It is no secret that instances of credit card fraud increase daily and cost billions of dollars in losses. This has prompted several countries to move away from complete reliance on the magnetic stripe found at the back of credit cards for approval for credit card purchases. The world is now moving towards the use of credit cards with embedded chips to fortify consumer protection.

What has prompted this move?In recent years there have been massive credit card data breaches all over the world. One of the most talked about surrounded Target Corporation. During the height of the holiday shopping season in 2013 more than 40 million customers of the retail business, Target Corporation, had their debit or credit card information compromised by a data breach. Hackers accessed Target’s server and installed malware that captured customers’ personal data, including credit card numbers, names, expiration dates, and three-digit security codes. These bits of information were then used by criminals to make fraudulent purchases all over the world.An investigation led by the attorneys general in Connecticut and Illinois concluded that Target was at fault in failing to provide reasonable data security to its customers. On May 24, 2017 it was announced that a settlement had been reached, wherein Target will pay US$18.5 million to 47 states and the District of Columbia. This settlement follows and is in addition to Target’s prior agreement to pay US$39 million to the banks which lost millions when they were forced to reimburse customers who lost money in the massive 2013 hack.But Target was not the only victim of a massive data breach in 2013. Soon thereafter there were several credit card data breaches at other well-known establishments, including Home Depot Inc and Neiman Marcus Group Limited. 

Theft of credit card data — magnetic stripeThese data breaches involved the theft of data stored on the magnetic stripe of cards used at the stores. The type of data stolen allowed the creation of counterfeit cards by encoding the information onto any card with a magnetic stripe.These massive data breaches in 2013 prompted card issuers to assess the weaknesses of the existing payment system which relied on the magnetic stripe technology. This assessment led to the vulnerabilities of the magnetic stripe technology being brought to the forefront of discussions.Soon thereafter US card issuers migrated to the use of a new technology to protect consumers and reduce the costs of fraud. The newly used technology is termed ‘EMV’ Cards. 

The ‘EMV’ card — The chip card‘EMV’ which stands for Europay, Mastercard and Visa is a global standard for cards equipped with computer chips which are embedded on the card itself. The computer chip card technology was developed by Europay, MasterCard and Visa, and it is from this that the card derives its name. 

Chip and pin fortified cardsThese cards were widely used in Europe before being introduced in the United States, and are said to fortify the security of the identity information which is stored on the card itself. The cardholder’s personal information and account information are stored directly on the embedded chip and it is concealed in a code to help increase data security when making transactions at terminals. The consumer also inserts a personal identification number to gain approval for the transaction. 

Magnetic stripes vs chip cardsEMV cards are more secure, as when an EMV card is used for payment the card chip creates a unique transaction number that cannot be used again for future purchases.This is a unique feature which was not present in the magnetic stripe technology. A vulnerability of the magnetic stripe on traditional cards is that it contained unchanging data. Therefore, the same data would be generated each time the card was used for effecting a purchase. Consequently, whoever accessed the data gains the cardholder’s sensitive information which is required for all purchases. This made the traditional card prime targets for counterfeiters.For the EMV card the unique transaction code is never repeated. Therefore, if a hacker stole the chip information from one specific point of sale, typical card duplication would never work because the stolen transaction number created in that instance cannot be used again for another transaction.It has been argued that had the EMV card technology been used during the holiday season of 2013, then the hackers would not have derived much benefit from stealing the card data found on the systems. In fact, the data stolen would not have been useful in conducting further transactions as all future transactions would have been denied.

The Jamaican contextCredit card and debit card fraud is not unheard of in our context, and it may not be incorrect to say that these incidents are also on the increase. Our society still relies heavily on the magnetic stripe technology which has been used for years. Until we perhaps move towards fully embracing global trends, it still behoves us all to do the best with what lies at our disposal. Vigilance for all stakeholders is key and a necessary tool in the fight against cyber criminal activity.A helpful tool for financial institutions would be to bolster cyber security measures to detect breaches early. Particularly with the use of credit cards, the transmission of customer alerts concerning unusual transactions and unusual patterns of credit card transactions may prove to assist in mitigating loss. Customers can also monitor balances and keep proper records of all transactions. 

ConclusionCredit card fraud and computer data breaches may be unavoidable; however, improvements in technology, such as the EMV cards may prove to mitigate and even deter such activities. If that occurs, it will certainly enure to the benefit of society as a whole. Therefore, in this age of the heavy reliance on data to effect commercial transactions, each individual and stakeholder is not without a role in the fight against cyber criminal activity. 

This material is for information purposes only and does not constitute legal advice. 

Andrea Martin-Swaby is head of the Cyber Crime Unit and a deputy director of public prosecutions (DPP) in the Office of the DPP.