Following several breaches, US companies are forced to offer credit cards with greater security features
November 4, 2014: The US is the last country with paved roads to adopt EMV, said Thad Peterson, senior analyst at the Aité Group, passing along a quip he had heard. That’s changing — almost all the new cards being issued in the U.S. today carry EMV chips and the card readers in businesses are increasingly able to read mag stripes, EMV and Near Field Communication (NFC).
EMV, which stands for Europay, MasterCard, Visa, is the standard for a security chip embedded in credit cards to protect consumer transactions. The tiny chip, visible on the front of the card, has approximately the processing power of an old 286 computer and interacts with a card reader when it is inserted at a store or restaurant, as Europeans know. They are accustomed to handing over their card and entering a PIN on the reader to authenticate it.
In the US, almost all credit cards have relied on a swipe to catch the details from the magnetic stripe on the back of the card. The mag stripe carries encoded information about the user that is relatively easy to copy and can be stolen in data breaches like those at Target, Neiman Marcus and Home Depot.
To some extent, the US has been a victim of its early mover role in combining cheap telecommunications with cards — almost all card transactions are processed in real time by clearing them over telephone lines, where they are subjected to some very sophisticated algorithms that look for fraud. Only the occasional tow-truck operator or craftsperson at an art fair still uses the manual card copier, known affectionately as a knuckle buster, and even those users are moving to smartphone card readers like Square.
By October 2015, merchants will be liable for any fraud occurring from mag stripe cards, so the migration to EMV is underway.
“The migration won’t be complete, but virtually all the major retailers will be EMV-capable in time,” said Peterson. Stores still using mag stripe cards will continue to have the protection of real-time authorisation and existing fraud detection software, said Carolyn Balfany, group head, US product delivery for MasterCard.
She said the industry is beginning to see consumer pull for EMV, which is interesting because the card companies had all but hidden the existence of chip cards from US consumers until last year.
BMO, the Canadian bank with a large presence south of the border, offered a chip and PIN Diners Club card, although you couldn’t find it on the bank web site. A couple of credit unions with well-travelled members, such as the UN and the US State Department, offered chip and PIN cards. But only recently have big banks and Amex provided them. Online travel sites have tales of frustrated American cardholders who couldn’t get a train ticket at an unmanned kiosk in Europe because their cards didn’t have chip and PIN. That apparently is changing at last, although why American card companies were so slow to offer chip and PIN, at least to their high-end, well-travelled customers, remains a mystery.
During the introductory period, EMV cards will be used with signatures, which are less secure than a PIN but more familiar to users. Visa ardently maintains that signature is just fine; MasterCard prefers PIN but for now is settling for the new buzz phrase — chip and choice. Peterson expects that the cards will move users to chip and PIN eventually, but no card wants to be stuck in the bottom of a consumer’s wallet because it is too difficult to use.
Nobody wants consumers, who have 3 or 4 other credit cards in their wallet, to have a bad experience with one card and then send it to the back of their wallet, explained Aité’s Julie Conroy, research director for retail banking at the group.
Small merchants will be slower to adopt EMV. Peterson said that a lot of them aren’t aware that the change is coming, although he thinks in the next three to five years virtually every merchant will migrate to EMV.
In the meantime, the US, with the least secure card system, has become a target for fraud, which doubled from 5 basis points to 10 basis points, according to Conroy.
“It speaks to the fact that criminals are targeting the U.S. because we are the weakest link in the chain.”
Perhaps even EMV isn’t as safe as banks would like.
Brian Krebs, whose website KrebsOnSecurity broke the Target story, reported earlier this month that three U.S. banks have been hit with fraudulent transactions for tens of thousands of dollars from Brazil, apparently growing out of card data from the Home Depot breach.
“They were all submitted through Visa and MasterCard’s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards,” he reported.
Neither Visa nor MasterCard has posted any response to the story.
The move to EMV is putting a strain on manufacturing. Credit and debit cards are typically replaced every few years, but EMV is pushing a faster replacement cycle. The migration, which has been talked about for years, really got underway just this year, said Steve Montross, president and CEO at CPI Card Group, one of the leading producers of the plastic cards, with nine plants in the U.S., Canada and Europe.
“Banks are working hard on these migration plans,” he said. “They are not only worried about card production but consumer education, internal education and their own systems. Everyone is focused on payment security and the customer experience; they want to make sure the customer is not held up at the point of sale (POS) and discouraged from making the purchase.”
He is all in favour of starting with chip and signature and then perhaps moving to tokenisation or PINs.
“It’s important to get the smart card out there and have the whole infrastructure to do chip transactions. Whatever speeds that up the most, the path of least resistance, that is what I am in favour of because that provides the greatest improvement in security.”
CPI is running 24 hours a day, seven days a week to meet demand.
“It’s harder to make EMV cards because they require additional steps. You need precise milling and a precise spot for the chip, which itself needs to be prepared for the information you will put on it.”
Even running 24 hours can be insufficient to meet demand, said Ray Wizbowski, vice-president for financial marketing at Datacard, which makes the machines used to produce cards. Its big machines, used in central operations bureaus, can produce 3,000 per hour.
Fortunately, the company also makes machines that can be used to produce cards on demand in bank branches, because many banks are maxing out their centralised card production.
When Target suffered a breach of its card security, a Tier One bank turned to its branch card issuance machines to meet demand, Wizbowski said.
“They had already deployed instant card issuance in 2,000 branches. They sent a letter to customers saying they were going to reissue cards within weeks, but customers who wanted one sooner could go to a specific branch to get one issued instantly. The bank went from issuing 10,000 cards a day through its branches to 25,000 a day, topping out at 50,000 one day.” Branches stayed open late and on Sundays to meet demand.