Stripping the Magnetic Stripe: What's Taking So Long?Experts Detail Why the US Lags Despite Security and Fraud Risks of Magnetic Stripe
The world is moving on from magnetic stripe payment cards, with one notable exception: the United States. Credit card issuers, banks and consumers agree the magnetic stripe is prone to hacking - so why is one of the largest markets for plastic payment still clinging to decades-old technology?
Cards with the 60-year-old technology exist in the United States because replacing them is an expensive and tedious process - and it's nobody's particular responsibility to make that transition, said Marc Massar, senior adviser at Boston Consulting Group, who added that the U.S. market is one of only a handful of holdouts.
"It's not the only one," Massar said. "There are other smaller markets that ship hasn't made it to yet, like Latin America and some Asian markets, but they're not very large card-acceptance markets."
Magnetic stripes store static account information, while EMV chip cards don't actually transmit the card number during transactions. Instead, chip cards generate a unique code for each transaction for the merchant's card reader, making them much harder to compromise. Financial institutions may be motivated to replace magnetic stripes to reduce fraud, but that requires convincing millions of small businesses to bear the cost, especially when the payment process they have now works well, said Troy Leach, chief strategy officer at Cloud Security Alliance. Leach helped establish and lead the PCI Security Standards Council.
Card brands also cannot, out of the blue, choose to not support a standard anymore, Massar said. "The U.S. especially has millions of merchants, with millions more card-acceptance devices - that's a lot of devices to replace," he said. Gas stations, for example, are one of the largest everyday-spend categories for card payments - and also the costliest for deploying new software, he said.
Organizations also need to adhere to payment standards such as the ISO, which defines the shape, layout and even fonts that can be used on a card.
Merchants are concerned about the disruption to the user experience too, said Al Pascual, senior vice president of enterprise risk solutions at Sontiq. They do not want to introduce something at the point of sale that ostensibly could take longer than a swipe, he said.
Card networks eventually shifted the liability of magnetic stripe-related fraud, and that brought about a behavioral change, Massar said. "If there was fraud at the point of sale, like a counterfeit card being used, the loss would be borne by whatever party wasn't EMV-compliant. And more often than not, that was the merchant," he said.
The liability shift was staggered, so the liability rule didn't apply everywhere all at once. Gas station payment terminals, for instance, were given a bit more time to make the transition.
The change happened in 2015, but "even at that point, there were billions of cards circulating in the U.S., most of which were magnetic stripe cards with shelf lives of four to five years," Pascual said. "So, it took time for merchants to roll out the hardware, for issuers to replace all the cards that were already in the market, processors to get the technology in place, and now eight years later, it's pretty ubiquitous."
But eight years later, magnetic stripes still have not been phased out. That is primarily because merchants feel the need to have a fallback payment method.
"There were a lot of concerns, especially with customer experience. If you're a merchant, and the chip card doesn't work, you're out of a transaction through potentially no fault of yours. That's part of the reason why payment cards maintained the magnetic stripe," Pascual said.
Some merchants also had concerns that transactions using chip cards may not be processed correctly due to hardware issues. "Basically, merchants wanted to give customers the option of swiping too," he said.
While there is a cost associated with the removal of the magnetic stripe, the holdup is about more than just merchants - it is also about the card-issuing community, John Drechny, CEO of the Merchant Advisory Group, which represents more than 150 U.S. merchants, told Information Security Media Group.
"For instance, in Mastercard's announcement, it states that prepaid cards do not have a timeline for the removal of the magnetic stripe. This means that even if merchants install new EMV equipment, they will still be required by the brands to support magnetic stripe, leaving a gap. So, if cards are still going to be in the market, it doesn't make sense for some use cases to install the new equipment," Drechny said.
The Merchant Advisory Group supports a "reasonable" timeline to remove the magnetic stripe to alleviate the burden merchants bear for the liability of fraud if a data compromise occurs, he said. At places such as parking garages, where the magnetic stripe reader is built into the kiosk, it will take some time for merchants to replace them, he added.
"We're not going to have both EMV and stripe on cards forever. Everyone's now used to EMV cards, and the infrastructure should fully be in place by now. There are no excuses," Massar said.
Securing Magnetic Stripe Cards Until They're Phased Out
Payments giant Mastercard looks to phase out payment cards with magnetic stripes by 2033, while Visa has "no specific plans to eliminate magnetic stripe." Visa did not respond to ISMG's request for comment, but Mastercard shared its approach to payment card security.
Security for payment cards, including those with magnetic stripes, requires a "layered, defense-in-depth approach rather than a single solution or silver bullet," Mastercard said.
"Mastercard and colleagues across the industry founded and developed the PCI Data Security Standard, which has hundreds of controls that ensure the safety and security of payment card data, including those found in magnetic stripes," a spokesperson for the payments card company told ISMG.
Leach echoed Mastercard's statement that PCI DSS was created "specifically for the purpose of protecting payment data," and designed to address risks to payment data when it is stored, processed or transmitted. Over time, technologies such as P2PE, tokenization and other advancements minimized the risk of that exposure, he said.
While Mastercard said it continues to ensure that all chips used in its cards are evaluated to be resistant to "sophisticated, state-of-the-art attacks," it did not specify how it is doing so.
The card processor, however, did say that a multilayered approach to security, which provides additional security at every stage of a transaction, is crucial. Mastercard's Decision Intelligence tool, for instance, uses artificial intelligence and machine learning to provide smarter authorization decisions, detect fraud and provide a better consumer experience, the company said.
The Quest for a Perfect Alternative
"From magnetic stripes in the 1960s to biometric payments, innovation has driven the way we interact and transact," Mastercard said. More than 90% of card-present chip transactions are now EMV-enabled, and the newer developments offer enhanced security and convenience, it said.
The EMV chip is an excellent method for minimizing risk and fraud in a face-to-face environment. In countries where EMV chip has been implemented, fraud has decreased significantly at the point of sale, said Nitin Bhatnagar, regional director for India and South Asia at the PCI Security Standards Council.
But EMV chip cards also come with their own drawbacks.
Moisture, for example, can be a challenge, Leach said. Chip reading can be tough in places that have high levels of humidity, and having the more durable and tactile magnetic stripe can help get a secondary read.
If criminals want to use magnetic stripes now, the odds of the transaction going through are not nearly as good as they were 10 years ago. But that doesn't mean EMVs make transactions invincible to fraud.
And while ISO and EMVCo have standardized chip technology, its use is not mandated yet because of the existence of many other newer technologies, such as mobile pay, Leach said. "We don’t want to create a lock-in to any technology that is more than 20 years old, no matter how confident we are to protect current payment transactions," Leach said.
Security researchers at ETH Zurich agree. They found a way to bypass EMV verification to extract data from the chip and demonstrated that that data could be used to create a magnetic stripe version of the same card that can be used at any card-present merchant.
EMV chip cards are still popular among threat actors carrying out card-not-present fraud in countries requiring them, Bhatnagar said.
Securing payment data with data security standards, especially in an evolving payment ecosystem, is critical, as is putting security at the center of building a robust payments infrastructure, Bhatnagar said. PCI DSS v4.0, he said, is a unique example of how the council is evolving security standards and validation programs to support a range of environments, technologies and methodologies to achieve security.
(Associate editor Suparna Goswami from Bengaluru contributed to this article.)