November 12, 2013
In university, I worked at a restaurant. The police showed up one day and arrested one of my waiter colleagues, for ‘stealing’ card numbers. He carried a discreet device that clandestinely skimmed mag stripe data. He would then sell the data to criminals who produced counterfeit cards.
How to steal card data on a mag stripe is widespread knowledge. An even more basic theft is one where the thief literally reads the printed card number right off of the card. In Canada’s EMV market, skimming with the aim to counterfeit a card is a dead sport. But Card-Not-Present fraud has increased in recent years. The Canadian Bankers Association produced the following figures:
2012
Visa, MC, AMEX (CNP Losses Only): +0.03%
Debit / Interac (All Losses): -45%

Important Facts
Visa/MC/Amex Liability Shift (Can.): 2011
Visa/MC/Amex Liability Shift (US.): 2015
Visa/MC/Amex Liability Shift (Europe): 2005/6 (!)
Interac/Debit Cut-Off Date (Can.): 2015
Interac/Debit EMV Migration (Can.): 2010 - 2012
There are a few things to keep in mind about Canada’s debit network. The Interac cut-off date means that no terminals may process a non-EMV debit transaction beyond 2015 – it doesn’t merely pertain to a liability shift. Card issuers are well ahead of that deadline and have completed their EMV card migrations. Additionally, on-line debit in Canada is not yet widely used but it is growing in popularity. The figures in the chart above show us that as the EMV framework rendered it impossible to steal from a cardholder’s bank account through a counterfeited debit card, thieves shifted to credit card fraud. Notice how credit card fraud increased as EMV debit migration culminated, and then levelled off from 2011 to 2012. The levelling-off is attributable to the Canadian issuers’ near completion of the non-EMV to EMV card migration. So pretty soon the only type of card fraud that will be possible on Canadian-issued cards will be Card-Not-Present fraud.
This article champions a single novel idea: the issuance of cards without the card number printed on the face, and in some cases also omitted from the mag stripe. I think that there are enough cardholders prepared to adapt to this hypothetical new product for the benefit of its added level of security and privacy. If a cardholder forgets her number, she can always check her statement or portal. Despite the fact that we remember so few phone numbers anymore, we still have it in us to memorize a sixteen-digit number.
How would numberless cards work and what are the benefits? Two types of cards would be required: For EMV cards the number needn't appear on the face nor on the mag stripe. This would work handsomely in a market like Canada's where nearly every terminal has an EMV reader. In a card present EMV environment (namely, where terminals can read EMV chips), the mag stripe and embossed number are entirely redundant. With a numberless card, the benefit here is that the number cannot be pilfered since it's not on the face, and not in plain text on the mag stripe.
In the pre-EMV US marketplace, the card number would have to remain on the mag stripe, but could be removed from the face. The benefit here is less than in Canada, but still noteworthy: A cashier or waiter could no longer copy the number down, and neither could your kid, both of whom might use the stolen number to make purchases on-line.
Numberless cards are not for everyone. Firstly, cardholders wishing to make online purchases but not willing to memorize or safely store their card number probably won't want a numberless card. Secondly, an EMV card with no number on the mag stripe will not work in non-EMV venues since fallback to the mag stripe would fail (no card number in the track data). So travellers with numberless EMV cards will enjoy only limited acceptance, and might consider carrying a second card. But a traveller can certainly use a card with card data on the mag stripe and not embossed on the front - this would work in EMV and non-EMV environments.
Savvy cardholders are a species growing in number. Many have been victims of fraud in the past, others read news and are aware of card-related fraud. There are also cardholders who understand the value of an ostensibly numberless card. The issuer who first goes to market with a numberless card product will enjoy benefits on several levels. It will realize reduced Card-Not-Present fraud losses, it will attract new customers who understand the value and appeal of this augmented level of security and privacy, and it will also enjoy a clientele with higher-than-average levels of technical intelligence and card know-how.