Euro Security Watch with Mathew J. Schwartz

ATM / POS Fraud , Cybercrime , Fraud Management & Cybercrime

Payment Cards Finally Set to Lose Their Stripes

Mastercard Announces Timeline for Phasing Out Magnetic Stripes. What Took So Long?
Payment Cards Finally Set to Lose Their Stripes
Mastercard's decline and fall of stripes: Zebras not included (Photo: Guido Konrad, via Flickr/CC)

Payment cards are set to finally lose their stripes.

See Also: Live Webinar | A Buyers' Guide: What to Consider When Assessing a CASB

Mastercard has announced that starting in 2024, banks and other institutions that issue its credit and debit cards will no longer need to include a magnetic stripe on the back. By 2033, magnetic stripes on its cards will be extinct, it says, except for prepaid cards in the U.S. and Canada.

"For many years I had a lot of fun complaining about America's attachment to the magnetic stripe." 

No doubt other payment card brands will soon follow suit after Mastercard's announcement.

This change has been a long time coming. Credit for physically affixing a magnetic stripe to a card goes to IBM in the early 1960s. Adding the stripe to credit cards helped boost their adoption, especially in the United States. Today, the stripes encode essential card data, including such so-called track 2 data as a card's account number, expiration date and verification code.

But other options have long been available. Since the mid-1980s, for example, many European banks have issued smart cards, which include a microchip, eliminating the need to have a magnetic stripe or to maintain systems through which such cards get swiped. Adding a chip to cards also makes it much more difficult to produce counterfeit cards, for example, if attackers are able to steal track 2 data. The introduction of the EMV standard for smart card payment cards in the 1990s also made it easier for such cards to work across countries.

Given the poor security offered by magnetic stripes and having cashiers visually verify if a signature on the back of a card matches what a customer has just scrawled, one persistent question remains: What's taking so long for magnetic stripes to go extinct?

America's Love Affair With Stripes

The short answer appears to be that while the much of the rest of the world has moved to quickly embrace chip and PIN, as well as contactless payments - especially during the pandemic - the U.S. has continued to remain stuck on magnetic stripes.

"For many years. I had a lot of fun complaining about America's attachment to the magnetic stripe and chronicled the transition through to chip cards, contactless and mobile phones," says Dave Birch, a digital financial services expert, in a blog post. "That transition still has some way to go, incidentally, because unlike most of the world, where, to all intents and purposes, all in-person card payments are made using chips, as of last year, only around three-quarters of U.S. transactions were executed in this 21st-century mode."

US Is World Leader - in Card Fraud Losses

From a fraud-fighting standpoint, swiping a card - or inserting a chip card into a terminal - and then signing a paper receipt remains much less secure than other alternatives. Yet less secure approaches still dominate in the U.S., exacerbated by Mastercard, Visa and others opting to not require chip-and-PIN payments, perhaps worried that consumers wouldn't be able to remember PIN codes for the many different pieces of plastic in their wallet. Instead, the U.S. standardized on the weaker chip-and-signature approach.

Not coincidentally, the U.S. remains the undisputed world leader in credit card fraud. In 2019, worldwide card losses totaled $28.7 billion, of which the U.S. was responsible for more than one-third, despite only accounting for one-fifth of the world's card-payment volume, according to data from Nilson Report.

Credit card fraud, in particular, continues to be a major type of fraud that American consumers report to the Federal Trade Commission. In 2019, the FTC received nearly 54,000 such reports, totaling $135 million in losses, rising to 66,000 reports and $149 million in losses in 2020.

But banks and issuers experienced much greater fallout from such fraud, because they cover the fraud costs for many types of card-present transactions. If merchants make sure chip cards get "dipped" and not swiped, they are not liable for card fraud.

In the U.S., as of 2019, only 3% of payment cards had contactless capabilities. Whether POS systems could read them was another matter. Merchants must pay to upgrade their own POS systems, and unless there's a clear revenue upside, many won't be early adopters.

Europe and Other Regions Differ

Contrast the U.S. situation with Europe, which first embraced chip-and-PIN cards, and then contactless payments, in which a consumer waves their payment card, or a smartphone on which they've loaded their cards, in the vicinity of a reader. One benefit during the pandemic has been the lack of contact necessary to conclude a transaction.

In 2019, Visa found that more than two-thirds of face-to-face transactions in mainland Europe already occurred using contactless payments. By October 2020, more than 75% of in-store Visa payments in Europe were contactless.

In Britain, consumers in April used contactless payments for 47% of all credit card and 63% of all debit card transactions, collectively totaling $1.3 billion in spending, according to U.K. Finance.

"Contactless fraud on payment cards and devices remains low with 16 million pounds ($22 million) of losses during 2020, compared to spending of 9.46 billion pounds ($13 billion) over the same period," it says, which works out to fraud losses of just 1.8 pence for every 100 pounds spent.

Change Is Coming

But finally, magnetic stripes are set to end, at least for Mastercard. Here's the financial giant's timeline:

  • 2024: Mastercard payment cards in regions such as Europe will no longer require magnetic stripes.
  • 2027: U.S. banks issuing chip cards will no longer have to include magnetic stripes.
  • 2029: Mastercard says no more of its credit or debit cards will be issued with a magnetic stripe.
  • 2033: Mastercard anticipates that none of its still-valid cards will have magnetic stripes - except for prepaid cards in the U.S. and Canada.

News of the decline and fall of magnetic stripes comes on the heels of a consumer survey conducted by Phoenix Consumer Payments Monitor last December for Mastercard, which found that only 11% of Americans prefer swiping. More than half preferred inserting their chip card into a payment terminal, citing security concerns. A lesser number expressed a preference for paying via contactless.

Clearly, change takes time. In a July study, for example, Phoenix found 19% of U.S. consumers didn't want to see magnetic stripes go away.

Merchants in the U.S., however, say they can't wait to see the death of magnetic stripes.

"The merchant community looks forward to a day when requirements to support the magnetic stripe and the burden to protect data merchants really don't need are eliminated," says John Drechny, CEO of the Merchant Advisory Group, which represents more than 165 U.S. merchants. "We applaud Mastercard for taking this next step to help to strengthen payment security and protect merchants and consumers from risk. We'd like to see others in the industry move in this direction."



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.