NEW YORK (MainStreet) – Credit card issuers have until October to change their dated, vulnerable magnetic strip technology, but breaches at Home Depot and Target in the past two years have ushered in the future in a hurry.
Visa, MasterCard, Discover, American Express and their banking partners have set a government-enforced deadline of Oct. 15 for a “liability shift” that, for the first time, would make merchants liable for any fraudulent charges resulting from using point-of-service readers that can't read so-called chip-and-PIN EMV cards. The issuers have been implementing the technology, but it's still up to companies including Home Depot, Target, Neiman Marcus and others to implement it or be held responsible for fraud resulting from continue use of magnetic strips. Home Depot, 7-Eleven, Target, Kroger stores and others have ramped up their adoption of the new readers, which consumers have been seeing in stores since at least the winter holidays.
“We’re seeing banks and issuers move slowly toward adopting chip technology,” says Matt Schulz, senior credit card industry analyst for CreditCards.com. “However, most of it is still chip-and-signature, as opposed to the more secure chip-and-PIN.”
Used in Europe since the early 1990s, EMV cards — which take their name from Europay/MasterCard/Visa — contain an embedded microchip that is authenticated using a personal identification number. A reader detects the chip and asks the card user for a PIN that matches the one found on the chip. There's a far lesser chance of a chip-and-PIN user's data being stolen than those whose data are embedded on a magnetic strip, which are easy to read, easy to duplicate and easy for hackers to access yet still relied upon by U.S. retailers, banks and credit card companies.
Ideally, a shopper would simply slide the chip end of their card into a slot at the bottom of a checkout card reader, enter their personal identification number and be done with the transaction. But since new chip-carrying cards are making their way slowly into consumers' hands, even new card readers have been reduced to slightly upgraded versions of the technology they're replacing.
“When you do see a retailer that has installed a chip-enabled terminal, they often aren’t yet activated, so if you stick your chip card in the slot, nothing will happen,” Schulz says. Getting those terminals fully working and getting employees trained up to know how to use them and guide customers through using them is all part of the transition process. It’s going to take time.”
It's also going to take money. According to market research firm Javelin Strategy & Research, there are 15 million card readers, 360,000 ATMs and more than 1.1 million credit and debit cards that would have to be replaced at a cost of roughly $8.65 billion. Retailers who've been breached are making the switch if only to restore the public's trust in their business.
Home Depot's breach put 56 million credit card numbers and 53 million email addresses into jeopardy. Security blogger Brian Krebs discovered that the software used to infiltrate Home Depot's system was similar to that used last year to snatch the data of more than 70 million Target shoppers. Credit protection firm BillGuard estimates that losses from fake charges tied to the Home Depot breach could reach upward of $3 billion after a hacker sold millions of stolen credit card numbers on the Ukraine-based site Rescator.
Unfortunately, those breaches haven't been new or rare occurrences. Back in 2007, 94 million shoppers had their data compromised after using their cards at TJX stores including T.J. Maxx and Marshall's. Last year, data of more than 300,000 cardholders were accessed during a breach at Neiman Marcus. In August, hackers lifted data from 33 P.F. Chang's restaurant locations. All of that has taken its toll on consumer confidence.
"My thoughts on card usage is that folks are definitely using some cards less — particularly in the the wake of recent data breaches,” says Curtis Arnold, founder of credit card industry rating and monitoring sites CardRatings.com and BestPrepaidDebitCards.com. "I do think that with the new security regulations coming later this year that this will change. And I think that the card decline is usually temporary — we as humans have short memories."
While blame lies with the hackers, Arnold and other experts note that the decades-old credit card technology still being used in the U.S. enabled breaches.
A bit of the blame, however, rests with consumers themselves. Their sloth isn't to be underestimated. A CardRatings survey found that a quarter of all cardholders had been victims of data theft, but among those victimized, only 51% checked their credit card statement, 45% checked their credit report, 54% checked their bank accounts and only 24% either signed up for credit monitoring or put a credit freeze in place. Only three in every 10 U.S. cardholders has a chip-and-PIN card, a CreditCard.com survey says.
That leaves it to card issuers and retailers to put as many safeguards in place as possible to woo skeptical consumers. That hasn't been easy, as even mobile payment options such as Apple Pay and Google Wallet that bill themselves as secure alternatives to existing card technology have been largely shunned. CreditCards.com also found that two-thirds of U.S. consumers say they would “never” or “hardly ever” use their smartphone to make a purchase. Schulz says even the appearance of vulnerability makes U.S. shoppers — especially older consumers — hesitant to embrace mobile payment. That leaves the somewhat more familiar EMV cards as issuer and retailers' best hope, and one they're clinging to well before their October deadline.
”The biggest obstacles to mobile payments usage are convenience and security," Schulz says. "Consumers are already very comfortable swiping their credit and debit cards. Most people don't see why a mobile payments service would be quicker, easier or more secure."
— Written by Jason Notte in Portland, Ore., for MainStreet
To follow the writer on Twitter, go to http://twitter.com/notteham.
This article is commentary by an independent contributor. At the time of publication, the author held TK positions in the stocks mentioned.