Is the U.S. the 'weakest link' for credit card security?

Commentary - With almost every other developed country in the world now moving toward Chip and PIN technology to support the Europay, MasterCard and VISA (EMV) standard, the continued use of magnetic stripe cards in the United States has looked out of order for a while now. The reasons behind the United State’s stance are complex, but it seems now that some important voices are calling for a change and as more voices are heard, the chance for change will only increase.

At a recent NACHA conference in Seattle, Walmart, one of the world’s largest retail companies with more than 8,500 outlets in 15 nations, threw its support behind this technology, announcing that its stores already have the hardware in place to accept Chip and PIN cards and that later in the year, it will be accepting one or more Chip and PIN programs.

At the same conference, a T-Mobile executive also backed a move to EMV, warning that the United States is becoming the “weakest link” in card fraud and that banks must listen to what merchants are asking for.

It is good to see retailers throwing their support to this technology, and there is clear financial incentive for them to switch to a Chip and PIN system. As it is now, the merchants are at risk when there is fraud as card issuers are not liable for all the risk, particularly with credit cards. If a transaction is authorized on line, all that is being checked is if the account is ok and funds would be authorized. It does not guarantee that the person presenting the card is the actual authorized user. The card could be stolen, cloned, etc. If a charge is disputed, the merchant has the burden of proof based on signature or other method he used to authenticate the user. On PIN debit transactions it is different in that the PIN is ‘proof’ that the owner or the card (or at least one that knows the PIN) is the actual user. But on credit, because there is not guaranteed method of authentication, a merchant is at risk.

With Chip and PIN, every transaction, debit or credit, has the benefit of authenticating the user prior to a transaction taking place. That is why liability shifts can be put in place, from merchant to issuer, if the merchant supports chip but the issuer does not.

The example set by the U.K. and Europe in terms of reducing card fraud is clear, and a few sums based on a 2009 survey by LexisNexis about the “True Cost of Fraud,” show that U.S. merchants could potentially save about $50 billion by moving to an infrastructure that supports EMV.

$100 Billion in fraud shows U.S. needs to do more with card security
A shocking figure in this report is that U.S. merchants pay about $100 billion in fraud losses due to unauthorized transactions and fees/interest associated with chargebacks. This figure is nearly 10 times greater than the cost incurred by banks. However, the expense to upgrade the card payments infrastructure to use EMV is not insignificant, which is one factor that has held retailers and acquirers back. But if EMV upgrades are timed to occur when other changes are planned, the additional cost is small.

For example, many merchants and acquirers are changing their networks to enhance cardholder data protection and are deploying end-to-end encryption or other approaches in their networks. Changes to the network to add EMV messaging can be made at the same time with little additional cost. Similarly, if EMV capability is added to the Point Of Sale (POS) at the next cycle of POS renewal there is only a marginal difference in cost.

What does Chip and PIN mean for consumer card use
For consumers, the transition to Chip and PIN would create a shift in culture. As American consumers currently have no liability for transactions on lost and stolen or counterfeit cards, they do not see the additional security of EMV cards as a benefit. Entering a personal identification number (PIN) during purchases is seen as getting in the way of a simple swipe and sign transaction. Issuers also have little incentive to move to EMV as they can charge higher interchange rates on magnetic stripe transactions.

In spite of this, some issuers (for example, the United Nations Federal Credit Union) have unveiled plans to issue credit cards that comply with the EMV standard. What has driven them forward is an understanding that as more and more countries adopt EMV, Americans who travel internationally are finding it increasingly difficult to use their cards abroad. In theory, EMV-enabled retailers should continue to accept magnetic stripe cards, but in practice, lack of experience with non-EMV cards means they are often rejected.

Not a silver bullet but a step in the right direction
While the transition to Chip and PIN would improve security of the U.S. payments infrastructure, it is important to note that it is not a “silver bullet” for completely eliminating fraud. Card transaction data still needs to have greater protection, so it is important for retailers, banks, payments processors, POS terminal vendors and other entities involved in the payments infrastructure to continue their focus on end-to-end data protection schemes to ensure that there are no exposed vectors for fraudsters to exploit. This is especially true as we look to the future. Online purchases continue to grow strongly, and Chip and PIN does not inherently address potential fraud for phone or Internet transactions.

Taking into account all these factors, it is difficult to predict when – if at all – the U.S. will move to EMV. But the voices calling for change certainly seem to be getting louder.

The most recent voice is that of an executive vice president of the Federal Reserve Bank (FRB) of Atlanta's Retail Payments Risk Forum, who recently questioned whether it was time for government to develop a plan for the country to move to EMV. He brings up an intriguing point: As we’ve seen in Europe and Canada, it takes more than a few vocal entities to initiate change. Instead, a unified industry or government approach is needed for the train to really start to roll.

For the migration to EMV to happen, the business and security benefits of EMV and the disadvantages of U.S. isolation as the rest of the world abandons magnetic stripe cards must outweigh the costs to upgrade and the incentives not to change, and when and if this will happen is extremely hard if not impossible to predict.

biography
Jose Diaz is the director of technical and strategic business development at Thales e-Security, a world leader in mission-critical information systems for defense and security, aerospace and transportation. The Information Systems and Security group provides information and communication systems security solutions for government, defense, critical infrastructure operators, enterprises and the finance industry. For more information email Jose Diaz.