Credit card fraud has gone down in the six months since Visa and Mastercard made retailers and banks liable for fraudulent transactions if they haven’t implemented chip credit cards, but chips alone aren’t enough to secure Americans’ transactions, White House and consumer group representatives said Tuesday.
“The chip alone is not enough for security,” Camille Fischer of the White House Economic Council said during a panel on Capitol Hill Tuesday.
Panelists from numerous consumer groups agreed the industry is headed in the right direction with the widening adoption of credit and debit card chips, which generate a unique, single-use numeric code to send alongside an account number to the issuer for verification during a transaction.
But to achieve true credit card security in the U.S. market — home to half the world’s credit card fraud despite only accounting for about a quarter of all transactions — banks need to implement a PIN number system with each card in place of a simple signature, according to Debra Berlyn, president of Consumer Policy Solutions, a consumer interest firm.
Berlyn, who organized Tuesday’s panel, said signatures — which serve as a second form of authentications — are “widely ignored” by retailers and “easily forged” by fraudsters.
Instead, Berlyn and others said credit card issuers should enable a PIN system for credit cards similar to the one frequently used for debit transactions, establishing a truly digital form of the multi-factor authentication widely endorsed by the cybersecurity community.
In the wake of major retail credit card theft in recent years like those against Target and Home Depot, Mastercard and Visa gave retailers and banks until last October to upgrade their payment terminals before putting into effect the “liability shift,” which stipulates in the event of fraud the entity with the older payment technology — the retailer or the bank — will be liable for the fraudulent charge.
“So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card,” Mastercard’s Carolyn Balfany told the Wall Street Journal about the new Europay, Mastercard, and Visa (EMV) credit card standards in 2014. “And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable.”
EMV cards have already made a dent in fraudulent transactions, falling more than 18 percent across five U.S. retailers among the 25 most-inundated with fraud between fourth-quarter 2014 and 2015, according to Visa.
“We’re seeing EMV is having a positive impact on counterfeit fraud,’’ Stephanie Ericksen, vice president of risk products at Visa told USA Today in April. “Merchants who implement chip, their counterfeit fraud is going down, while those still finalizing plans, their counterfeit fraud is going up.’’
Counterfeit transactions could be reduced even further, Berlyn argued, if banks would implement PINs — something they have little incentive to do, having already met the liability requirement with chip cards.
“They incorrectly believe that requiring a PIN for credit card transactions could burden consumers who may have difficulty remembering another passcode – a baseless argument that does not give Americans enough credit,” Berlyn wrote in a Hill op-ed Monday. “The microchip coupled with the individual PIN make tampering and counterfeiting the cards, along with using stolen financial data, nearly impossible.”
The PIN could be even more useful for the growing percentage of transactions occurring online.
“The technology is out there,” Berlyn said. “It is just not widely used.”
Berlyn said the move to chip-and-PIN, adopted in most major markets outside the U.S., would not only render stolen credit card numbers unusable, but reduce the incentive for hacking retail networks in the first place, since the account information gleaned would be useless.
“Despite the overwhelming body of evidence that demonstrates its effectiveness, the financial services industry has thus far been unwilling to deploy these security measures in the U.S.,” Berlyn said.
Some are already making the switch. Last week Discover CEO David Nelms said the credit card company will begin transitioning to chip-and-PIN.
“I think we may be missing an opportunity to go to the higher level of security with EMV, which is how chip cards are handled in the rest of the world and what merchants in other countries expect when they see a U.S.-issued EMV card,” Nelms said.
