Recent data breaches in the US (mainly Target and Neiman Marcus) have once again sparked the age old debate of magnetic strip cards vs. EMV (Europay/Mastercard/Visa) chip cards.
Whenever a store completes a transaction the data from that transaction is stored on the organization’s servers. The EMV cards use a proprietary chip embedded within the card, which generates a one-time security code every time a payment is processed; basically the data on the card is encrypted. These cards also require a PIN to work, a second authentication, meaning thieves must have both pieces of information to be able to use the card. This does not prevent the data from being stolen, but makes it incredibly difficult for the breached data to be used.
The magnetic strip cards, used throughout the US, contains all the necessary financial information, sans the encryption. Once the card info is stolen it can easily be encoded onto another card and reused.
The EMV cards were first introduced in 1993 and are now used by a majority of the world, except for the United States. Here are some figures to give you an idea of the popularity of the EMV cards.
As you can see, the EMV cards are the standard in developed countries. Because of this hackers have aggressively moved their efforts and focus to the US. We have made ourselves a target to data thieves because we use an unsecure and outdated system. Why, you ask? Money.
Since the rest of the world adopted this safer method of payment processing early on it was relatively easy and inexpensive to build the necessary framework for it. The US failed to follow suit, now banks are looking at billions of dollars to update the infrastructure, and they don’t want to spend the money.
It is estimated there are over 5 billion magnetic strip payment cards worldwide, accompanied by over 15 million magnetic strip POS terminals in the US alone. Not to mention over 420,000 ATM’s would need to be replaced to compensate updated cards, after they have already been replaced to compensate for XP’s end of life.
In terms of costs, this would be no small task, or cheap one. Javelin Strategy and Research estimates the cost of the ATM upgrades to be north of $500 million and the costs to fully implement EMV cards and systems to be in the $5 billion dollar range. It would cost banks roughly $3 billion to replace cards, and would collectively cost merchants more than $2.5 billion to replace payment terminals.
Issuers and merchants claim they don’t see the justification in making the move because fraud losses, even though they are getting steeper every year, are still a very small part of their overall revenue. This is unacceptable. Organizations are willing to pass up on a safe method of payment transactions because it isn’t a huge financial hassle for them. I think after seeing what Target, Zappos, and Adobe will have to pay after their breaches their mindsets may change.
But there is some light at the end of the tunnel. PCI security standards and credit card networks (Visa, MasterCard, and Discover) have proposed a shift in liability rules to help ‘encourage’ banks and merchants to make the switch. For example, by October 2015, if a merchant has an EMV based terminal and payment is processed using a magnetic strip based card, the bank will assume liability if a fraudulent act occurs. This will work in the opposite direction. If a customer uses an EMV based card and a merchant does not have an EMV based terminal, the merchant is liable.
At the moment all of this is voluntary, but it is time we catch up with the rest of the world. It may take steeper penalties, or savvy merchants and customers to push the envelope by using and accepting other forms of secure payment such as BitCoin or M-Pesa, which can be used via mobile phones. At any rate there is a definite need for change because this issue is only going to become more problematic for both merchants and customers alike.