by Luke Jones
Posted 1/27/2014 12:00 am
Updated 11 months ago
The heavily publicized theft of credit card data from Target servers in November has highlighted a glaring issue that Arkansas banks and retailers must soon address: Our plastic technology is obsolete.
Security on these cards can be laughably easy to skirt: Credit cards require only a signature from the customer, and few retail establishments check the card’s signature against the customer’s.
Debit cards typically require a PIN, but many merchants allow them to be used as credit cards.
EMV — which stands for Europay, MasterCard and Visa — is now the leading technology for credit cards in most of the world.
“It replaces the magnetic stripe on the back of the card with a chip,” said Jason Oxman, CEO of the Electronic Transactions Association of Washington, D.C., which advocates for EMV.
“More specifically, it replaces what are called ‘static’ security credentials, that don’t change, with dynamic security credentials that change with each transaction.”
The magnetic strip on the back of regular credit cards is embedded with the “static” code, but the chip on EMV-enabled cards generates a unique code each time it’s used, making it “nearly impossible” to create a counterfeit card.
So why hasn’t the United States adopted an ostensibly superior technology like EMV?
Oxman said there are a few reasons.
For one, it’s tough to overhaul an infrastructure of card readers.
Merchants “haven’t seen EMV cards in the marketplace,” Oxman said.
“The challenge with the U.S. market is there are 8 million merchants in the U.S. that accept credit cards. That’s a big number of merchants who need to migrate over.”
Secondly, the more than 1 billion credit cards in circulation will all need to be replaced — an expensive prospect for card issuers and a complicated one for the human psyche.
“It’s a different type of card requiring a different type swipe,” Oxman said. “It’s a dip instead of a swipe.”
Arnold added that the focus in recent years has been unevenly placed on convenience at the expense of security, and the reliance on old technology is becoming even more glaring as travelers find their credit cards unusable in other countries.
From the issuer side, Oxman said, the industry has been slow to start distributing the cards to customers, with the exception being frequent overseas travelers.
The Big Switch
The good news is that this technology won’t be esoteric in America for long. Major credit card companies have established a deadline of October 2015 for most of the country’s banks and retailers to switch to EMV.
Oxman said the deadline is stretched for certain industries like gas stations, which will have to replace entire pumps to be able to accept the technology.
Wal-Mart Stores Inc. of Bentonville, for example, has long been an advocate of EMV and has already started deploying EMV terminals at its checkout lanes in preparation for the switch.
Banks have been slower to change.
“Some of the bigger banks, like Chase, are the only ones starting to issue the chip-and-pin method popular in Europe,” Arnold said. “But I think you’ll see an acceleration of that.”
Luke Wigley, president of Arvest Bank’s Security Bankcard Center, which handles all of the Fayetteville bank’s credit card processing, confirmed Arnold’s predictions.
He said the bank will in February start issuing EMV cards to its commercial accounts that frequently travel overseas.
Arvest is among the top 75 in issuers of credit cards, although Wigley was quick to note that it’s near the bottom of that ranking with roughly 175,000 cardholders.
Compare that to an entity like Chase Bank of New York, which sits at the top, with closer to 80 million.
But Wigley said credit cards are still a very important part of Arvest’s business.
By the third quarter of this year, he said, 90 percent of the bank’s customers with card reissue dates in 2014 will have EMV-enabled cards.
The cards will have both a chip and the traditional strip, he noted, since it’s far too optimistic to expect the majority of U.S. merchants to be using EMV by then.
The full transition should be completed by the end of the first quarter of 2016, he said.
Arnold said the switch to EMV will be tough, but necessary.
“The chip-and-pin thing needs to happen,” he said. “I’m fearful for Arkansas banks; it’s going to be pretty taxing on these smaller issuers in terms of cost and whatnot.”
Indeed, Wigley said, it will be an expensive process.
“It depends on who you are,” Wigley said. “The more cards you order, the cheaper it’s going to be. Chip cards are going to cost us more.”
If the smaller banks don’t follow the bigger players, though, Arnold said, the losses will be greater.
“It’s reached a turning point, a melting point,” he said. “It’s not going to go away if something’s not done.”
Target’s data fraud also highlighted just how vast the depths of credit card fraud can reach.
In the low-interest environment, Arnold said, banks’ method of profiting from cards has swung from interest charged on credit card balances to merchant fees generated at the point of sale.
But, Arnold said, that market is in danger if fraud continues to make people worried about their identities being stolen.
“That needs to be urgently addressed,” he said.
“For the [card] industry, in my estimation, it’s the biggest threat to be faced in many, many years.”
On the consumer side, fraud isn’t as big a deal as it might seem. Oxman said fraud losses from credit cards account for less than 6 cents out of every $100 spent.
Federal law makes customers liable only up to $50 of a fraudulent charge, provided they give notice quickly enough, and major card companies usually free customers from liability entirely.
“You’ve got all these industries that realize that fraud is a great threat to their business models and have all these different policies so that, in effect, card owners have zero liability,” Arnold said.
“Which is a good thing. It does give cardholders and consumers some reassurance, but somebody’s got to eat all that fraud. If consumers are not eating it, who’s eating it?”
The answer is, of course, banks.
Last year banks issuing Visa and MasterCard absorbed around $3.5 billion in fraudulent charges, Wigley said.
As the big players — card companies and the government — swoop in to investigate frauds, banks like Arvest are left to deal with the victims, and that usually means losing money.
Most of the time, Wigley said, Arvest writes off the fraudulent transaction. It’s just the cost of doing business.
Sometimes a settlement will trickle down a few years later, but they are usually very small — “pennies on the dollar,” Wigley said.
“We may or may not make money off of them,” he said. “So we budget, on the card side, a percentage of our sales as a loss we’re going to take as fraudulent transactions.”
So will the switch to EMV fix this problem?
Oxman noted that the Target incident was actually a cybercrime involving installation of malware and would have had the same result even if EMV tech was in use.
“Forty million people shopped at Target during the breach,” he said. “All 40 million of those cards were captured regardless of whether it was a chip or stripe. It was a breach of a server, not of the card.”
Still, EMV would have made the criminals’ task more difficult if their aim was to copy the stolen cards.
“The easiest thing to do with stolen card numbers is to make counterfeit cards and go to retail,” Oxman said.
“With EMV cards, it’s much harder to counterfeit. The unique codes generated by the chips are matched by the unique code of the server side, and they don’t have access to that, so they can’t counterfeit the card.”
As for Arvest, Wigley said the EMV transition would take care of “a lot” of the bank’s point-of-sale level fraud issues.
But, “unfortunately,” Arnold added, “most of our fraud is card-not-present,” meaning transactions where the merchant never sees the card, usually carried out on the Internet, and even EMV can’t provide much defense against that.