U.S. clings to insecure magnetic stripe cards — what’s the attraction?

By Linda Musthaler | January 18, 2012

Posted in: Network Security Trends

The next time you dine out and hand your credit card to the waiter to cover the check, think of this story. In November 2011, the Manhattan District Attorney’s Office announced that law enforcement agencies had broken up a ring of 28 people, most of them waiters, who were using handheld card skimmers to steal credit card data from customers dining in high-end restaurants in New York, Connecticut and New Jersey. Shortly thereafter, a waiter at a restaurant near me in Katy, Texas was busted for card skimming.

The New York gang was able to convert the stolen credit card numbers into cash and merchandise worth more than a million dollars. The group used data from the magnetic stripe on the back of customers’ cards to print counterfeit cards that were then used at ATMs and in luxury goods stores. It’s not hard. Card skimmers are readily available for less than $30, and the data that a reader gathers can be printed onto a blank plastic card for mere pennies.

The technology used in magnetic stripe credit cards is more than 40 years old. In fact, magstripe cards themselves are so insecure that the payments industry has had to build multiple layers of security around them. For example, the bank that issued your credit or debit card knows your typical usage habits. If someone – perhaps you, perhaps not – tries to use your card (or a counterfeit replica of your card) at an unusual place or time, the transaction may be flagged for scrutiny or even rejected. This is just one of many antifraud measures in use today. Despite these efforts, payment card fraud in the U.S. totals about $8.6 billion a year, according to the analyst firm Aite Group.

The United States is the last major region of the world that still uses a magnetic stripe as the primary means to encode the sensitive data used in a payment transaction. The rest of the world is on a security standard known as EMV that uses a smart chip embedded in the card to store the account number and other sensitive data. EMV stands for Europay/MasterCard/Visa — the companies that originally developed the standard in 1994. EMV-based credit cards are far more secure than magnetic stripe-based cards. The countries that have adopted the EMV standard have seen their card fraud rates plummet.

You might wonder why we don’t start using EMV cards in the United States if they work so well elsewhere. In order for the U.S. to adopt the EMV security standard for credit and debit cards, every aspect of the card payment system has to agree to go along with the switch. Consider what this means:

  • Every bank and credit union that ever issued a credit or debit card would have to reissue new cards with the embedded chip. There are 609.8 million credit cards and 520 million debit cards in use in the U.S. today, and it would cost an average of $2-$4 to replace each magstripe card with a smart card. The total replacement cost is estimated to be $1.4 billion.

  • Every merchant that accepts payment cards at the point-of-sale (POS) would have to change out its equipment for card readers that read the data on the embedded chip rather than on a magstripe. There are more than 15 million POS devices installed today in stores, restaurants, gas stations, vending machines, kiosks, etc.; replacing them would cost about $6.75 billion.

  • Every ATM device would need to be replaced or upgraded to support the new card reader technology. There are about 350,000 machines in the U.S. today. Replacing/upgrading them is estimated to cost about $500 million.

  • All told, it could be an $8 billion proposition to implement the EMV smart chip antifraud technology.

If the annual cost of fraud (which is largely borne by the banks that issue the cards) is $8.6 billion and the one-time cost to implement the new technology is $8 billion, it seems like there would be a fairly quick ROI.

Major payments industry players including Visa and MasterCard are trying to jump-start the EMV migration efforts, but it will take much more than just those card brands issuing a few mandates to the banks that issue their cards and the merchants who accept them. To date, the U.S. federal government has declined to get involved, but it truly might take an act of Congress to bring about the wholesale replacement and retirement of magstripe-based payment cards in the U.S. to increase payment card security for us all.

In my next post, I’ll talk in detail about EMV technology and why it makes credit/debit cards so much more secure.
