After a series of high profile thefts of sensitive credit card data, Akos Rona-Tas and Alya Guseva, authors of Plastic Money, discuss the vulnerabilities of the American credit card and the barriers to switching to better alternatives.
Following recent massive credit card data theft at several national retailers, everyone, including Congress, is suddenly worried about cyber security. Cyber thieves made off with the credit card data of 40 million customers at Target’s U.S. stores during the pre-holiday shopping season. The company later said the personal information of 70 million people was also taken, including names, contact information and personal buying history dating as far back as 10 years. Neiman Marcus and several national hotel chains have also reportedly been targeted.
In the ensuing squabble, the banks are pointing fingers at retailers for not securing their communication channels. But the retailers, in turn, criticize banks for issuing theft-prone swipe-and-sign credit cards, which can be distinguished by the magnetic stripe on the back. If you’re looking for an example of such a card, look no further than your own wallet—virtually all US-issued credit cards are of the swipe-and-sign variety.
When a purchase is made with a swipe-and-sign card, a signal is sent to the bank that issued the card to authorize the purchase at the point-of-sale. It is during this exchange of information between the bank and the retailer that criminals can intervene.
The U.S. is actually one of the few countries where the magnetic stripe card—a technological dinosaur, on par with the compact audiocassette—still rules. Cardholders in most European countries, Canada and even Kenya carry chip-and-PIN cards that are more difficult to counterfeit because the chip is more complex than a magnetic stripe, and a PIN is a better protection than a signature. Besides, the chip can contain all the information about the cardholders’ account, including the amount of available credit, and as a result does not need to relay information to and from the bank, thus cutting out the exchange that is typically the site of interception for cyber thieves.
Europe is by and large wedded to the chip, which means that crooks inevitably gravitate to U.S.-issued cards as easier targets. Not only are the American swipe-and-sign cards less secure, but in the coming years they will be increasingly obsolete abroad. Magnetic stripe and chip cards require different card readers that are incompatible with one another, and—at least in Europe—magnetic stripe card readers are an endangered species. Already today, American travelers cannot use U.S.-issued cards to buy RER (train) tickets at a Parisian automated ticket kiosk, or pay for a road toll or a parking fee.
The U.S. credit card market is the first and the oldest in the world. This is where credit card technology was born, and it was the magnetic stripe that the first Visas and MasterCards featured. The barrier to switch is path-dependency, the same reason Americans stick to a non-metric system or why the Brits and the Japanese drive on the left side of the road.
It is generally costly, financially and mentally, to switch to a different technology (for instance, it costs about $2 to a bank to make and distribute a magnetic stripe card, but $15 to $20 to make and distribute a chip card). But the switch is particularly difficult in the case of a credit card market because the change would have to be adopted simultaneously by banks that issue cards, and by retailers who would have to purchase different card reader equipment compatible with chip cards.
Had most American cardholders already switched to chip cards, it would not be a difficult decision for a retailer to buy a chip-compatible card reader—not buying it would be tantamount to turning customers away. Conversely, had many retailers already invested in new chip machines, banks would gladly start issuing chip cards too. Several years ago a few large American banks did, in fact, flirt with the chip, by issuing cards that had both a magnetic stripe and chip technology. But the banks did not reissue them, most likely because there were not many chip-compatible readers in the U.S. and it was not worth the extra cost to the bank to produce the dual-function cards.
It is moving early, when no one or few other actors have already switched to new technologies that is both risky and costly (what if the rest of the market never switches?) As it stands, none of the key actors are sufficiently motivated to make the switch from swipe-and-sign to chip-and-PIN. In the U.S., consumers’ liability is limited by the Electronic Fund Transfer Act of 1978, and losses from fraud are generally absorbed by issuing banks rather than retailers. So it comes at little to no surprise that retailers are not especially interested in investing in more secure technology, but neither are banks, as it turns out! Card issuers can claim a 50 percent tax write-off on losses from fraud, and they can easily pass the rest of the costs incurred from unsecure cards onto consumers and merchants via increased fees and charges.
Since coordinating change between competitive private actors is difficult, there is a call for powerful third parties to step in. The recent security breaches of major U.S. retailers may be the final push that will result in across-the-board regulation (and chip card adoption) of the kind that was recently passed in the EU. That is, of course, unless our plastic payment methods capitulate altogether to the smart phone-as-mobile payment device first.
Akos Rona-Tas is Associate Professor of Sociology at the University of California, San Diego, a Research Associate at Met@risk, INRA in Paris, and co-author of Plastic Money: Constructing Markets for Credit Cards in Eight Postcommunist Countries.
Alya Guseva is Associate Professor of Sociology at Boston University and co-author of Plastic Money: Constructing Markets for Credit Cards in Eight Postcommunist Countries.