Why do my UK card issuers insist on putting magnetic stripes on my payments cards? Why are they still embossing them? Where do they think I’m going to go on holiday? 1972?
I think it is important to understand what the general public think about things, no matter how ignorant or uninformed their views are, so I often read the comment threads under newspaper articles with more interest than the articles themselves. Take, for example, a recent Guardian piece on chip and PIN in the US (not!). In the comment thread, someone asked in passing as to why their (French) payment card had a magnetic stripe on it. This made me think, because two of my UK payment cards have been recently cancelled and reissued (at a cost of £godknowswhat each time). In both cases they are UK issuers bearing the cost of US fraud. In both cases they have been reissued with a pointless stripe. Is this really sustainable?
One of the cards, that I sometimes use for business expenses, was replaced a couple of weeks ago. My issuer called and told me that the card had been counterfeited and used (of all things) in a car wash in North America. I doubt that international criminals were after high-limit cards to use in car washes, so I assume they’d used it in the car wash to see if it had been cancelled yet. I asked the nice woman on the phone if they could reissue the card without a magnetic stripe on the back and automatically decline further magnetic stripe transactions. She said (in essence) that that option wasn’t in her script, so no.
Then I had a call from another issuer, saying that another of my cards was being cancelled and reissued because it had been reported compromised in a US data breach. I don’t remember shopping at Target in the last year (although I may well have done) so it must be another retailer. I don’t actually use that card much in the US so I suppose I could go back through statements, but hey, I’ve got client work to do today. The two other UK credit cards that I use from time to time (but don’t take overseas) are so far safe. The only other UK card I take to the US is my debit card, and that also remains safe because of my heightened security.
“I would never use my debit card… in a shop or online – only in an ATM,” Mr Birch says. “…mobile is far more secure than cards.”[From Mobile apps boost payment security – FT.com]
I did indeed tell the FT that I only ever use my debit card in ATMs. This is because my debit card, although it has a highly secure chip on it and that chip contains a highly secure EMV application, is undermined for transactional purposes. For unfathomable reasons by bank has chosen to glue a trivially-counterfeitable magnetic stripe to the back of my debit card, added embossing to it and even put my bank account and sort code details on the front. Bizarre. I don’t want the stripe, and I want my bank to automatically decline all stripe transactions whether at POS or ATM. Nor do I want embossing, and I want my bank to automatically reject any “zip zap” transactions. Nor do I use the card online, so I want my bank to decline all CNP transactions except those made with UK merchants (personally, I don’t really want to use it online at all but some merchants such as the DVLA surcharge credit cards by more than the useless Avios or minimal cashback is worth). By and large, unless incentivised otherwise, I’d rather use credit cards because of the combination of rewards and protections that they bundle. I am genuinely mystified as to why people use debit cards, but they do. MCX will have to deal with this as well.
Without offering consumers something equivalent, MCX Retailers will find it exceedingly difficult to convince customers to switch.[From Lessons from a breach | Drop Labs]
I can easily imagine that retailers will (successfully) bribe consumers to opt for ACH-based transactions with less consumer protections in return for loyalty points, coupons and the like. I wonder if the potential for reduced hassle because of increased security might also be factor?
This was brought home to me in ironic fashion because of the second call. They asked me to verify that certain transactions had, indeed, been made by me or my good lady wife. The transactions I was asked to verify included a chip and PIN transaction in a local petrol station. If I were a normal member of the public, and someone called to asked me to verify a chip and PIN transaction, then I would either conclude that something had gone horribly wrong with the chip and PIN system and that my chip had been cloned or that I was not talking to my issuer at all but sophisticated Eastern European fraudsters.
I’d already ruled out the latter possibility. When they first called me and asked me to confirm some personal details, I had naturally assumed them to be sophisticated Eastern European fraudsters, hung up and called back using the number on the back of my card. At this point, I was able to confirm all of the transactions. Anyway, they sent us the new cards. For me this wasn’t terribly inconvenient because I have loads of cards so I just started using one of my other cashback credit cards for the week but for other customers it might have been more of a problem.
When the new card arrived, I signed it immediately. Not in my real name, of course, because I don’t want thieves who steal my card to have a copy of my real signature to practice with. I would never sign “David Birch”, only fraudsters would do that. But what was puzzling was that that card was, once again, embossed and magnetic striped-up. I don’t want either of these fraud vectors on my card. The only place that I would use the stripe is in the USA, and I’m perfectly happy to use other cards while I’m there: in particular my excellent Simple card.
This is all a great waste of everyone’s time and money. Until we get a more secure mobile phone-based card infrastructure in place with working tokenisation, can I make a rather obvious suggestion to UK issuers: please block all stripe transactions by default. Customers who want to pay in at-risk areas such as the USA should be required to take special time-limited insecure magnetic stripe cards with them. Surely it would cost my bank less to give me a one-month magnetic stripe-only companion card a couple of times a year than to keep having to reissue chip cards. I would also like the ability to block all CNP transactions with new merchants unless using 3D Secure until my issuer app works properly to confirm transactions.
Incidentally my favourite comment on The Guardian thread was from the chap who said that the US still uses stripe because the NSA finds it easier to read the data and that it’s the NSA that is blocking EMV. Sounds plausible to me.