The way Americans spend money is on the verge of its biggest change in decades, but the drumbeat of doubters continues to get louder. New chip-enabled credit cards are slowly getting into consumers’ hands in advance of a looming deadline later this year. But a Walmart executive recently told CNN that U.S. chip cards are a “joke,” and a new report examining other countries’ changeovers suggests criminals around the globe merely switched tactics and kept right on stealing from consumers’ accounts.
The switch to chip cards goes by the shorthand EMV, which stands for Europay, Mastercard and Visa. In Europe, when banks implemented the change, government rules forced consumers to start using credit cards like debit cards – requiring that PIN codes be entered each time a card is used. The change adds two important levels of security, or two-factor security. To complete a transaction, buyers need to have in their hands a chip card, which is incredibly challenging to counterfeit. And they must know something — a PIN — that’s not on the card.
The U.S. is poised to implement only half this system. Chip cards must be accepted by merchants by the fall deadline, but not PINs. The so-called “chip & signature” system is a half-measure, according to Mike Cook, Wal-Mart’s assistant treasurer and a senior vice president.
“The fact that we didn’t go to PIN is such a joke,” Cook told CNNMoney.com.
For example, a criminal who physically steals a chip & signature credit card will have no trouble using it to commit fraud in a store by faking the consumers’ signature.
Meanwhile, a report issued recently by analyst firm Mercator raises even more concerns that the switch to chip cards might not reduce fraud, but simply nudge criminals towards different fraud.
“Unless the payment industry tackles other growing concerns like lost and stolen card fraud, overall fraud losses will continue to spiral up toward pre-EMV levels,” the report says.
Why? So-called “card-not-present” fraud is on the rise in places that adopted EMV long ago, according Mercator’s Tristan Hugo-Webb, who is Associate Director of the Global Payments Advisory Service.
For example, the United Kingdom was one of the first countries in the E.U. to complete the switchover to EMV back in 2006. While counterfeit card fraud has shrunk — from 27 percent of all fraud in 2003 to 13 percent in 2013 — other kinds of fraud have soared. Card-not-present fraud, which includes online and telephone sales, has climbed from 29 percent of fraud in 2003 to 67 percent in 2013. Chip cards have no impact on online or telephone sale fraud because the chips cannot be used for authentication.
So as e-commerce has risen, online fraud has risen right along with it. In the U.K., there has been a sharp increase since 2011, Hugo-Webb says.
New technologies that would add a layer of authentication to online purchases, such as electronic tokens that help verify consumers remotely, have been invented but have not been implemented.
“The hope is that with the creation of new security technologies like tokenization, the industry can begin to play offense rather than always having to play defense against payment fraud attacks,” Hugo-Webb says.
The trickiest part of the migration is that the U.S. is so far behind – at least a decade behind the U.K, for example – that new payment forms, such as mobile payments, may have overtaken old-fashioned plastic cards by the time the EMV adoption is complete. To some observers that lessons the urgency of the changeover.
But Hugo-Webb says the U.S. must still migrate, even if the step doesn’t reduce fraud. It’s more a matter of holding serve, he said.
“If the U.S. decided to skip EMV….it would be more of a target than it is today,” he said. “There is still value in migrating….it’s going to take a lot longer than people expect for mobile payments to really become commonplace.”
Because of the decade-long delay, however, the value of the upgraded security will be less in the U.S. than it was in Europe, however, where banks enjoyed at least a few years of reduced fraud before criminals caught up. Here in the U.S. criminals already have quite a head start on their EMV workarounds.
That fact should help inform banks and merchants as they consider how much to invest in new forms of security for the coming generation of payment systems.