Picture yourself setting at the ATM, card in hand, when something catches your eyes. The LEDs around the port don’t seem right. The coloration of the plastic doesn’t quite match the machine itself. You shrug. As you reach out to touch it, the entire front of the machine clatters to the asphalt with an audible clatter. This isn’t just a story, it’s happened. Many fraudsters now use devices, called skimmers, to both read and steal your information. Many of these can now be attached, virtually undetectable, to the front of ATMs and payment terminals. This type of fraud, or simple identity theft, costs the economy billions of dollars. We needed a solution.
There’s a war going on in your wallet. On one side, we have the old and trusted magnetic strip (magstripe) credit card. On the other, we have chip-enabled smart cards. Since the latter was first launched in the 1980s, it’s slowly encroached on territory once firmly held by the trusty magnetic stripe.
The Horse and Carriage Way: Magnetic Strips
Before the magnetic strip was added to credit cards, processing a credit transaction took days, not minutes. To process a credit card, a merchant would make a copy of the card using a zip-zap machine. He or she would then take the resulting ink transfer to the bank for processing. Checking for fraudulent charges required manual comparison and line-by-line checking by local banks. With zip-zap machines easy to buy, and a huge lag existing between transaction and receipt, fraud was prevalent. Thieves could be long gone before anyone realized something was fishy. This was also a time before ATMs and remote deposits. Checking-in at the airport was a nightmare. A push from big-ticket airlines, and credit card companies, prompted IBM to begin developing the first magnetic strip card.
To satisfy its clients, IBM needed something inexpensive, easily decoded, and versatile. While not really used outside the battlefield, the storage capabilities of magnets had been common-knowledge as far back World War II. This knowledge, along with observations of the London Underground, sparked the idea of the magstripe card. Jerome Svigals and his team worked seven years to perfect the needed technology. In 1970, his hard work was tested by American Express, IBM, and American Airlines. IBM would go on to accept the team’s recommendation in 1973. The first bank card and magnetic employee badges soon followed.
However, once costing approximately two-dollars per card, the technology remained too expensive for MasterCard and Visa until the early 1980s. With their adoption of this technology, rampant theft via zip-zap machine became a thing of the past. The thieves, however, did not take long to catch up. Now, much like the zip-zap cards before it, the magstripe card finds itself locked in a battle for wallet supremacy.
How Does A Magnetic Stripe Card Work?
A magnetic card modifies iron-based particles to store information across three separate tracks. The third, as its use is so uncommon, will not be expanded on. The other two contain information, such as primary account numbers, that must be verified by the machine. The data in these tracks, if it adheres to standards set out by the airline and banking industries, can be easily read by most point-of-sales systems. When you swipe the card, a specific component within the machine, commonly called a read head, converts that data into a machine-readable format. Its then sent to an acquirer to be validated. Once approval is received, all funds will be transferred to the retailer.
Here’s how it works:
- The consumer swipes the credit card through the electronic data catcher (ECD).
- The card reader captures the information encoded on your magnetic strip.
- The terminal then uses a dedicated connection, or a dial-up line, to forward the information about your card and your purchase to the bank that collects your card payment.
- After that, the bank typically passes the data on to the card’s issuer.
- When the issuer determines, you have the funds necessary to complete the transaction, it forwards your approval back to the bank.
- After that, the bank forwards that approval to the store.
All six steps happen in seconds. The process outlined above has remained relatively unchanged since the magstripe card was first presented in 1970. It’s efficient. It’s low-cost. But, it’s also outdated and unsecure.
What’s the Problem?
Identity thieves and other never-do-wells have had more than forty years to perfect their assault against magnetic striped cards. In that time, they’ve developed devices, known as skimmers, that can read the data on the back of your card. Some skimmers can be installed at ATMs, or slipped over existing card readers, to collect card numbers from a distance. As the information stored in that magnetic strip is static, it’s easily stored and replicated for later use. For many years, due in part to astronomical costs involved in changing over, US card issuers continued to rely on outdated magnetic stripe technology.
Criminals have moved to capitalize upon this fact. Though the USA conducts only a quarter of all card transactions, it shoulders nearly 40-percent of the world’s credit card theft. In 2015 alone, this amounted to roughly 8.5 million dollars in losses. That’s why most of the world turned to the new kid on the block: the EMV card.
Who Foots the Bill?
Thieves don’t usually line up to pay fraudulent charges. In the United States, that responsibility typically falls to one of three parties: the retailer, the card issuer, or the consumer. Here’s a breakdown of what each one can expect:
- Consumers: Consequences faced by the card owner vary depending on the length of time before reporting the theft, the amount of money spent, and whether the card used was debit or credit. Thanks to the Fair Credit Billing Act, people who’ve had their credit card stolen rest easy. By law, they’ll be responsible for no more than 50 dollars in fraudulent charges. If you report the card stolen before its used, that amount drops to zero. Debit card consumers, on the other hand, can be responsible for the entire amount if they take more than 60 days to report the theft. Even with that stipulation in mind, consumers pay around two-percent of all fraudulent charges.
- Retailers: Much of the weight for fraud, however, falls on the backs of retailers. In 2009, the Federal Reserve Board concluded that merchants absorbed 43-percent of all debit card losses. For credit cards, that number rose to over 50-percent. In 2013, a credit card related breach cost Target nearly one-billion dollars. As it’s merchants’ products and services being stolen, they’re also the ones with the most incentive to change over to the new system. However, the expense involved makes many reluctant. Chip-and-pin readers, depending on the model, cost between 100 and 600 dollars apiece.
- Card Issuers: Banks and card issuers cover the other 60-percent of costs incurred by credit and debit card theft. They’re also responsible for issuing new cards to affected clients. If they find that a retailer was negligent in their security, however, many of the bank or issuers cost can be transferred to the retailer. This was why Target ended up footing so much of the cost.
In other countries around the world, such as the UK, solving these issues is less tug-of-war and more a matter of cooperation.
Why is the USA Lagging? Why Are Things Changing Now?
In 2015, 92.8 percent of US credit card transactions were conducted via outdated magnet-based technology and just 70-percent of Americans possessed a single chip-based card. In Europe on the other hand, nearly 98-percent of all card transactions are conducted without the use of magnetic strips. Typically, the first adopter of new technology, it seems odd that the USA would be so out of the loop on this one. Why, exactly, is that? The answer’s simple: money. It costs around $3.50 to issue a new smart card. Replacing all payment cards in the US would cost card issuers about 2.85 billion dollars and nearly 500 million in new ATMs. Replacing the sales terminals at stores could inconvenience retailers to the tune of about 2.64 billion dollars. Updating a market entrenched in swipe-and-go habits, especially when it’s the world’s largest, was never going to be easy.
Recently, however, chip-and-pin adoption rates in the USA have skyrocketed. In the five-month period between October of 2015 and February of 2016, EMV card usage shot up by more than 10-percent. This sudden change has a variety of root causes. Doubtlessly included among them are the following:
- Credit card fraud rose drastically in the 10 years proceeding this change. In 2014, it was estimated that losses credited to were approximately 10 cents out of every 100 dollars spent.
- The hardware used to read smart-chip cards is also compatible with most forms of mobile payment. As more and more people switch to paying with cell-phones, these terminals provide a dual advantage.
- As the technology becomes more prevalent, the costs of smart-chip enabled terminals, and related devices, falls drastically. This makes it a much more feasible, and cost-effective, options.
- USA consumers finding it difficult to conduct transactions in other countries. If a card issuer didn’t start sending out updated cards, they were likely to lose their more globalized customers.
- Lastly, a law passed in 2015 drastically shifted liability for many retailers. Any retailers who chose not to accept chip-and-pin cards could now be held responsible for 100-percent of losses incurred. By the end of 2017, ATMs and gas pumps will face the same requirement.
Meet George Jetson: The Smart Card
Chip-enabled cards, also known as integrated circuit or smart cards, were first introduced by Michael Ugon in 1977. These cards replace the antiquated magnetic stripe with a more secure microprocessor. Long before they becoming Europe’s go-to payment option, these chip-and0pin were used to pay, monitor, and track transactions at the phone box. Some companies also use them to limit access to high-security systems, gym equipment, drugs, and company property. By 1992, the first chip-enabled debit card entered the market. After that, the idea of chip-based payment cards spread like wildfire.
In 1993, several international payment companies began to develop a set of specifications for these new smart cards. As this project was originally the brainchild of Europay, MasterCard, and Visa, the resulting standards would later be described as EMV. After drafting these initial standards, the card issuers passed maintenance to an outside company known as EMVCo. While always maintaining backwards compatibility with 1998 requirements, these specifications would go on to be upgraded in both 2000 and 2004. Contactless smart cards emerged onto the market shortly after EMV released its third set of standards. Many countries are now considering adopting smart cards for purposes of identification.
In 2014, MasterCard became the first company to offer an EMV compliant card to US consumers. Since then, the number of chip-enabled cards and stores skyrocketed. As of 2016, just 16-percent of US banks fail to offer chip-and-pin cards uncompliant with EMV regulations.
How Does the EMV Chip Card Work?
It might look like a normal credit card, but it doesn’t act like one. Whether or not your EMV card supports contactless payment, it still processes transactions in a similar manner. There are nine steps involved in the typical chip-and-pin transaction:
- The user initiates conversation between the terminal and the card’s microprocessor. This can be done by either tapping the card against or inserting the card into the terminal.
- The terminal figures out what type of card is being used. First, it figures out which functions this card supports. Is it a debit or credit card? Does it process cashback? Then, the card reader determines where the card keeps all its needed information. To do this, the terminal issues a “Get Processing Options” command to your card.
- The data on the card is then read. Your card’s microprocessor sends encrypted data to the terminal that processes your card.
- Data authentication if performed. The terminal then unencrypts and authenticates the validity of the given data.
- The terminal ensures card use is authorized. The machine will then determine if your purchase is allowed. In this step, the machine also checks if your card is expired, out-of-date, or set-up for processing in the country of purchase.
- The user must verify they are the owner of this card. At this point, the user either signs for the product or enters their PIN. Cards that skip this step are typically much less secure than their counterparts.
- Data is then sent to the card issuer. It’s the responsibility of the card issuer’s system to ensure that there are enough funds present to process the transaction.
- The card issuer sends back their approval. If enough funds exist to pay for the requested purchase, the issuer will approve the transaction. At this stage, the issuer can also update any data on the card.
- The user ends the card-to-terminal conversation. After the bank or company issuing the card confirms its approval, the user removes the card from the terminal.
What Are the Benefits and Drawbacks of the New Technology?
When compared to magstripe cards, chip-and-pin cards offer several advantages. These include:
- Enhanced security. Unlike magnetic stripe cards, which parrot their information out to anything that can read it, smart cards encrypt their data. They never use the same security codes twice either. This makes it very difficult for identity thieves to take advantage of the data on the card. In addition to the encryption, chip-and-pin cards require many more authentication steps than their outdated counterparts. As nearly all of them require a PIN for authorized use, thieves cannot use them without access to that number.
- Flexibility. Unlike magnetic stripe cards, which store information for one purpose, the typical smart card can support a variety of functions. They can be used as an ID, a payment method, a stored-value cash card, and a repository of medical or personal information.
- Decreased maintenance costs. The cards, simply put, last longer than their magnetic stripe counterparts. They cannot be wiped by a magnet error or wear down over time. Stores also benefit. Terminals equipped to read smart card technology typically outlast their less advanced counterparts.
However, this new technology comes with a variety of drawbacks:
- Transactions take ages. The average chip-and-pin transaction takes just 15-seconds. For busy Americans, this may feel like an eternity. A poll conducted by CreditCards.com concluded that 16-percent of consumers felt that they take too long. However, this time is required to ensure a safe, encrypted conversation takes place between terminal and computer. However, some companies, such as VISA, are already working on fixing this problem.
- Some stores just aren’t prepared. If a store is not equipped with a terminal ready to read chips, all the security advantages go out the window. Encryption doesn’t help if consumers are forced to rely upon antiquated swiping technology. This complaint was trumpeted by about 12-percent of users interviewed in 2015.
- The change is forcing an increase in online fraud. In all countries where chip-and-pin cards were adopted, consumers witnessed in upswing in the amount of online fraud.
- Many of these cards are still vulnerable to ATM fraud. By installing devices like ones involved in the introduction, thieves can still steal valuable information and record your PIN number. Some of these devices can even trap your card inside them for future use.
Has the Introduction of the EMV Chip Done Its Job?
The answer’s simple: it sure has. A poll conducted by Visa in 2015 concluded that rates of counterfeit card use dropped by 18.3-percent after the introduction of chip-and-pin cards. Retailers with compatible terminals reported similar numbers. On the other hand, merchants without the technology, saw their fraud rates climb by over 10-percent. Since the introduction of EMV technology in Europe and the UK, brick and mortar stores have seen fraud rates plummet to just 25-percent of their former levels,
What Does the Future Hold?
While the inconvenience of contactless chip-enabled cards seemed impossible to beat, many companies are turning their attention to smart phones. The popularity of mobile-based payment platforms has increased in recent years. The SIMS card inside most mobile phones is nearly identical to the one issuers embed in their cards. They can store the same information. They provide the same level of security. However, for some time, both technologies will persist. After all, nearly 30-percent of the US population still haven’t jumped on the smart phone bandwagon.