Editorial Note: The content of this article is based on the author’s opinions and recommendations alone. It may not have been reviewed, approved or otherwise endorsed by the credit card issuer. This site may be compensated through a credit card issuer partnership.
Barry Mosteller is the Denver-based director of research and development for CPI Card Group, one of a half-dozen "secure financial transaction card manufacturers" of the plastic in your wallet: credit and debit cards as well as prepaid gift cards contracted by Visa, MasterCard, American Express and Discover, among others. (CPI, an international association member, also mass-produces chain store gift cards.) We turned to Mosteller, a patent-holder many times over, to find out exactly how a card is made now, and how it will be made in the future.
This interview was condensed for clarity.
Is manufacturing a credit card a cookie-cutter process?
There are many cards that we produce that I’ll call standard-usage cards. The bank may issue millions of these cards: 10, 15 million. In that case, they may be doing, like, a flood-blue card with just their logo and the association’s logo. They have an established brand, this is an established portfolio that they have, and they may not be out trying to increase the cost of the card by adding uniqueness. And so, in those situations, in those particular portfolios, in those card designs that have been out there forever, it’s pretty straightforward on our end. We’ve tweaked our processes, and the designers and brand groups at the bank — at the issuer, because it may not be a bank, it may be American Express or Discover — are very happy with the way we reproduce the artwork and the card. Then it becomes mass-production.
But there are always portfolios where the high-spend card members, they want to make sure they stay with that issuer, so they’re looking to try to up the ante; to make the card look special and different so that it makes the person feel special and different. Or they try to make a connection to the person through the card design or the card materials. And, in those cases, it’s not business as usual.
What exactly is CPI's role in the making of credit cards?
Basically, we are a full-service shop, so we have some customers who come to us with finished artwork that they’ve paid a design company to make. Then we try to match that design on our materials and ink systems that we use here. Sometimes it works out, and sometimes it doesn’t. Because sometimes the designers don’t know enough about card manufacturing, and they’ve created a card that they’ve sold their upper management on, that it’s breaking a cardinal rule in card manufacturing and you can’t make it happen. In those cases we try to find a way around it, to give them what they want, but maybe not the way they were trying to get there.
Some card issuers work with designers who are very knowledgeable in card manufacturing, and usually those will run a lot smoother. And in some cases, the card designers or the issuer actually work with us, because we do have an in-house design group. They may come with a design — an end goal — and then sit down with us and talk about the different materials, and things that we can do, to achieve the look of that card. Of course, the goal is always to be what we refer to in the industry as “top of wallet," which means that they want that card, the design, to look very different, to make some kind of connection with the card member. So it becomes their favorite card, and the card that they always take out of their wallet and use the most.
Do the costs go up for the more highly-designed cards?
Per card, yes. We are a mass-production shop in the Denver area, while we have a shop in Indiana that I would call a job shop. The difference is that a production shop, their average job size might be, say, 30,000 cards per job. A job shop, their average card job is going to be somewhere in the neighborhood of 5,000 or 6,000 cards. The cost difference is going to be significant too. In a job shop, you can expect to spend three to as much as 10 times more per card as you will in a volume shop. The reason for that is, it doesn’t matter whether I’m making a million cards in a job, or I’m making ten or a hundred cards in a job: I still have to do the artwork; I still have to go through all the requirements for security; I still have to create all the printing plates; I have to create all of the screens; I have to set up my printing presses to print the job; I have to set up my screens to print the job… and that takes up most of the time. When you come into a print shop, it’s not unusual to not see any of the printing presses running. Because they actually only run about 20% of their time. The rest of the time is tearing them down, cleaning them up and setting them up for the next job. And that cost, if it’s going to be spread out over 500 cards, is going to be a lot per card, versus if I can spread that cost out over a million. Because once the job is set up, I’m going to be running 5,000 sheets an hour. So if I’m doing a 500-card job, I’m literally running for seconds. And if I’m doing a million-card job, maybe I’m running for a couple hours. So the cost is in the set-up and the tear-down; the actual cost while you’re running is relatively low.
How much could it cost to produce a single card?
Here’s where you’re going to get me in trouble. Because I’m the director of research and development, I don’t get involved in pricing. And I’m not in a position to be able to speak to pricing. But just to give you something to compare to: In large volume, it’s not unusual to see pricing down near or under around 10 cents to 16 cents a card. And if you’re doing small volume, it’s not unusual to see it be as much as $3.50 a card. It all depends on what you’re doing, and how many cards you’re making.
Regardless of volume, what is an example of an expensive card?
A card that requires a four-color process job. Let me explain: So everything that you read today, and all the photographs you see in magazines, are printed on what’s called four-color process. That means that I have a printing press, and that printing press has the main colors you need to create 86% of all the colors that are listed in the Pantone book, which is the printing bible for color. A four-color process means that I can take that image and reproduce it on one pass on my Litho Press. So it’s a relatively lower-cost card. Then other cards, they may require me to do two or three colors on a silk-screen press. So that’s three passes, three different screens. And then I may need to come over to my Litho Presses and run on a four-color process run; and then I may have to go back and change to some spot colors on my Litho Press and run the sheets through again. I’ve seen card designs that require that they be touched by 28 different screens or press plates, printing plates. Those kinds of cards are expensive.
How about the security of the card: What is CPI's role in fraud-protection?
We should talk about at three levels of security.
First of all, there is the security that’s inherent in the card. Most of the time — 99.9% of the time — the associations are responsible for the security of the card. So if you look at your credit cards today, you’re going to see things like holograms. Those holograms look like a dove flying, or it looks like two globes interlocked. There is a specific Discover hologram. AmEx doesn’t use it a lot, but there is an AmEx hologram. And beyond what you see with your eye, there are forensics in those holograms that are hidden, that are security features. Because if somebody is going to try and create a copy of a card, it’s not going to be easy for them to get a secure hologram. They’re going to make a hologram that looks like it. To your eye, it looks the same, but when you start doing forensics on the card, and looking under super-high-powered microscopes in various areas, there are going to be features that are missing that are in that secure hologram. There are other security features that anybody can verify. For example — some people don’t think it’s very secure, and it’s not if it’s not used — but, the security panel, the signature is there. "Does it match this person’s signature?" There's also the person’s name: "Does the person have a driver’s license with a name that matches that?"
The second level is that as a card manufacturer, I have physical security requirements. And those are driven by the associations and a standard called PCI. I’ve got to have bullet-proof glass in certain places; all of my employees have to be badged; all employees have to be vetted before they can be hired — meaning they do security checks; they do credit checks; besides the physicals that they have to take, they randomly get drug-tested and credit-checked to make sure that nobody’s on drugs, that they haven’t gotten into debt issues that might make them more vulnerable to be enticed to break security to try and profit. Other physical checks: camera systems and keeping the film for so long; where you can and can’t have doors, so the room has to be open; enforcing the two-man rule, which says that no one person can have access in specific areas. I also haven’t been on a secure card-manufacturing site that doesn’t have a 24-hour security guard who’s monitoring cameras, handling visitors, ID’ing the visitors, registering them. They have to sign agreements that they can’t talk about what they see in the plant. That’s because all of the cards that we’re manufacturing don’t belong to us: They belong to the issuers, and the artwork belongs to them. How many Visas I have on the floor at any time, or how many Mastercards, or what bank cards are moving through production: They can’t speak about that, so they have to sign non-disclosures when they come in.
Then there is the logical security: When data comes in and I’m handling data, that’s secure data. I have to have my system set up a specific way; it has to be a closed system; there can be no way for somebody outside to be able to get into that system.
And we get audited multiple times a year by the associations: by Mastercard, Visa, American Express, Discover. Some issuers, some banks, also come in and do security inspections. We’re licensed: if we ever are found to violate any of that security, our license can be pulled and we can no longer manufacture cards. If, for example, one association would pull that license — let’s say Visa — they will notify the other associations, and you can be sure that they will all pull their licenses.
How has the EMV chip affected your business?
From a manufacturing standpoint, it affects me multiple ways. With a standard magnetic stripe card, it goes through what we call card manufacturing, and then it ships to the "perso" shop that’s going to personalize the cards to put them on the street. When you’re talking about EMV, once the cards are through the manufacturing process, they have to go through a smart-card process. And in that smart card process, we have to mill the card out, embed the chip and contact plate into the card. We have to set the environment on the chip so that it is set up that the perso shop is going to be able to utilize the chip.
In the last year and a half, two years, card manufacturers -- all of us -- have had to ramp up very quickly with new equipment, new smart card lines, new operators, get all those operators trained, get all that equipment set up and running, get them into the maintenance schedule, get the processes for training and safety on that equipment in place, and everybody going. So it’s been a very hectic time for us, but at the same time it’s been a very profitable time for us: For every card that we manufacture, if it costs X, it’s going to be 5X or 10X when we put a chip into it, depending on how many cards people are ordering. It adds a significant amount of added value for us. Of course, that’s not all profit, because you have to plow that back into the company to buy that equipment, to hire those employees, to build that staff and infrastructure.
Speaking of staff, what exactly your day-to-day like?
So I actually fill two shoes here. I’m the director of research and development, and I’m also the director of the CPI corporate engineering team. So my interactions day-to-day will vary a lot, depending on specifically what’s going on. If there are any new materials coming into the systems -- like new inks -- it’s going to be myself or one of the engineers that works for me that is evaluating that material, testing that material against our processes. In the secure card world, every card that we manufacture has to meet a specific set of standards; we have five, six, seven different standards that we have to meet the ISO standards that we have to produce to.
If it’s a customer coming in with a new card design, a lot of times it doesn’t involve my group. It’ll be the designers and the customer care people working with the pressmen to get that design up on press and adjust the ink settings, maybe try different inks to get that card the way the customer wants it to look. That process is referred to as a "press check." So they actually come in, they pay to come in and basically take a printing press out of production, and it’s dedicated to them as they figure out how this design is going to look on a real live press. I and my team gets involved along the way.
Which is where your "research and development" title comes into play. So... what is coming next in card-making?
We're seeing a lot of mobile payments. What I find more exciting is HCE. HCE stands for host card emulation. Paying with your phone is very simple, and you don’t have to worry about whether you have cash on you. You don’t have to pull out a credit card because you’re buying a $3 ice cream. You just tap your phone and you pay. The problem is, for me, if I go ahead and have the card put onto the phone, and now every year a new Apple phone comes out, and I want to get a new phone, how do I get it off of there? And then when I get my new phone, I have to go back through and set it all set up again, just like my old phone. And I have to do that every year.
But, in HCE, what happens is the account is out in the cloud. So there’s a secure server out there, and if I get a card from a specific bank, I have a card — it’s called a companion card — but the account is set up out in the cloud. It’s anywhere, any device — whether it’s my personal phone; I could borrow your phone; I could use my tablet — I can access the cloud and get my payment information to make payments with any device that I have that has the capability to Wi-Fi to the cloud, or to go, because it’s a cell phone, to the cloud to get the information. And the information that’s coming down isn’t my account number; it’s a token. And now when I make that purchase, I’m giving them a token, not my account number. And that token is exactly like an account number — it looks like an account number — but it’s a one-time use token. So that token goes out, and now if somebody hacks that database they’re going to get a token that has no value. They can’t make a card with it.
Mobile payment doesn't threaten your business as a manufacturer of the physical, tangible card?
Well, it is still good for me, because if I have a phone and I’m making payments with my phone, what happens if my phone battery goes dead? What happens if my phone drops in a puddle? I can’t make payments. So I’m going to need a card as a backup. Putting accounts on the phone, or in the cloud, always starts with the base card. And the account information is put out there. So as a card manufacturer, I’m still going to be making cards. Now, maybe they won’t be as top of wallet, but it’s exciting times. As a card manufacturer, all of your large card manufacturers, we’re all service-providers. We all do some personalization — most of us do — besides doing card manufacturing. Offering a cloud solution or a mobile solution is a natural evolution for card manufacturers to move into.