The U.S. accounts for nearly half of all payment card fraud losses worldwide, in part because the 1960s-era magnetic stripe technology used to secure sensitive personal information on credit and debit cards is prone to counterfeit card fraud, experts said.
In the wake of recent, massive data breaches at Target, Neiman Marcus and other retailers, the National Retail Federation is calling for mandatory use of more secure cards with embedded microchips, like those used in European countries.
However, the financial and retail industries remain at odds over the timing and cost of converting to next-generation payment card technology.
“We are using an antiquated payment system,” said Gordon Gough, president and chief executive of the Ohio Council of Retail Merchants. Stakeholders including card issuers, banks and retailers need to determine how to best update the U.S. payment system to limit implementation costs and ensure consumers’ trust, he said.
The U.S. lost $5.3 billion in 2012 to payment card fraud, according to the Nilson Report, a payment industry newsletter. That represents 47.3 percent of the total $11.3 billion in global card fraud losses that year. In contrast, the U.S. generated only 23.5 percent of the total volume of credit and debit purchases, and cash advances and withdrawals, officials said.
The Nilson Report said the lack of “smart chip” payment cards and terminals in the U.S. contributes to fraud losses. The U.S. is the only region where counterfeit card fraud continues to grow, accounting for 26.5 percent of global fraud losses in 2012.
The Consumer Bankers Association said its member banks have spent nearly $154 million so far to replace more than 15.3 million credit and debit cards in response to the Target data breach.
In Ohio, “tens” of member banks have had to replace customer payment cards related to the Target breach at a cost of $5 to $7 per card, said James Thurston, spokesman for the state Bankers League. The number of cards replaced was not available, but incidences of fraud from the breach appear to be few, he said.
“We have to keep the customer accounts safe — that is our first and foremost responsibility. That, unfortunately, costs a lot of money, which we end up footing the bill for, as opposed to the retailers who were breached,” Thurston said.
The Target breach from Nov. 27 through Dec. 18 impacted more than 40 million card accounts and is believed to be the second largest in U.S. history, after 47.5 million cards compromised in 2007 at the parent company of T.J. Maxx stores. Personal information on 70 million Target customers, including addresses and phone numbers, was hacked from a marketing database concurrent with the payment system breach.
Executives from Target and luxury retailer Neiman Marcus testified Tuesday at a Senate Judiciary Committee hearing about their holiday season data breaches. Last month, arts-and-crafts chain Michaels Stores also alerted customers about a possible data security attack.
On Monday, Indiana-based hotel franchise management firm White Lodging said it was investigating a data breach that may have compromised the credit and debit card information of thousands of guests at its hotels. White Lodging manages 168 hotels in 21 states, including the Marriott, Sheraton, Hilton and Westin brands.
Adoption of smart chip cards at the point of sale is “the strongest defense against counterfeit cards,” said David Robertson, the Nilson Report’s publisher, in a statement.
Current magnetic stripe cards leave customers’ account information vulnerable to criminals, who can easily copy that information to create counterfeit cards. Such cards only require an electronic signature to authenticate the user’s identity, said David Salisbury, a University of Dayton associate professor of information systems.
Smart chip cards, also called EMV (Europay, MasterCard and Visa) or “PIN and chip” cards, contain embedded microchips that are harder to copy than magnetic stripe cards, Salisbury said. In addition, chip cards provide an additional layer of security by requiring an encrypted PIN code that is verified, as well.
“If you can find a way to rationalize who pays for the changeover, it does make sense to have just one more layer of authentication,” Salisbury said. The “tipping point” will come when consumers are not comfortable using certain payment systems because of fraud concerns, he said.
American Express, Discover, MasterCard and Visa have announced plans to move to an EMV-based payments infrastructure in the U.S., according to the Smart Card Alliance, an association that represents companies using the technology.
Experts said replacing millions of cards and corresponding payment systems will cost billions of dollars, making the switch a difficult sell to banks and retailers.
“These cyber criminals, unfortunately, they tend to be one step ahead of the game,” Thurston said. “You could move toward something like that, but the likelihood is they would find a way to counter it.”
Salisbury noted that payment fraud in Europe has moved from in-person to online transactions, because the latter doesn’t require the embedded chip and PIN.
Gough said it is important for the retail and banking industries to work together to find a solution, whether it is smart chip cards or another new technology that might be cheaper to implement. “All of the smart people in the room need to get together and figure out what is the best payment system going forward for banks and retailers and consumers,” he said.
Payment card fraud by the numbers
$11.3B: Global payment card losses in 2012
$5.3B: U.S. payment card losses in 2012
$154M: Cost to replace U.S. payment cards in response to Target data breach
Sources: The Nilson Report; Consumer Bankers Association