An EMV chip embedded in a credit card — a worldwide standard for point-of-sale transactions that the U.S. market is woefully behind on. (Mastercard)
A series of hacks at two major retailers over the Christmas shopping season has so startled the U.S. retail sector that it is rushing to catch up, technologically, with Kenya in terms of security.
Magnetic stripe credit cards that are swiped at the retail counter — and present a security flaw that was exploited at Target and Neiman Marcus to steal millions of credit card numbers — will in the coming years give way to cards that have computer chip security and are enhanced with a personal identification number (PIN).
That technology is already in use in Kenya, the United Kingdom and most of the rest of the world, said Mallory Duncan, general counsel for the National Retail Federation.
“Most of the developed world and non-developed world is already using this technology,” Duncan, whose trade group represents firms like the two retail giants, told FoxNews.com. “It’s a more secure payment method than the magnetic card and signature, or the magnetic card and a PIN. It tells the retailer you are who you say you are – and you have the ID on the card to prove it.”
‘It’s like having a small computer on a credit card.’- Dan Kaminsky, founder of White Ops, a company that uses hacking methods to reduce online fraud
Staggering Size of U.S. Market Caused Delays
For more than a decade, the sheer size of the U.S. and the billions of dollars it would cost to deploy new credit card readers at every retail establishment have created a disincentive to modernize. But the recent incidents have lent a fresh urgency to efforts to make the switch.
“Fraud is rising too quickly not to make progress,” Duncan said. “Banks are going to do the right thing. The risk has gone up. Everyone is going to adapt.”
Hackers accessed 25 terminals for the Target breach, installing malware, and also cracked credit card accounts at Neiman Marcus, executives of the companies told a congressional panel late last week.
The way to stop such fraud is the “chip and pin” technology, Dan Kaminsky, founder of White Ops, a company that uses hacking methods to reduce online fraud, told FoxNews.com. “It’s like having a small computer on a credit card. The computer negotiates with retailers and has a unique number for every transaction, rather than one number that is repeated over and over.”
The recent attacks are accelerating industry plans to have the technology installed across the U.S. in the next few years. “Chip and pin are going to happen before 2020,” said Kaminsky, whose firm works with both retailers and banks. “This is the safer, low-risk option. There is a lot of PIN fraud going on there. That’s got to stop because it harms economic activity – the amount of money people are willing to spend because of fear of getting hacked.”
Rob Sadowski, director of technology solutions at security firm RSA, agrees that the massive holiday season hacks have spurred interest in newer technology. “A roadmap by the credit card brands has been out there,” he said. “But there is urgency now. Banks need to issue chip cards and get them in the hands of consumers. And consumers need to get used to them.”
The technical name for the initiative, which is a voluntary industry effort and isn’t powered by federal regulations, is EMV – which stands for Europay, Mastercard and Visa. The three companies agreed in 2002 to develop standards to encrypt every chip on a card differently, but the legal liability they now face as a result of credit card fraud is a new and powerful motivation to dump the magstripe for good.
“The chip encrypts data differently for each transaction, making it more effective in preventing fraud and harder to duplicate than a magnetic stripe card,” said IT law expert Barrie VanBrackle, a partner at national law firm Manatt, Phelps & Phillips.
Not a Cure-All
Some experts argue that the government should regulate a solution. “To get there, we have to all hold hands and jump off the ship together, which means a regulatory move should likely be put into place,” Steve Pao, general manager of security for the IT security firm Barracuda, said.
But though chip technology is more effective than the magnetic stripe, it’s not a cure-all.
“Fraud prevention is a complex game of cat and mouse between criminals and the payments industry,” Loc Nguyen, chief marketing officer for fraud sciences company Feedzai, said. “In countries that migrated to EMV chip, online fraud increased as in-store face-to-face fraud fell, initially resulting in little to no impact in overall card fraud.”
There are other security options available, too, experts say, and tech investors may have an opportunity here. The founders of Loop just received $10 million in funding for their invention, a way to load your wallet’s credit cards onto your smartphone that works with 90 percent of the magnetic stripe readers already in place today, a spokesman for the firm said.
In the end, the hacking problems of today will lead to tech innovations that make purchasing online and in person much easier tomorrow. It’s an upside to fraud – however remote it may seem.