Industry Research
Publication Date: 25 July 2007                                                               ID Number: G00149569



The Demise of the Magnetic Stripe and the Rise of the
Chip
Alistair Newton

Gartner's 2006 predictions for the banking industry identified 2007 as the beginning of
the end for the magnetic stripe in payment cards. A number of factors and developments
increase the likelihood that banks will start migrating away from payment cards with
integrated magnetic-stripe capability as standard practice.

Key Findings
• Fraud is still being perpetrated on Eurocard, Mastercard and Visa (EMV) payment cards
  using magnetic stripes that contain payment card and customer details.

• The magnetic stripe remains a weak point that may compromise data and its
  subsequent reuse in countries where EMV has not been deployed.

• Removing the magnetic stripe from chip-enabled payment cards would eliminate the
  ability to use those cards in non-EMV payment terminals and ATMs, but would also
  reduce the risk of compromised card data and ID theft for customers and banks.

• Customers are being inconvenienced by banks' attempts to combat this fraud, including
  stringent limitations on the use of payment cards at overseas ATMs or point-of-sale
  terminals.

Recommendations
• Banks currently issuing EMV-based payment cards should plan now to start allowing
  customers to request payment cards, starting with debit cards, without a magnetic
  stripe to help protect them from identity theft.

• As banks add functionality, such as contactless capability, they should consider allowing
  customers to customize their payment card to include the deletion of the magnetic
  stripe.

• As use of prepaid payment cards grows, banks have an opportunity to offer prepaid
  foreign currency cards to customers who have elected to have the magnetic stripe
  removed from their day-to-day payment cards.

• Banks should examine and assess their existing card management applications to
  ascertain the feasibility of issuing and managing a portfolio of payment card products
  with no magnetic-stripe contingency.




© 2007 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form
without prior written permission is forbidden. The information contained herein has been obtained from sources believed to
be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although
Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal
advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors,
omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein
are subject to change without notice.
ANALYSIS

In Gartner's 2006 predictions for the banking industry, the banking team examined the likely
demise of the magnetic stripe as the core data and service interface for payment cards, and its
complete replacement by chip technologies for all card payments. Recognizing that in some
markets, particularly the United States, the magnetic stripe will remain in place for years,
Gartner predicted that 2007 would mark the beginning of the end of the magnetic-stripe payment
card. A number of factors and developments have since taken place that add further weight to the
potential for many banks to start migrating away from payment cards with integrated
magnetic-stripe capability.

Full rollouts and pilots of EMV chip technology are progressing well in Europe, Asia, Canada,
Central America and South America, and are succeeding in cutting fraud for point-of-sale and
ATM transactions in those countries. However, payment cards are still being illegally cloned and
customer details are being abused, because the magnetic stripe has been retained on the back of
most payment cards as a fallback during the transition to EMV. This allows customers to use the
payment cards in countries that do not offer EMV.

The details in the magnetic stripe can be used to produce cloned payment cards that can, in turn,
be used in countries that have not yet rolled out EMV. Banks and payment card companies
have reacted to this fraud in a number of ways, and have used fraud identification and tracking
software effectively to manage fraud losses. However, many banks have also deployed blunt
transaction limits and blocks on overseas card use that are problematic for customers and do little
to encourage customers to use their payment cards when traveling abroad.

As more countries roll out EMV (particularly as the Single Euro Payments Area develops to the
point that EMV cards become mandatory), opportunities for fraud stemming from such
weaknesses will be reduced. Significantly (from the customers' point of view), the number of
countries that do not support EMV will also be reduced. While Gartner recognizes that the
complete removal of magnetic-stripe technology on payment cards on a global basis is years off,
new chip-enabled payment cards have extended the life of payment cards, and banks are starting
to issue cards with expiry dates up to four years out.

Banks that issue EMV cards should start planning for the time when customers demand payment
cards without magnetic stripes and expect their banks to accept only payment requests initiated
through EMV chips and PIN-based applications as a means of protecting their financial identities.

Identity Theft: Banks Can Act to Protect More Customers
The number and scale of identity thefts associated with bank customers' payment
cards have been rising steadily during recent months. Specifically, payment card details have been
compromised by:

• Corrupted point-of-sale devices or staff: for example, a spate of attacks on petrol
  service-station point-of-sale devices in the United Kingdom in which card details and the
  associated PIN numbers were compromised.

• ATMs fitted with skimming devices and cameras: for example, recent attacks on ABN
  Amro in the Netherlands and WestPac in Australia resulting in both banks having to fit
  antiskimming devices to their ATM networks.

• Direct theft of card payment details from retailers: for example, the hacking of the
  retailer TJX in the United States, which appears to have compromised more than 45
  million credit and debit card details.


The increasing range of these attacks has resulted in the production of a growing number of
cloned cards. Importantly, these cloned cards have succeeded because of reliance on
magnetic-stripe technology, which allows the replication of customer details and subsequently
allows cash withdrawals from ATMs or purchases with the fake cards. Predominantly, these
cloned cards are being produced for use in countries that are not making use of the current EMV
chip card standards, or are in the early stages of rolling out EMV so that all transaction and
authentication details are routed through the magnetic stripe.

Banks that already issue EMV cards can limit the rise in identity theft and differentiate themselves
in terms of helping to protect their customers from identity theft by removing the magnetic stripe
from those cards that are unlikely to be used abroad or that are likely to be used only in countries
that support EMV transactions. The removal of the magnetic stripe would not be relevant or
correct for a certain type of customer, specifically the customer who travels regularly. However,
for others who may travel infrequently or not at all, the stripe's removal would be unlikely to
hinder day-to-day use of their payment cards. To avoid losing large amounts of interchange
income generated from overseas card transactions, banks should consider offering this service
first for debit cards, which tend to be used less for overseas purchases than are credit cards.

Current Actions to Reduce Fraud Can Be Difficult for Customers
For some time, banks have used fraud detection applications, in addition to stronger front-end
authentication, to identify and act on transactions that are considered unusual and out of the
ordinary. If deployed with sensitivity to changing customer payment habits, such fraud detection
solutions can prove extremely successful. However, with the use of cloned cards on the increase,
banks are often reverting to fairly blunt forms of control, such as:

• Rejecting requests for cash advances from foreign or out-of-state ATMs, or payment
  requests at the point of sale, unless the customer has previously informed the bank that
  he or she will be traveling to a specific country

• Imposing mandatory limits on cash withdrawals or transaction limits, either in total or on
  a daily limit basis

Both types of regulation are inconvenient for customers, especially where these limits and
controls are not well publicized. Banks imposing these controls argue that they are protecting
their customers, thereby increasing customers' faith in their banks' ability to manage fraud.
However, they should balance protection with convenience and usability or else risk losing the
customer transactions to other banks that may offer greater flexibility.

By offering customers the option of removing the magnetic stripe (initially from their debit cards,
and later from their credit cards) and accepting only payment requests or ATM withdrawals
initiated via the EMV chip, banks would be able to lift these restrictions and controls on their
customers who would only be using their cards in countries with EMV capabilities. This would
make it more convenient for the customers, drive more card payment revenue and reduce fraud
exposure for the banks.



