When American Express, American Airlines and IBM rolled out the first magnetic stripe credit cards in 1970, a technology that was to revolutionize the banking and credit industry was born. Although credit and charge cards had been in use for several decades, it was the invention of the ‘mag-stripe’ technology that allowed cards to become ubiquitous. The ability to fit account information on a small magnetic strip, affix it to the already familiar plastic card and have it read by hand-held reader devices for computerized verification gave wings to the credit card industry.
Today credit cards are ‘swiped’ everywhere in the US. With 71% of consumers owning at least one credit card and the average credit card holder having almost 4 cards, ‘putting it on the card’ is very popular, with every 4th dollar spent charged to plastic. The majority of these cards still sport the good old ‘mag stripe’, the technology that IBM debuted in 1970.
Mag-stripe cards are cheap to produce at less than 5 cents per card, and they are reasonably secure and easy to use. Incidentally, these three factors – cost, convenience and ease of use – are the most important factors in banks’ and consumers’ considerations when choosing among available payment options. Financial institutions encourage and invest in cost-efficient technologies, while customers look for secure and convenient solutions.
While the stripe still dominates the US card market, its security limitations have become increasingly costly to financial institutions and consumers. The stripes store account information in unencrypted form, which leaves it unnecessarily vulnerable to theft. With around 1/3 of US card users reporting some form of card fraud or theft, institutions are increasingly under pressure to address key security concerns.
Programming the stripe
New technologies propose to make the magnetic stripe itself more flexible and/or more secure by making it reprogrammable. New card designs allow card owners to reprogram their cards with small buttons included on the surface of the standard-size plastic. Entering a secret PIN code loads the card’s magnetic stripe with the necessary account information just before, and only for the duration of, a transaction. The account information fades away after the transaction, making the card ‘dead’ and useless for fraud.
Other cards, such as Citi’s new G2, can be programmed to switch between various accounts: behave as a debit card for one transaction, access the owner’s credit account for another or even allow for the redemption of reward points. Allowing the card to be interactively programmed for multi-account use makes it uniquely flexible and appealing both to customers, who can cut down on the number of cards they carry, and to banks, for whom card management becomes more cost-efficient.
Another novel feature of Citi’s G2 enables the issuer to ‘wipe clean’ the card’s magnetic stripe remotely in case of card theft or loss. As credit card owners are typically liable for a maximum of $50 of fraudulent or unauthorized charges on their stolen or lost cards, issuers bear the brunt of the financial losses related to stolen cards. Finding and offering technology solutions that limit the use of stolen cards is in banks’ best interests.
Beyond the CSV number: OTP or one-time passwords for authentication
As credit card usage and online and other remote transactions have become more popular, secure authentication for online or phone credit card purchases and transactions has been receiving more attention. Static passwords, which can be easily intercepted and reused, and the still widely used CSV number-based authentication provide inadequate security, costing card issuers an estimated $4 billion every year. New solutions promote the use of OTPs, or one-time passwords, which are generated and remain valid specifically for a single transaction.
OTP generation capability can be embedded into the card itself. In the authentication-embedded cards from Australian authentication specialist eMue Technologies, a microchip, keyboard and display work together to create and reveal a unique OTP for the specific transaction. Digital security provider Gemalto developed a card-sized reader that generates a non-reusable OTP upon insertion of the credit card and PIN-based user authentication.
Smartcards: chips, PINs and contactless
In Europe and Asia, other, more secure and convenient card technologies have long been in use. Smartcards that store all the necessary information, protected by encryption, in a tamper-resistant built-in chip offer many advantages. For starters, chip-based data storage is more secure than the magnetic stripe. Smartcards can also be programmed to work in a contactless way, which does not require running them through a reader, as data transfer is done via faster near-field communication (NFC) or radio-frequency identification (RFID). Thus, payment processing with an RFID card can take 50% less time than with traditional credit cards. RFID chip cards can also be set up with additional authentication features, such as requiring the presence of a mobile device registered to the card’s account to deliver a one-time PIN code for added security.
Chip-enabled smartcards come in ‘non-card’ shapes and sizes as well, such as key-chain fobs. Major US credit card issuers have been offering chip-and-PIN contactless cards since 2005, and many newly issued mag-stripe cards include embedded chips as well, mostly unbeknownst to the average user. As most merchants in the US are still equipped with mag-stripe readers only, adoption of chip cards, such as Chase’s Blink or Blue from American Express, is expected to be slower.
Ditch the plastic: digital wallets
Many, including Jerome Svigals, IBM’s project manager in charge of the original mag stripe development, believe that the easiest-to-use, most secure payment method of the near future will be neither a chipped nor a striped card, but smartphone-based e-wallets. Digital wallets combine security and encryption software technology with the personal data stored in the digital device. They use NFC, or near-field communication, technology to transmit secure transaction data to digital readers by ‘waving’ the mobile device in close proximity to the reader. Recently, Google and PayPal have announced projects aimed at developing digital wallet solutions for mass-market use. However, with 16 million magnetic stripe readers sitting on the counters of virtually every business in America, the transition to a ‘cardless-stripeless’ world of ‘wave it’ is not expected to be quick.