When Target announced that thieves had stolen access to the credit and debit accounts of 40 million of its stores’ customers, it shined a spotlight on America’s woefully outdated credit card technology.
It turns out that almost no one apart from us in the developed world uses “swipe and sign” credit cards anymore. Elsewhere – in Europe, Latin America, Asia, Africa, the Middle East – economies rely on so-called EMV technology: credit and debit cards equipped with a computer chip and protected by a personal identification number, or PIN. They generate a unique verification code every time they are used, which makes it very difficult to create counterfeit cards with stolen data.
“It’s very embarrassing because the credit card is an American invention,” said Lewis Mandell, professor emeritus of finance and managerial economics at the University at Buffalo School of Management. “We’ve invented every piece of technology and every upgrade, but when it comes to chip and PIN cards, which are a vast improvement, we’re the last people on earth to adopt it.”
Right over the border in Canada, chip cards are the norm.
“They’re as common as can be in Canada,” said Scott Crain, general manager of the Tex R Cana Roadhouse and Barbeque restaurant in Fort Erie, Ont. “Our American customers find it to be a little different, but we still have the ability to swipe cards to take care of them.”
That’s not the case throughout the rest of the world, where Americans abroad find their credit and debit cards incompatible with foreign card readers.
Chip cards are inserted into credit terminals instead of swiped. The chip sends a signal with a unique security code through the network, where the transaction is verified and authorized. Instead of signing for a purchase, consumers enter a PIN, which adds an extra layer of security protection. Without that PIN, a lost or stolen card cannot be used to make purchases in stores or withdraw money from ATMs.
Though smart chip technology has been around for decades, and has been in widespread use in the United Kingdom since 2004, the United States isn’t slated to make the change until 2015.
And, experts say, the longer we drag our feet, the more vulnerable we become.
As thieves find themselves thwarted by chip cards throughout the rest of the globe, they have turned to what has become the world’s easiest target – the United States.
“As other countries started adopting the technology, the fraud moved to whoever was the most vulnerable, so it left the United Kingdom and shot up in the United States,” said Janna Herron, a credit card analyst with Bankrate.com.
Thieves from around the globe have made American credit and debit accounts their No. 1 target, copying bank account information from our magnetic stripe cards and using it to make counterfeit cards, which can be sold on the black market for anywhere from $3 to $1,000, depending on the card’s balance.
So what’s taking us so long to make the switch?
“The U.S. market is a much more complicated, robust marketplace than anyplace else on earth,” said Jason Oxman, CEO of the Electronic Transactions Association, a trade group for the companies that offer products and services for processing electronic transactions. “The migration to EMV is well under way, but it takes time.”
It will also take billions of dollars.
There are 8 million merchants here who will need to upgrade their point-of-sale structure. More than 1 billion credit and debit cards will need to be reissued. Every gas station fuel pump and ATM in the country will have to be modified. And there are countless nagging technical issues to coordinate among the country’s 7,000 financial institutions.
“It’s a massive undertaking,” Oxman said.
Unlike emerging countries in places such as Africa that established their credit systems basically from scratch with EMV – which stands for Europay, MasterCard and Visa – America’s credit systems are much older and more long-standing. For a long time, retailers resisted the idea of making the laborious, expensive switch.
They figured that the return on investment was just not worth the hassle, considering that fraud accounts for less than 6 cents of every $100 spent on cards in this country, according to the Nilson Report, which tracks payment systems worldwide. And even though chip technology prevents thieves from making counterfeit cards, it does nothing to prevent online fraud.
“If you have a picture of the front and back of an EMV card, you can still use them online because the card is not being used to communicate with the card network,” Herron said. “It’s not the be all end all of security measures.”
In fact, even if chip cards were in use here, it wouldn’t have prevented Target’s massive data breach, since the data was stolen from Target’s giant database of electronic records, rather than at its point-of-sale terminals. Still, the Target debacle has stirred American consumers’ demand for the more secure chip cards.
The only truly compatible chip and PIN card available to Americans is one issued through the Travelex currency-exchange group, but those cards are expensive to use and must be prepaid in advance with hundreds of dollars in deposits.
Many banks have begun to offer what they call chip cards, but they are not identical to those offered overseas. The cards are embedded with computer chips, but American travelers abroad have found they are still not compatible with the advanced chip terminals because they are not assigned a unique PIN number and still require just a signature to make purchases. They are also not as secure as true chip and PIN cards.
“It’s a bait-and-switch. The banks and credit card companies are trying to convince us their chip cards are the same, but handing us this product that is not useful and has much higher fees,” said Mandell, the UB finance professor. “The industry has been treating consumers in a very, very shabby fashion.”
Even as the industry makes its slow transition to the more secure cards, the problem could persist, since no one is mandating that the cards be chip- and PIN-protected, meaning that American versions could still be chip cards that require only a signature, which is considered a worthless safety measure.
As the conversion takes place, it brings its own host of problems. When the United Kingdom began the switch nearly a decade ago, it saw a steep rise in mail, telephone and online fraud as thieves moved their operations online.
Lost and stolen card fraud increased as tens of millions of replacement cards hit the mail. And criminals continued to use bogus terminals to steal data when they realized they could still be used to make magnetic strip forgeries that would work in the United States, India and Thailand, said Ross Anderson, a professor of security engineering at the University of Cambridge in England.
“The move to chip and PIN didn’t save as much money as the banks hoped, and it cost the retailers a fortune in new terminals,” Anderson said in an email. “Customers didn’t do any better as banks started to blame customers more for fraud.”
Indeed, the greatest consequence of the conversion to EMV will be a shift in who swallows the losses associated with fraud. Banks could argue, as they have done overseas, that consumers are responsible when cards are compromised, accusing them of sharing PIN information. And retailers who fail to convert to EMV after October 2015 will be held liable for fraudulent purchases instead of the issuing bank.