Credit card of tomorrow: software, not plastic

Credit card of tomorrow: software, not plastic

Recent data breaches injected new urgency into adopting newer technology

Credit card of tomorrow: software, not plastic

Since the 1970s, paying with plastic has been pretty standard everywhere: customers swiped their cards, signed receipts and took home their purchases. 

But after security breaches at Target late last year led to the loss of personal data from as many as 110 million customers, the financial industry is racing to adopt technologies that will alter that decades-old ritual. Driven largely by security concerns, credit card companies and issuers say they are working to make the system as consumers know it obsolete through smart chips and advanced computer programming. 

To many, it is about time. The roots of the magnetic strip on credit cards extend back to World War II, ample time for thieves to learn to hack and steal those black lines of prized account information. Credit card fraud totalled nearly $5.3 billion in the United States alone in 2012, giving the industry plenty of incentive to devise a better system. The amount lost to fraud continues to grow by 30 to 50 per cent a year, according to estimates from the Aite Group, a research company. 

Efforts to bolster card security were underway well before hackers broke into the systems of Target, Neiman Marcus, Michaels and other store chains. But the recent data breaches injected new urgency into adopting newer technology. “I think this will become a defining moment about how we in the industry think about security,” said Eileen Serra, the chief executive of Chase Card Services. 

The credit card industry, especially in the United States, has long relied on increasingly sophisticated analytical programmes to weed out potentially fraudulent transactions. But it has also focussed on a handful of technologies it contends will better protect customers in stores and online. One is placing microprocessors onto cards, a standard known as EMV for its initial backers: Europay, MasterCard and Visa. Another is known as tokenisation, a way of masking consumers’ card information over the Internet. “It’s about taking vulnerable data out of the merchant environment,” said Ellen Richey, Visa’s chief legal officer. 

EMV is the best-known technology. Such cards are embedded with smart chips authenticating that their bearers are their rightful users. The chip is also extraordinarily difficult for thieves to counterfeit. Cardholders verify the transaction with a PIN or a signature. Though the latter is less secure, it will likely be more prevalent in the United States at first, though Chase and others expect to offer chip-and-PIN cards this year. 

Europe and parts of Asia have already used the system for the better part of a decade, while American merchants and issuers have balked, largely because of cost. Chip-equipped cards cost an estimated $1.30 each to make, while a standard plastic card with a magnetic stripe on the back costs roughly 10 cents. Retailers, too, have been loath to update their systems to accept chip technology because of the added cost. 

“EMV is going to cost billions of dollars to implement in this country,” said Shirley W Inscoe, an analyst at the Aite Group. But research suggests that the system works. In 2005, when Britain fully phased in the EMV technology, credit counterfeit card fraud was 25 per cent; such fraud plummeted to 11 per cent seven years later, according to the Aite Group. 

Visa, MasterCard and American Express all announced road maps for adopting smart chips more than a year and a half ago, with the aim of forcing most retailers and issuers to put EMV in place by October 2015 in the United States. By then, the liability for any counterfeit fraud will fall on whoever has not adopted the chip technology (gas stations and ATMs will have until 2017 to meet the new requirements.) 

From 17 million to 20 million chip cards have been issued in the United States, according to the Smart Card Alliance, an industry group. But that represents just 2 per cent of the one billion cards in use. In many ways, the chip technology is already decades old. It has been around since the 1990s, born in an era before the Internet and widespread e-commerce. 

Industry officials concede that such technology would not have prevented the data breach at Target, or any sort of online fraud in which thieves obtained lists of customers’ credit card numbers. Markets where EMV has been adopted have shown a significant increase in Internet fraud. That is a gap that tokenisation is meant to fill.
 The technology works behind the scenes of a digital transaction: customers still put in their card number, but software then transforms that information into a one-time token — a randomly generated code — that is sent through the payment-processing chain. Thieves who intercept the code can do little with it without the means to unscramble the token. 

To many in the industry, part of the technology’s appeal is that it requires less upheaval than EMV customers still put in card information as they always have. And the digital tokens are largely in the same format as traditional card numbers, but mask identifying information. 

“Now you don’t have personal information around the world,” Serra said. “With tokenisation, we can keep that data much more secure.” The hope of digital tokens is that they will not be confined to any one way of paying. Websites, digital wallets and mobile devices could all use the technology, broadening its utility. “Every device should have the same foundation,” Ed McLaughlin, MasterCard’s chief emerging payments officer, said. 

Token technology

Still, for years token technology lacked the sort of universal standard that underpins chip cards. But in recent months, a joint venture of Visa, MasterCard, American Express and others announced a proposed framework to ensure that everyone was on the same page. At least two of the five biggest card issuers in the United States are adopting some form of tokens, Inscoe said. 

A framework for token systems is still being built, and meaningful adoption is years away, said Randy Vanderhoof, the executive director of the Smart Card Alliance. For now, chip cards will help eliminate the most obvious and pressing kinds of fraud. “If your boat is leaking in multiple places, and you can’t plug them all up at the same time, you plug the biggest one first,” Vanderhoof said. 

Ultimately, while physical cards will remain in use for some time, many in the industry predict plastic as the primary way to pay will give way to digital wallets embedded in smart phones, tablets and other devices. MasterCard is already testing a way for Australian consumers with Samsung Galaxy S4 phones to pay using their phones. 

Smart chips and tokens eventually will be embedded in an array of computers, providing multiple layers of security, Mr McLaughlin of MasterCard said. A consumer’s smartphone will not only have a unique ID, it will also generate one-of-a-kind tokens for every transaction — ones that can easily be disabled if the phone is lost or stolen. “The mag stripe will become functionally obsolete,” Richey of Visa said. “Mobile will take over.” 

Get a round-up of the day's top stories in your inbox

Check out all newsletters

Get a round-up of the day's top stories in your inbox