In Search of a More Secure Credit Card

In Search of a More Secure Credit Card
| Published February 19, 2014 |

By R. Alan Clanton
Thursday Review editor

The pre-holiday security breaches at Target, Neiman-Marcus, Michael’s and other retailers exposed the vulnerabilities of credit card use and data security in a digital age. Between November and December of last year as many as 110 thousand U.S. credit card users may have had their most personal information stolen, and the suspect is a 17-year-old Russian hacker who developed a backdoor application to gain entry to credit card machines at thousands of retail locations.

The eventual cost of that data breach remains unknown, but will likely cost consumers as retailers, banks and credit card vendors pass those cost overruns, fees and penalties along to customers. Target has again apologized, most recently in the form of a bill insert mailed to every one of its current credit customers, and has vowed to take steps to insure no such catastrophic breach occurs. Michael’s and Neiman-Marcus has also announced new procedures to reduce the risk of hacking.

But some security analysts and credit card experts say that the whole series of fiascos could have been easily avoided had the U.S. proceeded in a timely fashion years ago toward more secure, encrypted credit cards.

Most Americans use credit cards which contain a magnetic strip on the back. That strip contains the essential data about your account—your name, account number, home address, and other critical information. And that means that any time a customer swipes that card through a standard card reader, the information being transferred is at risk of being grabbed by increasingly smart hackers and tech-savvy criminals.

Testifying in Washington in front of the special committee investigating security problems, Target executives suggested that the direction retailers should be looking is toward cards which contain tiny embedded microchips—chips which are encrypted and cannot be easily hacked.

Sounds exotic and cutting-edge, right?

Well, they’re not. Encrypted cards have been in widespread use in many other countries for several years, and in the United Kingdom and Canada, the newer cards have been widely credited with a dramatic reduction in hacking, criminal misuse and fraudulent charges.

But the U.S. banking, credit card and retail business is sluggish—some would say downright glacial—when it comes to major changes in the point-of-sale technologies (think of the upcoming deadline for ATM conversion and Microsoft’s plans to cease support for Windows XP). And there has been little in the way of public or political pressure to bring about those changes, which can be costly because of the complex mosaic of American banking, retail and card technologies.

That cost, it seems, had been the major factor all along for those retailers and financial institutions who see a myriad of things which have to happen, more or less, all at once: new, expensive card readers in tens of thousands of locations, new uniform standards of data management and storage, possibly new account numbers, and then brand new cards for millions of Americans, to the tune of as many as one billion cards. Think about how many cards you have in your wallet or purse right now, and multiply that by everyone who has cards.

Plus, the cost of the high tech embedded cards can run up to six times the cost of traditional cards. Magnetic strip cards cost roughly fifty cents to manufacture. The new cards may cost as much as $2.50.

But the Target breach—and those of the other major retailers caught up in last fall’s colossal hacking—has pushed the issue to the forefront.

Billions of dollars are at stake as a result of the mishap, and now some in Congress are asking why something wasn’t done sooner to make the process more secure. Now there is a push underway to convert American card activity into the chip technology by late fall of 2015, roughly 22 months from now. Both Visa and Master Card have signed on to the deadline, and say that they will be ready. Banks, too, will feel the pressure to comply.

And now the driving issue will be liability: none of the major players want to be the one left standing when the music stops, for the industry component with the weakest technology after the transition will be the one most likely responsible for the cost of fraud.

The new encrypted credit cards, which are in use by a very small percentage of Americans, have the distinct advantage (for now, at least) of airtight security. The Chase Bank website says “the embedded microchip makes the card extremely difficult to copy, which ensures enhanced security if it is lost or stolen, and makes a card much more difficult to counterfeit.”

Furthermore, some of the major banks and credit card providers will, as part of this migration, soon require customers to enter a unique PIN with each transaction, essentially making the new credit cards similar to a debit card. Most believe that this will reintroduce a more stringent level of security similar to that quaint age—in the not-too-distant-past—when we had to sign an actual piece of paper and a clerk or retail associate would ask for our identification. The widespread use of card readers killed the notion that we were required to show a driver’s license or other ID, but opened the door to other problems.

By some estimates, the new encrypted cards will reduce credit card fraud in the U.S. by as much as 60%, a rate comparable to the lower rates of fraud in Canada and Britain after the transition. (After the major conversions in Europe and other countries, opportunistic hackers and criminals, who once preyed upon those overseas markets most vulnerable to attack, shifted their efforts to the U.S. where the magnetic strip made stealing data easy).

But there are a lot of moving parts to this transition, and not everyone is on board. And there are hundreds of questions about costs, PINs, customers who travel, compatibility, and the dizzying array of complex, interlocking technologies which must all work in harmony once the shift begins.

One friend in banking said to me, “think of the Obamacare rollout, and then multiple that times twenty!”

Related Thursday Review articles:

Can You Protect Yourself From Credit Card Fraud?; Thursday Review; Saturday, January 18, 2014.

Who Pays for the Target Breach?; R. Alan Clanton; Thursday Review; Thursday, January 16, 2014.