Data theft at Target reveals plastic’s liabilities

US retailers slow to adopt newer security technologies designed to reduce fraud

The breach of customer data at Target stores has made it clear that credit and debit cards and the systems designed to process them are more vulnerable than ever.
Eric Thayer/Reuters/File 2013

Even though Target Corp. has not revealed how criminal hackers stole about 40 million credit card numbers at its stores, the breach has made it clear that plastic cards and the systems designed to process them are more vulnerable than ever. A big part of the problem rests in that decades-old magnetic strip technology.

That black bar on the backside of US credit and debit cards contains and transmits financial data when they are swiped at stores, restaurants, or gas pumps. It’s definitely convenient. But thieves have figured out how to take stolen financial details and easily make counterfeit magnetic strip replicas.

There is a deterrent to such deception, and many other parts of the world implemented it long ago.


In the mid-1980s, Europe began testing a credit card technology that transmits financial details using a tiny computer chip embedded in the card that generates a secret code to make a transaction. The code is typically paired with a four-digit personal identification number the card holder uses to complete a purchase or withdraw money from an ATM.

Since this standard — known as EMV — has become commonplace in Europe, the rate of credit card fraud has plummeted there, according to many specialists.

A key reason that European countries moved quickly to adopt the chip system was the way credit card companies monitored for fraudulent transactions. Unlike in the United States, it was not common for overseas banks to perform nearly real-time checks on credit card purchases to check for fraud, so they wanted a way to improve security at the point of sale.

Many thought that as Europe adopted new EMV standards, the United States would soon follow.

“We’ve been here waiting a long time for this transition to happen,” said Martin Ferenczi, president of the North America region of Oberthur Technologies, a French company that makes cards embedded with chips and opened US operations in 1996.


But only about 14 percent of the cards it makes in the United States contain chips. The vast majority still have magnetic strips.

And even though many US retailers and banks realize the benefit of moving away from the magnetic strip system, they’ve resisted the chip-and-PIN technology due to the massive investment required to accept those cards. It would cost billions of dollars to upgrade every point-of-sale device and ATM, and to issue new credit and debit cards.

“It really is tough to get all the retailers on board,” said Henry Helgeson, chief executive of Merchant Warehouse, a Boston payment processing company.

That could change because of the Target breach, he said. “I believe the retailers are slowly but surely realizing that we have to do this.”

Actually, the switch to EMV is already slowly underway. Major credit card companies have set October 2015 as the deadline for merchants to begin accepting cards with embedded microchips. If they don’t make the switch, stores could be held liable for transactions made with counterfeit magnetic strip cards.


Still, many doubt US merchants will be able to meet the deadline or even make the necessary changes to enable a wholesale move to EMV cards.

“It ain’t happening in the US. The question is closed,” said Anton Chuvakin, an analyst at the research firm Gartner Inc.

Chuvakin said that since the United States has resisted chip technology for the past two decades, retailers and banks might be better off bolstering other types of security technology to protect magnetic strip cards. One way to do that is to begin encrypting financial data from the moment a card is swiped at the point-of-sale device until it is processed at a bank.

“If it’s encrypted, there’s nothing to steal,” Chuvakin said. “You ensure the entire chain and you’re done.”

Even that type of security is not common at American retailers. It has been only recently that merchants began working on new ways of protecting the consumers’ financial details at the point of sale.

Another complicating factor is the changing nature of how people shop. EMV was designed to protect transactions made in person, not via e-commerce. “What EMV is addressing is a serious problem in the market, but it’s not where the problem is right now,” said Nick Holland, a payments analyst with Javelin Strategy and Research. “Where the fraud is really going is online.”

The Target breach didn’t appear to impact the chain’s online customers, and in recent years security for credit card transactions over the Internet has been improved to the point where some security specialists say it’s safer to buy online than inside stores.

Overall, the US payments industry is in flux as buying habits evolve. At the same time, there’s a rise in alternative payment methods such as Square or LevelUp that use technology within smartphones to make transactions at stores and over the Internet.

But until the credit card system is made more secure, consumers should expect more instances of massive fraud, according to security specialists. “We’re going to be in for a lot of pain before we get this right,” said Helgeson of Merchant Warehouse.

In the meantime, he said, common sense security practices could prevent many credit card thefts. One is for cashiers to use existing security checks such as the signatures on the back of a card, he said. “We’ve actually been shopping all weekend and no one asked to see the signature on my card,” he said.

Michael B. Farrell can be reached at