Retailers who have changed over to the chip-and-PIN terminals are fighting back against the card issuers and filing lawsuits to make transactions more secure.
Home Depot, the Atlanta-based home improvement retailer, filed a federal lawsuit this month accusing Visa and MasterCard, two credit card issuers, of hindering the retailer's efforts to boost the security of the new chip cards. In their lawsuit, the company claims that the card issuers are not giving retailers the option to offer more secure transactions where consumers have to use their PIN, a four digit code instead of a basic signature. Allowing the use of a PIN increases security and would lower the transaction fee being charged to the retailers by the issuers.
The chip-enabled, or EMV, cards contain a computer chip which has the ability to generate a unique code for each purchase. These cards are also more difficult to counterfeit.
In the lawsuit, Home Depot alleges that "while chip-and-PIN authentication is proven to be more secure, it is less profitable for Visa, MasterCard, and their member banks and it provides a greater threat to their market dominance."
These lawsuits have occurred, because retailers are "incredibly frustrated because they're spending a ton of money and still not getting the safest, best solution," said Matt Schulz, senior industry analyst at CreditCards.com, an Austin, Texas-based credit card comparison website. The likelihood that more retailers will file lawsuits is high.
Utilizing chip-and-signature means retailers are still vulnerable, because they are not receiving the most secure form of protection from hackers for transactions.
"I'm not surprised to see these types of lawsuits," Schulz said. "The truth is that chip and signature is a half-step, security-wise."
The adoption of chip-and-PIN for all transactions would make it harder for fraudsters to commit crimes, because "it's a whole lot easier to fake someone's signature than it is to know their PIN," Schulz said.
Shoppers must remain vigilant and always be on the lookout for fraud occurring, because hackers are often one step ahead despite the type of credit card they are using to pay for purchases.
"The most important thing for consumers to know is that whether you have a chip-and-signature card, a chip-and-pin card or even a good old fashioned magnetic stripe card, you must remember that you are one of your own best lines of defense," he said. "The truth is that no one cares as much about your money as you do, so it's vital that you check your online bank and credit card statements at least once a week for signs of fraudulent activity."
Credit card issuers are apprehensive that some consumers may not remember the four-digit PIN, so they are still allowing shoppers to utilize their signature as a method of identification, which can be forged and reproduced easily, said Joe Carson, head of global strategic alliances at Thycotic, a Washington D.C.- based provider of privileged account management (PAM) solutions.
"While we saw the introduction of chip and PIN cards in the U.S. last year, many credit card issuers still have not applied the security controls that other countries benefit from using the PIN instead of signing," he said.
Retailers doled out thousands of dollars and more to implement chip card readers in their payment system, but have failed to benefit from these added security controls, said Carson.
"While these cards are more difficult to replicate, the issue still remains that the security benefits are not being used," he said. "This resulted in the start of lawsuits against the credit issuers for failure to increase security."
The U.S. needs to switch its liability to Europe's system, Carson recommends.
"In Europe, you're accountable only in the case that your card and your PIN are used together," he said. "If my card is used in Europe without the PIN, the responsibility falls completely on the business, not the credit card company or me, but rather the individual who accepted the card."
One major issue is that many businesses in the U.S. have been slow to adopt the chip-and-PIN terminals and do not feel "motivated to go to great extents to protect customers from credit card fraud," Carson said. "Frankly, if accountability in the U.S. is amended, retailers still without support for chip and pin cards will change their ways pretty quickly. Technology is imperative in all cyber security matters. Nevertheless, making something as unassuming as accountability more reasonable can go a long way toward decreasing crime."
The adoption of chip-enabled by retailers has been painfully sluggish despite the ability of the technology to provide more secure transactions. While 70% of U.S. credit cardholders have a chip credit card, estimates demonstrate that only 22% to 37% of retailers have implemented the technology to accept these cards, said CreditCards.com. The deadline set by the credit card industry was Oct. 1, 2015 for converting to these new cards, which are intended to thwart hackers from accessing consumer accounts and personal details.
Merchants who missed the deadline and have not converted to using these new EMV cards are now financially responsible for any charges which are fraudulent. Boston Retail Partners, a retail consulting firm, estimates that only 22% of retailers have the software and card readers to accept the cards while Strawhecker Group, an Omaha-based consulting firm, predicts a larger amount or 37% of retailers who made the switch.
"National retailers such as Target have adopted the technology, but other companies have failed to complete these upgrades even though it can expose them to a lot of fraud and liability," said Schulz. "The retailers are willing to take the risk to avoid spending money."
Many retailers do not understand the threats they are accepting by not implementing the use of EMV cards, said Mark Parker, a systems engineer for Palo Alto Networks, a Santa Clara, Calif.-based network and enterprise security company. Even a seemingly minor data breach would make them liable for "tens, if not hundreds of thousands of dollars depending on its size," he said. "In many cases, the costs of a data breach like this would put a non-compliant small or medium-sized business out of business."
A survey conducted by CardHub, a Washington, D.C.-based credit card comparison company, found similar alarming results, leaving consumers exposed to hackers. Among retailers who were the targets of data breaches in the past five years, 43% have not updated their terminals and 42% of retailers have not updated the terminals in any of their stores.