in 2012.

These dramatic improvements in the rest of the world are bad for the U.S. as credit card thieves - blocked in most of the world - set their sights squarely on our outdated and insecure transaction methods.

Skimming - the hack used in the Target breach - is a common method of stealing information either over-the-air or physically at the terminal. Although Target is the most visible of these efforts - where the credit card number, card member name and identifying information (all encoded on the magnetic stripe) are “skimmed” off by fraudsters while the transaction is occurring - the highest risk occurs at the gas station.

McAfee, the computer security firm, estimates that the number of malicious programs written for the purpose of stealing your credit card or other personal information has grown from 1 million in 2007 to 130 million today.

By October 2015, all major card issuers will be replacing your credit card with a Smart Card - although anticipating reluctance on the part of cost-conscious merchants, the early iterations will carry both the magnetic stripe and the chip.

Retail merchants accepting credit cards - and take note, all you Square and GoPayments users - must replace their POS terminals with ones that accept the new cards. The major difference is that the card is not swiped; it is inserted so the card can be read and the dynamic authentication process carried out.

To push compliance, card issuers will shift liability for fraud after that date as well - with the bulk of the burden then falling on non-compliant merchants, not card companies.

How well prepared are we for this transition? Apparently, not very. Although there is no real way to know exactly how many retailers have moved to the new standard, analysts estimate about 10 percent with the major retailers not surprisingly leading the way. Small businesses, main street shops, restaurants and mom-and-pops will likely be the stragglers - making them ironically the new high-value targets for sophisticated thieves.

Although the standards are voluntary and the key implementation dates don’t hit for another 22 months, some card issuers already offer Smart Cards on request. Go ask for one, start asking your favorite retailers when they will be taking Smart Cards, and consider rewarding adopters with your business.