Stores in North Jersey and around the country are gearing up for the next generation of credit cards, and consumers can expect to see changes in checkout aisles and in their wallets in coming months.
The so-called smart cards – credit cards with embedded computer chips that can store large amounts of data and perform functions like encryption – are being hailed as the cure for data breaches that have hit major retailers in the past year. The Target data breach in November and December, when cybercriminals stole information from credit and debit cards as well as the email and home addresses of more than 110 million customers, has given new urgency to calls to replace magnetic-stripe cards that can easily be copied by thieves and are vulnerable to fraud.
“We are seeing a lot of reaction as a result of the publicity surrounding this and a recognition that we need to have more robust systems to keep these 21st century hackers from compromising financial information,” said Mallory Duncan, senior vice president and general counsel at the National Retail Federation.
Banks and retailers are investing in chip-card technology in a big way. Some 100 million chip cards are expected to be issued this year, but that is a tiny fraction of the 1.7 billion credit and debit cards in use in the United States. Retailers are on track to have 4.5 million chip-card readers installed in their stores by the end of this year. Chip-capable card readers can be seen in the checkout aisles at Home Depot and Kohl’s stores in North Jersey. Wal-Mart’s Sam’s Club warehouse division began issuing a Sam’s Club chip card this month, and activated the chip readers already in place in its stores.
But the National Retail Federation, the nation’s largest retail-industry group, is cautioning that retailers need to make sure they are investing in the smartest ways to protect customer data before spending billions.
Chip cards have been widely used in Western Europe since about 2008, and have been credited with dramatically reducing credit-card fraud. They also are cited as a key reason foreign data thieves have increasingly targeted U.S. retailers in recent years.
The cards are usually described as having EMV technology – short for Europay, Mastercard and Visa, three card companies that developed a set of standards for chip-card compatibility.
The EMV Migration Forum, an organization that includes financial institutions, retailers and payment processors, was established to bring the various members together to introduce EMV technology in this country. It is based in Princeton Junction.
Randy Vanderhoof, director of the EMV Migration Forum, said the U.S. is going through the primary shift toward EMV chip cards, when card issuers are starting to send chip cards to consumers and merchants are replacing existing card readers with EMV-capable systems.
“Over the next year, we’ll be seeing this rapid number of merchants that will suddenly start to get their systems enabled and active and online, and those consumers who have received cards from their financial institutions will be told how to use them,” Vanderhoof said.
Card holders who do a lot of international travel most likely have at least one chip card in their wallets. Card companies also are starting to mail out chip cards as replacements for expired magnetic-stripe cards.
“I had to replace my American Express card because the magnetic stripe had been de-magnetized and it wasn’t working anymore, and when they sent me my new card it had an EMV chip on it,” Vanderhoof said.
Vanderhoof said the forum is starting to hear that financial institutions are beginning to issue EMV chip cards to select customers, like frequent travelers. “Also, Citibank has implemented a policy where if you call and request a card, they will issue you an EMV-capable card,” he said.
Those replacement chip cards will still have magnetic stripes, so they can be used at stores or restaurants that don’t have chip-card readers. But at stores with chip readers, the cardholder will be directed to insert the card in a slot that can interact with the chip and will be prompted to provide either a personal identification number or a signature.
The Target breach, Vanderhoof said, made retailers wake up and realize that they need to move quickly to invest in chip-card readers.
“What wasn’t generally recognized before that was that retailers are vulnerable no matter what they do to try to harden their networks to prevent malware and criminals from breaking in and stealing their payment data,” in a world when criminals can easily produce counterfeit magnetic-stripe cards with that data.
Secondly, Vanderhoof said, “Target unfortunately revealed that it is not just the risk of the cost associated with the loss of the cardholder data and the fines associated with that, it is also the reputational risk, the disruption of business.”
Target’s experience, he said, “made retailers aware that the cost of not doing something is much greater than it will be to make the investment to upgrade to EMV.”
Wal-Mart has had pay terminals that are capable of accepting chip cards, as well as magnetic-stripe cards, in its stores for about eight years. However, it is only beginning to activate the chip-reading functions this year, as more chip cards go into circulation. About 4,000 of the company’s 5,000 U.S. stores have activated chip readers, and the rest of the stores will be operational before the end of this year, Wal-Mart spokesman Randy Hargrove said.
Wal-Mart also plans to issue a chip-embedded Wal-Mart credit card later this summer.
Hargrove said Wal-Mart’s international operations alerted the company early on about the need to prepare for the advent of chip cards.
“We recognized years ago that this is where we thought the technology was going, and so, we put the terminals in at that point,” he said.
Target announced in February that it was speeding up installation of chip-card readers in its approximately 1,800 stores and speeding up conversion of its Target REDcards to chip cards, with the transition scheduled to be complete in the first quarter of next year.
Chip cards, like the current credit cards, require proof that the true owner of the card is using it. Current credit cards do that by requiring a signature, considered a weak form of identification.
Moving to a system of chip cards that require signatures, rather than PINs, would retain a weakness that currently promotes fraud, said Duncan of the National Retail Federation. The federation says that chip-and-PIN cards are the most secure technology, but it fears that card companies want to stay with signature verification because the larger ones have networks that are based on signature cards.
“Everyone knows that signatures are virtually worthless in terms of authenticating a card,” Duncan said, “and yet you have the big card networks, like Visa, wanting to issue new chip cards that are authenticated with a signature, rather than moving toward a PIN, as has happened in virtually every other place in the world.”
He added, “Visa and MasterCard are loath to give up signature even though they know it is fraud-prone, because they make more money, their banks make more money, and they’re hoping to pass the costs on to retailers and consumers.”
Magnetic-stripe cards with PINs would be a better alternative than chip cards with signature verification and can be used with existing PIN readers, Duncan said. Adopting a secure PIN-and-magnetic-stripe system would cost under $5 billion, compared with $30 billion-$35 billion for EMV readers, he said.
Some retailers are asking whether it would be wiser to spend $5 billion for a magnetic-stripe-and-PIN system and save the other $25 billion-$30 billion for investments in what is likely to be the payment system that makes credit cards obsolete – mobile payments.
“We’re reaching the point where the phone, which has a very powerful computer inside of it, could be used to provide a high level of security. So why don’t we spend that money on moving toward the day when we will have really secure, high-level mobile payments, rather than stretching out last-generation payment cards,” Duncan said.
The costs of chip conversion are not expected to be a problem for small retailers and restaurants with one card reader. Those readers usually are provided by the company that handles the payment transactions. But for retailers with hundreds of stores, a change in a card reader involves extensive retooling of its payment software and support systems.