Scarcely a week goes by without various news media publishing stories on the theme “Hackers break into corporate database, steal account info from scads of customers.” Same story every time, differing only in the details: which particular company got hacked, what exact number of customers were affected, and which specific white-hat hacker or security blogger first exposed the breach.
Also, these stories usually end by saying “If you, American Consumer, bought anything from the hacked company recently, you need to call your bank and cancel your account and re-organize any automatic payment plans attached to it, and if you do everything right this shouldn't cost any actual money from your pocket, but 'doing everything right' will still be a hugely time-consuming pain in the butt for you. No, of course you won't be compensated for any of your lost time.”
American consumers are more likely to suffer from such hacking incidents than credit or debit-card holders almost anywhere else — not because American computers are easier to hack into than their counterparts in other countries, not even because American credit or debit-card account numbers are easier to steal, but because American account numbers, once stolen, are much easier for thieves to use. However, credit-card heavyweights MasterCard and Visa might finally be taking steps to change that.
MasterCard and Visa announced today that they had formed a “new cross-industry group focused on enhancing payment system security.” The initial phase of this enhancement will be adopting what's known as “EMV chip technology,” which is already ubiquitous in most of the world but absent in the United States (hence the relative ease with which thieves can make use of stolen American account numbers).
EMV stands for “Europay, MasterCard and Visa,” the three companies that first developed the technology. It's been around since the early 1990s and has been in common use throughout the world (except the U.S.) for roughly a decade now.
At first glance, an EMV credit card looks like any other. The difference is that an EMV stores information on an encrypted microchip, rather than a non-encrypted (and relatively easy to counterfeit) magnetic strip.
EMV cards also tend to require a personal identification number (PIN) at point of sale.
These features do not make it impossible for hackers to steal money from accounts, but they definitely make theives' lives vastly more difficult.
Why so slow?
So why haven't EMV cards already become commonplace in America? Answer: the short-term cost of implementation; Reuters mentioned unnamed experts who estimate conversion costs of up to $10 billion.
But the increasing frequency of data breaches in America (and the increasing costs to the credit-card issuers, who usually have to eat the cost of whatever an identity thief buys with his stolen account numbers) has finally persuaded the major card companies that maybe they ought to upgrade their anti-theft systems.
Unsurprisingly, the National Retail Federation supports the proposed security upgrades, and promptly issued a press release saying so. NRF's senior vice president, Mallory Duncan, said of the current American security status quo: “Easy-to-forge signatures are a virtually worthless form of authentication. Insisting on chip-and-signature cards is like installing an alarm on the front door of a home while leaving the back door wide open. It doesn't make sense when the technology exists to secure the entire house.”