Target security breach: Outdated payment system will cause credit card hacks to continue
9:11 AM, Dec 20, 2013
9:59 AM, Dec 20, 2013
NEW YORK (CNNMoney) -- There's a reason millions of credit cards can be stolen from Target at once -- and will continue happening in the future: Our payment system of plastic cards with magnetic stripes is outdated and fundamentally flawed.
The United States is the financial capital of the world, but when it comes to payment technology, it's actually in the boonies.
In recent years, more than 80 countries have upgraded to credit cards embedded with microchips. Cards with chips are inconceivably difficult to counterfeit, and there's added security in every swipe: Terminals require a user's PIN, and the information on the chip is encrypted.
Yet Americans keep using payment technology that was developed in the 1960's. That poses a big risk: Cards with magnetic stripes deliver all your data without hiding anything. Swipe your card and the computer sees everything in plain text: your name, credit card provider, card number, expiration date and more.
All hackers have to do is catch it before retailers' card swiping terminals encrypt that data into jumbled, protected code. They can then easily use that information for online purchases or make counterfeit cards by encoding the stolen account number on a blank card's magnetic stripe.
Chip-and-PIN credit card systems would likely have prevented the Target hackers from seeing anything but encrypted code. And they'd need a physical chip to make counterfeits.
The top credit card companies -- Visa, MasterCard and American Express -- would not say why the archaic magnetic strip system remains the norm.
Credit card fraud in England plummeted 34% in the six years after English banks and merchants implemented chip-and-PIN cards, according to a Federal Reserve report. During a similar period in France, fraud from in-person card use fell 35%.
But chip-and-PIN cards aren't going mainstream in the United States anytime soon. At $1 to $2 per card, they're about 10 times more expensive for banks to produce than magnetic stripe versions. Merchants would also need to upgrade their point-of-sale systems -- an expensive proposition.
"It's kind of a chicken and egg problem. Merchants need to make the upgrade, but do consumers have cards?" said Jason Oxman, CEO of the Electronics Transaction Association.
That trade group hopes the shift to chip-and-PIN will be underway by 2015, but others say 2018 is more realistic. Some banks, such as Chase and Citi, already offer the latest chip-and-PIN cards, but they're mostly marketed to customers who frequently travel abroad.
The problem is that banks and credit card companies have little motivation to change the current system, said Anisha Sekar, who reviews credit cards for finance site NerdWallet. Financial institutions earned $41.2 billion from credit card swipe fees last year, according to advisory firm Sonecon. Meanwhile, they lost just $5.33 billion to fraud, according to payment industry newsletter The Nilson Report.
"Credit card companies don't have much incentive to make cards safer," Sekar said.