NEW YORK—The $45 million cyberheist where hackers robbed ATMs in New York City and around the world highlights a push for stricter credit card standards that U.S. businesses have been avoiding.
Most credit cards in the U.S. store their data in magnetic strips, and rely on little more than a swipe and a signature to prove authenticity. In most of Europe, however, smart cards are used, which verify transactions with a built-in microprocessor, high-level encryption, and several layers of authentication.
The higher standard is known as EMV (Europay, MasterCard, Visa) compliance. It was developed in 1994 to create a global system for smart card-based payments. According to a report from digital consulting firm Capgemini Consulting, by 2011, 75.9 percent of terminals and 42.4 percent of credit cards globally were EMV compliant.
In the United States, however, EMV is only now being adopted. Visa, MasterCard, American Express, and Discover announced their EMV migration plans for the United States in June 2012. Card processors were supposed to be EMV compliant by April 2013, and all merchants have until October 2015 to meet the standard.
The technology could have prevented a heist like the one that just struck New York City and other cities around the world. The cybercriminals had obtained pre-paid debit cards from international banks in Oman and Saudi Arabia, and hackers then accessed the processing systems to raise withdrawal limits on the cards. The information from the magnetic strips on the cards was then sent out to teams around the world, where it was encoded onto fake cards that were used to make withdrawals from the ATMs.
Had EMV standards been in place, the criminals would not have been able to transmit data to print fake cards, since the credit card data would not be contained on the magnetic strip, and since smart cards use advanced encryption.
The dated technology makes Americans targets for fraud, and the United States accounts for nearly half of global fraud losses, an estimated $6.9 billion a year, according to Capgemini Consulting.
The high security offered by EMV also has its problems, however, and this has brought resistance towards the new standard.
Cost is one of the biggest problems. Since smart cards are more advanced than those with magnetic strips, they cost more for the companies issuing them. According to Capgemini Consulting, getting the cards out will cost an estimated $1.7 billion a year.
The other main concern is the shift in liability. Right now, if a person falls victim to fraud, the credit card provider or bank is typically responsible. Under EMV, however, ATM companies, storefronts, and cardholders can be held responsible.
“The increased protection from fraud allows banks and credit card issuers to shift liability to merchants for any fraud that results from a magnetic stripe transaction,” states a press release from payment processing company Electronic Commerce International.
“For transactions in which an EMV card is used, the cardholder is assumed to be liable unless they can unquestionably prove they were not present for the transaction, did not authorize the transaction and did not inadvertently assist the transaction through PIN disclosure,” it states.