Look into the future a moment and imagine Christmas shopping 2014. Target offers a great deal on a perfect gift. At the register, you recall that someone stole 40 million credit card numbers from the retailer in late 2013. Then, as you flick your fingerprint across the biometric reader on the front of your new credit card, you smile, relaxed that your number will work just a single time and thus would be useless to steal from Target’s computer system.
That’s the new technology in development at Epic One, a Houston startup that will introduce its pilot credit cards with a fingerprint reader and microprocessor inside later this year. It works, in essence, by offering a type of dual-factor authentication, a second piece of information that confirms that you are who you claim to be before approving the transaction. The Epic One card never exposes your Visa, MasterCard, Amex or other cards to the network where most of the data hijacking occurs.
When a shopper uses an Epic One card, his fingerprint scan on the card generates a green light on top that signals to the merchant it’s okay to swipe the card. Then the transaction is relayed to the card’s issuing bank and to Epic One. The only data Target sees is your Epic One card number plus the one-time use code. Even if someone hacks into the credit card processing system subsequently, the Epic One card number will not work a second time because the thief can’t generate a valid code to use it.
“The root cause of fraud is the exposure of this information,” says William Gomez Jr., the co-founder and CEO. “The Epic One card does not hold any details of any credit cards. Neither does the Epic One application that runs on your smartphone. None of these devices hold any of your credit card information. The Epic One card grants you temporary access to your cloud wallet that is stored within Epic One’s back-end systems.”
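The article does not say how Epic One derives its one-time code. The sketch below is an added example, not Epic One's code, that substitutes HOTP (RFC 4226) to show why a card number and code captured at the merchant fail when replayed. The `Issuer` and `Card` classes, the look-ahead window, the card number and the secret (the RFC's test-vector key) are assumptions made for illustration.

```python
import hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Issuer:
    """Hypothetical back end: per-card secret plus the next counter it will accept."""
    LOOKAHEAD = 5  # tolerate codes the card generated but never submitted

    def __init__(self):
        self._cards = {}  # card number -> [secret, next acceptable counter]

    def enroll(self, card_number, secret):
        self._cards[card_number] = [secret, 0]

    def authorize(self, card_number, code):
        entry = self._cards.get(card_number)
        if entry is None:
            return False
        secret, start = entry
        for counter in range(start, start + self.LOOKAHEAD):
            if hmac.compare_digest(hotp(secret, counter), code):
                entry[1] = counter + 1  # burn this counter and every earlier one
                return True
        return False

class Card:
    """Hypothetical card: emits a fresh code only after a fingerprint match."""
    def __init__(self, number, secret):
        self.number, self._secret, self._counter = number, secret, 0

    def present(self, fingerprint_ok):
        if not fingerprint_ok:
            return None  # no green light, no code
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return self.number, code

def demo():
    # Constructed values: RFC 4226 test key and a made-up card number.
    secret, number = b"12345678901234567890", "9999000011112222"
    issuer, card = Issuer(), Card(number, secret)
    issuer.enroll(number, secret)
    seen_by_merchant = card.present(True)   # all a breach of the merchant can leak
    first = issuer.authorize(*seen_by_merchant)
    replay = issuer.authorize(*seen_by_merchant)  # thief reuses the stolen pair
    return first, replay, issuer.authorize(*card.present(True)), card.present(False)
```

`demo()` returns the outcome of the first purchase, the replay of the same pair, a second legitimate purchase, and a presentation without a fingerprint match.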
The Target breach has highlighted some pretty serious security weaknesses in the way U.S. businesses process credit card payments. Some experts have called for European-style “chip and PIN” technology as one possible way to boost security, although stores would need new credit card readers, an expensive process. Congress wants to get into the act as well and three senators this week called for a banking committee hearing. “As companies collect, store, and process ever-greater quantities of consumer data, they—and our regulators—must become even more vigilant against breaches and improper use,” Senators Robert Menendez, Mark Warner and Charles Schumer wrote.
Some aspects of the Target breach remain puzzling. A representative at HSBC, which Forbes lists as the nation’s seventh largest bank, told me that none of its credit cards were impacted. How were they spared but other cards stolen? A Target spokeswoman declined to comment, citing the “ongoing criminal and forensic investigation.”
Epic One has spent about $150,000 developing the technology – spare change in the world of startups – but it has come up with an interesting concept. To gain acceptance, it must get banks that issue credit cards to sign up. So far, a Kansas City bank is in discussion to run a pilot program, and Epic One is talking to banks in Houston, California and North Carolina to start issuing their cards later this year.
Gomez estimates it will cost $6 or $7 each to manufacture their new credit cards in bulk, far more than for a conventional slab of American Express or MasterCard plastic. But they work on the existing U.S. credit card infrastructure. He is hoping banks will agree to pay that cost, as well as a small fee to process transactions through Epic One, as a way to mitigate fraud.
A lot of companies are seeking to devise the credit card device of the future. Michigan company Protean later this year plans to introduce a smart card that would store data from all of your cards, as well as library cards and other cards with magnetic stripes on the back. The device, which users would buy, would not prevent a Target-style data breach initially as it transmits the same credit card data as your current card, although the two founders say they plan a 2.0 version with enhanced security features. Coin is also developing a smart card product, and Loop has a similar idea that works on smartphones.
Reducing the huge bundle of cards that many of us carry in our purses and wallets will be a welcome advance. The company that does all that and incorporates added security and privacy should emerge a long-term winner, whether for shopping at Target or anywhere else.