The US is slacking in credit card data security.
Because of a malware attack on Target’s computer systems, over 40 million customers now have their credit card numbers, expiration dates, and security codes floating around on the internet’s black market. This has not been the first case of a mass security breach of a large retailer.
In July of 2005, T.J. MAX had a breach that resulted in data stolen from at least 47 million of their customers. These instances of mass theft should serve as a wakeup call for the US to increase the security of credit and debit cards.
Instead of the widely adopted ‘smart card’ that carries data in an embedded chip, the US still uses the less secure, magnetic strip. Smart card technology isn't new. In fact, the majority Europe uses smart card technology, and has been doing so for the past decade. The embedded chip allows for more data encryption and could’ve easily stopped Target’s breach. With more and more countries adopting smart card technology, the US has become a top target.
Credit card information can be very lucrative on the black market. The credit card number alone might sell for a dollar or less. However, like in the recent Target case, having the name, number, expiration dates, and security codes can sell for $10 or more. Multiply that by 40 million, and it’s easy to see why this type of theft isn’t going away.
This is exactly why understanding the concept of level 2 or level 3 credit card processing is so important. The requirement for additional data is much deeper and makes it nearly impossible for a thief to commit fraud. This is mostly true for business to business and business to government companies who tend to key in customer purchasing or procurement credit card numbers.
Including these data points with a transaction significantly increases the security of a payment and in turn that due diligence is rewarded with much lower interchange rates and credit card processing fees.
Over 80 counties now use smart card technology and it’s easy to see why it’s been embraced so well. It’s much easier to steal information of a magnetic strip than it is an encrypted chip. As a result, the US has been a huge target for hackers.
So why hasn’t the US done something?
The answer is a bit complicated. To start, these type of cards do exist in the US, there’s just not a lot of them. Credit Card issuers might give them to traveling clients because very little places abroad still use magnetic strips. Still, only about 1% of cards in the US have this type of technology.
Lack of political push for greater security measures is a big reason why smart cards have not been embraced. Businesses need more regulation and if there’s no push for it things are likely to remain stagnant.
Another reason is the sheer scale of the transition. Credit card issuers, banks, merchants, and consumers would all have to make the switch to smart cards from the existing 1 billion magnetic strip cards in circulation. Making such a huge scale transition would be extremely expensive and is unlikely to happen without some sort of government reform.
The good news is that it does look like the US is slowly moving towards smart cards. Many credit card issuers have publicly stated that they plan on making the transition by late 2015. By October 2015, if a merchant or acquirer’s equipment does not support smart cards, otherwise known as EMV cards, they will be liable for any instances of counterfeit fraud instead of the issuers.
What can I do to increase security?
Merchants looking to swipe cards should ask if their machine is EMV compatible. For those Merchants doing business to business and business to government transactions you need to make sure you are setup properly with level 2 and level 3 credit card processing capabilities. It's going to protect your business and significantly decrease the fees you pay to accept cards.