US gets chance to catch up on credit card security

Sep 09, 2011 By PETER SVENSSON, AP Technology Writer
Two bank smart cards are displayed in London, Friday, Sept. 9, 2011. Smart cards with built-in chips are the equivalent of a safe: they can hide information so it can only be unlocked with the right key. Because the important information is hidden, the cards can’t be copied. The cards are recognizable by the fingernail-sized gold contacts embedded on one side. Through the contacts, a chip inside the card can transmit information to a terminal when slid into a slot. (AP Photo/Martin Cleaver)

The next time you swipe your credit card at check-out, consider this: It's a ritual the rest of the world deems outdated and unsafe.

The United States is the only developed country still hanging on to credit and debit cards with those black magnetic stripes, the kind you swipe through retail terminals. The rest of the industrialized world has switched, or is in the process of switching, to "smart" chip-based cards.

The problem with that black stripe on the back of your credit card is that it's about as secure as writing your account information on a postcard: everything is in the clear and can be copied. Card fraud, and the measures taken to prevent it, costs U.S. merchants, banks and consumers billions each year.

The chip-based cards can't be copied, which greatly reduces the potential for fraud. Smart cards with built-in chips are the equivalent of a safe: they can hide information so it can only be unlocked with the right key. Because the important information is hidden, the cards can't be replicated.

But the stripes have been so entrenched in the vast U.S. payment system that banks, payment processors and retailers have failed to reach consensus on how to revamp it, leaving the U.S. behind the rest of the world.

"The card system in this country has been dysfunctional for a long time," says Mallory Duncan, general counsel of the National Retail Federation. "We have far, far too much fraud because we have a very antiquated payment system relative to the rest of the world. This is something they should have fixed a long time ago."

Yet even here, there are now serious moves to swap conventional cards for smart cards in a few years.

Last month, Visa announced new policies that will give U.S. banks a reason to issue smart cards and stores several reasons to accept them, starting in 2015.

Eric Schindewolf, product manager for smart cards at Wells Fargo & Co., says Visa's announcement is a "watershed" moment.

"I think that the U.S. has reached a tipping point. You'll begin to see more and more smart cards in the hands of U.S. consumers," Schindewolf says.

Smart cards are recognizable by the fingernail-sized gold contacts embedded on one side. Through the contacts, a chip inside the card can transmit information to a terminal when slid into a slot.

Here's how a smart card works in practice: When it's time to settle the bill at "Le Gaspard de la Nuit," a tiny restaurant just off the Place de la Bastille in Paris, the waiter brings to the table a wireless payment terminal. The customer inserts his chip-equipped "smart" credit card and enters his code on the keypad.

Voila! The foie gras is paid for without the card leaving the customer's sight, and the combination of chip and PIN code kept the transaction safe from fraud.

The U.S. payments industry has so far been locked up in a "chicken and egg" quandary, Schindewolf says. Stores had little reason to install terminals for smart cards if banks didn't issue them, and aside from some contactless cards, banks didn't issue them because stores wouldn't accept them.

The impasse has left U.S. businesses and consumers struggling with higher fraud rates. Richard Sullivan, the senior economist in payments research at the Federal Reserve Bank of Kansas City, says that in 2006, 9 cents out of every $100 paid by card in the U.S. ended up in the pockets of criminals. The comparable figure for Spain was 2 cents. Sullivan believes the use of smart cards there is a big reason for the difference. Other factors play a role, too. Spaniards, for instance, are less likely to shop online.

Javelin Strategy & Research puts the amount of fraud based on stolen card numbers in the U.S. at $14 billion. Fraud based on new card accounts created using stolen identities adds billions more - the total cost of identity fraud in the country is $37 billion.

Visa's move comes as industry experts are warning that U.S. merchants are set to become targets for fraudsters in other countries where payment systems already have tighter security. Since counterfeit magnetic-stripe cards are now difficult to use in other countries, these criminals will probably ship the cards to the U.S.

That prospect is especially worrisome now that Mexico and Canada are adopting smart cards, experts say.

"There's already evidence that that type of channel for fraud is increasing in the U.S.," says Sullivan.

The U.S.'s status as a holdout has also started to cause problems for travelers. While most European stores and restaurants still accept magnetic-stripe cards, Americans are finding that their credit cards don't work in European automated kiosks, like the ones that sell tickets for the Paris Metro. Some U.S. banks, like Wells Fargo, have started issuing smart cards to customers who travel abroad.

Next year, Visa will start dangling this carrot in front of store owners: If they replace most of their terminals with ones that accept smart cards, they will no longer need to have their payment-system security checked every year. U.S. stores spend hundreds of millions of dollars a year for these audits, according to the NRF.

In an even more momentous shift, in 2015 Visa is shifting the liability for a certain kind of fraud from the banks to stores.

The specific case is this: If a customer presents a smart card in a store that can't accept it, then it will fall back to using the backup magnetic stripe on the card. If that transaction turns out to be fraudulent, the payment processor will be liable, and in practice, make the store eat the loss. Today, the bank would be liable for the fraud.

The change means that banks will have an incentive to put chip-based cards in their customers' hands, since their fraud liability will be reduced when the cards are used. For their part, stores will have a reason to install smart card terminals, because otherwise, their fraud costs could increase.

Javelin puts the cost of moving to chip-based cards at about $8 billion, mostly for upgrading payment terminals in stores.

The retail federation's Duncan calls Visa's move a necessary step, but not a fully satisfactory one. One of the shortcomings he sees is that it doesn't mandate the use of PIN codes with smart cards, so even if the cards can't be copied, they could still be used on a signature basis if stolen.

Smart cards won't help secure online payments either, at least not initially, so that will remain an avenue for fraudsters. But they could help secure online transactions if paired with computers that can communicate with the chips, perhaps through accessory card readers. (American Express issued PC readers for its Blue smart card in 1999. But the "smart" features on the card were proprietary to Amex, and saw very little use.)

Phone makers are also starting to build smart-card chips into cellphones, which could then be used in place of cards at "contactless" terminals and perhaps help secure online shopping done through the phone.

The world's largest retailer, Wal-Mart Stores Inc., can't wait for smart cards to come fast enough. It's frustrated with the gaping security holes in the current payment system and wants to save money on card-acceptance fees that are inflated by fraud.

Wal-Mart has already installed terminals with slots for smart cards in all its U.S. stores, and it's working on getting the behind-the-scenes software working, so it can start accepting payments. It, too, sees PIN codes as essential to the security of the system.

"Signatures are a waste of time," says Jamie Henry, senior director of payment services at the company. "They add no value to anyone."


User comments: 17


Isaacsname
5 / 5 (1) Sep 09, 2011
Chip and pin already compromised.

http://www.youtub..._RBA9gIo

hush1
not rated yet Sep 09, 2011
? PETER SVENSSON and AP suffer even more from a lack of creditability. From zero to negative trust. The last nail in the coffin of all mainstream media.

"This material may not be published, broadcast, rewritten or redistributed." How true. The article never existed. No one is liable.
Eikka
4 / 5 (2) Sep 09, 2011
All the chip&pin machines I've ever used allow you to bypass the pin by authorization with signature. The machine just says "check signature" to the cashier.

And nobody ever does.

Plus, for certain cards it can sometimes take up to five minutes to get an online verification from the bank. And the chips have regular connection problems because of dirt and wear, and the machines too.

People lick their cards to get them to work sometimes. It's just horrible.
tigger
5 / 5 (1) Sep 09, 2011
*Ducks and covers from impending tide of irrational "U.S.A... U.S.A... U.S.A..." chanting mob*
Temple
5 / 5 (2) Sep 09, 2011
"Plus, for certain cards it can sometimes take up to five minutes to get an online verification from the bank. And the chips have regular connection problems because of dirt and wear, and the machines too."


Verification occurs whether you have a chip or a swipe card. The pin check is performed in-machine and occurs whether there is a connection or not (you'll note it says "Pin OK" almost immediately).

All manner of things can affect the ability for a chip or a magstripe to be read.

Reverting to signature verification on a chip card usually costs the merchant the fraud protection normally provided by Visa. If they choose to swipe a chip card, Visa will not reimburse them if the card was stolen (which it would on a non-chip card).

Chips are more secure, not failsafe.

As a consumer, I didn't like them at first, but believe it or not, the average transaction time is actually reduced compared to when a signature is required. It's a pain in the butt now when I have to enter my pin.
Gordon_Jenkins
1 / 5 (1) Sep 09, 2011
Rev. 13:16-17. Favourable press? Why is that? Ah yes, the ol' everybody has one propaganda put out by the One World Banking System. Nice Try, Satan!!
SmaryJerry
1 / 5 (1) Sep 10, 2011
I couldn't find one reason chips are better than magnetic strips. The best defense is still the credit card companies' spend monitoring so it gets shut down for irregular activity.
TheQuietMan
not rated yet Sep 10, 2011
"Rev. 13:16-17. Favourable press? Why is that? Ah yes, the ol' everybody has one propaganda put out by the One World Banking System. Nice Try, Satan!!"
Don't worry, the world really does end in 2012, unlike all the other announcements.

Thing I wonder, how about online transactions?
harmlessdrudge
4 / 5 (1) Sep 10, 2011
I've been using chip and pin for over 10 years in Europe. Never been defrauded and only once ever had any problem, and that was resolved by using another card. In using such cards more or less daily I have NEVER had a transaction take 5 minutes. Most are more or less instant.

No surprise to see One World Banking system nonsense here.
Eikka
not rated yet Sep 10, 2011

"Verification occurs whether you have a chip or a swipe card. The pin check is performed in-machine and occurs whether there is a connection or not (you'll note it says 'Pin OK' almost immediately)."


Actually, it doesn't. The pin authorizes the transfer, but doesn't verify it.

For debit cards, the online verification is done randomly, or for transfers of over 50 euros. I've used the machines and they don't do online verification most of the time, unless it's an Electron card, in which case it always verifies, and it usually takes a long time. Especially if it's a handheld unit that operates over radio. It's used to see if there's any money on the account.

Save for the exceptions, the unit sends the transactions over the internet during the night, or when you manually press send. The list of closed cards is also downloaded when the unit sends the transactions to the bank, so when you lose a card and report it, there's still an up to 24 hour window when it may be used.
twildeman
not rated yet Sep 10, 2011
My fellow Physorgers,

I'm a pin user for as long as I can remember. In the last couple of years a new criminal practice of skimming was running rampant here. Not until public outcry became a publicity problem (conjecture), all terminals were altered to use the chip that was on the cards since way back when. The magnetic strip is not allowed anymore. Before this the magnetic strip was used. On this magnetic strip the PKI way of authentication is used, think ssl. A public token and a private token are sent to the bank system, where the transaction is signed by this 'signature'. Now with skimming, you can obtain the private token on the strip and by using a camera or however, you only need the pin number. All easily done. With a chip, the signature is calculated on chip and checked at the bank system. This is done for every transaction as was always the case. Because banking systems are not yet ready an intermediate solution is used and this intermediate is hacked.
twildeman
not rated yet Sep 10, 2011
With only a credit card swipe as authentication and trusting the merchant to check the physical signature, leaves a whopper of a chain of trust exploit. So even though the magnetic strip has been used in Europe for a very long time. The method employed was more secure than the credit card way for simply using a pin as a signature. That effectively cuts the merchant out of the chain of trust.
canuckit
5 / 5 (1) Sep 10, 2011
What about US catching up on metric system?
rwinners
not rated yet Sep 11, 2011
I suggest a thumb scan or iris scan would be much preferable to a pin code.
twildeman
not rated yet Sep 11, 2011
Biometric scanners have already been fooled. A pin number is non-persistent in the open. It is not accessible without the free will of the person knowing the pin. A thumb print is, and so is an iris. Security is better by using the K.I.S.S. method. Keeping things as simple as possible eliminates possible attack vectors.
Gordon_Jenkins
1 / 5 (1) Sep 11, 2011
"In 1966, a national credit card system was formed when a group of credit-issuing banks joined together and created the InterBank Card Association, according to MasterCard."
...
"While the plastic card has been the standard for a half century, recent developments show alternative forms of payment rising to prominence, from online services such as PayPal to credit card keyfobs to chips that can be implanted into cell phones or other devices."

ATM cards go back to the 1960's and early 1970's in London and New York.

Chip and PIN SMART cards were invented in Germany 1968, patented 1983 and first used in France in 1985 for Public Telephones (Telecarte).

Electronic banking systems have been evolving and Banks, being corporate entities, have been merging. Simple extrapolations are being overlooked. Fraud never ceases.
What is inconceivable about the human body storing the bank info? Rev13:16-17 is not inconceivable. Who tells the U.S. President what to do, the banks or the people? Think!
Magnette
not rated yet Sep 12, 2011
As well as the security argument there is also the problem of not being able to use non-chip cards in ATM machines or a lot of retailers these days. Retailers have just not been set up for manual card swiping and signature verification for many years now.

I have some American friends who regularly visit and they've had to get in the habit of buying a pre-loaded Visa card in the UK and transferring funds to it as needed because none of their cards will work in Europe anymore.