By DOUGLAS F. BRENT, CIPP/US
2015 holiday shoppers who paid with plastic deserve forgiveness if they were confused by changes in America’s checkout ritual. Merchant terminals for completing purchases sprouted card receptor slots for reading credit cards with chips embedded to curb counterfeiting. Merchants that accept cards have an economic incentive to install the equipment requiring customers to insert cards instead of swiping. Procedures are inconsistent among large retailers, and many still need new terminals. The FBI may have added to the confusion by publicly questioning the effectiveness of the new card system, then abruptly withdrawing its remarks.
What’s really going on?
Card Fraud Losses Mount in the U.S. as Counterfeiting Grows
According to The Economist, the U.S. accounts for about half of global losses from fraudulent payment card transactions, even though we only produce about a quarter of all credit card payments. Credit card losses were more than $5 billion in 2012 and have increased by roughly 10 percent each year. That doesn’t include losses associated with debit cards, where the fraud rate has increased at an even faster pace, according to industry groups.
Many of these losses begin at point-of-sale terminals. Considered the weak link in the payment process, terminals have been frequently breached by online criminals seeking unencrypted credit card track data that may be encoded onto other cards (for example, a discarded gift card) and used for fraudulent payments elsewhere. Defeating these schemes requires better security hygiene by retailers, but that alone does not address the risks in magnetic stripe cards that are easily copied.
Technology To Curb Counterfeits Finally Reaches U.S. Consumers
Developed nearly 20 years ago to reduce magnetic stripe card counterfeiting, EMV (“EuroPay, Mastercard, Visa”) chips are the global standard for credit card security against counterfeiting. While traditional credit cards store data on a magnetic stripe, EMV cards store card data in programmable circuits and issue a unique code for each transaction made using the chip. The chip card and terminal determine if a PIN or signature is required for verification, but most U.S. card issuers still require signatures. For now, U.S. cards still include a magstripe that can be used at retailers that have not installed chip readers.
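The contrast between static stripe data and a per-transaction chip code, seen from the issuer's side, as an added example that is not part of the original article. It is a simplified model: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the key, card number, message layout and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not real card data.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # secret shared by chip and issuer (model)
PAN = "4000000000000002"

def chip_code(key: bytes, pan: str, counter: int, amount_cents: int, nonce: bytes) -> bytes:
    """Code the chip computes for one transaction (HMAC stand-in for an EMV cryptogram)."""
    msg = b"|".join([pan.encode(), str(counter).encode(), str(amount_cents).encode(), nonce])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Issuer-side check: recompute the code and refuse any counter already seen."""

    def __init__(self, keys: dict):
        self.keys = keys               # pan -> card key
        self.last_counter = {}         # pan -> highest transaction counter accepted

    def authorize_chip(self, pan, counter, amount_cents, nonce, code) -> str:
        key = self.keys.get(pan)
        if key is None:
            return "decline: unknown card"
        if counter <= self.last_counter.get(pan, 0):
            return "decline: replayed counter"
        expected = chip_code(key, pan, counter, amount_cents, nonce)
        if not hmac.compare_digest(expected, code):
            return "decline: bad code"
        self.last_counter[pan] = counter
        return "approve"

    def authorize_stripe(self, pan) -> str:
        # Stripe data is static: nothing distinguishes the original card from a copy.
        return "approve" if pan in self.keys else "decline: unknown card"

def demo() -> dict:
    issuer = Issuer({PAN: CARD_KEY})
    nonce = b"\x01\x02\x03\x04"        # terminal-chosen value for this purchase
    code = chip_code(CARD_KEY, PAN, 1, 2599, nonce)
    return {
        "chip_first_use": issuer.authorize_chip(PAN, 1, 2599, nonce, code),
        "chip_captured_replay": issuer.authorize_chip(PAN, 1, 2599, nonce, code),
        "chip_code_reused_new_sale": issuer.authorize_chip(PAN, 2, 9900, b"\x09\x09\x09\x09", code),
        "stripe_copy": issuer.authorize_stripe(PAN),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The code from one purchase is bound to that purchase's counter, amount and terminal value, so the issuer declines it when it reappears, while the static stripe check has nothing to tell a copy from the original.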
Fraud Liability Shifts
Before October 1, 2015, card issuing banks generally absorbed losses for cards presented at retailers. As banks rolled out EMV cards, retailers were given a choice: install equipment capable of reading the chips, or accept liability for fraud involving a card number associated with an EMV card they accept. This choice allows retailers to accept a business risk by continuing to use traditional mag stripe readers to process credit cards.
Card issuers have a similar choice—issue EMV cards or continue to absorb losses on older technology cards used at locations capable of reading chips. That choice has led to the inconsistencies we see today—some stores require customers to insert EMV cards in the chip reader, but some do not. Often card readers are in place but not yet activated.
Cardholder confusion is understandable, especially for those who (wrongly) assume the EMV card makes it impossible for anyone to abuse their card number. In November, the Congressional Research Service reported just 25 to 50 percent of U.S. retailers were prepared for the October fraud liability shift date. Many retailers have installed new equipment but have not yet activated the chip readers. Media reports have added to the confusion, referring to the new system as “Chip and PIN” even though the U.S. does not require PINs for the new cards.
Global Standard Not Adopted in U.S.
More than 80 countries use “Chip and PIN” technology to prevent point of sale fraud. Chip and PIN combines EMV technology with the user’s PIN entered on a keypad at the point of sale. The PIN prevents a stolen EMV card from being used at a point of sale if the merchant requires cards to be inserted into the EMV reader. But, as noted by the Federal Reserve Bank of Kansas City in a 2013 report, forging signatures is easier than stealing PINs, resulting in higher potential losses. Forecasts vary on whether eschewing the PIN requirement will affect fraud in the U.S. Some believe that until point-of-sale equipment is completely protected from malware, PIN entry could actually increase fraud at ATMs, where a combination of stolen magstripe data and a PIN can be used to drain cash. (U.S. ATMs do not yet incorporate EMV readers.)
Vanishing FBI Notice Fuels Debate Between Retailers and Banks
In an October 8 notice, the FBI said chip-based cards provide greater security than traditional magnetic stripe cards, but may still be fraudulently used because they “can be counterfeited using stolen card data obtained from the black market.” The FBI notice encouraged merchants to require PINs for verification, sensible advice except that PINs haven’t been adopted in the U.S. Although the FBI quickly revised its notice, the National Retail Federation (NRF), a longtime advocate for requiring PINs with EMV cards, was prompted to respond, endorsing the original advice on PINs and calling out the FBI for appearing to back away from it. “You don’t need to be a security expert to know that an illegible scrawl is virtually worthless as a fraud prevention device,” said Mallory Duncan, NRF’s senior vice president and general counsel. “Yet signatures are what banks want to use to ‘protect’ billions of dollars in daily transactions with their new generation of credit cards.”
Federal Regulators, State AGs and Congress Get Involved
Payment card fraud standards in the U.S. are not a matter of law; they are a matter of contracts between card issuing banks and merchants that accept cards. Legal protection exists for cardholders victimized by card fraud, but that is a different matter than the current controversy over the efficacy of Chip and Signature. But things could change.
In 2015, Federal Reserve Governor Jerome Powell supported the use of PINs. State law enforcement agencies recently urged major card issuers to implement PINs as a secondary form of verification. Attorneys General from eight states wrote to major issuers in November, stating the chip and signature model will make consumers more vulnerable to damaging data breaches. And a November Congressional Staff Report suggested renewed interest could indicate a possible shift in the future if signature verification fails to reduce fraud.
Embedded chips will undoubtedly make it tougher for criminals to create working counterfeit cards. 2016 data will tell us if they slow the fraud epidemic.