Last month, the well-known nonprofit agency that operates thrift stores around the country, Goodwill Industries, confirmed that it has been investigating a possible breach of customer credit card information.
This news has instilled a sense of nostalgia and familiarity throughout the nation. Late last year, the largest credit card breach reported in history occurred at Target retailers in the U.S., where over 70 million customers’ card data was stolen, and began a domino effect throughout the country of major card breaches. A
ccording to Brian Krebs of Krebs on Security, the activity being seen from the alleged stolen data from cards at Goodwill, “is consistent with activity seen in the wake of other large data breaches involving compromised credit and debit cards, including the break-ins at Target, Neiman Marcus, Michaels, Sally Beauty, and P.F. Chang’s.” While the exact source of the recent Goodwill breach has not yet been shared, it is yet another illustration of how the U.S. is behind the rest of the world in the payments landscape, still utilizing outdated magnetic stripe card technology.
The current payment landscape in America consists of magnetic stripe cards that are easily replicated and in turn, used for fraudulent purchases as a result of breaches of this nature. Additionally, the current point of sale (POS) systems throughout the country leaves much room for hackers to steal associated sensitive cardholder data.
However, much of the rest of the world is miles ahead of the U.S., utilizing a payments system known as EMV or Chip technology, which uses dynamic data (only known by the card issuers) – which changes with each transaction. Magnetic stripe cards use static data – containing only the same ‘static’ characters – , once skimmed/obtained by hackers can be replicated and reused. According to the latest figures from EMVCo, there are 80 countries across the globe in the process of migrating to the standard, many of which are at different stages of their migrations.
But the outdated and non-secure payments system in the U.S. is in dire need of multiple parties making investments to begin migrating, as we are quickly approaching an important deadline. In October 2015 the U.S. card issuers and merchants will be faced with the Liability Shift, wherein the least compliant party will be held liable for any fraudulent transaction, if the party is not providing a chip-on-chip transaction environment. This could come in the form of a merchant who has not upgraded their POS system to be EMV-enabled, or a financial institution who has not issued Chip-enabled cards to consumers.
While the U.S. is at a disadvantage for not having migrated to the EMV standard yet, we also have the advantage of being able to look at the example set by other countries, and analyze and learn from how they managed to upgrade.
Canada, for example, is on its way to completing its EMV migration by next year having started in June 2003, when Visa Canada announced it would migrate all Visa Cards to EMV technology beginning the following year. As a result, Canada’s payments body, Interac Canada decided to invest in fraud trend analysis research – which revealed that Canada’s magnetic stripe payments system was leaving consumers across the nation vulnerable to fraud. Similarly to how the U.S. payments bodies created the October 2015 deadline – Canada too, set deadlines for Liability Shift in order to keep all parties on track with migrating. Interac has already reported significant reduction in fraud due to Canada’s migration, despite the fact that they have not yet fully completed migrating.
But what else needs to be done in the U.S. to begin to catch up with other countries who have already implemented Chip technology? There are still many steps that need to be taken from multiple parties for our market to catch up – but it is crucial that everyone realizes that time is of the essence in order to make the October 2015 deadline.
Research firm, Aite Group, predicted in a recent report that by the Liability Shift deadline, 70 percent of U.S. credit cards would be EMV-enabled, and 41 percent of debit cards. However, not all sources agree that enough EMV chip cards will be in circulation by October 2015. Javelin Research forecasts that only 166 million Chip cards will be in circulation in the U.S. by the end of 2015, which only represent 29% of all credit cards. They have also predicted that only 17% of debit and prepaid cards will be EMV enabled.
But there are many more pieces to the EMV puzzle than the amount of cards in circulation, rather merchants need to upgrade their processing systems to accept these new cards. Merchants, at this point in time, are not able to go to their ISV or VAR to purchase an off-the-shelf EMV-ready card acceptance solution, as in our current market, most do not yet have a complete understanding of all of the steps that are required to complete the upgrade. Even experienced EMV developers take around 21 months to upgrade technology to the standard.
No matter what card and terminal adoption rates end up netting out at by October 2015, it is clear that the current technology in the U.S. market is both outdated and insecure, and as a result is leaving consumers across the country at risk for fraud.
Written by Jeremy Gumbley on August 5, 2014