NEW YORK (MainStreet) – New chip-and-PIN credit card technology is here, but that doesn't mean the U.S. is using it in a way that's going to make merchants or cardholders incredibly secure.
Visa, MasterCard, Discover, American Express and their banking partners have set a government-enforced deadline of Oct. 15 for a “liability shift” that, for the first time, would make merchants liable for fraudulent charges that result from using point-of-service readers that can't read chip-and-PIN EMV cards. The issuers have been implementing the technology, but it's still up to companies including Home Depot, Target, Neiman Marcus and others to implement it or be held responsible for fraud resulting from continued use of magnetic strips.
Home Depot, 7-Eleven, Target, Kroger stores and others have ramped up their adoption of the readers and had some ready by last year's holiday season. But the paltry 7.3% adoption rate in the U.S. at the end of 2014 was just a small fraction of the 83% adoption rate in Europe, the 50% rate in Africa and the Middle East and the 59% of Canadian, Latin American and Caribbean cardholders using EMV technology, according to chip-and-PIN management and testing firm EMVCo. That slow adoption rate not only puts merchants in danger of missing the deadline for conversion, but it imperils cardholder data as well.
“The fact is that the conversion will take quite a while, presently estimated into 2017 at the least, and the current teams of card-present fraudsters will be moving in the same channel they have worked until there is less opportunity there,” says Seth Ruden, senior fraud consultant at Naples, Fla.-based banking and payments systems firm ACI Worldwide. “So the net is that there will be plenty of options in that space for a long time to come.”
That's a bit more vulnerable than this high-security technology is supposed to be. Used in Europe since the early 1990s, EMV cards — which take their name from Europay/MasterCard/Visa — contain an embedded microchip that is authenticated using a personal identification number. A reader detects the chip and asks the card user for a PIN that matches the one found on the chip. There isn't a magnetic strip with all of a user's data embedded in it, and there is far less chance of a chip-and-PIN user's data being stolen.
Ideally, a shopper would simply slide the chip end of their card into a slot at the bottom of a checkout card reader, enter their personal identification number and be done with the transaction. Instead of holding an unchanging cache of your personal data that requires only an unchecked personal signature, the cards are relatively useless to someone who doesn't hold their PIN.
“Card-present fraud is significantly reduced by the implementation of EMV chips in that it effectively makes any merchant data breaches less complete in the necessary payment card data and thus devalues the opportunity to attempt to skim this static data,” Ruden says. “Further, the chip is virtually 'unclonable,' uses dynamic data and thus further reduces attempts to use an EMV card in face-to-face transactions as a result of a data breach.”
Since chip-carrying cards are making their way into consumers' hands slowly, though, even those cards have been reduced to slightly upgraded versions of the technology they're replacing until retailers can catch up and install new readers. In practice, that means chip-and-signature, and the card may as well not have a chip in it at all if you're going to use it in the most reckless and vulnerable fashion imaginable and swipe the magnetic stripe.
“A signature is obviously not as secure as entering your PIN,” says Curtis Arnold, founder of credit card industry rating and monitoring sites CardRatings.com and BestPrepaidDebitCards.com. “U.S. issuers argue that chip-and-signature allows for a smoother transition than chip-and-PIN for U.S. customers that are so used to swiping their card and signing. I get that, but given how rampant card fraud is — I just noticed some fraudulent charges on my Discover card statement — we as consumers should be concerned.”
Basically, they're easing the transition to the EMV deadline by undermining EMV and only hitting that deadline on a technicality. Why? Because this transition is proving costly. According to market research firm Javelin Strategy & Research, there are 15 million card readers, 360,000 ATMs and more than 1.1 million credit and debit cards that would have to be replaced at a cost of roughly $8.65 billion. Until all those changes happen, the adoption of chip-and-PIN technology won't be about familiarity with new cards and readers, but about completing the ecosystem.
“I also don’t think consumer behavior will be hard to modify. This technology is very simple, and it will only take a couple of uses for the average cardholder to get comfortable with this,” Ruden says. “Further, I imagine perhaps as many as 10% of Americans who travel abroad somewhat frequently may have already used it, and accept this as desirable.”
So how should consumers feel about this stopgap step between magnetic strips and chip-and-PIN? They should likely remember why the latter is being introduced in the first place. Home Depot's breach put 56 million credit card numbers and 53 million email addresses into jeopardy. Security blogger Brian Krebs discovered that the software used to infiltrate Home Depot's system was similar to that used in 2013 to snatch the data of more than 70 million Target shoppers. Credit protection firm BillGuard estimates that losses from fake charges tied to the Home Depot breach could reach upward of $3 billion after a hacker sold millions of stolen credit card numbers on the Ukraine-based site Rescator.
Unfortunately, those breaches haven't been new or rare occurrences. Back in 2007, 94 million shoppers had their data compromised after using cards at TJX stores including T.J. Maxx and Marshall's. In 2013, the data of more than 300,000 cardholders were accessed during a breach at Neiman Marcus. In August, hackers lifted data from 33 P.F. Chang's restaurant locations. Being able to swipe and sign until you're able to remember that PIN number — or your store is able to read your card's chip — is nice and all, but it doesn't make cardholders any safer.
“We are big on convenience here in America, and no one wants to keep up with another PIN, but in this case convenience may prove to be costly,” Arnold says. “I for one would rather avoid fraud at all costs — even if it costs me a little inconvenience at the checkout counter. I've been a victim of card fraud several times in the past few years and I can't help but think that I'm [not] the only one.”
Consumers aren't the only ones who are vulnerable, either. While larger retailers have the resources to swap out all of their card readers and install EMV readers that can help them avoid liability, small businesses aren't nearly so lucky. Not only can thieves still use their magnetic-strip-reading devices to skim customer information, but the businesses themselves will be on the hook for any charges incurred as a result of that fraud.
“Smaller, local merchants like restaurants may not only be used for point of fraud, but also continue to get skimmed, which is currently the prevailing skimming events we are seeing,” Ruden says. “I also wonder if many of these smaller merchants are being properly targeted by their local service providers to replace their machines and understand the risks of maintaining a magnetic stripe processing environment … So, to my favorite local restaurants: Please, do replace your point-of-service unit with a new model. It’s time.”
— Written by Jason Notte in Portland, Ore., for MainStreet
This article is commentary by an independent contributor. At the time of publication, the author held TK positions in the stocks mentioned.