It only took the theft of 40 million Target customer credit card details to spur Congress into finally joining the rest of the world in abandoning the highly insecure credit cards you're used to. Starting late next year, every credit card in the United States will adopt a more secure system. Here's what it is, and how it works.
The "sign and swipe" cards that you use today—you know, the ones with the magnetic stripe on the back—have been around since an IBM engineer named Forrest Parry invented them in the 1960s. Originally developed as security pass cards, the magnetic-striped cards were soon adapted for a variety of other uses, from driver's licenses to debit cards.
Magnetic stripe technology is efficient and ubiquitous in credit cards, but leaves a lot to be desired in terms of security. In fact, the United States is the only major market on the planet to still use swipe and sign technology. And because we've been so slow to evolve, we account for half—yes, half—of the world's daily total of credit card fraud, despite only constituting a quarter of the world's daily card-based transactions.
The Target holiday data breach, which exposed the confidential credit card information of some 40 million American customers, turned out to be the final straw for the Senate Judiciary Committee, which called for expedited implementation of the newer, more secure EMV (Europay, MasterCard and Visa) card. As Delara Derakhshani of the Consumers Union testified at the Senate hearing on February 4th of this year:
Many other countries have shifted or are in the process of shifting to what is known as EMV "smart cards" – or chip and pin technology, which utilizes multiple layers of security – including a computer chip in each card that stores and transmits encrypted data, as well as a unique identifier that can change with each transaction. Cardholders also enter a PIN to authorize transactions. Total fraud losses dropped by 50 percent and card counterfeiting fell by 78 percent in the first year after EMV smart cards were introduced in France in 1992...We believe it is money well-spent, and it is a penny-wise pound-foolish philosophy to wait any longer, particularly when the burden of guarding against harm following a breach falls most squarely on the shoulders of innocent consumers whose data was compromised.
The Senate agreed. "Half of the fraud occurs in the United States but only a quarter of the credit card use," Richard Blumenthal, D-Conn., said during the questioning. "Something is wrong with this picture."
To that end, both MasterCard and Visa have set an October 2015 deadline to roll out the technology in America, nearly a quarter century after they debuted in France in 1992. The October 2015 deadline is an important one in the new standard's implementation. As MasterCard's Carolyn Balfany told the WSJ:
Part of the October 2015 deadline in our roadmap is what's known as the 'liability shift.' Whenever card fraud happens, we need to determine who is liable for the costs. When the liability shift happens, what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will bear the liability.
So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way; if the merchant has a new terminal, but the bank hasn't issued a chip and PIN card to the customer, the bank would be liable. Either way, liability no longer falls on the consumer.
EMV cards come in two varieties: chip and pin, and chip and signature. Both include embedded chips that make duplicating stolen credit cards nearly impossible using cryptographic algorithms such as DES, Triple-DES, RSA and SHA. They also include secure e-commerce programs for added fraud-protection when shopping online.
Chip and pin cards, however, are more secure (though less convenient) than chip and signature cards as they require a pin that must be stolen, a tougher trick than just forging a signature. So rather than slide your card through a magnetic strip reader, then sign a hard copy of the receipt, the chip and pin system will instead have you insert your card into the POS terminal like you would at an ATM, then enter your PIN. If the PIN doesn't match the secure info on the card, your purchase doesn't go through.
Currently, both Bank of America and Chase Bank have announced that they're going with the chip and signature variety, though other financial institutions have the option to implement the more secure chip and pin architecture as well. It's more secure than our current system, but still vulnerable to forgeries.
The major sticking point at the moment is, of course, the cost of switching systems. Converting to the new technology requires replacing or updating existing point of sale terminals and ATMs—like, all of them—and that is not a small outlay of capital. How long that will actually take, however, is still up in the air. Many major financial institutions and retailers are talking about making the switch over "the next few years," despite the October 2015 liability deadline.
Still, the prospect of seeing a massive 50 percent drop in fraud incidents, as France did in 1993, would be a boon for American consumer confidence—a vital indicator of the nation's financial health and barometer of the average American consumer's outlook on the state of the economy. It could also provide some relief for the credit card industry, which has taken no small amount of (and not undeserved) flack for its role in the Great Recession. [WSJ 1, 2 - UPI - Wiki - BI - Tom's Guide - Bank Rate]