The massive data breach at Target is a big shining beacon illuminating exactly how behind the times the United States remains when it comes to credit card security — namely EMV® chip technology.
EMV is a worldwide standard for credit and debit card payments based around the use of chip card technology. The acronym stands for Europay, MasterCard, and Visa, who collaborated to create the technology. The goal of this project was to create a card that worked based off of a microprocessor chip that is read by the payment terminal. Because the U.S. has yet to widely deploy embedded chip technology, the nation has increasingly become the focus of hackers seeking to steal such information. The stolen data can easily be turned into phony credit cards that are sold on black markets around the world.
In fact, KrebsOnSecurity, the website that broke the news of the Target hack, has reported that the card information stolen in the Target Data Breach has been showing up on the black market. Credit and debit card accounts stolen during the security breach have reportedly flooded underground black markets, going on sale in batches of one million cards. The cards are being sold from around $20 to more than $100 each.
Over the last decade, most countries have moved toward using credit cards that carry information on embeddable microchips rather than magnetic strips. The additional encryption on these aptly named smart cards has made the kind of brazen data thefts suffered by Target almost impossible to pull off in other countries. Which is why as of Q4 2012, there were roughly 1.62 billion EMV cards in consumers’ hands and 23.8 million terminals deployed throughout Europe, Asia, and Africa. About 80 countries have adopted the technology as a standard. By comparison, about 1% ofcredit cards issued in the U.S. contain such technology, making the United States a tasty target for hackers.
“The U.S. is one of the last markets to convert from the magnetic stripe,” Randy Vanderhoof, director of the EMV Migration Forum told the LA Times. “There’s fewer places in the world where that stolen data could be used. So the U.S. becomes more of a high-value target.”
The credit card industry reports the U.S. accounted for only 24 percent of global credit card payments by volume in 2012, but it accounted for 47 percent of the fraud.
So Why No Chips in the U.S.?
According to experts the reasons the U.S. lags so badly in adopting smart cards are complicated. In part, there hasn’t been the political will to demand that businesses and financial institutions make the change. One might think the Target data breach would spur politicians to action or at least get consumers to light a fire under those politicians. But the Target hack is just one in a growing list of data breaches, and the 40 million compromised cards are rather mundane.
In April of 2011, the Playstation Network was hacked, compromising the vital information of 77 million accounts, and 24.5 million Sony Online Entertainment accounts. This has been touted as one of the largest personal data heists recorded in history, and prompted Sony to shut down its services for a month. In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into is internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.
If neither of those data breaches could spur on the adoption of EMV cards, it’s unlikely the Target hack will move the needle. The inertia built up against the smart cards then must be due to some other reason Analysts also say the payment processing system in the U.S. is more complicated, with merchants, credit companies and banks reluctant to spend the big bucks it would take to convert a system with 1 billion credit cards to EMV from magnetic stripes. But that’s still too murky.
The primary reason such technology has taken so long to make its way into the U.S. is far more simple: Chip-embedded cards are more expensive to produce. Each merchant would have to purchase new equipment to hand them.
What the Future Holds …
The good news for consumers is that the U.S. is indeed moving to embrace smart credit cards. The Official Merchant Services Blog reported almost two years ago that the United States was moving slowly but surely toward adopting chip cards. Visa took the lead in the U.S. push, reporting that as of December 31, 2011, the credit giant had issued more than 1 million credit cards that use “chip” technology to store consumer payment information. Visa made an announcement in August 2011 hat it planned to start issuing more EMV — Europay, Mastercard, Visa — smart cards to push the industry toward better security and an easier transition to mobile payments.
In the last couple of years major card issuers have laid out road maps for upgrading the card technology, and many have set out to achieve this by October 2015.
TransFirst, Host Merchant Services’ acquirer and one of the premier providers of transaction processing services and payment processing technologies in the U.S., issued a mandate in response to the EMV push. TransFirst said that Visa will require U.S. acquirer processors and sub-processor service providers to be able to support merchant acceptance of chip transactions no later than April 1, 2013. Visa also intends to institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale transactions effective October 1, 2015, and for fuel-selling merchants by October 1, 2017.
Ocotber 2015 was chosen because at that point major credit card companies will change their rules about who is liable for fraudulent purchases caused by security breaches. Under the new rules, the entity in the payment chain — merchant, credit card, banks — deemed to have the weakest security will be liable. Credit card companies can’t make anyone adopt the technology, but they’re giving them a hard nudge.
The Bottom Line
While the Target Data Breach once again brings up the topic of credit card security, it seems like the U.S. is still poking along with its slow adoption of EMV chip cards. Hackers will still continue to target the low hanging fruit that the largely magnetic stripe based U.S. credit card industry still works with. But EMV chips and increased digital security of cardholder information is coming. October 2015 looms closer and closer.
