The payment card industry has some explaining to do.
According to an Aug. 30, 2013, joint public filing by Visa and MasterCard, "requiring the use of a personal identification number (PIN) rather than permitting signature as a means of customer authentication for transactions at Point of Sale is a proven method of reducing card fraud." Unfortunately for American consumers, that was from their submission to the Australian Competition and Consumer Commission. Here in the United States the companies have chosen to implement signature authentication only, a standard that by their own admission (in the same filing) is less secure.
Millions of Americans will soon be using a new type of credit card with an embedded chip that gets "dipped" into the credit card machine, joining their counterparts in Europe, Canada and Australia, whose citizens have been "dipping" for years. During the past few months over 500 million of these cards have been mailed to American consumers.
My first experience with this technology came when I checked out at Target over Labor Day weekend. Like other retailers around the country, Target is starting to prepare customers for the transition to these "dip" cards, known in the payments industry as the Europay/Mastercard/Visa standard. Quite simply, EMV technology is a big improvement over the current magnetic strip, which hasn't changed much since its widespread introduction 35 years ago. While EMV won't stop fraud, it makes it much harder to exploit someone's stolen credit card information.
This is a positive development for consumers and businesses alike, and it is especially positive for Target, which suffered a high-profile data breach in 2013 that exposed the information of 40 million credit and debit cards. Last month, Target agreed to pay up to $67 million to financial institutions affected by the theft. As banks send customers new credit and debit cards, retailers are updating their payment terminals to accept them.
It's good news for consumers, too. Starting Oct. 1, if fraud occurs at the point of sale and a vendor hasn't made the switch to EMV technology, that vendor can be held 100% liable the losses.
There's just one problem.
In updating credit cards with EMV technology, Visa and MasterCard have neglected an important element of what makes EMV so successful elsewhere. Virtually every other country in the world that has transitioned to EMV has paired it with PIN verification. In the U.S., card companies have chosen signature verification. This is a far less secure method of authentication that will leave consumers vulnerable and will undermine EMV's effectiveness.
The danger in choosing signature over PIN is twofold. First, for transactions where a machine has problems reading a chip, the equipment will automatically default and accept a magnetic stripe. When only signature verification is employed, this creates a simple workaround for fraudulent transactions in the event of a breach. Second, when (not if) hackers find a way to counterfeit EMV chips we'll be right back in the same vulnerable position we were in before.
In 2012, the U.S. accounted for 47.3% of global payment card fraud, but only 23.5% of global payment card volume. Last year, data breaches like those at Target and Nordstrom's cost retailers a combined $32 billion. Consumers paid the price in the end. Fraud leads to higher credit card fees, which translates into more expensive goods and fewer payment options. It also undermines consumer confidence at a time when we need more market engagement, not less.
EMV technology is no silver bullet against fraud. The failure to employ a more secure verification method is irresponsible in an era of organized crime and cyber warfare, at a time when the Social Security numbers of 21 million people can be stolen from the Office of Personnel Management and (presumably) bought and sold over the Internet. The need for PIN verification is clear.
The Federal Reserve Bank of Atlanta has said chip-and-PIN verification is seven times more secure than chip-and-signature. The payment networks should be embracing this technology like they have done in Canada, Australia and all across Europe.
The U.S. is one of the last industrialized nations to adopt EMV technology. Now that we have, domestic consumers deserve the same protections and data security standards enjoyed by the rest of the world, and a signature just doesn't cut it. The trade-off from chip-and-PIN verification is worth an extra second at the register — especially it means more protections and lower prices.
Joseph Colangelo is the executive director of Consumers' Research.