The next step in card security should be obvious. So why does the industry hesitate?
Between EMV and tokenization, merchants today can accept credit and debit cards with little risk, card-present or not. Network tokenization is merely the latest evolution toward the ultimate goal, the demise of the payment account number, or PAN.
So why do the brands, the very authors of EMV and network tokenization standards, continue to flood the ecosystem with machine-readable PANs?
EMV standards have proved incredibly effective in reducing counterfeit fraud. EMV chip technologies leverage encryption and low-level device communications to hide card data from the bad guys. While functionally different from tokenization, encryption effectively hides card data while the transaction is in flight, from the very point when the device reads the chip until the data reach the safe confines of the issuing network.
As with tokenization in the e-commerce world, encryption in the card-present world keeps raw PANs out of a merchant’s environment. That reduces scope under the Payment Card Industry data-security standard (PCI). It also reduces potential breach liability.
Beginning in 2015 with the liability shift, fraud rates dropped by 76% within the first three years. When an EMV card was used with an EMV-compliant device, the merchant was no longer liable for fraudulent transactions. This helped drive the hardware conversion required for a complete EMV ecosystem. The latest available data put U.S. fraud rates for EMV transactions at about 0.03%.
Tokens have been standard equipment for some time in the e-commerce space, eliminating multiple challenges for the merchant. Tokens provide a safe means to manage customers’ payment credentials and significantly reduce PCI scope.
Tokens made instant sense to the gateway community, as well. From the early days of e-commerce, gateways recognized the stickiness value of tokens and semi-integration, and quickly developed their own token-vault technology. Because the gateway issues proprietary tokens, its tokens work only on that gateway, which makes it difficult for a merchant to change gateways. Tokens sold themselves, and everybody won.
In a market familiar with razor-thin pricing, the revenue models behind tokens quickly reached zero. The gateway industry has largely abandoned charging for token services, at least on a per-transaction basis.
Recently, however, there have been rumblings about Visa charging for their new Token Management Service, which replaces the legacy Visa Token Service. Therein lies the rub behind network tokens. Because the network issues the token, a merchant can change its gateway relationship without having to convert its stored tokens. Suddenly, gateways have lost a measurable product advantage.
But the larger point is that tokens and encryption are proven, effective methods of reducing fraud, which they do by keeping the PAN secret. As methods of rendering account numbers worthless, they are practically foolproof.
And therein lies quite another rub.
Why Do We Swipe?
By 2021, nearly all branded credit and debit cards issued were EMV-compliant. Thanks to Covid, they all support tap by default, not just dip, as they did in the early days. Foolishly, every single card also flaunts a 1960s-era magnetic stripe on its back, complete with in-the-clear PANs—right next to that modern chip that is so expensive to hack it’s just not worth it.
Bad enough that cards are still rocking those ancient mag stripes, but it takes two to tango. Mag stripes would be harmless relics if point-of-sale equipment didn’t read them.
Most terminals today support fallback functionality, which means when the EMV chip on the card isn’t working, or is unreadable, the device will allow a read of the magnetic stripe as an alternative source of the payment credentials.
This is convenient for card fraudsters and malicious merchants alike, presenting an easy vector to inject fraud at the point of sale. Mag stripes are simple and cheap to copy, a process known as cloning. Cloned cards with dummy, non-working chips but valid mag stripe data work fine on a terminal that supports fallback. And the fallback procedure is rarely questioned by retail personnel. They pay little attention to the device, since it’s the cardholder doing the swiping these days.
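The fallback exposure described above can be measured and policed at the terminal or the acquirer's transaction feed. The example below is an added illustration, not code from the article or from any card brand or terminal vendor. It assumes only the ISO/IEC 7813 track 2 layout (PAN, separator, YYMM expiry, three-digit service code, discretionary data) and the ISO convention that a service code beginning with 2 or 6 means the card carries a chip; the terminal ids, threshold, and track 2 strings (built from the well-known 4111… and 5555… test numbers) are constructed sample data. A swipe of a chip-bearing card at a chip-capable terminal is, by definition, a fallback, and a terminal that produces several of them in a short window is the pattern a merchant or acquirer would want to review.

```python
"""Classify magnetic-stripe swipes and flag EMV fallback at the point of sale.

Added example, not the article's code. Track 2 samples below are constructed
from publicly known test card numbers; the service-code rule comes from
ISO/IEC 7813 (first digit 2 or 6 => integrated circuit present on the card).
"""
import re
from collections import Counter

# ISO/IEC 7813 track 2: optional ';' start sentinel, PAN, '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, optional '?' end.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# Service-code first digits that declare a chip is present on the card.
CHIP_SERVICE_FIRST_DIGITS = {"2", "6"}


def parse_track2(track2: str) -> dict:
    """Extract the fields a fallback decision needs; keep only the PAN's last 4.

    Full track data must never be stored, so the parser deliberately returns a
    masked PAN rather than the raw value it was given.
    """
    m = TRACK2_RE.match(track2)
    if not m:
        raise ValueError("malformed track 2 data")
    svc = m.group("svc")
    return {
        "pan_last4": m.group("pan")[-4:],
        "expiry": m.group("exp"),
        "service_code": svc,
        "chip_card": svc[0] in CHIP_SERVICE_FIRST_DIGITS,
    }


def classify_swipe(track2: str, terminal_chip_capable: bool = True) -> dict:
    """Label a stripe read as fallback, stripe-only, or a swipe at a non-chip terminal."""
    info = parse_track2(track2)
    if info["chip_card"] and terminal_chip_capable:
        # A chip card read via stripe on a chip-capable terminal: the chip
        # was skipped, whether because it failed or because it is a dummy.
        info["kind"] = "fallback"
        info["action"] = "manual_review"   # constructed policy: attendant checks the card
    elif info["chip_card"]:
        info["kind"] = "swipe_no_chip_reader"   # terminal cannot read chips at all
        info["action"] = "accept"
    else:
        info["kind"] = "swipe_stripe_only"      # card declares no chip; plain swipe
        info["action"] = "accept"
    return info


def fallback_alerts(events, threshold: int = 2) -> dict:
    """Count fallback swipes per terminal over a batch of (terminal_id, track2) events.

    Returns the terminals at or above `threshold`, the ones worth a closer look.
    """
    counts = Counter()
    for terminal_id, track2 in events:
        if classify_swipe(track2)["kind"] == "fallback":
            counts[terminal_id] += 1
    return {tid: n for tid, n in counts.items() if n >= threshold}


# Constructed sample batch: service codes 201 and 601 declare a chip, 101 does not.
SAMPLE_EVENTS = [
    ("T01", ";4111111111111111=29122011234567890?"),  # chip card swiped -> fallback
    ("T01", ";5555555555554444=30016010000000000?"),  # chip card swiped -> fallback
    ("T02", ";4111111111111111=29121011234567890?"),  # stripe-only card -> ordinary swipe
    ("T02", ";5555555555554444=30012011234567890?"),  # one fallback, below threshold
]

if __name__ == "__main__":
    for tid, t2 in SAMPLE_EVENTS:
        c = classify_swipe(t2)
        print(tid, c["pan_last4"], c["service_code"], c["kind"], c["action"])
    print("terminals to review:", fallback_alerts(SAMPLE_EVENTS))
```

In a real deployment the classification happens inside the terminal application before anything leaves the device; the acquirer then sees only the entry mode and a masked PAN, which is why the parser above returns the last four digits and nothing else. The per-terminal count is the piece a merchant's own monitoring can add: a single fallback is routine, a terminal that produces a run of them is not.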
Skimmers are another example of how easily mag stripes get hacked, like those seen with regularity on gas pumps. Taking advantage of an industry that still lags in EMV adoption, pump skimmers are able to collect card credentials right off the stripe, without interfering with the underlying purchase. Some even report approval status, so the bad guys can sell the hot card numbers at a premium.
Both Visa and Mastercard have plans to phase out magnetic stripes on issued cards in the coming years. The quandary is, why the slow schedule? Mastercard seems to be the faster of the two. Starting this year, it no longer requires mag stripes on cards in certain EMV regions like Europe. This rule will follow in the United States in 2027.
By 2029, no new Mastercard credit or debit cards will be issued with magnetic stripes worldwide. The complete elimination of magnetic stripes on all Mastercard cards, including those in circulation, is expected by 2033. While Visa has expressed similar phase-out plans, it has not been forthcoming with specific schedules.
The result? Merchants across the country will be expected to accept an obsolete credential for the next decade, one that largely undermines the previous decade’s progress in security.
Why the Wait?
No technological migration of this scale happens overnight, and rarely happens without great cost. The card brands have spent billions over the previous decade to improve network security, adopt EMV, and implement network tokenization. Meanwhile, merchants have borne a significant cost for a new generation of EMV-compliant equipment.
It’s time to call out the elephant in the room: the next step in making the PAN obsolete is a freebie. Issuers simply need to stop printing the mag stripe.
Then, everybody wins. Merchants will stop getting drubbed for mag-stripe downgrades, and will enjoy both a lower interchange cost and the liability shift on risk—for all transactions, not just some.
At the same time, issuers win with lower fraud and issuance costs, and acquirers win with reduced fraud, fewer chargebacks, and improved interchange fees. Cardholders win with improved account protection and ease of use.
Better yet, there’s no new technology to build, certify, or implement. No new software to install. No policies to amend, since PCI, EMV, and brand rules in their current form all cover the implications of a swipe-free ecosystem. EMV was always meant to replace the mag stripe. Only one thing left to do—no more stripes.
There may be hope on the horizon. Leading point-of-sale hardware technology these days is all about mobile—iPhones and Android are the new Verifone. Along with all the other advantages these modern platforms bring to the industry, what they don’t bring just might be the game changer – swipe readers.
—Cliff Gray is principal at Gray Consulting Ventures, a payments advisory.