Credit card security will benefit from latest technological advances

How easy is it for a defrauder to steal your credit card information?

Consider this recent case of a Florence Bank customer, as told by John Heaps, the bank’s chief executive officer. Sometime last year, the customer used a bank card at a store to make a purchase. A defrauder intercepted the credit card information contained in the card’s magnetic strip and used it to make a fake credit card, which Heaps said is as simple as a trip to Home Depot for some supplies. That process was repeated with hundreds of other customers who visited the store that day and used their credit card.

Then the thief got into the back of a taxi and asked the driver to start swiping the cards to determine which were active. “The driver hands back the good cards and throws the bad ones away,” Heaps said. “Now the guy knows, OK, I’m going shopping.”

That simplicity, however, is about to get more complicated for thieves and more secure for customers thanks to one major technological change in the offing for 2015, and another promising one that has yet to play out, bank officials said during recent interviews.

First, the credit card industry, in a moved backed by MasterCard and Visa, is pushing ahead to do away with the familiar swipe-and-sign of a credit card transaction. In its place will be so-called chip-and-PIN technology called EMV, or Europay, MasterCard and Visa, that for years has proven much more effective at thwarting credit card theft in Europe and other parts of the world.

The second change is the advancement of mobile-pay options, including Apple Pay, a new type of service launched last year that many believe will be a game-changer in the way people pay for goods and services.

“With EMV and Apple Pay, there are a lot of barriers,” said Aleda D. Amistadi, first vice president of operations at PeoplesBank. “They are a more secure way to pay. It’s definitely more beneficial for our customers and for the industry.”

Out with the old

Global pressure had been mounting for some time on the United States to shift to the more advanced EMV technology, but those plans accelerated after major breaches at retailers including Target, Neiman Marcus, Home Depot and others last year left millions of customers vulnerable.

“Merchants, I think, were very complacent about this and had really no intention to invest in the terminals that they’ll need to invest in,” said Cheryl Scully, director of operations and technology at Florence Bank. “But because of these breaches, the bigger ones, they’ve woken up and said, ‘Oh boy. If nothing else I want to make this investment for my reputation risk.’ ”

Europe implemented chip-and-PIN for its credit card-holders a decade ago to replace the magnetic stripe technology developed in the 1970s. The U.S. is the last major market to use the old-fashioned swipe-and-sign system, and in recent years has become a prime target for thieves. That’s because the information on magnetitic stripes is not protected or encrypted in any way, said Lynn M. Starr, chief information officer at Easthampton Savings Bank.

“EMV is just starting to take hold in the United States and I do think it’s because of all the security breaches,” Starr said. “We’ve finally reached this critical mass, we have these breaches occurring all the time and there’s this cry for better security.”

Come October, most credit and debit cards in the United States will be replaced with new cards embedded with the EMV microchip on the front. The chip will contain the cardholder’s information, which currently is stored on a magnetic stripe on the back of the card.

“The information on the magnetic stripe is very static,” said Jacqueline B. Charron, senior vice president of operations at PeoplesBank. “Whereas this is dynamic. It’s changing every time a transaction happens so even if someone were to get information on that one transaction, you couldn’t use it again for another transaction.”

While some credit card companies have already sent customers the new cards, local banks say they are gearing up to do so this fall. Because it may take years for all merchants to upgrade their checkout systems to accept the new technology, the new cards will continue to have a magnetic strip on the back.

How it works

Here’s how chip-and-PIN technology works.

Instead of swiping a magnetic stripe, customers will insert their cards into the bottom of a machine that will hold it until the transaction is completed. During this time, which lasts a few seconds, the terminal reads the microchip and asks a customer for a PIN number to authorize the transaction. Some chip cards will not include the PIN feature early on and will continue to rely on signatures.

Microprocessors in these chip cards encrypt the data of a transaction shared with sales terminals, and add a layer of security to card transactions by turning cardholder information into a unique code for each transaction. Currently, these terminals simply read the data off the card’s magnetic stripe. With chip-and-PIN, the number on the chip alone is useless without a PIN.

This system is more secure and will make fraud more difficult to pull off for several reasons, experts said.

“Today, that magnetic stripe on the back of your card contains data and it lives on your card,” said Becky Lynch, eProduct Manager at Florence Bank. “So wherever your card goes, that information goes with you. The chip is making a one-time encrypted connection with a unique code. The next time the card is used it generates a new code. So it is almost impossible to duplicate and create fraudulent cards with them.”

October is a significant date in the changeover because that’s when liability for fraud shifts from card issuers to merchants, if merchants don’t upgrade their payment terminals to properly accept chip-based cards. Merchants will still be able to run a transaction with a swipe and signature, but they assume liability if a customer has a chip card and the information is stolen.

This is why most banks in the Valley expect to send new cards to customers later this year or in phases. The rollout will likely be accompanied by an educational campaign designed to explain to customers why they are getting a new card, how it will work and what they can expect.

“It’s going to be a change for customers,” said Amistadi, of PeoplesBank. “It’s going to be something that we do need to educate them on so that there is no frustration.”

The cards will also work in ATM machines in a similar fashion, Lynch said. She said Florence Bank has already upgraded all of its ATMs with the technology, but will not begin to use it until customers get the new cards.

Bank officials, however, caution that while chip-and-PIN is an effective way to protect information for “card-present” transactions in stores, it does nothing to protect online fraud.

“We believe that once EMV is put in place and more widely deployed, fraud is going to move to the online channel,” Starr said.

She said online fraud is very limited today because it is far easier for criminals to steal the data at the point-of-sale between retailers and their customers, make their own counterfeit cards with the data and then go out and complete transactions.

“The fraudsters are always one step ahead of us, at least that’s what it feels like,” she said. “I think that’s where the fraud is going to move. So EMV is a partial solution to the problem that we face in the industry but it’s not going to solve it for us completely.”

Scully said Visa and MasterCard are developing a way to create a one-time generated code for online transactions, similar to EMV technology, but that is still in its infancy.

Mobile payments

Experts hope that Apple’s new mobile-payment service called Apple Pay might take security a step further. While mobile wallet technology has been around for some time, it has yet to be widely adopted. Industry experts agree that Apple Pay’s “tap-and-go” system will soon change that.

Starr explains that unlike some of the more traditional mobile wallets that rely on customers’ credit card credentials such as a user name and password, Apple Pay is more secure because it uses something called tokenization.

Users load their credit card data into their phone, and the system then takes the card number and turns it into a token that is unique to that phone. In a tokenized transaction, the customer’s account number is replaced with a “token” — a series of unique, random characters that acts as a substitute for the real account number so that sensitive cardholder data is never seen by the merchant. The credit card information is not displayed on the phone, and the token can only be activated through biometrics, or a thumbprint that authorizes the transaction to occur.

The function only works with iPhone 6 phones, which may slow down its rollout initially. Local banks are also watching this technology closely to see if it’s something they will participate in down the road, said Lynch.

“Some are saying that tokenization is a more secure channel than EMV,” Lynch said. “I think it’s still emerging and we’ll see where it goes.”

The idea isn’t new. In 2011, Google Inc. introduced Google Wallet, a service that has been added to many smart phones running its Android operating system. But that initiative failed to gain much traction.

A third option, called CurrentC, is also in the offing. This system would require only a software download and can be used on existing iPhones and Android devices, whereas Apple Pay is only for the latest generation.

The bottom line with all these options, experts say, is that the technological advances will mean more security for customers.

Chad Cain can be reached at ccain@gazettenet.com.