The dysfunctional state of America's credit cards
First prototyped by IBM in the early 1960s and officially rolled out in 1970, the "magstripe" credit card has been in widespread consumer use since Paul McCartney announced that the Beatles were breaking up. Magnetic stripe card technology is outdated at best––predating the floppy disk by only a year––and hugely insecure at worst. After all, it was behind the Target breach, which keeps getting worse. Neiman Marcus became the latest retailer to announce a hack of its network last Friday, the same day Target expanded the size of its breach to include personal data on up to 70 million people, beyond the 40 million people whose specific credit card information was hacked.
The U.S. is a laggard on the global stage in still relying on this technology rather than EMV—otherwise known as Smart Chips, or computer chips embedded into credit cards––for point-of-sales transactions. Some European nations moved to the Smart Chip cards as a result of legislation to combat fraud, while emerging-market nations leapfrogged over the magstripe, similar to the move to cell phones before a landline was ever sunk into Earth.
The story of why the U.S. remains the world's laggard in point-of-sales technology is a battle between the country's biggest banks and retailers, and it threatens the reputation and business of all consumer-oriented businesses. "While the Target breach is serious, consumers divulge the same information every time they hand their card to a waiter in a restaurant," said Paul Schaus, president and CEO of CCG Catalyst Consulting Group.
Professor Danny Dolev of The Hebrew University of Jerusalem said chip and PIN cards are much harder to copy than traditional "swipe and sign" cards, partly because new cards cannot be cloned. "If we use stronger security and don't keep customer information, we'll be in much better shape," Dolev said.
(Read more: Target CEO still shaken by data breach)
There are hundreds of millions of magstripe cards in the U.S., and despite an upswing in U.S. credit card fraud, a report released in December 2013 by the Federal Reserve Financial Services Policy Committee indicates that American credit and debit card usage steadily rose over the past several years, growing at a rate of 7.6 percent from 2009 to 2012. Since it's one of the last markets in the world where thieves can operate against the easy-to-outsmart magnetic stripe technology, there's no reason the Target breach will be the last if EMV technology isn't adopted more quickly.
"The U.S. is the last country to adopt chip and PIN," said Avivah Litan, vice president and analyst at Gartner, specializing in data analytics and financial fraud.
Your account vs. bank accounting
Richard Sullivan, senior economist at the Federal Reserve Bank of Kansas City, said for financial institutions it may be a matter of a cost-benefit equation. It's cheaper for banks to absorb the cost of fraud up to a certain point than to develop and issue new cards. According to Sullivan, banks are essentially asking: "Is all the investment worth the reduction in fraud?" In the end, the banks answer that question with a no.
"It's been a system with fraud rates that cardholder services have been comfortable with," Sullivan said.
Experts say when fraud occurs on cards, to a large extent that fraud has been absorbed by retailers. Though there is some debate over the exact amount retailers absorb versus financial services companies, "it's all stacked against the retailers. Nobody [among the banks] has wanted to spend the money. There's no incentive," Litan said.
Experts insist that the superior security of these cards does not rely simply on the computer chip being more difficult to counterfeit than the magnetic stripe. PIN numbers certainly remain fallible, yet compared to signatures, they still offer far stronger security on the user end. Many of these cards don't only include a chip but require a PIN rather than a signature, a technology feature that experts say would have prevented the recent Target security breach, in which customer payment information was "skimmed" from the magnetic stripes on the back of the cards.
Even though PIN numbers were stolen in the Target breach, Litan said that PINs used with EMV systems work by unlocking the key for the chip, but the PIN itself "does not travel anywhere." And EMV can also use dynamic verification codes that change with every transaction.
(Read more: Google Glass coming to your local police beat)
If the U.S. were to adopt chip and PIN cards, 100 percent of retail transaction fraud would shift to e-commerce, Litan predicted. The thieves will find a way to adapt, but they can't clone a chip card like a magnetic strip card. "It would be a big step up—a huge step up," she said.
Embedded chips are more costly than the simpler magnetic stripes. The banks—and the U.S. payments duopoly of MasterCard and Visa—also make more money from signature card transactions than on PIN card transactions, one reason for the ambivalence about adopting chip and PIN versus chip and signature. PIN transactions can travel across more networks, and that competition keeps the cost of pin transactions down. Signature transactions, on the other hand, travel across two networks, Visa and MasterCard, ensuring virtually no competition—and keeping things less secure and more expensive for retailers and consumers.
As more markets have migrated to EMV, the concentration of fraud in those markets that have not migrated has accelerated, including the U.S., said Carolyn Balfany, senior v.p. of EMV at MasterCard, in an email statement. Balfany said now is the time for the U.S. to migrate to EMV cards, though she did not specify whether it supports chip and PIN or chip and signature cards, stating that each issuer and merchant manages their own business and technology decisions and whether, how and when to implement EMV. Visa did not respond to a request for comment.
For years Wal-Mart has been campaigning for chip and PIN cards, which its point-of-sales system can accept. Walmart would not comment further and said it was allowing trade groups representing the retail industry to speak out on the issue. Target tested a program approximately 10 years ago that utilized chip technology in Target REDcards and VISA REDcards and in Target card readers. The test lasted for about three years. A Target spokeswoman said that there were many benefits to the system, but it didn't move ahead because the industry didn't adopt the system.
Rewarding the customer?
The banks sometimes seem more worried about getting retailers to reimburse them for cards that need to be replaced after a fraud than in updating the nation's card technology.
Until recently, few American banks offered credit or debit cards with EMV technology. The irony, as Michael Dolen at the blog CreditCardForum points out, is that JPMorgan Chase originated this technology. EMV, likewise, refers to Europay, MasterCard and Visa, the three companies that originally developed the specifications in 1994. The big banks and transactions companies are moving in the U.S., albeit slowly. In 2012 Chase Paymentech, a subsidiary of J.P. Morgan Chase, launched new "Future Proof" terminals to deal with the changing landscape of credit card transactions. Providing such terminals allows U.S. retailers to accept EMV-enabled cards and traditional magnetic stripe cards, as well as other new types of payments.
A JPMorgan spokesman said that the bank has been issuing rewards credit cards using EMV technology to customers for several years. Yet while customers who want a Smart Chip card have several options––from the elite, invitation-only JPMorgan Palladium Card to the British Airways Visa Signature Card––all of the cards on offer remain chip and signature, not chip and PIN. JPMorgan has no near-term plans to introduce a chip and PIN card in the U.S., the spokesman said.
"The chip cards being introduced by the U.S. banks are better protection than the magstripe cards, but they have one big problem," said a retail industry executive who did not want to be quoted due to the tension between retailers and banks on this issue. "You can't take a relatively high-tech solution like chips and marry it with a useless authentication device like signature and make any difference. You need chip and PIN to reduce fraud," the retail industry executive said. "We have to get there."
(Read more: How Target shoppers can protect their info)
It costs banks as little as 50 cents to issue a magnetic strip card, while a chip and PIN card costs several dollars, but the economic impediments are more complicated than just the "few dimes vs. the few dollars" that keeps banks from making the switch, the retail executive said. It costs retailers a fortune to replace all of their point-of-sales equipment and install the chip and PIN equivalent. That leads banks to delay on issuing the cards, since there are few systems able to accept the technology and few retailers willing to implement the new POS systems while the banks are still issuing cheap magnetic strip cards.
It's a chicken-and-egg economics lesson that requires concessions from both sides, but the retail executive said, "The banks are the biggest issue and need to be convinced. Retailers are willing to invest in the new equipment, but they are not interested in doing half a job." Chip and signature cards, the type to which the JPMorgan spokesman referred, don't go far enough to compel retailers to make the investment in new POS systems. Most experts agreed with this assessment.
Speaking to CNBC on Monday morning, Target CEO Gregg Steinhafel said it's time for the national card security standard to be upgraded to EMV technology. We think it's time for America to make that commitment. ... EMV chip technology is the right technology."
Macy's CEO, Terry Lundgren, said in a separate interview with CNBC, "The retailers, the banking industry [and] the credit card industry should be working very closely together to figure out what is the right technology to protect the consumers … and then work around the solutions from there." He did not say whether he supported the EMV technology in particular.
The financial and retail industries are finally facing self-imposed deadlines to meet halfway. By October 2014, banks must issue chip cards; however, there is no requirement for the cards to be chip and PIN. By October 2015, retailers are expected to install equipment to read these cards. Beginning November 2015, if fraud occurs and a retailer was prepared to read a chip card but the bank was still issuing the magnetic strip card, then the bank will eat the fraud costs. If a bank issues the chip card and the merchant hasn't installed a chip reader, then the merchant will have to eat the fraud charges.
MasterCard said it will keep to the date of having chip cards in the U.S. market by October 2015 for face-to-face transactions. "As we've seen recently, fraudsters will not delay their activities. Any delay in the liability shift dates would potentially increase the U.S.'s share of the world's fraud losses," Balfany said.
Gartner's Litan, though, takes all of these deadlines with a grain of salt, pointing to extensions on previous deadlines already granted to the banking industry. It's a legitimate question if 3 million small merchants across the U.S. and 7,000 banks will be required to meet the existing deadlines when push comes to shove. In fact, Litan joked that by the time chip and PIN cards are required in the U.S., the entire industry may have already made the move to wireless transactions—in fact, she believes that MasterCard and Visa are moving to EMV in the U.S. only because it supports wireless transactions.
And that's part of the problem with any technology: keeping up. "There's no such thing as a perfect prison, but all you can do is keep making the prisons safer and more secure," the retail executive said. He said of the Target breach, "The sad thing is the bad guys are out there. The good thing is, it's highlighting something we have been complaining about for a while: the fraud-prone nature of the magstripe, signature card world. That needs to be fixed. Whether it results in PIN and chip or dragged out so long we leapfrog to the next generation of mobile is hard to say."
—By Sarah Chandler, Special to CNBC.com