Visa and MasterCard are renewing a push to speed the adoption of microchips into U.S. credit and debit cards in the wake of recent high-profile data breaches, including this week's revelation that hackers stole consumer data from eBay's computer systems.
Card processing companies argue that a move away from the black magnetic strips on the backs of credit cards would eliminate a substantial amount of U.S. credit card fraud. They say it's time to offer U.S. consumers the greater protections microchips provide by joining Canada, Mexico and most of Western Europe in using cards with the more advanced technology.
Chips aren't perfect, says Carolyn Balfany, MasterCard's group head for U.S. product delivery, but the extra barrier they present is one of the reasons criminals often choose to target U.S.-issued cards, whose magnetic strips are easy to replicate.
“Typically, fraudsters are going to go to the path of least resistance,” Balfany says.
The chip technology hasn't been adopted in the U.S. because of costs and disputes over how the network would operate. Retailers have long balked at paying for new cash registers and back office systems to handle the new cards. There have been clashes between retailers, card issuers and processors over which processing networks will get access to the new system and whether to stick with a signature-based system or move to one that requires a personal identification number instead. These technical decisions impact how much retailers and customers have to pay — and how much credit card issuers make — each time a card is used.
The disputes have now largely been resolved. And the epic breach of Target's computer systems in December, which involved the theft of 40 million debit and credit card numbers, along with smaller breaches at companies such as Neiman Marcus and Michaels, helped garner support for chip-based cards among retailers who were previously put off by the costs.
Chip cards are safer, argue supporters, because unlike magnetic strip cards that transfer a credit card number when they are swiped at a point-of-sale terminal, chip cards use a one-time code that moves between the chip and the retailer's register. The result is a transfer of data that is useless to anyone except the parties involved. Chip cards, say experts, are also nearly impossible to copy.
For its part, Target is accelerating its $100 million plan to roll out chip-based credit card technology in its nearly 1,800 stores. New payment terminals will appear in stores by September, six months ahead of schedule. Last month, the retailer announced that it will team up with MasterCard to issue branded Target payment cards equipped with chip technology early in 2015. The move will make Target the first major U.S. retailer with its own branded chip-based cards.
Even so, the protections chips provide only go so far, according to opponents who note that chips don't prevent fraud in online transactions, where consumers often enter credit card numbers into online forms. Some opponents also point to other technologies, such as point-to-point encryption, as better long-term solutions.
Ken Stasiak, founder and CEO of SecureState, a Cleveland-based information security firm that investigates data breaches, says that while chips would be a big security improvement, they wouldn't have stopped the hackers from breaching Target's computer systems where they also stole the personal information, including names and addresses, of as many as 70 million people, putting them at risk of identity theft.
“Chip and pin is just another security component,” Stasiak says. “What matters is how companies like Target use consumer information, how they protect it.”
Banks generally pick up the tab for credit card-related losses, but companies such as Visa and MasterCard stand to lose too, if data breaches continue to occur with increasing frequency. After all, if consumers don't feel safe using cards, they may choose other ways to pay for purchases.
“It's not just about fraud and losses, it's about the trust involved in electronic payments that's destroyed,” says Ellen Ritchey, Visa's chief enterprise risk officer.
In March, Visa and MasterCard announced plans to bring together banks, credit unions, retailers, makers of card processing equipment and industry trade groups in a group that aims to strengthen the U.S. payment system for credit and debit cards. The initial focus of the new group will be on banks' adoption of chip cards.
That comes ahead of a liability shift set to occur in October 2015, when the costs resulting from the theft of debit and credit card numbers will largely fall to the party involved with the least advanced –and most vulnerable– technology. For example, if a bank has updated to chip technology, but the retailer involved hasn't, the retailer will be liable for the costs.
Stasiak says many of the retailers he works with already have the technology in place. Once the banks start issuing chip cards, the retailers will activate their new systems, he says.
Banks say that despite the jump in high-profile data breaches, fraud still accounts for a small fraction of total transactions processed, while the cost related to issuing chip cards to all of their customers and switching out all of their ATMs is substantial. Banks have urged lawmakers to make retailers more accountable for their own security in hopes of recouping more of the losses from cybercrime.
Richard Hunt, CEO of Consumer Bankers Association, says that in cases of major fraud, banks have generally been able to collect only pennies on the dollar from the retailers involved.
Hunt says even if banks put chips in cards, it won't do any good if retailers don't upgrade their systems.
“We have to improve fraud prevention across the board,” he says. “There are people who get up every day across the world with one mission and that's to break credit card technology. But there's no magic pill out there. The solution involves everyone.”