According to a recent Gallup poll, Americans today are more worried about having their credit card information stolen than they are of being murdered, assaulted, or robbed.
This is not too surprising considering the likelihood of being affected by credit card theft. More than a quarter of Americans report their card information has been hacked through a store, and seemingly with each passing week, we hear of a new major retailer that has had customer data stolen.
One of the largest breaches occurred with Home Depot, which has stores in both the US and Canada. While many US customers have been hit by instances of fraud, Canadians have fared much better.
Why? Experts say the threat of fraud can be substantially diminished by using technology employed by most other developed countries and many developing countries.
Canada uses chip and PIN (Personal Identification Number) technology, which requires cardholders to enter a PIN rather than sign for purchases, just as is required of Americans when withdrawing money from an ATM. And instead of the easily-hacked magnetic strip on the back of cards, which was invented in the 1960s, chip technology inside cards generates a unique security code for each transaction. This system ensures that it’s the cardholder who is using the card and that the card is real.
The difference in security is substantial. According to the Federal Reserve, the use of PINs instead of signatures make transactions 700 percent more secure. A separate study by the Federal Reserve Bank of Kansas City suggests that chips in cards will reduce counterfeiting, and the continued use of magnetic stripes will be a significant source of fraud.
Consumer groups and some merchants have pushed to adopt chip and PIN.
Allie Brandenburger, Senior Director of Communications at the Retail Industry Leaders Association, tells InsideSources, “Chip and PIN cards is one of the important layers of protection needed to increase payments security. The chip authenticates the card while the PIN authenticates the cardholder. This two-factor authentication technology has been in place for decades in nearly every other G20 nation and has proven to substantially reduce fraud.”
While some retailers have invested in the capability of accepting chip and PIN, many stores have shown some hesitancy to buy the systems needed to accept chip and PIN until the credit card companies say they will issue cards that have it. That’s not a top priority for credit card issuers. The transition to chip and PIN “hasn’t happened here, mainly because banks don’t want to spend the money to upgrade the system, writing off the hassle and expense of your identity fraud as a cost of doing business,” wrote David Dayen in a January 2014 New Republic article.
“Wall Street intransigence” is the culprit holding consumers back from having better fraud protection, said Steve Pociask, a researcher with the American Consumer Institute, in an interview with InsideSources. “They’ve been unwilling to adopt better data security measures because they cost more than the ineffective magnetic stripe cards their peddling now. Today, Visa and MasterCard earn higher transactions fees off of the old signature system, which makes them reluctant to spend the resources necessary adopt better measures like requiring a PIN along with chip-enabled cards. Meanwhile, European nations recognized the pervasiveness of financial fraud early on and acted decisively to adopt chip and PIN cards a decade ago.”
Additionally, many other countries place greater liability for fraud on the credit card companies. In the US, the industry has been able to push much of the liability to retailers and consumers. There’s less incentive for the card issuers to prevent fraud.
But the story is far more complicated. The financial industry sees a need for all sides to find a common solution. There has been some progress, but there is still a long way to go.
To start, the card networks will be requiring most merchants to accept chip cards, under what’s called the EMV standard, by October 2015 or face a liability shift for fraud. As such, the magnetic stripe will remain on cards to accommodate merchants who don’t make the change. A PIN will also not be required—only a signature. This takes away another layer of security, but part of this challenge is about the customer experience. Some merchants are opposed to chip technology because it slows down payment. And some consumers may have trouble remembering PINs for all the cards they carry in their wallets.
This dilemma, however, leaves us right where we’re at now. And merchants are hesitant to spend the $25-30 billion it will cost to upgrade payment systems unless they know it will be the new standard.
The Obama Administration has helped to push for a chip and PIN standard. In mid-October, the President issued an executive order to institute chip and pin for any government agencies that accept payment from consumers, including post offices. The order also requires all government-issued credit cards to have chip and PIN. This includes cards given to government employees and Direct Express debit cards for those receiving government benefits, such as veterans and Social Security recipients. It’s possible that the 4.8 million people using Direct Express will spur adoption of chip and PIN, but not necessarily.
“There needs to be more public pressure to push the banks and credit card companies to finally embrace better data security measures like chip and PIN,” says Pociask. “American consumers are fully aware that the magnetic stripe cards they have are less secure and more susceptible to fraud than ever before. As chip and PIN cards become more prevalent, consumers are going to look around and ask why their banks and credit card companies are unnecessarily leaving them vulnerable to identity theft and financial fraud by relying on older magnetic stripe cards.”
Still, chip and pin is not new technology. And hackers are smart enough to find ways around it. Online sales also create a complication because the card does not need to be present.
“While chip technology and PINs do a very good job at addressing one specific type of fraud from lost, stolen or duplicated cards, they’re not a panacea. EMV is one piece of the much larger fraud puzzle, and PINs in some cases can serve as a bridge technology as new security innovations come to market,” explained Jason Kratovil of the Financial Services Roundtable in an interview with InsideSources. “Already we’re seeing how layering technologies – like including biometric validation on top of tokenized data that helps render sensitive information useless to would-be criminals – creates a more secure payment channel. That’s where payment security is headed, and it’s what consumers will look for to ensure they’ll have trust and confidence when utilizing electronic and mobile payments.”
Consumer advocates agree that we need to seek out better technology. Apple Pay, for example, is a step in the right direction, but it is still not widely available. There is much debate ahead on new payment technologies, to include fees paid by merchants, as well as the use of tokenization and biometrics.
It’s been two decades since chip and PIN cards were introduced, and there is still no agreement on implementing it as a standard. With new technology emerging, one can only be left to wonder whether this four-sided market of banks, card companies, merchants, and consumers will be able to find a solution to the problem anytime in the near term, or whether our current technology—chip and PIN—is really the best option for the foreseeable future.