"The reason payment cards the world over still have a mag stripe is because, until a few years ago, chip cards were simply not a thing in the U.S. "
So let them have it, why should I care and endure security risk? I've never been to USA nor I'm planning to (at least not unless they fix that gestapo-like border control), but still my every card has a magstripe waiting to get skimmed. If I ever need to go to USA, I'll get a suitable card.
> So let them have it, why should I care and endure security risk?
Because banks the world over are notoriously slow about doing anything that might nudge even a fraction of a percentage of customers over to a competitor. If they removed magnetic stripes (which, in the short run, would cost a bank money because that's a specialty card) and said "just contact us if you're going to the States and we'll overnight you a States-compatible card, no questions asked," nothing would stop a competitor from running adverts that say "why wait 24 hours and worry about not getting your card? We issue cards that work in the United States from day one!" Now the person who made the decision to delete the magstripe from cards issued by the first bank is out of a job and so now you see why his or her interests didn't line up with yours.
It's the same reason why chip-and-PIN isn't primary in the United States; chip-and-sign is. Over here, customers have been trained that entering a PIN means the money comes out of a checking (draft/demand/deposit) account while signing means it goes "on the card." Trying to get that mindset changed is more costly than just eating the potential stolen-card-being-used-before-being-shut-down fraud for most issuers.
(Some credit unions, primarily catering to people who travel overseas, and smaller banks that want to differentiate themselves are issuing PIN-primary cards but they are definitely in the minority. I happen to have cards from three of them--First Tech, Spokane Teacher's, and Target--for reasons of security and international use but I am also in the minority. Amusingly, it's large merchants who want PIN-based cards because it puts the onus on the cardholder, not the merchant.)
Because they could instead sell it as "an unskimmable card!". Many people I know have had their cards preemptively replaced by their bank because it was used at a store/ATM where other cards were skimmed. Avoiding worries/hassles like that could be a selling point.
Get rid of the magstripe and bad actors will steal your card info using cameras (pretty much all the info in the magstripe is also printed on the card, that's how online shopping works).
It would be good to raise the bar, but it won't be an end-all solution.
At the end f the day, it's going to take quite some effort to move the entire payment industry to something more secure.
The current state of affaires is good enough in terms of cost for the banks vs loss from fraud.
Wait, you guys don't use card readers for online payments?
Edit: My bad, just realized you use credit cards instead of debit cards we use in europe. CC here also don't use ccard readers for online payment.
To elaborate a bit on what amenghra said, the information you are asked for when you use your card for a "card not present" transaction (card number, card security code, name, billing address, expiration date) falls into three categories.
• information required by the bank,
• information that the bank will check if you supply it,
• information that is not checked by the bank.
The first category, required information, is just the card number for most banks (and the amount to charge, of course).
The second category, checked by the bank if supplied, is everything except for the card number and the expiration date and the amount. This information is used for fraud control. If a merchant supplies it, the bank tells the merchant if it was correct. With many banks the credit card fees are slightly lower if this information is supplied. Even if the merchant supplies this and the bank says it does not match the merchant can go ahead with the transaction, although such transactions have a higher risk of fraud (and therefore chargebacks).
The third category, information not checked by the bank, is the expiration date. The expiration date check is at the payment processor, and that check is simply:
if expiration_date < current_date()
reject_transaction()
The expiration date on a card is just when that physical card is no longer supposed to be used. It is not an expiration date on the underlying account.
This is one reason why many people have gotten a surprise when they have had some kind of subscription they no longer wanted, and instead of actually cancelling it they just let their card expire and think the re-billing will then fail. There are three problems with that approach.
1. If the merchant marks a transaction as a recurring transaction some payment processors skip the expiration date check.
2. Some merchants include something like this in their re-billing code:
if expiration_date < current_date()
expiration_date = date_add(expiration_date, interval(3, 'years'))
3. Visa, Mastercard, and Discover (not sure about Amex) have updater services. Merchants can send a credit card number and expiration date to the updater service, and the service will tell them the current expiration date and the current card number for the underlying account. This one can be especially surprising to people because it can update both the expiration date and the card number.
Are you sure that the expiration date is not checked for any vendor? I recently paid online (Mastercard I think) and the transaction got declined because I entered the wrong expiration date. The date was in the future, I just entered a wrong month. So there must've been a check. But could be that they used 3D secure (or equivalent) and it got declined there, the check often happens too fast to notice.
I believe this comes down to the cardholder bank. My local credit union doesn't check expiration date of cards (I've tried as far out as 2029). CapitalOne does.
Trying to use a non-US card in the USA is a pain: most online shops or machines (e.g. NYC Metrocard) require a 5 digit ZIP.
Cards from elsewhere don't have a 5 digit ZIP to enter. So usually I can't use those websites, at least if it's a machine I can pay cash.
The core of the problem is that visible info on the card is enough to authorise payment. Visible info is not secret. Info that you share with every seller is not secret. Public information should not be good enough to authorise payment.
Payment should require some kind of private information, either from the chip, or from the head of the owner (like a PIN), but preferably both.
I use a company called Revolut to manage a card of mine. One of the options in the app is to explicitly disabled Magstripe payments, so one wonders if you could ask your bank to disable it?
In the UK, I've recently had to swipe a card and sign the receipt as the card reader was misbehaving and that's what it wanted me to do. It's a reasonable backup. (I've also had to use a carbon-copy machine to print my card details onto a piece of paper to make a deposit a couple of years ago - now that was ancient tech!)
So let them have it, why should I care and endure security risk? I've never been to USA nor I'm planning to (at least not unless they fix that gestapo-like border control), but still my every card has a magstripe waiting to get skimmed. If I ever need to go to USA, I'll get a suitable card.