By Lindsay Wise, McClatchy Washington Bureau
WASHINGTON — Recent high-profile data breaches at Target and Neiman Marcus have accelerated plans by banks and retailers to implement technologies they say will prevent hackers from stealing consumers’ account information.
Malware installed in Neiman Marcus payment terminals exposed 1.1 million debit and credit cards from July to October last year, while the Target incident compromised the personal information of more than 110 million customers in November and December.
The sophistication and scope of the recent breaches have increased pressure to adopt a new generation of microchipped debit and credit cards and a cutting-edge technique known as “tokenization” to protect online and mobile purchases.
Industry experts say the technologies will limit the volume and value of consumer data stored by retailers, who no longer will have to safeguard sensitive details such as card numbers, PINs and security codes.
“It’s not just about protecting consumers from financial loss or the system from financial loss; it’s really about maintaining trust,” said Ellen Richey, executive vice president, chief legal officer and chief enterprise risk officer for Visa Inc.
In the aftermath of the breaches, Visa and MasterCard announced the formation of a new cross-industry security working group focused on speeding up and coordinating the adoption of the new technologies.
“We were pushing that direction, but this Target event has given it the kind of urgency that it didn’t have before,” Richey said.
Banks already are starting to issue debit and credit cards embedded with microchips, also known as EMV, which stands for Europay, MasterCard and Visa. The system is widely used in Europe. More than half of all credit cards in the U.S. are expected to shift to EMV by 2016.
To encourage the transition, MasterCard, Discover, American Express and Visa have instituted a policy that a bank or merchant that hasn’t adopted chip technology by October 2015 will bear the loss if a transaction turns out to be fraudulent, Richey said.
“It’s a fairly powerful incentive,” she said.
The United States has been slow to adopt microchipping because of the high costs associated with replacing traditional magnetic-stripe cards and payment terminals, estimated at $15 billion to $30 billion.
“Because of that high cost, there were definitely folks out there who were skeptical of whether they should or shouldn’t implement it, and now because of the data breaches, that seems to be moving a whole lot faster,” said David Fortney, senior vice president for The Clearing House, the nation’s oldest banking association and payments company, which provides payment clearing and settlement services.
Consumers aren’t likely to notice changes overnight. Banks will issue the microchipped versions as old cards expire, rather than all at once.
The new chip card will have a little symbol on the front to represent the microprocessor embedded inside.
“It’s actually like a little computer, a real little computer with applications and a processor in it,” said Visa’s Richey. The microprocessor also can be placed in a mobile phone, she said.
Instead of swiping the card to pay, a shopper dips a “contact” chip card into a slot in the pay terminal at checkout.
“Contactless” chip cards will use radio signals, so the shopper has only to tap or hold a card or mobile phone close to the terminal to make a purchase.
The computer in the card produces a cryptographic message that changes with every transaction, so even if thieves steal the account number, they can’t make a counterfeit card, Richey said.
“The problem we’re having is that criminals can steal information from a merchant environment, and they can get enough information to make copies of the card,” she said. “They don’t have to have your physical card; they can make copies — and as many copies as they want — because the data is static and doesn’t change from transaction to transaction.”
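The difference between static card data and a per-transaction cryptographic message can be shown in a simplified model. This is an added example, not part of the original article: the names `ChipCard`, `Issuer` and `demo` are hypothetical, HMAC-SHA256 and a plain counter stand in for the card's real cryptogram algorithm, and the account number and key are constructed sample values.

```python
import hashlib
import hmac
import secrets

def _mac(key, account, amount, counter, nonce):
    msg = f"{account}|{amount}|{counter}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Toy chip card: the key stays inside the card; only cryptograms leave it."""
    def __init__(self, account, key):
        self.account, self._key, self._counter = account, key, 0

    def pay(self, amount, nonce):
        self._counter += 1  # changes with every transaction
        return {"account": self.account, "amount": amount,
                "counter": self._counter, "nonce": nonce,
                "cryptogram": _mac(self._key, self.account, amount, self._counter, nonce)}

class Issuer:
    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def enroll(self, account, key):
        self._keys[account], self._last_counter[account] = key, 0

    def authorize(self, txn):
        key = self._keys.get(txn["account"])
        if key is None:
            return False
        expected = _mac(key, txn["account"], txn["amount"], txn["counter"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False  # cryptogram does not match these transaction details
        if txn["counter"] <= self._last_counter[txn["account"]]:
            return False  # counter already seen: a copied message, not the card
        self._last_counter[txn["account"]] = txn["counter"]
        return True

def demo():
    key = secrets.token_bytes(32)   # constructed sample key
    account = "4000000000000002"    # constructed sample account number
    issuer, card = Issuer(), ChipCard(account, key)
    issuer.enroll(account, key)
    first = card.pay(2500, secrets.token_hex(4))  # nonce supplied by the terminal
    results = {"genuine": issuer.authorize(first)}
    results["replayed_copy"] = issuer.authorize(dict(first))  # data copied at the merchant
    results["altered_amount"] = issuer.authorize({**first, "amount": 99900, "counter": 2})
    results["next_genuine"] = issuer.authorize(card.pay(1200, secrets.token_hex(4)))
    return results
```

Everything a merchant system sees in `first` is useless for a second purchase, which is the property static magnetic-stripe data lacks.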
Photo: StormKatt via Flickr