U.S. credit cards, chipless and magnetized, lure global fraudsters

Howard Schneider,Hayley Tsukayama,Amrita Jayakumar

U.S. banks and retailers, a decade behind in deploying the secure, high-tech credit cards used elsewhere in the world, may take years longer to switch to a system that all but eliminates common types of fraud.

Under pressure from credit card companies, major banks and retailers have begun to roll out the cards, which carry a computer chip and advanced security software that keeps the customer's account number and other details invisible, even if crooks manage to steal records from a store or bank.

But the conversion could take years to reach critical mass amid a squabble over who will foot the estimated $8 billion bill, and despite fears that scammers have been targeting the United States because of its outdated technology. U.S. credit card fraud rates, once the lowest in the world, have doubled in the 10 years since chip cards spread through Europe.

The theft of tens of millions of records from Target over the holiday shopping season has focused attention on the United States as a weak link. Lawmakers have begun to call for faster action to secure systems while law enforcement agencies investigate the massive breach, which is thought to have been the work of sophisticated overseas hackers.

But taking even the obvious step of introducing state-of-the-art cards "will take time. . . . The U.S. is the largest and the most complex market to move, so that will influence the migration," said Carolyn Balfany, a senior vice president with MasterCard Worldwide. The large card companies have said that as of late 2015, they will hold merchants or banks who have not moved to the chip-card system responsible for fraudulent purchases that the advanced cards would have prevented.

Balfany estimated that even by that deadline, the number of cards and terminals carrying the advanced technology may only be "in the midrange" -- a vast improvement over the negligible numbers of chip cards and terminals currently in place, but one that would still leave many consumers vulnerable.

Fraudulent purchases using fake credit cards or stolen numbers can be a nightmare for individuals. Consumers are protected under federal law from paying for the purchases but must still deal with the potential damage to their credit record and worry about the risk of more serious forms of identity theft.

Across the country's sprawling retail economy, however, the cost has been relatively small -- as little as $1.1 billion a year lost to the fraudulent transactions chip cards are most likely to prevent, according to U.S. Federal Reserve data, an amount that businesses have been willing to absorb rather than invest in a new system.

In a 2012 Federal Reserve Bank of Atlanta study, payments risk expert Douglas King concluded that the level of fraud in the United States was low enough that the business case for chip cards had "yet to fully crystalize."

The conversion has also been tangled in disputes between banks and retailers over the cost of payment processing -- the "interchange" fees merchants pay to use credit cards -- and the risk posed by other types of fraud, such as online scams, that chip cards cannot prevent.

The result: While the rest of the world has sped forward, U.S. shoppers remain at risk in a system where old-school magnetic-stripe cards will remain the norm for perhaps several more years. Unlike the chip-bearing cards, data from magnetic strips are easily read and exploited by hackers, who can use the information to make fake purchases, produce counterfeit cards or use in other identity-theft schemes.

Banks typically are introducing the new cards as old ones expire, which means it could take as long as three years to complete the process, given the usual replacement cycle. The larger card-issuers have announced no plans to speed up the process following the Target breach.

Large retailers such as Wal-Mart and Target, meanwhile, have invested in the new terminals needed to read the extra security that chip cards offer, but it's not clear how long smaller companies or mom-and-pop stores will take to make the conversion.

In Western Europe, where the chip technology first developed, more than 90 percent of retail terminals and 80 percent of cards have been shifted to the chip-based system.

The technology has not eliminated all fraud, but it has lead to a dramatic reduction in some staple criminal tactics. Chip cards are all but impossible to counterfeit, for example, and even if records are stolen from a central company computer or "skimmed" from a store terminal, the consumer's information is inaccessible.

"Even if you do a systems breach, it makes the data much less valuable," said Jack Jania, senior vice president for Gemalto North America, the U.S. subsidiary of a Dutch card-manufacturing company that makes about 2 billion credit, debit and other cards a year. Jania said stolen records from transactions involving chip-bearing cards sell on the black market for perhaps a tenth of what criminals will pay for records derived from magnetic strips.

"The U.S. is being targeted for these kinds of breaches specifically because you can clone our cards. And on the card black market, the fraudsters are sophisticated enough to know that."


While the United States still mainly uses traditional magnetic swipe banking cards, the rest of the world has been shifting to a different standard -- EMV smart chip cards (which stands for Europay, MasterCard and Visa). Established in the early 1990s, chip cards contain an embedded microprocessor that stores and processes encrypted information, making it difficult to copy or counterfeit, unlike magnetic swipe cards. Most in-store or face-to-face purchases require the cardholder to also enter a personal identification number to complete the transaction. Some chip cards may require only a signature.

-- Traditional magnetic swipe card, common in the United States

Most payment cards in the U.S. only have a magnetic stripe that is swiped at a payment terminal during a trans-action

Information recorded by a retailer when card is used:

Cardholder's full name

Primary account number

Card's expiration date

Country code

-- EMV "smart" microchip payment card

Most chip cards are "contact" smart cards, which require the card to be inserted into a payment terminal. A magnetic stripe is also on the back, but some countries are removing this to prevent fraud.

Information recorded by a retailer when card is used:

A unique transaction number, called dynamic authentication, is forwarded to the cardholder's bank. Merchants cannot link to an account number.


The United States -- a slow adopter to chip cards because fraud rates have been relatively low -- mainly uses magnetic stripe and signature for payment authorization, although some banks and card companies now offer chip cards upon request. Starting in 2015, Visa and MasterCard plan to start migrating to chip technology. Outside of the United States, in countries where fraud rates have been historically much higher, such as in Britain, more than 1.6 billion payment cards, 44.9 percent of all payment cards, are now using chip technology.

Chip cards impact on fraud in the United Kingdom

In 2002, three types of card fraud -- counterfeiting, lost or stolen cards, and cards stolen while in transit (mail non-receipt) -- accounted for more than $500 million, or 74 percent, of all fraud losses inflicted to merchants and card issuers. As the United Kingdom fully migrated to chip cards by 2006, chip cards were effective at drastically reducing those types of crimes, which resulted in criminals shifting to other fraudulent activity. By 2012, phone, Internet and mail order fraud (known as "card not present"), and card identification theft fraud accounted for more than $450 million, or 72 percent, of all losses. Losses attributable to card not present fraud are recently on the decline as online merchants are employing more secure payment verification services, such as 3d Secure by Visa and Mastercard.

Sources: "The U.S. Adoption of Computer-Chip Payment Cards: Implications for Payment Fraud" by Richard J. Sullivan, Nilson Report; Federal Reserve Bank of Kansas City; Douglas King, Federal Reserve Bank of Atlanta; Financial Fraud Action UK; UK Cards Association


By Howard Schneider, Hayley Tsukayama and Amrita Jayakumar
Washington Post