U.S. slowly playing catch-up on secure credit cards

The Fresno Bee, May 9, 2014

A customer signs his credit card receipt at a Target store. Most Americans' credit card security relies on the magnetic strip present on all cards, which is vulnerable to skimming and counterfeiting. That technology is being replaced elsewhere in the world with cards embedded with computerized chips.


"What's in your wallet?" It's a lot more than just a rhetorical question in an advertising pitch for credit cards.

Americans had almost 1.7 billion credit and debit cards in their wallets in 2012, the U.S. Census Bureau estimates, and those cards were used to rack up more than $4 trillion (yes, that's TRILLION, with 12 zeroes) in purchases.

And 99% of those cards are vulnerable to being counterfeited or cloned, allowing thieves to run amok and run up charges on personal accounts, creating headaches for customers and high costs for merchants and card companies.

Compared to the rest of the world, the card technology in the average American's wallet — that black magnetic stripe on the back of a credit card that gets swiped at a cash register or ATM — is downright antiquated, security experts say. That simple stripe carries all of the pertinent data for a ne'er-do-well to create a duplicate of a card without the consumer even knowing it.

"While having the embossed card number on the front of the card might have made sense in the days of knuckle-buster machines and carbon copies, those days are long past," Mallory Duncan, senior vice president of the National Retail Federation, said in congressional hearings on data security earlier this year. "Everything a fraudster needs is right there on the card."

Elsewhere around the globe, a growing number of credit and debit cards are embedded with computerized chips that, together with compatible card-reading devices in stores, are intended to prevent cards from being skimmed, cloned and used by thieves.

The chip verifies the authenticity of the card, and the readers often require a PIN or signature — depending on what the card issuer requires — to verify the identity of the owner.

More than 80% of credit cards in western Europe, and almost 95% of the card-reading machines at merchants, banks and other points of sale, are equipped with such chip-and-PIN technology, also known as EMV (which stands for Europay, MasterCard and Visa, the three major card companies that developed the standard).

Outside the U.S., in the rest of North America and in South America, about half of the cards and four out of five card terminals are EMV-capable.

Slow to adapt

Cards embedded with EMV chips are widely considered to be much less vulnerable to cloning and transaction fraud.

But the EMV Migration Forum — a banking and card-industry organization formed in 2012 to shepherd the U.S. conversion — estimates that in the U.S., banks have issued fewer than 20 million EMV chip cards, or about 1% of the plastic that people carry. The other 99% are the old magnetic-stripe cards.

"The magnetic stripe itself is easily cloned," Guy Berg, a senior managing consultant with MasterCard Advisors, said in an EMV Migration Forum teleconference this spring.

"Anytime somebody has your card, it's a matter of seconds." Cashiers or service attendants can quickly swipe a card through a device that skims the card's data, "and they could do it in such a way that the cardholder doesn't even know it's been done." Thieves can also install surreptitious card-skimming gear on card terminals, including those at gasoline pumps, and capture data without a cashier even realizing it.

With a cardholder's name and account number embossed right on the card, the National Retail Federation — long a cheerleader for chip-and-PIN card technology — says, "The bottom line is that cards are poorly designed and fraud-prone products that the system has allowed to proliferate."

EMV cards and readers are designed to diminish the opportunities for fraud.

"EMV is a mature technology that has been deployed in over 80 countries around the globe already," EMV Migration Forum director Randy Vanderhoof said in the teleconference.

"The U.S. market is at this point the last major market to move toward this more secure chip technology."

Credit card fraud always has been a concern, but it "is going up quite dramatically in the U.S., and one reason is that we don't have this (EMV) technology," said Magnus Carlsson, a payment-systems expert with the Association of Financial Professionals in Washington, D.C.

"Because the U.S. is very late in adopting higher security for card transactions, fraud is migrating from Europe to the U.S. because it is seen as the weak link."

The four biggest U.S. card brands — Visa, MasterCard, Discover and American Express — have all announced plans to adopt EMV-based payment systems. But so far, most of the U.S. cardholders with EMV cards are "individuals who travel outside of the United States frequently and therefore are able to use their chip-enabled cards in those countries that already have a mature EMV acceptance infrastructure in place," Vanderhoof said.

That could change over the next 18 months, however. Target, the Minneapolis-based retailer whose stores nationwide were hit last fall by a data breach in which thieves stole credit and debit card data for millions of customers, announced that it will be converting all of its store-branded cards to EMV chip-and-PIN cards.

Shoppers outside the Target store at the River Park shopping center in north Fresno said chip-and-PIN cards are a good idea.

"Any little thing will help," said Margaret Evans of Fresno, a frequent Target shopper who said she was nervous because she had used her credit card at the store during the holidays when the breach was occurring. A past victim of identity theft, Evans admitted to having second thoughts about shopping there after the breach.

Evans' daughter Monica said data stolen from her debit card during the Target breach was used within days to ring up about $400 in fraudulent charges on the East Coast, forcing her bank to issue her a new card and refund the lost money.

Doris Pacheco of Madera said she was glad Target is moving to the new technology — "if it is as safe as it claims to be."

"I was very disturbed by the original breach, and I was very faithful about checking my account after I heard about it," she said.

Economic incentive

The conversion won't come cheap, however. Target estimates that it will spend about $100 million to switch to the new cards and to install new EMV card readers at its nearly 1,800 stores in the U.S., including its 12 stores in Fresno, Tulare and Kings counties.

The new readers will be installed by this fall, and the card conversion will happen by early next year.

Cost is one reason why the U.S. is so far behind the worldwide curve. Both card issuers and merchants will incur expenses in the transition, Carlsson said.

Cards with microprocessor chips are harder for thieves to counterfeit, but they also cost more to make. "And at the merchant level, the investment cost of new terminals is quite substantial," Carlsson said.

But there is a proverbial "big stick" coming for merchants by October 2015, when they — and not card issuers — will begin bearing the burden for transaction fraud from counterfeit cards if they have not installed payment systems that can accept EMV chip cards. At fuel stations that accept plastic at the pump, the liability shift will happen in October 2017.

"The cost of fraud (from counterfeit cards) is now picked up by the card companies," Carlsson said. "For merchants, it becomes a justification issue — what is the cost of the terminals versus the cost of fraud?"

Estimates of the nationwide cost to implement EMV in the U.S. run in the neighborhood of $8 billion and up, Carlsson said, compared to fraud costs for credit cards of about $8.6 billion. "So there is a balancing act there," he said.

Things were moving, albeit slowly, toward an eventual conversion to chip cards even before Target's massive data breach. But that much-publicized case, and those of other retailers including Neiman Marcus, "was a big igniter to get things going quickly," Carlsson said.

Carlsson predicted that by early next year, "we'll see a tremendous increase in chip cards being issued" by credit card companies.

PIN or signature?

While the major card companies are ready to shift even more liability for fraudulent card transactions to merchants, not all are ready to require PIN numbers as an added layer of card security.

"To be clear, there are multiple security capabilities and features that are supported by the EMV standard," said Vanderhoof of the EMV Migration Forum.

"EMV supports signature, PIN and/or no cardholder verification method. In the U.S. market, there is likely to be a mix of all three options that will be issued."

Requiring a PIN provides "an extra layer of security to protect against lost or stolen cards," Vanderhoof said. But, he added, "adding PIN to the card also creates additional complexity and cost to the system."

The NRF is pushing to require PINs, and not signatures, for all chip-card transactions, to reduce the prospect of shifting even more fraud liability to merchants.

While a chip embedded in a card serves to authenticate the card to the payment system, NRF's Duncan said, a signature can easily be faked by someone who is not the cardholder — as is so common today.

In his testimony to Congress, NRF's Duncan said charge-backs from card companies already represent a double penalty for fraud to retailers and merchants.

"That is, the bank will not pay the retailer for the fraudulent transaction even though the retailer provided the consumer with the goods in question," Duncan said.

"When this happens, and it happens a lot, the merchant loses the goods and the money on the sale."

The reporter can be reached at (559) 441-6319, tsheehan@fresnobee.com or @TimSheehanNews on Twitter.
