|
 For years, U.S. merchants and banks have balked at adopting a
well-established system that uses credit and debit cards that store
information on computer chips. The technology, ubiquitous in Europe,
Canada and elsewhere, makes it harder for thieves to misuse data
compared with cards that store data only on magnetic stripes.
The problem is the costs of the new chips and some 10 million
payment terminals to process them.
The delay may prove costly to Target's U.S. customers. The
third-largest U.S. retailer said unknown hackers stole data from up
to 40 million credit and debit cards used at its stores in the first
three weeks of the holiday season.
Now, after years in which U.S. companies tolerated fraud as a cost
of doing business, high-profile breaches such as the one at Target
are raising demand for increased card security.
"There's no doubt in my mind it will happen over the next two years.
The fraud risk is too high," said Rush Taggart, chief security
officer of CardConnect of King of Prussia, Pennsylvania, which helps
merchants process payments. "I think we all wish it had happened
over the last four years."
An early switch to the global card system may not have prevented the
Target data theft but the chip technology would have reduced the
value of the stolen data by making it harder for hackers to reuse
the customer information. For one thing, the new systems are better
at detecting counterfeit cards.
Visa Inc has warned that merchants' banks may start bearing the
costs of fraud starting in October 2015 if the merchants don't
upgrade.
EUROPE MOVES AHEAD
In much of Europe, 94 percent of sales terminals use the chip
system, according to a 2012 report by consulting firm Javelin
Strategy & Research. The figure was 77 percent in Canada and Latin
America. That compares with only 10 percent of U.S. sales terminals
with upgrades.
The report said the figure would still reach only 60 percent by
Visa's October 2015 deadline. And the timetable could face delays if
merchants push back on changes that banks and processors want but
will not pay for.
Retailers over the summer won a ruling from a U.S. district court
judge in Washington that could help them reduce the fees that banks
can charge for debit card transactions.
Banks had counted on those fees to pay for extra network upgrades,
and the uncertainty could put off further investment, said Al
Pascual, a senior analyst at Javelin. "We should move to it,"
Pascual said about the new standard. "But 'should' and 'would' are
two different things," he said.
Some U.S. banks, including Citigroup Inc and Wells Fargo & Co, have
begun to issue chip-carrying cards that meet the global standard — known as EMV, the initials of the companies that created it in 1994:
Europay International SA, MasterCard and Visa. (MasterCard bought
Europay in 2002.)
There are now nearly 1.6 billion EMV payment cards in use worldwide.
Wells Fargo said recently its U.S. customers with the Visa consumer
credit cards it issues may request a new card with a chip to use
while traveling.
"Today, very few domestic merchant terminals support EMV technology,
so there is little need for a full-scale roll-out," a Wells Fargo
spokesman said via e-mail.
[to top of second column] |
JUST A COST OF BUSINESS
U.S. banks and merchants have tolerated the weak security in part
because they are able absorb the costs, said David Robertson,
publisher of the Nilson Report, a California trade journal that
tracks the payments industry.
In its August issue, Nilson said global card fraud rose to a record
$11.3 billion in 2012, from just under $10 billion the year before.
Nearly half the losses occurred in the United States, helped by the
lack of the more advanced card readers.
But on a volume basis the losses amounted to just 5.2 cents for
every $100 that consumers put on payment cards, up from 5.07 cents
per $100 in 2011. Those figures are insignificant for most of the
players in the chain, Robertson said.
"It's a very manageable cost," Robertson said. Organized shoplifting
in comparison costs U.S. merchants around $30 billion per year, he
said.
Consumers, who are generally not held responsible for covering for
fraudulent purchases, have had little incentive to push for change.
But the rising fraud rates also mean more dangers of identity theft.
CHECKOUT SYSTEMS LIKELY COMPROMISED
Target said it was still reviewing how the attack was carried out,
but experts expect that systems at cash registers were compromised.
A Target spokeswoman did not respond to questions for this article.
The incident appeared to be among the largest security breaches in
retail history, though it fell short of the one announced by
retailer TJX Cos in 2007, which was blamed on poor security in the
wireless computer networks at TJX stores.
Since then, retailers have upgraded their systems under what are
meant to be the secure Payment Card Industry standards, or PCI,
meant to cover existing magnetic stripe cards.
But Gartner Research analyst Avivah Litan said many breaches since
then have occurred at companies that officially met the standards.
The problem is the magnetic stripe used to store data on most U.S.
cards is not secure enough to begin with, said Litan, who favors
upgrades to EMV.
"PCI isn't working because it is attempting to patch an inherently
insecure payment card system and network," she said. "We can't
expect retailers to patch their systems to work around the
weaknesses of this antiquated technology," she said.
Nilson's Robertson said the rise of mobile phones as payment devices
may complicate upgrade plans because they could crowd out payment
cards. If that happens soon, companies may have wasted billions of
dollars.
"It would be like investing in improving silent movies when everyone
else is moving to sound," Robertson said.
(Reporting by Ross Kerber; additional
reporting by Jim Finkle; editing by Richard Valdmanis, Frank McGurty
and Sandra Maler)
[© 2013 Thomson Reuters. All rights
reserved.] Copyright 2013 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed. |
