
Is the United States the weakest link when it comes to credit card security?

With almost every other developed country in the world now moving toward chip-and-PIN technology to support EMV, a global standard for authenticating credit and debit card payments, the continued use of magnetic stripe cards in the United States has looked out of step for a while now.

The reasons behind the United States' stance are complex, but it seems now that some important voices are calling for a change, and as more voices are heard, the chance for change will only increase.

At a recent NACHA - The Electronic Payment Association conference in Seattle, Walmart, one of the world's largest retail companies with more than 8,500 outlets in 15 nations, threw its support behind chip-and-PIN, announcing that its stores already have the hardware in place to accept chip-and-PIN cards and that, later in the year, it will be accepting one or more chip-and-PIN programs.

At the same conference, a T-Mobile executive also backed a move to EMV, warning that the United States is becoming the “weakest link” in card fraud and that banks must listen to what merchants are asking for.

It is good to see retailers throwing their support behind this technology, and there is a clear financial incentive for them to switch to a chip-and-PIN system.

As it stands, merchants are at risk when fraud occurs, because card issuers are not liable for all of it, particularly with credit cards. When a transaction is authorized online, the only checks are that the account is in good standing and that the funds can be authorized. Authorization does not guarantee that the person presenting the card is the actual authorized user; the card could be stolen, cloned, etc. If a charge is disputed, the merchant bears the burden of proof, based on the signature or whatever other method it used to authenticate the user.

PIN debit transactions are different in that the PIN is "proof" that the owner of the card (or at least someone who knows the PIN) is the actual user. But on credit, because there is no guaranteed method of authentication, the merchant is at risk.

With chip-and-PIN, every transaction, debit or credit, has the benefit of authenticating the user prior to a transaction taking place. That is why liability shifts can be put in place, from merchant to issuer, if the merchant supports chip but the issuer does not.

The example set by the U.K. and Europe in terms of reducing card fraud is clear, and a few sums based on a 2009 survey by LexisNexis about the “True Cost of Fraud” show that U.S. merchants could save about $50 billion by moving to an infrastructure that supports EMV.

A shocking figure in this report is that U.S. merchants pay about $100 billion in fraud losses due to unauthorized transactions and fees/interest associated with chargebacks. This figure is nearly 10 times greater than the cost incurred by banks. However, the expense to upgrade the card payments infrastructure to use EMV is not insignificant, which is one factor that has held retailers and acquirers back. But if EMV upgrades are timed to occur when other changes are planned, the additional cost is small.

For example, many merchants and acquirers are changing their networks to enhance cardholder data protection and are deploying end-to-end encryption or other approaches in their networks. Changes to the network to add EMV messaging can be made at the same time with little additional cost. Similarly, if EMV capability is added to the point-of-sale (PoS) at the next cycle of renewal, there is only a marginal difference in cost.

For consumers, the transition to chip-and-PIN would create a shift in culture.

As American consumers currently have no liability for transactions on lost, stolen or counterfeit cards, they do not see the additional security of EMV cards as a benefit.

Entering a PIN during purchases is seen as getting in the way of a simple swipe and sign transaction. Issuers also have little incentive to move to EMV, as they can charge higher interchange rates on magnetic stripe transactions.

In spite of this, some issuers (for example, the United Nations Federal Credit Union) have unveiled plans to issue credit cards that comply with the EMV standard.

What has driven them forward is an understanding that as more and more countries adopt EMV, Americans who travel internationally are finding it increasingly difficult to use their cards abroad. In theory, EMV-enabled retailers should continue to accept magnetic stripe cards, but in practice, lack of experience with non-EMV cards means they are often rejected.

While the transition to chip-and-PIN would improve security of the U.S. payments infrastructure, it is important to note that it is not a “silver bullet” for completely eliminating fraud.

Card transaction data still needs to have greater protection, so it is important for retailers, banks, payments processors, PoS terminal vendors and other entities involved in the payments infrastructure to continue their focus on end-to-end data protection schemes to ensure that there are no exposed vectors for fraudsters to exploit.

This is especially true as we look to the future. Online purchases continue to grow strongly, and chip-and-PIN does not inherently address potential fraud for phone or internet transactions.

Taking into account all these factors, it is difficult to predict when — if at all — the United States will move to EMV. But the voices calling for change certainly seem to be getting louder.

For the migration to EMV to happen, the business and security benefits of EMV, together with the disadvantages of U.S. isolation as the rest of the world abandons magnetic stripe cards, must outweigh the costs to upgrade and the incentives not to change. When and if this will happen is extremely hard, if not impossible, to predict.
