Magnetic swipe credit cards will finally be phased out in the US
I didn't know this but apparently the US is still using an outdated system that a lot of other markets have already moved beyond. I also didn't know that this is also why fraud problems tend to be more common in the US.
It’s a payment ritual as familiar as handing over a $20 bill, and it’s soon to go extinct: prepare to say farewell to the swipe-and-sign of a credit card transaction.
Beginning later next year, you will stop signing those credit card receipts. Instead, you will insert your card into a slot and enter a PIN number, just like people do in much of the rest of the world. The U.S. is the last major market to still use the old-fashioned signature system, and it’s a big reason why almost half the world’s credit card fraud happens in America, despite the country being home to about a quarter of all credit card transactions.
The recent large-scale theft of credit card data from retailers including Target and Neiman Marcus brought the issue more mainstream attention, leading to a Senate Judiciary Committee hearing this week. Executives told the senators that once the country transitions to the new system — which includes credit cards embedded with a microchip containing security data — these kind of hacking attacks will be much more difficult to pull off.
The shift is coming though: both MasterCardMA +1.88% and VisaV +1.26% have roadmaps for the changeover, and both have set October, 2015 as an important deadline in the switch. But why has it taken this long, and how will the changeover work for card users and businesses?
We spoke with MasterCard’s Carolyn Balfany, the company’s expert on all things related to the new payment system, known as EMV, that will lead to the end of the swipe-and-sign and the beginning of the chip-and-PIN. Here’s what she had to say.
Much of the rest of the world switched to chip and PIN cards years ago. Why has it taken the U.S. so much longer?
There’s a historical view to this. In the past, other markets migrated for two reasons. First, there were higher fraud rates in some other markets, and they wanted to make this move to combat fraud. Second, this system can operate in offline mode – the card and the terminal can authorize a transaction independent of communication with the bank’s systems. In some other markets they struggled with robust telephony networks, so this offline capacity was attractive.
Both those factors were not driving factors here in America. Fraud was more prominent in some other markets, but what has happened since then is that as other markets migrated to EMV and became more secure, fraudsters migrated their activity to markets with less security. We saw fraudsters move over to the US market – they are looking for the path of least resistance.
There were also some more specific challenges to US migration to the new system. Because the US is one of the largest and most complex markets, the business cases for the costs had to be established. And there were requirements of the Durbin amendment, mandating all us debit transactions are able to go across at least two networks, which took some time for the industry to sort out.
It seems now like there is agreement on the switch. So when will the changeover happen?
For Mastercard, now is the time, and we’ve been very consistent on that message for years. We introduced our roadmap for migration in 2012, and that roadmap says that for face-to-face transactions, where a consumer uses their card at a merchant’s location, the liability shift will happen in October, 2015.
The “liability shift” is a big moment in the changeover. Can you explain what it means?
Part of the October 2015 deadline in our roadmap is what’s known as the ‘liability shift.’ Whenever card fraud happens, we need to determine who is liable for the costs. When the liability shift happens, what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will bear the liability.
So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable.
The key point of a liability shift is not actually to shift liability around the market. It’s to create co-ordination in the market, so you have issuers and merchants investing in the migration at the same time. This way, we’re not shifting fraud around within the system; we’re driving fraud out of the system.
How will the change over to the new system actually happen?
One important thing to know is that it’s not as if everybody just got to the starting line just now, there has been a lot of work on this that has already happened. For merchants, the terminals in many cases are readily available or already there, they already have the equipment ready to handle the new cards. Banks who issue cards in many cases already can issue cards with the chip, and they have been issuing them to customers who travel overseas.
U.S. consumers are already pretty aware of the chip and PIN system, because most of the rest of the world has already migrated. And we would expect in the wake of these latest breaches and the media coverage that awareness is now even higher. And as banks issue consumers their new cards, they will get information explaining the system and all the benefits, and obviously how to use it.
Aside from the security of the system, are there any other benefits for consumers?
One thing to remember is this migration really isn’t about a single device or technology, it’s about establishing a technological platform for the next generation of payments. So the EMV standard that we are moving toward isn’t limited to chip and PIN cards, it also includes things like contactless payments, where you can tap the card against the reader, all with the same level of security.
Card issuers will probably always issue a card, but in this system an account can be resident in multiple places – so you can have the card, but also maybe a tag affixed to your phone for mobile payments, or a fob on your key ring.
There are lots of different use cases and it depends on the venue, and the devices and what interaction method makes the most sense. In a transit location, contactless interfaces make a lot of sense. We’ll continue to see interactions broaden and evolve as this migration happens.
Re: Magnetic swipe credit cards will finally be phased out in the US
Yeah, recently heard a story about it on NPR. From what they said, and it seems echoed in your WSJ piece, is the credit card companies have wanted to move to the new system for years, because they are largely the ones who eat the loses on credit card fraud, but retailers have resisted because of the expense of moving over. After this whole Target scandal, the credit card companies are putting their foot down and retailers really aren't in a position to complain.
Re: Magnetic swipe credit cards will finally be phased out in the US
Still not convinced that changing the media will reduce credit card fraud. You're still scanning data off a card and transmitting it. Why does it matter how you scanned that data? The target fraud would have happened exactly the same with those fancy European cards. Online fraud will still be exactly the same. I really can't see a situation where it could possibly be beneficial.
Re: Magnetic swipe credit cards will finally be phased out in the US
Quote:
Originally Posted by D3matt
Still not convinced that changing the media will reduce credit card fraud. You're still scanning data off a card and transmitting it. Why does it matter how you scanned that data? The target fraud would have happened exactly the same with those fancy European cards. Online fraud will still be exactly the same. I really can't see a situation where it could possibly be beneficial.
A system to copy the magnet swipe is a lot cheaper and easier. At my closest unmanned fuel station a Romanian criminal gang had inserted such a system: they can copy the magnet swipe by inserting a small apparatus in the hole where you place the card. This could be enough to shop at some places here I reckon, but they also wanted the password and had a tiny camera in the pay machine as well.
To somehow copy the chip would be technically and mechanically (placing such a system in the machine) a lot harder.
Last edited by Rikupsoni; February 9th, 2014 at 03:07 AM.
Re: Magnetic swipe credit cards will finally be phased out in the US
How is it any harder? The chip is read in virtually the same way, is it not?
Besides, most significantly large credit fraud happens on a software, not hardware, level. Meaning some system somewhere is breached, rather than having a device physically inserted to steal data.
Re: Magnetic swipe credit cards will finally be phased out in the US
Funny how the article only mentions credit cards and not debit cards... I assume that in the US a credit card is more common then a debet card. Iit's the other way around here, most pay with a debet card from their bank which used to come wit a magnetic strip + PIN but now are replaced by a chip + PIN. The magnetic stripe is still on many (most?) cards though even though it's rarely used anymore (as far as I can the magnetic strip isn't used by any shop or ATM in the Netherlands for instance but I heard that some parts of Europe still use the magnetic stripe.. so that's why it's still on there). It would be good to see the magnetic stripe removed from the debet and credit cards entirely as to make things more difficult for people (eastern European gangs) to copy the cards by manipulating the device (ATM, card terminal etc.).
The thieves and gangs will most likely move on to digital account robbing: scam mails, malware etc. to either retreive people's login information or (since some banks need you to verify your identity by putting your actual bankcard in a reading device, which gives you a unique number every time you login) trying to direct you too duplicate/spoof pages: making the customer believe they are interacting with their bank or the genuine online shop when infact they aren't. For instance: people login to their online bankaccount, using a login device for better security, but then when they go to move funds (make a payment, move money around, ...) they will expect a delay. The client things it must be a temporary hickup (slow server, slow internet, temporary connection problem, ...) and after 30 or so seconds go to a page to confirm the payment. Infact this is a duplicate page, the thief/hacker has placed an additional transaction order, and when the customer confirms the order both the genuine order and the hackers/thief's order are confirmed by the accountholder... Which means you may be emptying your own bankaccount without you realizing (you only sent out an order for a 50 euro payment, but the thief added a 5000 euro order, thus instructing you bank to remove 5500 euro's which you will confirm with your login details and the login/payment device the bank has given to you to confirm your identity).
This site is part of the Defy Media Gaming network
The best serving of video game culture, since 2001. Whether you're looking for news, reviews, walkthroughs, or the biggest collection of PC gaming files on the planet, Game Front has you covered. We also make no illusions about gaming: it's supposed to be fun. Browse gaming galleries, humor lists, and honest, short-form reporting. Game on!
The Pub 
1Likes
Magnetic swipe credit cards will finally be phased out in the US 
Linear Mode
