Historical background of the magnetic stripe
Thirty years ago, the Walkman - a portable personal stereo audio cassette player - became one of the icons of youth culture and the 'bête noire' of a parent's generation. Like many great innovations of its time, it died out not with a bang, but a whimper. Today, other technologies perform the functions of magnetic tape for recording and playing back music and movies and the iPod, iPhone, iPad have taken the place of the Walkman.
Fifty years ago, one generation earlier, the process of attaching a magnetic stripe to a plastic card was invented. At that time, the addition of the magnetic stripe to payment cards was a valuable tool in combating credit card fraud, as it automated the tedious process of comparing account numbers with blacklists of fraudulent accounts at the point of sale.
Today, after half a century of accelerated technological progress, the magnetic stripe as a tool to combat fraud has become blunt. It has become vulnerable to skimming, i.e. the unauthorised reading and subsequent use of the data contained in the magnetic stripe. Card data abuse has become a global problem which causes huge losses for financial institutions worldwide. At the same time, according to Europol, which had to take action against card fraud networks on numerous occasions, criminals can still consider payment card fraud as a profitable and relatively low-risk business.
Reaction by the financial industry and status of EMV migration
The European Payments Council ( ) has reacted to this situation. The Cards Framework (SCF) states the requirement that by the end of 2010, all cards, point of sale (POS) terminals and automated teller machines (ATMs) in the Single Euro Payments Area ( ) should be EMV-compliant, i.e. they should support the use of chip and on the acquiring side, the personal identification number (PIN). According to the SCF, magnetic stripe-based transactions are not SCF-compliant after 2010.
Furthermore, the recommends in the resolution on 'Preventing Card Fraud in a Mature EMV Environment' that card schemes should grant issuers with the option to adopt a chip-only approach, be it by issuing chip-only cards or by allowing them to refuse magnetic stripe transactions. By using the chip instead of the magnetic stripe, stronger cryptographic algorithms can be used to authenticate cards and the cardholder.
The European Central Bank (ECB) monitors the migration from magnetic stripe to EMV chip for payment cards, POS terminals and ATMs in the European Union ( ) and euro area, and regularly publishes the results on the ECB website1. According to the ECB's card indicators for EMV-migration, at the end of the fourth quarter 2010, the migration status of cards in the euro area was 82 percent, POS terminals stood at 88 percent and ATMs at 95 percent2. Nevertheless, the vast majority of cards are still equipped with a magnetic stripe.
The completion of the migration towards EMV Specifications for payment cards, POS terminals and ATMs is an important prerequisite for migration at transaction level, i.e. card payment transactions with EMV-compliant cards at EMV-compliant terminals, using EMV technology in the processing of the transaction. The ECB also monitors the progress in this area and has found that at the end of the second quarter 2010, 57 percent of all POS transactions in the euro area were EMV transactions.
Migration at the transaction level however, lags behind due to the fact that the card is still often 'swiped' (i.e. the magnetic stripe is read) instead of 'dipped' (required to read the chip). Furthermore, a certain number of card payment transactions in the euro area are made by travellers from countries where the migration to EMV has not yet started. For instance, travellers from the US who shop in Europe still use their magnetic stripe credit and debit cards, and merchants who want to do business with them - as well as the acquiring banks - still have to accept that. Americans have started to realise however, that there are situations - such as train ticket vending machines - where only chip and PIN are accepted. In such situations, they have to revert to cash.
In the US, the magnetic stripe is a 'die hard' technology. This may have some historic reasons, such as relatively low telecommunication costs for card validation by phone in the US, compared to higher costs in Europe before the liberalisation of the telecommunication industry, as well as consumer habits and preferences. Nevertheless, it is a fact that the presence of magnetic stripes with customer and account identification data makes the card vulnerable to skimming.
Chip only Eurosystem recommendation
Because of this vulnerability and in support of the European payment industry in its migration to chip and PIN, the Eurosystem has recommended in its Seventh Progress Report that all new cards should, by default, be issued as chip-only cards from 2012 onwards. The Eurosystem's approach consists of three layers:
Firstly, from 2012 onwards, all newly issued cards should be issued as chip only cards, reflecting a gradual approach, with no big bang scenario. Secondly, if the industry decides to keep the magnetic stripe for practical reasons (e.g. to access to self-service areas of bank branches and at ATMs), it should not contain any payment-related data. Thirdly, legacy magnetic stripe cards may be issued on customer request (e.g. for travelling outside Europe).
For the sake of clarity, it is emphasised here that the Eurosystem's recommendation addresses only the issuing side of the card payment. It does not address the acquiring side. Merchants and acquiring banks remain free to accept magnetic stripe-only cards carried by non-European card holders.
Europe should strive to achieve an increased level of security for card transactions and, in doing so, should not be held back by decisions taken in other parts of the world.
Concern over card fraud is taken seriously
The concern over card fraud is illustrated by the decision of 22 Belgian banks to block their debit cards for usage outside Europe as of January 20113. According to the Belgian financial sector federation, 98 percent of debit cards would not be affected by that measure since they have never been used outside of Europe. Cardholders who require use of their debit cards outside of Europe are offered individual solutions by the issuing banks. It has been reported that this measure has already lead to a decrease in fraud due to skimming. While this is a first step in combating fraud, in the long run, it is recommended that steps should be taken to tackle the problem of skimming at its root by removing the magnetic stripe.
At first sight, cardholders might perceive this as a deterioration of service. On the other hand, consumers are increasingly aware of security issues regarding cards, and it cannot be denied that many card holders are more and more uncomfortable with using their cards due to increasing security concerns. These concerns have been triggered by media coverage of the theft of millions of credit card numbers from payment processors, international card skimming networks and payment card fraudsters. Thus, raising consumer awareness of the risks relating to magnetic stripe may help to alleviate the perceived inconvenience.
Like the cassette Walkman, which was retired by Sony in 2010, the heydays of the magnetic stripe on cards are over. It will not go six feet under in Europe all at once, but it is time to prepare the eulogy.
Wiebe Ruttenberg is Head of the Market Integration Division in the Directorate General Payments and Market Infrastructure of the European Central Bank. Monika Hempel is Expert in the Market Integration Division of the European Central Bank.
The views expressed are those of the authors and therefore should not be reported as representing the views of the European Central Bank.
Related article in this issue:
Related article in previous issue:
2Figures will be published on the ECB website before long.
If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website conditions of use.