The Little Stripe on Your Debit Card Is a Massive Achilles’ Heel

  • Share
  • Read Later
Getty Images

If my mobile phone is so smart, why is my credit card so dumb?

That’s the question you might be asking yourself if you are one of the more than 100 million people whose personal information was filched in the hacks on retailers Target and Neiman Marcus over the last two months. And the number of retailers and victims could grow larger as the investigation widens. In the U.S., the magnetic stripe on the back of your credit or debit card that contains your vital information is a 40-year old technology. The rest of the world uses smarter cards with a technology called EMV that employs a chip embedded in the card plus a pin number to authenticate transactions locally. It’s a more secure card. We have AM; they have EMV.

In light of the massive hack some banks, such as Wells Fargo, are offering to convert your magstripe card to a chip and PIN model. (It’s actually a hybrid that will still have magstripe.) Should you take them up on it? If you travel internationally, the answer is yes, absolutely. “For customers who travel to countries where EMV technology is more prevalent, we offer Visa consumer credit card customers the option to call and request their card be reissued with this technology, ” said Jason Vasquez, a spokesman for Wells Fargo, in a statement. And which countries would those be? Every other country, basically. In some places you won’t even be able to use a mag stripe credit card. Plus, chip and PIN is a lot faster, since merchants can use portable terminals. At restaurants, that they bring the terminals to your table—so there’s less chance of skimming either.

Keep in mind, too, that credit cards have different liability protection than debit cards. If someone uses your credit card fraudulently, it’s the issuer or merchant, not you, who is taking the hit. Debit cards have different liability limits depending on the bank and the events surrounding any fraudulent uses. “If it’s available, the logical thing is to get a chip and PIN card from your bank,” says Eric Adamowsky, co-founder of “I would use credit cards over debit cards because of liability issues.” Cash still works pretty well, too.

But don’t expect the card issuers to make a big move to chip and PIN. The reason? It’s all about relative costs, says David Robertson, who runs The Nilson Report, an industry newsletter: “The cost of the card, putting the sticker on it, coding the account number and expiration date, embossing it, the little mailer: fully loaded you are in the dollar range.” A chip and PIN card currently costs closer to $3, says Robertson, because of the price of chips. There are more than 5 billion magstripe credit and prepaid cards in circulation in the U.S., so as the saying goes, do the math.

Won’t merchants and banks benefit from lower fraud levels? Yes, chip and PIN cards are tougher for hackers to crack and more difficult for fraudsters and thieves to use. So there ought to be some impetus to make the change. “All of us have a common interest in being protected so this might be a chance for retailers and banks to for once to work together as opposed to sue each other like we’ve been doing the last decade,” said JP Morgan Chase ceo Jamie Dimon in the company’s earnings call. (The two groups have been fighting over transaction fees.) But consider that there’s $11 billion in card fraud on global basis, says Robertson, and 43% of that is in the U.S., the most of any one country. Calculators, please: 43% x $11 billion=$4.73 billion. That’s a lot of money, but at the same time the numbers are saying that absorbing the liability for even big hacks like Target is still cheaper than replacing all those magstripe cards.

Plus, merchants for years have been fighting any switch to chip and PIN because they don’t want to invest in the new infrastructure needed for the technology, especially if they’ve invested recently in a new point of sale system. (An earlier effort by Target to move to chip and PIN never gained traction.) The historic reason they don’t want to switch, ironically, is all about the phone systems in Europe and the U.S. Here, our cheap, ultra reliable wireline operation made authentication over the phone very practical. In Europe, card issuers created EMV because the French telephone monopoly was so maddeningly inefficient and expensive. Voila, a workaround that allowed transactions to be verified locally and securely.

The Target and Neiman hacks, though, may have pushed consumers and the card companies to a point where they are going to demand action. Visa has warned merchants that if they don’t become EMV compliant by 2015 they will lose their indemnity against counterfeit cards. “When you get the consumer into a position of worry and inconvenience that’s where the rubber hits the road,” says Robertson. And if retailers won’t protect them, it’s consumers who will be hitting the road.