The Washington Post
U.S. banks and retailers, a decade behind in deploying the secure, high-tech credit cards used elsewhere in the world, may take years longer to switch to a system that all but eliminates common types of fraud.
Under pressure from credit card companies, major banks and retailers have begun to roll out the cards, which carry a computer chip and advanced security software that keeps the customer’s account number and other details invisible, even if crooks manage to steal records from a store or bank.
But the conversion could take years to reach critical mass amid a squabble over who will foot the estimated $8 billion bill, and despite fears that scammers have been targeting the United States because of its outdated technology. U.S. credit card fraud rates, once the lowest in the world, have doubled in the 10 years since chip cards spread through Europe.
The theft of tens of millions of records from Target over the holiday shopping season has focused attention on the United States as a weak link. Lawmakers have begun to call for faster action to secure systems while law enforcement agencies investigate the massive breach, which is thought to have been the work of sophisticated overseas hackers.
But taking even the obvious step of introducing state-of-the-art cards "will take time. . . . The U.S. is the largest and the most complex market to move, so that will influence the migration," said Carolyn Balfany, a senior vice president with MasterCard Worldwide.
Balfany estimated that even by that deadline, the number of cards and terminals carrying the advanced technology may only be "in the midrange" -- a vast improvement over the negligible numbers of chip cards and terminals currently in place, but one that would still leave many consumers vulnerable.
Fraudulent purchases using fake credit cards or stolen numbers can be a nightmare for individuals. Consumers are protected under federal law from paying for the purchases but must still deal with the potential damage to their credit record and worry about the risk of more serious forms of identity theft.
Across the country’s sprawling retail economy, however, the cost has been relatively small -- as little as $1.1 billion a year lost to the fraudulent transactions chip cards are most likely to prevent, according to U.S. Federal Reserve data, an amount that businesses have been willing to absorb rather than invest in a new system.
In a 2012 Federal Reserve Bank of Atlanta study, payments risk expert Douglas King concluded that the level of fraud in the United States was low enough that the business case for chip cards had "yet to fully crystalize."
The conversion has also been tangled in disputes between banks and retailers over the cost of payment processing -- the "interchange" fees merchants pay to use credit cards -- and the risk posed by other types of fraud, such as online scams, that chip cards cannot prevent.
The result: While the rest of the world has sped forward, U.S. shoppers remain at risk in a system where old-school magnetic-stripe cards will remain the norm for perhaps several more years. Unlike the chip-bearing cards, data from magnetic strips are easily read and exploited by hackers, who can use the information to make fake purchases, produce counterfeit cards or use in other identity-theft schemes.
Banks typically are introducing the new cards as old ones expire, which means it could take as long as three years to complete the process, given the usual replacement cycle. The larger card-issuers have announced no plans to speed up the process following the Target breach.
Large retailers such as Wal-Mart and Target, meanwhile, have invested in the new terminals needed to read the extra security that chip cards offer, but it’s not clear how long smaller companies or mom-and-pop stores will take to make the conversion.
In Western Europe, where the chip technology first developed, more than 90 percent of retail terminals and 80 percent of cards have been shifted to the chip-based system.
The technology has not eliminated all fraud, but it has lead to a dramatic reduction in some staple criminal tactics. Chip cards are all but impossible to counterfeit, for example, and even if records are stolen from a central company computer or "skimmed" from a store terminal, the consumer’s information is inaccessible.
"Even if you do a systems breach, it makes the data much less valuable," said Jack Jania, senior vice president for Gemalto North America, the U.S. subsidiary of a Dutch card-manufacturing company that makes about 2 billion credit, debit and other cards a year. Jania said stolen records from transactions involving chip-bearing cards sell on the black market for perhaps a tenth of what criminals will pay for records derived from magnetic strips.
"The U.S. is being targeted for these kinds of breaches specifically because you can clone our cards. And on the card black market, the fraudsters are sophisticated enough to know that."