Issue 10 - April 2011
SEPA for Cards
Time to Prepare the Eulogy - 'Six Feet Under' for the Magnetic Stripe in SEPA
Eurosystem recommends migration to chip-only cards
21.04.11 By Wiebe Ruttenberg and Monika Hempel
The Seventh Progress Report, published by the European Central Bank (ECB) / Eurosystem in October 2010, recommends that from 2012 onwards, all newly issued SEPA cards should be issued, by default, as 'chip-only' cards. If the industry decides to keep the magnetic stripe for practical reasons, any data enabling magnetic stripe transactions should be removed. The industry will, however, have to be prepared to offer the cardholder legacy magnetic stripe cards upon request, as long as there are still regions outside SEPA which have not fully migrated to EMV. Monika Hempel and Wiebe Ruttenberg comment on the expected demise of the magnetic stripe in Europe. Readers who are interested in this article are invited to join the transatlantic dialogue on this subject. The article 'The Magnetic Stripe: Why it is Hard for Americans to Say Good-Bye. In the US, clinging to old-fashioned payment methods is more than just a bad habit' outlines the less enthusiastic American perspective.
Key Information in this Article
The process of attaching a magnetic stripe to a plastic card was invented fifty years ago. At that time, the addition of the magnetic stripe to payment cards was a valuable tool in combating credit card fraud.
Today, the magnetic stripe as a tool to combat fraud has become blunt. Cards equipped with the magnetic stripe are vulnerable to skimming, i.e. the unauthorised reading and subsequent use of data contained in the magnetic stripe.
Card data abuse has become a global problem which causes huge losses for financial institutions worldwide. Given the vulnerability of magnetic stripe cards, and in support of the European payment industry’s commitment to migrate to chip and personal identification number (PIN) technology in the area of cards, the Eurosystem has recommended in its Seventh SEPA Progress Report that all new SEPA cards should, by default, be issued as chip-only cards from 2012 onwards.
The Eurosystem’s approach consists of three layers:
Historical background of the magnetic stripe
Thirty years ago, the Walkman - a portable personal stereo audio cassette player - became one of the icons of youth culture and the 'bête noire' of a parent's generation. Like many great innovations of its time, it died out not with a bang, but a whimper. Today, other technologies perform the functions of magnetic tape for recording and playing back music and movies and the iPod, iPhone, iPad have taken the place of the Walkman.
Fifty years ago, one generation earlier, the process of attaching a magnetic stripe to a plastic card was invented. At that time, the addition of the magnetic stripe to payment cards was a valuable tool in combating credit card fraud, as it automated the tedious process of comparing account numbers with blacklists of fraudulent accounts at the point of sale.
Today, after half a century of accelerated technological progress, the magnetic stripe as a tool to combat fraud has become blunt. It has become vulnerable to skimming, i.e. the unauthorised reading and subsequent use of the data contained in the magnetic stripe. Card data abuse has become a global problem which causes huge losses for financial institutions worldwide. At the same time, according to Europol, which had to take action against card fraud networks on numerous occasions, criminals can still consider payment card fraud as a profitable and relatively low-risk business.
Reaction by the financial industry and status of EMV migration
The European Payments Council (EPC) has reacted to this situation. The SEPA Cards Framework (SCF) states the requirement that by the end of 2010, all cards, point of sale (POS) terminals and automated teller machines (ATMs) in the Single Euro Payments Area (SEPA) should be EMV-compliant, i.e. they should support the use of chip and, on the acquiring side, the personal identification number (PIN). According to the SCF, magnetic stripe-based transactions are not SCF-compliant after 2010.
Furthermore, the EPC recommends in the resolution on 'Preventing Card Fraud in a Mature EMV Environment' that card schemes should grant issuers the option to adopt a chip-only approach, be it by issuing chip-only cards or by allowing them to refuse magnetic stripe transactions. By using the chip instead of the magnetic stripe, stronger cryptographic algorithms can be used to authenticate cards and the cardholder.
The European Central Bank (ECB) monitors the migration from magnetic stripe to EMV chip for payment cards, POS terminals and ATMs in the European Union (EU) and euro area, and regularly publishes the results on the ECB website [1]. According to the ECB's SEPA card indicators for EMV-migration, at the end of the fourth quarter 2010, the migration status of cards in the euro area was 82 percent, POS terminals stood at 88 percent and ATMs at 95 percent [2]. Nevertheless, the vast majority of SEPA cards are still equipped with a magnetic stripe.
The completion of the migration towards EMV Specifications for payment cards, POS terminals and ATMs is an important prerequisite for migration at transaction level, i.e. card payment transactions with EMV-compliant cards at EMV-compliant terminals, using EMV technology in the processing of the transaction. The ECB also monitors the progress in this area and has found that at the end of the second quarter 2010, 57 percent of all POS transactions in the euro area were EMV transactions.
Migration at the transaction level, however, lags behind due to the fact that the card is still often 'swiped' (i.e. the magnetic stripe is read) instead of 'dipped' (required to read the chip). Furthermore, a certain number of card payment transactions in the euro area are made by travellers from countries where the migration to EMV has not yet started. For instance, travellers from the US who shop in Europe still use their magnetic stripe credit and debit cards, and merchants who want to do business with them - as well as the acquiring banks - still have to accept that. Americans have started to realise, however, that there are situations - such as train ticket vending machines - where only chip and PIN are accepted. In such situations, they have to revert to cash.
In the US, the magnetic stripe is a 'die hard' technology. This may have some historic reasons, such as relatively low telecommunication costs for card validation by phone in the US, compared to higher costs in Europe before the liberalisation of the telecommunication industry, as well as consumer habits and preferences. Nevertheless, it is a fact that the presence of magnetic stripes with customer and account identification data makes the card vulnerable to skimming.
Chip-only Eurosystem recommendation
Because of this vulnerability and in support of the European payment industry in its migration to chip and PIN, the Eurosystem has recommended in its Seventh SEPA Progress Report that all new SEPA cards should, by default, be issued as chip-only cards from 2012 onwards. The Eurosystem's approach consists of three layers:
Firstly, from 2012 onwards, all newly issued cards should be issued as chip-only cards, reflecting a gradual approach, with no big bang scenario. Secondly, if the industry decides to keep the magnetic stripe for practical reasons (e.g. to access self-service areas of bank branches and at ATMs), it should not contain any payment-related data. Thirdly, legacy magnetic stripe cards may be issued on customer request (e.g. for travelling outside Europe).
For the sake of clarity, it is emphasised here that the Eurosystem's recommendation addresses only the issuing side of the card payment. It does not address the acquiring side. Merchants and acquiring banks remain free to accept magnetic stripe-only cards carried by non-European card holders.
Europe should strive to achieve an increased level of security for card transactions and, in doing so, should not be held back by decisions taken in other parts of the world.
Concern over card fraud is taken seriously
The concern over card fraud is illustrated by the decision of 22 Belgian banks to block their debit cards for usage outside Europe as of January 2011 [3]. According to the Belgian financial sector federation, 98 percent of debit cards would not be affected by that measure since they have never been used outside of Europe. Cardholders who require use of their debit cards outside of Europe are offered individual solutions by the issuing banks. It has been reported that this measure has already led to a decrease in fraud due to skimming. While this is a first step in combating fraud, in the long run, it is recommended that steps should be taken to tackle the problem of skimming at its root by removing the magnetic stripe.
At first sight, cardholders might perceive this as a deterioration of service. On the other hand, consumers are increasingly aware of security issues regarding cards, and it cannot be denied that many card holders are more and more uncomfortable with using their cards due to increasing security concerns. These concerns have been triggered by media coverage of the theft of millions of credit card numbers from payment processors, international card skimming networks and payment card fraudsters. Thus, raising consumer awareness of the risks relating to magnetic stripe may help to alleviate the perceived inconvenience.
Like the cassette Walkman, which was retired by Sony in 2010, the heyday of the magnetic stripe on cards is over. It will not go six feet under in Europe all at once, but it is time to prepare the eulogy.
Wiebe Ruttenberg is Head of the Market Integration Division in the Directorate General Payments and Market Infrastructure of the European Central Bank. Monika Hempel is Expert in the Market Integration Division of the European Central Bank.
The views expressed are those of the authors and therefore should not be reported as representing the views of the European Central Bank.
Related article in this issue:
Related article in previous issue:
Work in Progress. The EPC approves update of the SEPA Cards Standardisation Volume and a new resolution 'Preventing Card Fraud in a Mature EMV Environment' (EPC Newsletter, Issue 9, January 2011)
[2] Figures will be published on the ECB website before long.