The credit cards you carry in your wallet today are far different from the ones you carried a few years ago and are vastly different from the ones your grandparents carried forty or fifty years ago. Technology has made stealing information from your cards easier than ever, and the card issuers – banks, companies like Discover and American Express – have banded together to fight technology with technology to combat the high rates of credit card fraud.
In the Beginning, there was…. Nothing
The birth of the modern-day credit card started with a left-at-home wallet. The founder of the first charge card, Diners Club, realized he’d left his wallet at home when it was time to pay for his restaurant meal. His wife paid the tab, but Frank McNamara conceived the idea of using a card to pay for goods or services at the table, and discussed the idea with the owner of the restaurant, and Diners Club was born. In 1950, when Diners Club was born, computers were on the horizon but there was no way to verify the user of the card was actually the owner. Cards were imprinted on paper, signed, packaged by the merchant and sent to the card issuer for processing. The card issuer paid the merchant when the tickets were processed and sent the bill, due in full, to the cardholder. After Diners Club proved to be a success, other companies were started, namely American Express and Carte Blanche. These three cards are not credit cards – the bill is due in full at the end of each month – and are termed Travel and Entertainment (T&E) charge cards. The first true credit cards were the BankAmericard, the precursor to Visa, and Interbank Master Charge, the precursor to MasterCard. Banks were able to issue revolving credit accounts with the cards, allowing the cardholder to pay off the bill over time.
Technology Arrives on the Scene
Charge cards were created in 1950, when computers were in their infancy, and networks weren’t even thought of at this point. The only tool for authorizing a purchase before the sale was complete was the telephone. As the charge and credit cards gained in popularity, the incidences of fraud caused the card issuers to develop a way of authorizing the transaction before the sale was final. The first tool for authorization was voice authorization, where the merchant would call a voice center established by the card issuers, with information about cardholders easily accessible. This was slow but better than nothing, and voice centers are still in use, primarily as backups for when the network is down. After the voice center, the next step was audio response, where the issuers would establish phone lines for merchants to use. The merchants would call these lines and enter the transaction information over the phone to an automated system. Before touch-tone phones, the merchant would speak the information; once the touch-tone phones were in use, the merchant would use the keypad to enter the data. The system then looks up the information given, and either issues an approval, with a code, or declines the transaction. These systems reduced fraud, so the card issuers continued to develop ways authorizing purchases before they were complete.
Merchant Terminals and Magnetic Stripes, oh my!
The next big step for authorizing transaction was the advent of the magnetic stripe on the back of the card. This stripe carries information, in a static form, to be used to identify the person making the purchase, and to approve or decline the transaction based on his or her account information. The mag stripe is still in use in the US today, although it is being phased out. While a vast improvement in security, the stripe has problems; the stripe is easily duplicated on readily available equipment, and the information can be captured when the stripe is swiped at the point of sale. These flaws, and the amount of fraud they produce led to the next step in card security – the chip.
RFID Chips and the Card
The US is late to the party when it comes to utilizing chip security; Europe has been using the chips and the protocols to process them for quite a while. The first protocol for chip processing was developed by Europay, Mastercard, and Visa, and is named EMV. The protocol uses encryption when a transaction is taking place, and the data is not stored on the chip. The chip and the transaction terminal use a process known as tokenization. The chip and the terminal create a unique, one-time use token to send to the authorization center for online verification, or it will be verified by the terminal itself, in offline verification. Offline verification is not as secure as sending the transaction to an authorization center, but it is faster. During times of heavy volume, card issuers will allow merchants to use offline verification for small amounts, to keep traffic off the networks.
There are two types of chips in use in cards: contactless (embedded) or contact chips. The contact chips are more secure, as they require physical contact before being activated. Contactless chips utilize another protocol, known as Near Field Communications, or NFC. These chips use wireless technology to communicate with a terminal. These cards do not require insertion, but you tap or wave the card at the terminal instead. The protocol also uses encryption and tokenization to verify the transaction data, but it is much faster than cards that must be inserted. The drawback is they’re more easily compromised; someone with an RFID reader can get close enough to the cardholder to swipe their information without their knowledge. While the distance for access is small, it’s still possible to get someone else’s information while standing behind them in a line, or sitting next to them. To protect against random theft while not using the card, get a metal card case for carrying the card, or use tinfoil as a low-tech alternative while the card is in your wallet.
Chip-and-Signature or Chip-and-Pin
Card issuers in the US generally issue credit cards with chip-and-signature verification protocols. This simply means you sign for your purchases, just as you always have with your mag stripe cards. In Europe, they have replaced the chip-and-signature verification with chip-and-pin. This means you enter a pin as part of the verification process. This is generally regarded as more secure, as signatures can be easily forged, and clerks rarely verify the signature entered against the signature on the card. You can get a card that carries both protocols in the US, but the chip-and-signature is the default protocol used on this side of the pond. Debit cards that function as both debit and credit cards are chip-and-pin verification, simply because US card holders are used to entering their pins on ATM and debit transactions. Your card issuer should inform you of which protocol your card is capable of using; if it’s not chip-and-pin, you should still be able to use it in Europe when making purchases where a human is involved. It may be difficult to use at unattended kiosks, such as a railway ticket kiosk, but it’s not a show-stopper.
Credit cards are vastly different from when they were first developed, although the way you use them hasn’t changed. The differences are for fraud prevention and theft protection; card issuers have a vested interest in keeping both down to as low a level as possible. As technology advances, your methods of payment will advance with them, making your life easier in the process.