MasterCard, Visa form group to push for better card security

Fri Mar 7, 2014 2:41pm EST

MasterCard and VISA credit cards are seen in this illustrative photograph taken in Hong Kong December 8, 2010. REUTERS/Bobby Yip


(Reuters) - Visa Inc and MasterCard Inc said they had launched a cross-industry group to improve security for card transactions and press U.S. retailers and banks to meet a 2015 deadline to adopt technology that would make it safer to pay with plastic.

The move follows several data breaches at U.S. retailers, including one at Target Corp late last year involving the theft of about 40 million credit and debit card records.

The new group - which includes banks, credit unions, retailers and industry trade associations - will initially focus on the adoption of 'EMV' chip technology, MasterCard and Visa said in a statement on Friday.

EMV cards, already used in Europe and Asia, store information on computer chips rather than on traditional magnetic strips, making them harder to counterfeit.

They can also require - depending on the issuer - that users enter a personal identification number, or PIN, to make purchases, adding an extra layer of security.

However, the National Retail Federation, the world's largest retail trade association, said it had not joined the group because there were no plans to immediately implement the PIN option, making for a "half-baked solution."

"They're not serious about reducing fraud, unless they put a pin on," said Mallory Duncan, the NRF's general counsel.

"We remain insistent that U.S. retailers' customers be given the same protections as consumers in more than 80 countries who have both a chip and a PIN securing their credit and debit cards," Duncan said in a statement.

Visa and MasterCard declined to provide details on specific proposals for the technology to be used in the cards or the make-up of the cross-industry group.

The American Bankers Association did not respond to requests for comment but Patrick Keefe, a spokesman for the Credit Union National Association, confirmed that the trade association was part of the industry group.

"The recent high-profile breaches have served as a catalyst for much needed collaboration between the retail and financial services industry on the issue of payment security," Visa President Ryan McInerney said in the statement.

STRIKING WHILE IRON IS HOT

MasterCard and Visa had already set a deadline of October 2015 for U.S. retailers to adopt the new payment technology.

"Probably about 80 percent plus of the larger retailers were going to be able to make the deadline anyways," said David Robertson, publisher of payment industry newsletter The Nilson Report. Robertson said the formation of the group would help push small and mid-size retailers to adopt the new technology.

Banks and retailers have been dragging their feet over the upgrade, at odds over how the costs would be split.

The NRF has said it could cost the U.S. retail industry about $30 billion to upgrade to chip-based cards, including equipment, training and software.

"Banks and retailers want to make sure that if they invest in new infrastructure, they'll get the return in reduced fraud," Wedbush Securities analyst Gil Luria told Reuters.

MasterCard and Visa said the group would also address security issues with mobile and online transactions. One proposed solution is for traditional account numbers to be replaced by a unique digital payment code.

Target said last month it was accelerating a $100 million program to implement the use of chip-enabled smart cards to protect against cyber threats, with a goal to have the technology in place by early 2015.

"In the aftermath of the Target breach, security is on the minds of executives in the way it hasn't been in a very long time," Robertson said. "This is a classic example of trying to strike while the iron is hot."

(Additional reporting by Tanya Agrawal; Editing by Kirti Pandey, Don Sebastian and Ted Kerr)

Comments (6)
jdlind... wrote:
“Chipped” cards will secure in-person transactions thoroughly, but they can’t help with card-not-present online transactions. Electronic cards - that display and encode (on the mag-stripe) a one-time-use/one-merchant-use number… work to secure BOTH in-person and online transactions.

Let’s address the “static number” problem - not promote solutions that work well (EMV) for one transaction method, but ignore other real-world use cases/methods!

All U.S. payment cards suffer from an inherent problem - it’s known as the “replay attack”.

The numbers on your card can be re-played, over and over again with or without your authentication or authorization.
This type of fraud could be all but eliminated, if the issuing banks were to embrace technology that’s existed for several years. Just one of the technologies that could be used is dynamically created or ‘changing’ card numbers that are only valid for one merchant at a time (however, that merchant can use the number multiple times - including processing returns!)

One perceived roadblock to a wider acceptance of “one time use” card technology is that merchant Point-of-Sale (POS) systems would need to change significantly, and therefore it’s “too costly”.
This is not entirely true.

Check out a company named Dynamics Inc. based in Pennsylvania that has a product that can encode [one-time-use card] numbers onto the magnetic stripe(s) on the back of the card. This enables standard, existing POS card readers to work seamlessly with the newer technology.

A card number that is only good for one transaction at a time, cannot be [re-]sold by criminals.
Whether or not card data is stored at (or scraped from) the POS terminal is irrelevant if the data itself (the card number) changes with every transaction.

See Dynamics Inc.’s webpage (/Corporate/Products) and their “Dynamics Inc. – Enabling Payments 2.0®” Dynamic Credit Card via archive.org [http://www.dynamicsinc.com/Cor...]

Here: http://bit.ly/19fbXKb
(last archived by archive.org on Oct. 1st, 2013).

The single most frightening thing anyone could say that should be the catalyst for the card industry to move toward enhancing the 1950’s card technology that we currently endure is “I’m just going to pay cash and stop using credit cards”. Of course that’ll never happen and as long as everyone continues to believe the myth that “all we can do” is to cancel compromised cards and pay extra for “account monitoring”, recover from identity theft best we can, yada, yada, yada.

The news story that consumers should be hearing is that card skimming fraud could have been eliminated years ago. I believe any merchants that get compromised, are victims themselves, victims of our current card technology that hasn’t evolved significantly since it was first introduced in the 1950’s.

Taxicabs in Illinois, Target, Neiman Marcus, Michael’s, Aaron Brothers, every merchant, and every consumer that has ever suffered financial, personal-data, or identity theft losses due to the inherent security flaws in (U.S.) credit card transactions, should hold the Payment Card Industry (including issuing banks) primarily responsible.

Mar 07, 2014 12:46pm EST

majkmushrm wrote:
The recent high-profile breaches have served as a catalyst for much needed collaboration between the retail and financial services industry on the issue of payment security….

Only sorta. What really happened was that the retailers and banks realized that the slipshod security in the cards might well cost them a real chunk of change. The more secure cards have been implemented in the rest of the world. What’s taking so long to implement it here?

Mar 07, 2014 2:01pm EST

Naksuthin wrote:
This is an instance where you need government intervention. Retailers are playing with the private personal information of card holders because they don’t want to spend the money to do what Europe and Asia HAVE ALREADY DONE….MAKE CREDIT CARDS MORE RESISTANT TO HACKING.
Target’s hacking exposed the credit card information, personal information and email addresses of over 40 million Americans.
The breach has hurt the company image and negatively affected profits. But worst of all it has left 40 million Americans vulnerable to further abuse by hackers.

It’s time for government to step in where private retailers have failed and mandate that credit cards provide the same security features found in THE REST OF THE DEVELOPED WORLD.

Mar 07, 2014 7:57pm EST