Thursday, August 19, 2021

End of the Magnetic Stripe

In 1956 my senior colleagues in "Advanced Product Planning" at IBM Research wrote a "blue sky" paper in which they visualized our modern token based retail payment system.  They could not foresee the personal computer, the mobile computer, or the Internet but they did get cards right.  Frankly, I do not think they gave enough thought to the fraud that might come with it.  It was to be another generation before we began to worry about "Data Security and Privacy" as we called what we now call "cyber security."

While it is long over due, there is finally a plan with a date certain for removing the magnetic stripe from credit and debit cards.    I have argued for a plan with a schedule and I should not whine about how far out it is. This is a major change and those few merchants who cannot yet process EMV, much less contactless, deserve some time to catch up.  However, 13 years seems a little much.  

As with other innovations in this space, the plan is for the US to trail the rest of the world.  We were the last to get EMV and we will be last to get rid of the mag-stripe.  There will continue to be a lot of fraud exploiting this fundamental vulnerability in the window in this plan, but better late than never.

Perhaps there is some difficulty in getting rid of this obsolete mechanism that I do not understand.  Mastercard is clearly not bringing to this effort the pressure that it brought on the industry to adopt EMV or the Payment Card Industry Data Security Standards (PCI DSS). 

Comment:   Now I feel better.  A colleague reminded me that we do not have to rely upon the brands to eliminate the magnetic stripe; the consumer may do it for use  Cards may well have disappeared long before Mastercard's unrealistic timeline for removing the mag-stripe.  

I am close to cardless already.  I carry one card; however, I rarely have to use it; I usually pay with my watch.  I use my card at my dentist and, of course, in restaurants.  (In Europe they do not even need cards in restaurants.  On a recent ferry trip, I asked if I could use Apple Pay.  The bartender simply put his wireless point of sale device on the bar, just like in European restaurants.) 

Because of the way I carry the one card, on two recent excursions into NYC, I simply forgot it.  When the waiter presented the check, instead of putting down my card, I simply put down my iPhone with an  image of my card.  The waiter took it away without comment and returned it without comment.  I signed the credit card receipt and we were done.  

Most of my retail transactions are done with my watch.  For e-commerce, I prefer merchants who offer PayPal, Apple Pay, or Google Pay.  Many already do.  More will do so as they learn that it protects them from fraud, perhaps at a higher, but efficient, transaction rate.  

As I think about, it is almost too late to worry about the mag-stripe.  The brands can do more to resist fraud by promoting check-out proxies, than by eliminating the mag-stripe.