Pinning Hopes on Chip

  Payment system changes in Europe are having repercussions in many different ways. And sometimes even those involved in helping the region to improve payment card security can find the transition challenging.
  When James Crosbie handed over his credit card to pay for a business dinner at an exclusive Edinburgh restaurant on Valentine's Day, the waitress asked him to key in his personal identification number on her handheld payment terminal. Crosbie could not remember his PIN, and the restaurant refused to swipe the magnetic stripe on his card to initiate the payment. So a friend had to step in to pick up the tab.
  That embarrassing moment normally would not have made the newspapers but for one thing: Crosbie is the chief executive of HBOS, one of the United Kingdom's largest banks.
  The incident illustrates two sides of the challenge facing the U.K.'s payments industry as it introduces a new way to pay, with smart cards that require consumers to enter a PIN at the point of sale. On the one hand, consumers, who have been accustomed to signing for credit card purchases at retail locations and only using a PIN when withdrawing cash at an ATM, have to remember the PINs for all of their credit cards. At the same time, merchants and their employees have to learn the chip-and-PIN rules.
  In Cosbie's case, the merchant made a mistake. The restaurant could have run the payment through as a mag-stripe transaction. Even consumers who have chip cards still can pay by swiping the card if they claim to have forgotten their PIN, at least during a transition period.
  These issues are coming to the fore because the U.K. crossed a crucial watershed Jan. 1, when new rules went into effect shifting liability for fraudulent purchases made with a chip card to any merchant not equipped to handle the new chip-and-PIN cards. While the organizers of the chip card conversion have attempted to educate banks, merchants and consumers about this change, considerable confusion remains, as the Crosbie incident shows.
  Some consumers erroneously believe they no longer can use cards that only have a mag-stripe or that they now will become liable for fraudulent use of their card. Many also wrongly believe that they must use a different PIN at a shop than the one they use at a cash machine. Some merchants are insisting on PIN entry, while others are programming their payment terminals to automatically read the mag-stripe, bypassing the smart card chip and PIN that are meant to reduce card fraud.
  The experience of the U.K. is worth studying in the U.S. because it is the first major industrialized nation to adopt the new global standard for payment smart cards, EMV (Europay/MasterCard/Visa). France and other European countries, Japan, Canada and other nations are in various stages of introducing EMV-compliant chip credit and debit cards that will require entry of a PIN at the point of sale to prevent use of lost or stolen cards.
  For more than 10 years, France has used chip-and-PIN debit cards complying with a domestic standard. Only the U.S. among major Western economies has yet to commit to an eventual move to EMV.
  So how is the conversion to chip and PIN going in the U.K., and what are the lessons to be learned?
  David Porter, head of security and risk at U.K. consulting firm Detica, predicted in a report last summer there would be consumer confusion if the switch to chip and PIN were implemented on Jan. 1 and that cardholders would pick easily guessed PINs and use the same four-digit code for all their cards.
  Have those fears been realized? "No and yes," Porter recently told CCM sister publication Card Technology. "We forecast if consumers had to suddenly switch over there would be confusion. What happened is there hasn't been as much confusion because we haven't switched over completely."
  Some retailers require entry of a PIN with a smart card, while others do not, Porter says. Plus, Porter says, because all the smart cards also continue to carry the mag-stripe, a criminal who steals a chip card can deactivate the chip by stamping on it or putting it into a microwave oven, forcing a retailer to accept payment via the less-secure mag-stripe.
  While evidence of such activity is only anecdotal, Porter says, "It's not a very secure situation, and I think it will persist for a while yet."
  Others involved in the conversion say it has gone fairly smoothly, despite confusing media coverage. Some articles, for example, warned that many retailers would refuse to accept cards without chips after Jan. 1 because they would not want to accept responsibility for fraud. (In fact, the issuer remains responsible for fraud on mag-stripe-only cards; the liability shift only applies to the new cards with both a chip and a mag-stripe.)
  "The January sales were emphatically not chaotic," says Paul Smith, policy director for the British Retail Consortium, which represents U.K. retailers. "There was very poor media reporting at the end of the year, largely due to ignorance. For the retail trade and for the banks, chip-and-PIN's debut went extremely smoothly."
  The conversion will be an ongoing process, as not all cards in circulation carry chips yet, and not all payment terminals are ready to accept chip cards. But the U.K. has passed the halfway point on both cards and POS devices.
  Card Tally
  As of Dec. 31, 2004, U.K. banks had issued 31.4 million chip-and-PIN credit cards and 45.4 million debit cards, out of some 140 million payment cards. Of 860,000 POS devices, 636,000 were ready for chip and PIN, according to the Association for Payment Clearing Services, or APACS, the banking group managing the move to chip-and-PIN.
  Some consumers are resisting the change. "There is a significant number of credit cardholders, around 10%, who are refusing to use their PINs and insist on signing for purchases," says Anthony Pickup of U.K.-based Consult Hyperion. "Cardholders may have quite a number of credit cards and can't be bothered to learn their PINs for each card. Also, they can't see what the benefit is for them, as they know they are not liable for any card fraud losses."
  Marketing and security departments within banks often have conflicting priorities, notes Campbell Fisher, head of smart cards at the Royal Bank of Scotland. "Marketing wants customers to have the same PINs for all their cards, as this will lead to ease of use. But the fraud-control people say that this is a terrible practice and customers should keep their PINs different. Royal Bank feels that it is best for cardholders to make their own decision on their PIN numbers."
  The office coordinating the chip-and-PIN effort took pains to ensure that all banks and merchants sent a consistent message to consumers. For example, the chip-and-PIN logo, and its catchphrase, "Safety in Numbers," appeared on all of the banks' literature mailed out to cardholders, says Fisher. "As an industry, we all agreed not to have our own bank advertising conflict with the generic messages," he says.
  Fraud Concerns
  Special efforts were made to reach certain groups of consumers, such as the elderly. "The elderly are particularly concerned about fraud, as they tend to be targeted by criminals. So they have been enthusiastic about chip-and-PIN," Quinn says. "But to make sure they got the message, we had special campaigns for the elderly."
  Still, some observers say the consumer orientation process could have been handled better.
  Hyperion's Pickup says that the banks, which started sending PIN mailers to their cardholders last year, overestimated their customers' willingness to read advisory letters from them. "The banks assumed people would look at PIN mailers and make a note of the number," he says. "The banks really should have given customers a choice-have a chip-and-PIN credit card, where there is no fee and a reduced risk of fraud, or pay a fee for a credit card that requires a signature."
  Store employees could play a big role in educating customers about chip-and-PIN, but first they have to understand the new system. Many do not.
  David Cavell, a U.K. cards industry consultant, says his personal experience suggests clerks are not prompting customers to enter PINs. "I have had a chip-and-PIN credit card since last year, and have never been asked to enter a PIN," he says.
  While chip-and-PIN's main goal is to reduce fraud, ironically credit and debit card fraud losses went up by 20% last year, to ?505 million ($959.5 million). One reason was a 62% increase in fraud resulting from the theft of cards sent through the mail, as criminals took advantage of the tens of millions of new chip-and-PIN cards issuers were sending their customers. Such card-related fraud amounted to ?72.9 million in 2004.
  The rise in mail fraud "is a temporary phenomenon, due to fraudsters realizing that chip-and-PIN was coming and would prevent them from committing mag-stripe-related fraud," says Paul Lucraft, U.K. general manager for MasterCard Europe.
  With all these issues, is chip-and-PIN worth doing? Even the skeptical Porter says it is, "if it's done properly." But he says banks may have to consider additional security measures as criminals adapt to chip-and-PIN. Cardholders taking better care of their cards would also help a lot, Porter says.
  Unless the payment schemes want to risk alienating consumers by making them liable for fraudulent use of their cards, that sort of change in consumer behavior may be too much to ask. But the U.K.'s experience suggests that most consumers will in a matter of months adapt to a requirement that they tap in a four-digit PIN when they pay with plastic, at least those who can remember their PINs.