For years, we Americans have been stalling on adopting fraud-resistant payment systems that are standard in Europe, Asia, and elsewhere. The consequence? A lot of money lost. The U.S. sees nearly half of the $11.3 billion in global fraud losses on payment cards each year.
Banks and retailers have been talking about this for years, arguing about credit-card swipe fees and the need for better payment systems that are less vulnerable to theft. And while they’ve dithered and fought it out, U.S. consumers have blithely swiped their credit cards and debit cards, with magnetic strips holding access to their money, their good credit, and even their personal information. These simple magnetic strips have been compared to an eight-track cassette and are fairly porous to data-sucking thieves.
The United States is the only advanced economy still using these cards. Our peers in the industrialized world have upgraded to systems that use cards with an added layer of security — a chip embedded in the card that spits out a unique code (or PIN) for every transaction. The technology is known as EMV — for Europay, MasterCard, and Visa — and has been nicknamed “chip and PIN” by the world’s fish-and-chips-eating economies, England and Ireland.
"Cards not present" fraud big too
When it comes to e-commerce, where most credit card fraud actually happens even in EMV-using countries, many major retailers don’t have adequate protections in place during online checkout. In a recent study, password-management company Dashlane found that Apple Inc. (which the company gave a perfect score), Newegg Inc., Microsoft Corp., Chegg Inc., and, perhaps surprisingly, Target used the most secure password systems. KarmaLoop.com, Dick’s Sporting Goods Inc., Wal-Mart Stores Inc., and even trusted giant Amazon had the least-secure systems.
America wakes up after 2013's Christmas breaches
But back to EMV. Why isn’t it standard in the U.S.? Mainly, the conversion seemed costly and there was all that arguing about who had to do what, and when.
To be fair, the banks, credit card companies, and retailers did settle on 2015 as the year that everyone would get on board with EMV. By then, retailers would be expected to have installed the necessary equipment so that banks and credit card companies could start doling out the cards to consumers, a process that could take until 2017. Indeed, some companies, like Wal-Mart Stores Inc. and Kroger, already have the equipment ready to go.
But this past Christmas has jolted everyone awake when it comes to EMV, and now everyone’s in a hurry. Breaches at Target saw data thieves gain access to personal and financial information of as many as 40 million customers. Similar breaches at Neiman Marcus and crafts-retailer Michaels have affected millions more, and the FBI has warned that there is likely more bad news to come. Replacing cards and covering fraudulent charges have been costly for the banks, credit card companies, and retailers — and of course, in turn, consumers will pay in the form of higher prices at the store or higher bank fees.
It seems obvious now that “chip and PIN” has been, as many have said over the years, too long in coming, and there’s ample pressure to speed up the timeline for its adoption. Consumers are livid, politicians are calling for hearings, and U.S. Attorney General Eric H. Holder Jr. this week announced he’s on the case.
Is EMV enough?
It’s better than what we have, for sure. But even “chip and PIN” cards are vulnerable to hacks, as researchers at Cambridge University in England found. The key to the success of "chip and PIN," that same research showed, is to be sure that the EMV systems in use, whether at ATMs or retail point-of-sale terminals, employ sophisticated enough algorithms. The PINs must be completely randomly generated or hackers have a chance at skimming them. The Cambridge sleuths found shortcuts were being taken, and hackers took advantage.
Those researchers dug deep to find “chip and PIN” vulnerabilities after hearing a rash of stories of consumers being turned down by their banks after reporting fraudulent charges. The banks truly believed that the EMV systems couldn’t be hacked (or so they said). In any case, they were hacked, and some information-security experts say the Target breach couldn’t actually have been prevented by “chip and PIN” technology anyway.
There’s another aspect to this: it is essentially an arms race. The malware that allowed thieves into retailer payment systems is cheap and easily obtained. No doubt, as that malware is thwarted, more will be designed, and there are likely cyber-thieves hard at work right now on a “chip and PIN” workaround.
With that in mind, will there ever truly be a hack-proof payment system, or are retailers now forever doomed to making sure they stay one step ahead of hackers?