My recent articles, The Peril of Plastic: The Problems With Debit And Credit Cards Are Deeper Than We Thought and It’s Time To Give Up On Swiping Credit Cards, provided a lot of information about this issue. However, it is not a simple issue, and it needs a little more explanation. Where and how our information is stored is very important. Just as important is how much of our information is transmitted, and how it is sent, when a transaction is validated.
There is also still a lot of confusion around the physical cards themselves, and I hope I can clear up some of it. As I said in my February 27 article, it is time for the magnetic stripe to die.
Unfortunately, as I said in that article, unless things change as we make the transition to the next generation of credit cards, the magnetic stripe will still be on them. As we change to a different style of card, we are also on the cusp of a revolution in which smartphones may play a key role in how we pay for things. While these changes are happening, we also have to worry about online transactions, often called “card not present” transactions. Fraud continues to be a big problem there, even in countries that have already moved to newer card technology. I will touch on all of this, but I am not pretending to have all the answers.
There are three basic types of cards we need to think about to understand the problem and the potential solutions. Once the types are defined, it will be clear that by focusing on convenience and backwards compatibility, the companies leading this change are passing up an opportunity to fix a big piece of the problem.
Right now most of us carry magnetic stripe cards; our account information is encoded on the stripe on the back of our credit and debit cards. To use the card, we swipe it through a card reader. Depending on the card, the merchant, and the card issuer, we might have to show the card to a clerk to verify either our signature or the card security code. That code is a three-digit number (four digits, printed on the front, for American Express) whose purpose is to show that someone making an online purchase actually has the physical card in hand. Some payment terminals ask us to enter our zip code as a check against the billing address, and though it does not happen often in small-town America, people do get asked for a driver’s license to verify their identity. Industry rules (the PCI Data Security Standard) prohibit merchants from storing the security code, known in the industry as the card verification value, or CVV2, once a transaction has been authorized.
Magnetic stripe cards are a big part of our problem. The information on the stripe is static, so it is easy to read off one card and write onto another, whether a card carrying someone else’s name or a blank gift card. While you might feel safe with your debit card because it requires a PIN, you need to check your card. Many are now combination debit and credit cards and can be used as a credit card without a PIN. If your debit card’s magnetic stripe is copied or you lose the card, someone can clean out your bank account without a PIN if it is a combination credit-debit card. Then there is the problem of the PIN traveling across the network for verification. A system where the PIN is possibly exposed, even in an encrypted form, makes me uncomfortable. I am doubly uncomfortable if that PIN is stored someplace besides my head and at my bank.
A newer type of card is the NFC card, which builds on earlier RFID (radio frequency identification) cards. The newest of these, as the linked article indicates, are also Smart Cards, which I will talk about more later; some of the ones out right now are not. NFC cards offer a very high level of convenience. The card is passive: the reader’s field powers it, and you only have to hold it near the reader. Enabling a contactless transaction has some risks but also offers some protections. There are devices, including some newer smartphones with the right software, that can read the data an NFC card sends. I have learned that there are protections built into the newer NFC cards, as this article suggests. Even if your information is captured in mid-air, it is good for only one transaction, since the card generates a fresh authentication code for each transaction and an old one cannot be replayed. Consumer Reports verifies that, at least in the case of American Express, the card account number is not revealed. And if you do not have to hand the card to a waiter, waitress, or merchant, it is harder for them to copy the CVV2 number or any magnetic stripe that is there for backwards compatibility.
The third type of card is what many call the chip and PIN card. I have been familiar with them under their more common name, Smart Cards. I got involved with Smart Cards back when I was director of federal sales for Apple and the Department of Defense began issuing all DOD employees Common Access Cards, or CACs. The cards have an embedded integrated circuit and can do some very cool things, like verify your PIN. The cards require a PIN, and when they are used in a proper Smart Card reader, your PIN is never exposed to the world. DOD uses the cards for identification, building access, and network access. We had to convince the Apple executives to build Smart Card support into OS X. Some of us actually had Titanium PowerBooks with Smart Card readers in the PCMCIA slots. We used a Smart Card and our PIN to access Apple’s VPN instead of the traditional SecurID solution. While we were making sure that OS X worked with Smart Cards, we got involved with American Express, which at the time had a Smart Card credit card solution that required a Smart Card reader be hooked to your computer for you to make an online credit card purchase. From what I have been able to figure out, American Express abandoned that solution because it was difficult to get Smart Card readers to work with the various operating systems that were out there over ten years ago.
Today’s chip and PIN Smart Cards being issued in the United States, and even in Europe, often have a magnetic stripe for backwards compatibility. I see that as a big problem. I know Smart Cards work very well today with almost all computers because I used one when I worked in real estate for a few years. The Sentricard solution, a Smart Card system for lock boxes, is a much better way to give agents easy access to homes than cranky combination boxes. If I lost my Sentricard, someone would have to come up with my PIN before they could use it. If someone enters a wrong PIN more than three times, the Smart Card stops working. If you get the PIN wrong on a DOD CAC, the card locks and you have to go to a special facility to have it unlocked. As long as the Smart Card reader is physically secure, a Smart Card is a very good solution for a credit or debit card. Our Sentricards did not even have our names on them, just a number. Our information was stored in the chip on the card.
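The two chip-card mechanisms described above, the one-time authentication code that an NFC or chip card produces for each transaction and the on-card PIN try counter that locks the card after three wrong guesses, are easier to reason about in code. The following is an added example written for this page; it is not code from the article, from any card issuer, or from any real card. It assumes each card holds a secret key shared only with its issuer, a PIN try counter that starts at 3, and an application transaction counter (ATC) that increases with every purchase, and it uses HMAC-SHA256 for the cryptogram where real cards use other algorithms. The card names, PAN, PIN and merchant ids are constructed sample data.

```python
"""Added example, not code from the article or from any card issuer.

Toy model of an offline PIN check with a try counter and of a per-transaction
cryptogram tied to an application transaction counter (ATC). Assumptions: a
per-card secret shared only with the issuer, a PIN try counter starting at 3,
and HMAC-SHA256 standing in for the card's real cryptogram algorithm.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_PIN_TRIES = 3
CRYPTOGRAM_LEN = 8  # bytes of MAC kept; real cards send an 8-byte cryptogram


class CardLocked(Exception):
    """Raised once the PIN try counter reaches zero."""


def _transaction_bytes(atc, amount_cents, merchant_id, unpredictable):
    """Canonical encoding of the data the cryptogram covers. The merchant id
    is length-prefixed so two different (merchant, nonce) pairs can never
    produce the same byte string."""
    mid = merchant_id.encode()
    return (atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big")
            + len(mid).to_bytes(1, "big") + mid + unpredictable)


@dataclass
class ChipCard:
    card_key: bytes                  # secret shared only with the issuer
    pin: str                         # lives inside the chip, never leaves it
    tries_left: int = MAX_PIN_TRIES  # PIN try counter
    atc: int = 0                     # application transaction counter

    def verify_pin(self, candidate):
        """Offline PIN check: the terminal hands the PIN to the chip and gets
        back only yes/no. The counter is decremented BEFORE comparing so that
        cutting power mid-check cannot preserve a free guess."""
        if self.tries_left == 0:
            raise CardLocked("PIN try counter exhausted; issuer must unblock the card")
        self.tries_left -= 1
        if hmac.compare_digest(candidate.encode(), self.pin.encode()):
            self.tries_left = MAX_PIN_TRIES  # a correct PIN resets the counter
            return True
        if self.tries_left == 0:
            raise CardLocked("PIN try counter exhausted; issuer must unblock the card")
        return False

    def generate_cryptogram(self, amount_cents, merchant_id, unpredictable):
        """Produce a one-time authorisation cryptogram. The ATC increments on
        every transaction, so a cryptogram captured in mid-air cannot be
        presented again for a second purchase."""
        self.atc += 1
        msg = _transaction_bytes(self.atc, amount_cents, merchant_id, unpredictable)
        mac = hmac.new(self.card_key, msg, hashlib.sha256).digest()[:CRYPTOGRAM_LEN]
        return {"atc": self.atc, "amount": amount_cents, "merchant": merchant_id,
                "un": unpredictable, "mac": mac}


class Issuer:
    """Holds each card's key and the highest ATC it has already accepted."""

    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enrol(self, pan, card):
        self.keys[pan] = card.card_key
        self.last_atc[pan] = 0

    def authorise(self, pan, tx):
        key = self.keys.get(pan)
        if key is None:
            return "DECLINE unknown card"
        if tx["atc"] <= self.last_atc[pan]:
            return "DECLINE replayed cryptogram"
        msg = _transaction_bytes(tx["atc"], tx["amount"], tx["merchant"], tx["un"])
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:CRYPTOGRAM_LEN]
        if not hmac.compare_digest(expected, tx["mac"]):
            return "DECLINE bad cryptogram"  # amount or merchant was altered in transit
        self.last_atc[pan] = tx["atc"]
        return "APPROVE"


if __name__ == "__main__":
    # Constructed sample data: a random card key, a made-up PAN and PIN.
    card = ChipCard(card_key=secrets.token_bytes(16), pin="4821")
    issuer = Issuer()
    issuer.enrol("4111********1111", card)
    tx = card.generate_cryptogram(1999, "SHOP-1", secrets.token_bytes(4))
    print(issuer.authorise("4111********1111", tx))   # APPROVE
    print(issuer.authorise("4111********1111", tx))   # DECLINE replayed cryptogram
    for guess in ("0000", "1234", "1111"):
        try:
            print("pin ok" if card.verify_pin(guess) else "pin wrong")
        except CardLocked as err:
            print(err)
```

The point to notice is what the merchant and the network never see: the card key and the PIN stay in the chip, and the only thing that travels is a cryptogram that is worthless once the issuer has accepted that ATC. A magnetic stripe carries none of these protections, which is why a stripe on the same card undoes most of the benefit.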
However, I am also sure that a Smart Card with a magnetic stripe pretty well negates most of the advantages of the Smart Card. I would be much happier if our retail world would just bite the bullet and upgrade now to Smart Card readers. It would be a great, secure solution as long as our banks and credit card companies only issued us Smart Cards with no magnetic stripe. In fact, I would be happy to buy a Smart Card reader and go back to the world that American Express envisioned years ago, when they wanted us to put their Smart Card credit card in a reader and enter a PIN before making an online purchase. However, I would likely be in the minority. Certainly a transition as I envision it might be painful, but it would be secure.
There is more to this story, because companies like Google would like us to start using Near Field Communication, or NFC, with our smartphones and Google Wallet to make purchases. Just to make things more complex, Google recently announced a Google Wallet debit card. Unfortunately the Google Wallet card has, you guessed it, a magnetic stripe.
Smart Card technology built into some of the newest smartphones can turn our phones into secure payment devices. That might be okay if your phone does not get stolen, is protected from unauthorized use, and can be remotely wiped before someone has time to crack into it, but I need to hear more to be convinced.
I would buy into using an NFC card and verifying with a PIN on my smartphone. That is more convenient than the current situation, where you get a phone call at home to verify a purchase that does not fit your purchase profile.
As I mentioned in my February 27, 2014 RWW article, I recently called American Express, whose credit solutions I have trusted since 1973. They offered to send me a new chip and PIN Smart Card credit card. However, it would come with my information encoded on the magnetic stripe. According to their current policy I would still have zero liability for fraud with my American Express credit card, and that certainly is better than what I have with a debit card.
There are some new solutions out there that promise to make paying with your phone much easier even without NFC. PayPal’s new mobile app is an attempt to change the process of paying with your smartphone. With the app on your phone, you can see nearby stores that accept PayPal. Interestingly, PayPal has gone a step further in the United Kingdom with its PayPal Here system, which implements chip and PIN technology. They also have an inexpensive chip and PIN card reader that merchants can use with their own smartphones or tablets as the end device. PayPal claims end-to-end encryption for the PayPal Here system. You can check in to the store, be billed, and receive either an email or a printed invoice. As they have rolled out this system in the United Kingdom, there have been some claims that cash will be obsolete in three years. Here in the United States we will, for now, have to settle for the PayPal app letting us use our smartphones to see which stores accept PayPal.
PayPal Here is not the only mobile-enabled payment system being implemented in the United Kingdom. Zapp, a system which initially will only work with online payments, is also in the works and will give 18 million UK bank customers the ability to use a smartphone to pay for online purchases and, eventually, in-store purchases.
A lot of big players are angling for a piece of the mobile payments world and it will be a while before we know the winners.
Certainly, even if we move to Smart Cards using chip and PIN technology in the United States, we still have the challenge of where our information is stored. We have already learned that Target and others are not very good at protecting our information. The Target breach has reportedly been traced to the stolen credentials of an HVAC contractor. Are Google, Apple, and PayPal any better? I cannot answer that.
If our future has magnetic stripes for backwards compatibility, our information is at risk no matter how secure the place where it is stored, because the stripe itself carries a copy of it. If merchants move to Smart Card technology without magnetic stripes, one that uses secure tokens and does not pass our account information around, our information will be safer. It seems the people driving mobile payment technology understand this far better than the banks and credit card companies, who are clinging to plastic swipe cards because of the resistance they believe they will get from merchants and customers who might go back to cash, as my wife and I have for a lot of our purchases.
Doing secure online transactions remains a challenge even where chip and PIN technology has reduced fraud in stores, where you must use your card in the merchant’s presence. Solutions like Zapp have come to the fore because chip and PIN does not help a lot with “card not present,” or online purchase, fraud. There are other solutions, like Trustev, which profile us to a much higher degree than credit card companies currently do when they fight fraud. Of course, that solution ends up with the amorphous cloud knowing more about me than I might like it to know.
Security and individual privacy involve trade-offs. I would rather use technology to solve my problem without losing all of my privacy. I would be quite happy to use a chip and PIN card for online transactions with the requirement to validate each transaction with my smartphone, similar to the way I prove who I am when I log into Facebook from a new device. Or I would also be happy to use a SecurID keyfob for online transactions. I am already using two-factor authentication for PayPal on my computers. Maybe we trade off some convenience using electronic two-factor authentication, but we would be getting a system that fixes several of our problems.
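Validating each online transaction from a phone works best when the one-time code is bound to the transaction the customer actually saw, not just to the moment in time. The following is an added example written for this page, not code from the article, from Zapp, PayPal, or any bank. It assumes the bank and the customer's phone share a secret enrolled earlier, that the phone displays the amount, merchant and order id before computing a 6-digit code over exactly those details plus a 30-second time step, and it reuses the truncation step of HOTP (RFC 4226) over an HMAC-SHA256 of the transaction data rather than a bare counter. The secret, merchant names and order ids in the usage are constructed sample data.

```python
"""Added example, not code from the article, any bank, or any payment app.

Transaction-bound one-time approval code for "card not present" purchases.
Assumptions: a secret shared between bank and phone, a 30-second time step
with one step of clock skew tolerated, and the RFC 4226 truncation applied
to HMAC-SHA256 over (time step, amount, merchant, order id).
"""
import hashlib
import hmac
import time

STEP_SECONDS = 30   # time step, as in TOTP
SKEW_STEPS = 1      # accept one step either side to tolerate clock drift
DIGITS = 6


def _field(text):
    """Length-prefix variable-length fields so that, e.g., ("AB", "C") and
    ("A", "BC") cannot encode to the same bytes."""
    raw = text.encode()
    return len(raw).to_bytes(2, "big") + raw


def _transaction_bytes(amount_cents, merchant, order_id, step):
    """Everything the customer saw on screen, plus the time step."""
    return (step.to_bytes(8, "big") + amount_cents.to_bytes(8, "big")
            + _field(merchant) + _field(order_id))


def _truncate(mac):
    """Dynamic truncation from RFC 4226 section 5.3, reduced to DIGITS digits."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def _code_for_step(secret, amount_cents, merchant, order_id, step):
    msg = _transaction_bytes(amount_cents, merchant, order_id, step)
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def approval_code(secret, amount_cents, merchant, order_id, now=None):
    """Phone side: the code shown after displaying the transaction details."""
    now = time.time() if now is None else now
    return _code_for_step(secret, amount_cents, merchant, order_id, int(now // STEP_SECONDS))


class BankVerifier:
    """Bank side: recomputes the code from the details the merchant submitted,
    so a code typed for one amount cannot approve a different one."""

    def __init__(self, secret):
        self.secret = secret
        self.approved_orders = set()   # each order id may be approved once

    def verify(self, code, amount_cents, merchant, order_id, now=None):
        now = time.time() if now is None else now
        step = int(now // STEP_SECONDS)
        if order_id in self.approved_orders:
            return False   # replay of an already-approved order
        for candidate_step in range(max(step - SKEW_STEPS, 0), step + SKEW_STEPS + 1):
            expected = _code_for_step(self.secret, amount_cents, merchant, order_id, candidate_step)
            if hmac.compare_digest(expected, code):
                self.approved_orders.add(order_id)
                return True
        return False   # wrong code, altered details, or expired


if __name__ == "__main__":
    # Constructed sample data: an enrolled device secret and a made-up order.
    secret = b"enrolled-device-secret-0001"
    code = approval_code(secret, 4200, "Acme Books", "order-77")
    bank = BankVerifier(secret)
    print("customer approves $42.00:", bank.verify(code, 4200, "Acme Books", "order-77"))
    print("same code for $4200.00:", bank.verify(code, 420000, "Acme Books", "order-77"))
```

Compared with a plain SecurID-style code, the difference is that a phished or shoulder-surfed code here is useless for any purchase other than the one it was shown for, and it is useless for that one after the bank has approved it once.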
The problem is that none of this is as easy as swiping a credit card for the majority of people.
As much as I would like for life to remain simple for the majority of plastic-using consumers, it is time for magnetic stripes to disappear from our cards, and those of us in the technology world need to push for it.