Credit cards in the US are getting a makeover, but not without criticism. Financial institutions everywhere are rolling out updated versions of many of their cards, sporting “new” EMV (Europay, Mastercard, Visa) technology. These cards are aimed at improving consumer security and adhere to global credit card standards – EMV-support has been the norm in Europe, Africa, and Asia for more than a decade. New legislation has also given EMV an extra push into our market – beginning in October 2015, all retailers who do not have EMV readers, but still accept credit cards, will be liable for all fraudulent charges made at their business.
The U.S. is implementing a "chip & signature" technology over a more secure "chip & pin" variation. The major difference among the two types of EMV technology lies in their authentication method. As the name suggests, chip & signature cards require the users to sign for each purchase as a means of verifying their identity. Chip & pin cards opt for a method similar to that of debit cards – that is punching in a 4 to 6 digit personal identification number (PIN) at the time of purchase.
As we move closer and closer to the October deadline, the conversation behind EMV technology is heating up. Speaking at the Electronic Transaction Association’s Transact conference, the Senior Vice President of Wal-Mart, Mike Cook, relayed his opinion on the United States’ choice of EMV variant. Cook said his company would have preferred chip & pin as it would mean greater protection to cards from being stolen. Cook argued that “signature is worthless as a form of authentication”, pointing to the example of Target and Home Depot breaches, where it was credit – not debit – cards that needed to be re-issued. Presumably, a thief can easily create a counterfeit copy of a card, and then sign for a purchase (which most of the time can’t be immediately verified). Whereas, if the purchase required a PIN, the would-be-thief couldn’t make the purchase having to steal more information.
While it is true that chip & pin offers better security than its counterpart, it does not do much to protect against cases of card-not-present (CNP) fraud. These occur when credit card information is used to make purchases online, or any other terminals where the physical card doesn’t have to be present. CNP is a mounting concern in the battle against credit card fraud – within the United States alone, $2.8 billion in losses has been reported due to fraudulent CNP transactions.
Over the last decade, both the United Kingdom and Australia have implemented EMV technology into their credit card markets. While the U.K. chose to introduce chip & pin variants, the Australian government has chosen to support chip & signature. The damages from CNP fraud has not seen any reliable improvement, in either case.
The liability shift in the U.K. occurred in 2005, while Australia’s did not happen until 2008. Recently Australian officials have announced the country will begin migrating it’s systems over to chip & pin for improved security. However, as noted, this is likely to have little impact on cases of CNP fraud.
Ultimately, striving for greater security measures is a step in the right direction. Whether it’s a small step (chip & signature) or a slightly bigger step (chip & pin), it’s important to understand that the battle against fraud is an uphill one. There are many different fronts to defend, and as the technology to fight it improves, the tactics used by credit card thieves are sure to keep up the pace.