Computerworld - As news of Wal-Mart Stores Inc.'s plan to convert its U.S. payment terminals to smartcard-compatible systems surfaced, there was also news of efforts to make existing magnetic stripe cards more secure.
One effort that appears to have made considerable progress involves a card authentication technology that uses information from the magnetic stripe on the back of each card to create a unique digital fingerprint of the card.
Each time the card is used, information from its magnetic stripe is matched with its fingerprint. The technology is designed to use data about stolen cards to detect and stop the use of counterfeit cards at the payment terminal.
A major U.S. retailer will be announcing its support for the technology within the next one month or so, said Tom Patterson, chief security officer at MagTek Inc., a Seal Beach, Calif.-based vendor of card readers, check scanners, PIN pads and other electronic payment and identification products.
Patterson said the unnamed retailer is equipping about 30,000 of its outlets with payment terminals featuring a MagTek technology that captures specific magnetic stripe information and compares it to a baseline "fingerprint," stored by the card issuer, for that card. Fifth Third Bank piloted similar technology with Visa last year.
In the Fifth Third pilot, called Digital ID, the bank installed upgraded payment readers at several merchant locations and tested the fingerprinting method.
The fingerprint approach offers a viable and relatively low-cost means of securing magnetic stripe card transactions, Patterson said. "We view this as a risk-management tool that can be used by merchants" to mitigate the threat of fraud, he said.
"We are not against smartcards. We know they are being used around the world," Patterson said.
But technologies such as magnetic stripe fingerprinting systems give merchants a way to continue supporting existing cards in a more secure manner for several years, he said. "The mag stripe is going to be a legacy for more than a decade at least" and possibly considerably longer, said Patterson.
He said that several other companies have expressed interest in the fingerprint technology.
Other initiatives are testing other ways of making magnetic stripe card transactions more secure.
For example, retailer OfficeMax Inc. last year tested a challenge-response security system at point-of-sale terminals in several hundred of its stores.
Another approach that is being tested is card tokenization technology, which takes the information in the magnetic strip on the back of a card and replaces it with randomly generated numbers, or tokens, before transmitting it for authorization.
Such efforts come even as card issuers and the major credit card companies are coming under slowly mounting pressure to move to chip-and-PIN technologies. Chip-and-PIN systems use smartcards that store cardholder data on embedded microprocessors (or chips) rather than magnetic stripes. To complete a transaction with such cards, cardholders usually have to enter personal identification numbers (or PINs). Smartcards equipped with chips are thought to be significantly safer than magnetic stripe cards, and payment systems that use them have been adopted widely around the world.
The U.S. has been one of the few holdouts in the migration to chip-and-PIN systems, largely because of concerns about the cost of moving to the technology.
This week, Wal-Mart disclosed plans to make all payment terminals in its domestic stores chip-and-PIN-capable. And the United Nations Federal Credit Union (UNFCU) announced this week that it will soon be issuing smart credit cards.
A number of other retailers and card issuers are said to be exploring the technology, but few have gone public about the plans yet.
"The issue for U.S. retailers is where they should be investing their money," said Avivah Litan, an analyst at Gartner Inc.
Because of recent changes to the credit card industry's Payment Card Industry (PCI) data security standards, many retailers will soon need to upgrade to new payment terminals that are capable of supporting encryption, she said.
The question retailers will need to deal with is whether they should upgrade to new chip-and-PIN-compatible systems or to systems that are designed to make magnetic stripe transactions safer, she said.
"They don't want to invest their money twice," said Litan. "Chip-and-PIN is where the rest of the world is. It is not perfect, but it's stronger than shoring up magnetic stripe."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at 
@jaivijayan, or subscribe to Jaikumar's RSS feed 
. His e-mail address is jvijayan@computerworld.com.
Read more about Security Hardware and Software in Computerworld's Security Hardware and Software Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
