Smart Credit Cards Arrive in U.S. -- Finally
Credit cards featuring smartcard technology have been standard fare around the world for several years now -- but not in the U.S., where financial institutions have continued using cards based on less-secure magnetic stripe technology.
That may finally be about to change. Last week, the United Nations Federal Credit Union (UNFCU) became the first financial institution in the U.S. to unveil plans to issue credit cards that comply with the Europay MasterCard Visa (EMV) smartcard standard. The credit union's new Platinum Visa EMV cards will be issued to about 5,000 of its most high-value customers and can be used anywhere EMV cards are accepted
Cards based on the EMV standard use an embedded microprocessor instead of a magnetic stripe to store cardholder data and all of the other information needed to use the card for a transaction. Many financial institutions that issue EMV Chip cards also require cardholders to enter a Personal Identification Number (PIN) as an added security measure when using the card.
Chip-and-PIN credit cards are considered to be significantly safer than cards with magnetic stripes, which has led to the widespread adoption of EMV smartcards across Europe and in several other countries. EMVCo, an organization run by MasterCard, Visa, American Express and others to administer the EMV standard, estimates that close to a billion EMV cards were in use worldwide in 2009.
Financial institutions in the U.S., however, have resisted using the technology because of the expected costs of integrating it into the payment system. To accept Chip-and-PIN technologies, merchants will be required to either upgrade or replace all of their existing payment terminals. Banks, too, could end up spending significant money to roll out the cards to customers.
But that reluctance to adopt the technology is being felt by U.S. travelers abroad, said Merrill Halpern, card services manager at UNFCU. U.S. card holders are finding it harder to use their magnetic stripe cards in countries that have standardized on EMV technology. That's especially true in situations involving unmanned payment terminals such as ticket kiosks at railway stations or payment stations at parking garages.
"The U.S. is definitely behind in this area," he said. "It lags the rest of the world."
Boston-based Aite Group LLC last year conducted an online survey of more than 1,000 U.S residents who traveled outside of Canada, the Caribbean and Mexico. The survey found that, on average, U.S. cardholders had about a 50-50 chance of experiencing some sort of problem using their card in Western Europe. Aite Group estimated that nearly 10 million U.S. cardholders had such problems while abroad in 2008 resulting in nearly $4 billion in lost transactions for the U.S. card industry.
"The promise of ubiquitous card payments acceptance falls apart once U.S. cardholders cross their national border," the survey said.
UNFCU's rollout of EMV smartcards was driven by a desire to address such issues, Halpern said. "It definitely was a need that was expressed to us by our members...," Halpern said. "Many of our members felt disadvantaged when traveling abroad by not having a card that could readily be accepted."
The credit union's new cards will work on standard payment terminals in the U.S. as well because they also support magnetic-stripe technology, Halpern said.
In a research note, Gartner analyst Avivah Litan noted that convenience more than security is likely going to drive adoption of EMV smartcards in the U.S. But security should not be overlooked, she said, and companies such as Visa and MasterCard should consider easing some of their security requirements for U.S. merchants willing to make their payment systems EMV-ready.
Visa has reduced the scope of its security audits in cases where organizations have implemented EMV technologies, and the same could be done in the U.S, Litan wrote.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld . Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about security in Computerworld's Security Knowledge Center.