Credit and debit cards embedded with computer chips have virtually wiped out the kind of security breaches that compromised millions of cards used at Winners and HomeSense stores in Canada, industry officials say. But it will be another three years before the cards are widely available in Canada.
Some Royal Bank Avion cards have embedded chips, but few merchants are equipped to take advantage of the feature. The cards are for the convenience of international travellers.
The first major rollout in Canada of chip-based cards will begin later this year as consumers' existing cards begin expiring, according to Visa Canada. Some Canadian retailers already have the kind of readers required to use the cards, but it will take until 2010 to replace all the millions of cards and card readers in use across Canada.
"It's really a large-scale investment on the part of the payments industry," said Kirkland Morris, assistant vice-president of strategic policy and programs at the Interac Association of Canada.
Interac, which represents debit-card issuers in Canada, along with Visa and MasterCard in Canada are participating in a pilot project this fall in Kitchener-Waterloo to test the cards, as well as the readers and network required for processing.
Countries in Europe and Asia that have adopted chip cards, also called smart cards, say the cost of card fraud has been cut by as much as 80 per cent. "We're really excited about what this is going to do for us," said Gord Jamieson, director of risk management and security for Visa Canada.
Card fraud in Canada is a multi-billion-dollar problem that's growing every year, partly because fraud artists have moved to countries that don't yet have chip technology, Jamieson said. Last year, credit- and debit-card fraud added up to more than $360 million, with credit cards bearing the brunt of the cost and counterfeit cards accounting for most of the crime.
No one is guaranteeing smart cards will end the kind of fraud that occurred after hackers broke into computer at Winners parent TJX Cos. Inc., putting millions of cards at risk.
"We never say chips are impossible to crack," said William Giles, vice-president of advance payments for MasterCard Worldwide. "We're making it so the economics aren't there. If it takes you 20 years to do it, or costs $20,000 to do it, the economics aren't there. You may hear about labs that do attacks on chip cards. They're not economically viable attacks."
The fallout from the security breach at TJX continued last week as bankers in the company's home state of Massachusetts confirmed that a handful of the compromised cards had been used for fraudulent activity. In Canada, the banks say they are monitoring any exposed credit card account numbers but have not seen any suspect transactions so far.
"If we do, we're going to contact those customers right away," said Kelly Hechler, a spokesperson for the Toronto Dominion Bank.
Current security features limit credit-card fraud by making the cards difficult to replicate, said Visa's Jamieson. As well, banks and other card issuers have systems to issue alerts about unusual activity. In addition, Visa's Zero Liability policy means cardholders are protected from the cost of any fraud that occurs on their accounts.
Still, the TJX incident has prompted renewed calls from consumers for tougher protective security measures. The card industry says consumers will get that with the new chip-based cards.
The industry is also implementing two other features to curb fraud. For the first time in Canada, a consumer will have to punch in a personal identification number, or PIN, instead of a signature, to use a credit card. Merchants will also be required to meet tougher standards for the collection and storage of card data.
Though PINs don't eliminate fraud, they do make it more difficult, MasterCard's Giles said.
That security feature saved Canadian debit-card users from being compromised in the TJX breach, because the cards are useless without the PIN, Interac spokesperson Tina Romano said. "Debit cards in Canada were not affected," she said.
That's not the case in the United States, where some debit cards require only a signature.
The payment-card industry is already pressing retailers to meet higher security standards.
"We prohibit the storage of what we call full track data, which is everything that's on the magnetic stripe, including the account information, the expiry date and the CVV," a special security code, said Visa's Jamieson. "Obviously, not everybody adheres to that."
He said 94 per cent of Visa's top merchants in Canada are in the process of ensuring they measure up.
To the consumer, making a purchase with a chip-based credit card will seem fairly familiar. Much like with a debit-card purchase today, the consumer will put a card into a reader. But instead of swiping the card through the reader, the owner will leave the card in place throughout the transaction while punching in the PIN and confirming the purchase.
Behind the scenes, the transaction will look quite different, because the reader can now obtain much of the information it needs directly from the card, including the authenticity of the PIN, instead of retrieving it over the network from the cardholder's financial institution.
As well, the banks can continually upgrade and change the "public and private keys" used to encrypt the cardholders' data.
The cards could also reduce the risk of shopping online, the industry said, if consumers installed card readers at home to communicate with merchants' sites and require PINs before registering payments.
Security isn't the only reason the card industry can't wait to get smart cards into consumers' hands. The cards also open up a whole new window of marketing and promotion opportunities. Smart cards can be loaded, for example, with all the customers' loyalty-program information. Chip cards can be programmed to make small "contactless" payments – over wireless networks that don't require PINs – at such places as fast-food restaurants and transit stations where speed is of the essence.
So, if chip-card technology is so attractive, why is it taking so long to get to Canada, which is known for having a banking industry among the most automated in the world?
Europe got an early start with France adopting its own proprietary system in the 1980s. As fraudulent activity began migrating, France's neighbours had to follow its example to protect themselves.
But an international standard wasn't set up until 1996, said MasterCard's Giles. The fact that the U.S. shows few signs of adopting chip technology anytime soon is also a factor.
"We can't ignore the fact that we share a border with the U.S.," he said. He hopes Canada's decision to forge ahead will help spur on the U.S.
Meanwhile, Visa's Jamieson said, the number of people likely to be defrauded from the TJX security breach will probably be very small compared with the number the company said were compromised. TJX has said the hackers got access to cards used over a long period, including all of 2003 and from last May to December. That could encompass millions of transactions, observers have said.
But those cards and the networks used for processing are loaded with security features that make the cards difficult to replicate and use, he said.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment