Monday, February 17, 2014

American businesses are holding credit card security back


Why US credit cards continue to use signatures while the rest of the world uses PINs

Readers may have noticed a rash of stories earlier this month hailing the end of the swipe-and-sign credit card in the US in favor of cards that require a PIN, which are standard in Europe and most developed markets. Unfortunately, the story has turned out to be significantly more complicated. While there is a major security upgrade happening to the payments system in the US, the majority of cards being issued in the US still require only a signature to complete a purchase.

A PIN is obviously stronger protection against fraud than a signature, which can be easily forged and is ignored by most cashiers anyway. So why is the US moving to the less secure version of a more secure system, and why did the media get it wrong?

This debate started with a global standard developed in 1994 by Europay, MasterCard, and Visa known as EMV. The standard ensured interoperability between merchants, banks, and a new type of credit card that contained a computer chip. The chipped cards were more secure than cards that stored data on a magnetic stripe, which can be more easily copied by thieves and printed onto blank cards. Most of Europe, the Netherlands, Canada, and Mexico all moved to the new standard. The US did not.

WHY IS THE US MOVING TO THE LESS SECURE VERSION OF A MORE SECURE SYSTEM?

Fraud in the US was relatively low at the time and the cost of replacing readers in stores and issuing new cards to customers was high, so the country never got around to replacing those magnetic stripe cards. As a result, the majority of new cards have only a magnetic stripe, only a small minority of stores are capable of reading chipped cards, and Americans traveling abroad frequently find they can’t buy metro tickets in Paris because their cards are incompatible with the machines.

This is finally changing. Payments processors including Visa and MasterCard will be implementing a "liability shift" in October of 2015 that will place the burden of fraud on whichever party has less secure technology. In other words, the policy will penalize issuers that don’t put chips in their cards as well as stores that don’t accept chipped cards.

MOST CHIPPED CARDS WILL STILL REQUIRE A SIGNATURE, NOT A PIN

There are a lot of moving pieces in the transition, however. Stores must install new equipment; banks, credit unions, and other issuers must begin offering new cards; and customers must begin using them. Most of the new chipped cards will still have a magnetic stripe on account of the fragmented adoption of chip readers, which will prolong the changeover. In the Netherlands, a much smaller country where everyone was in agreement on the issue, it still took two years.

Congressional hearings related to the Target data breach as well as a widely cited Wall Street Journal interview with a MasterCard executive triggered attention to the issue this week. Both Target CFO John Mulligan and MasterCard talked about the movement to a so-called "chip-and-PIN system," implying that customers will soon be tapping in codes rather than signing receipts.

That’s not the case, according to a list of chipped cards that are available now, as compiled by the credit card collectors at the forum Flyertalk. Most chipped cards will still require nothing but a signature as proof of ownership.

"The current pending US rollout of chip cards will allow use of the less secure chip-and-signature cards rather than the more secure chip and PIN cards," Edward Mierzwinski, consumer program director at the US Public Interest Research Group, said during a Senate hearing. "Why not go to the higher chip-and-PIN authentication standard immediately and skip past chip and signature?"

Representatives from the banking industry say chip and signature is what consumers and merchants want: convenience and speed. Customers don’t want to have to remember a PIN for their credit cards, Jason Kratovil, vice president of legislative affairs at the American Bankers Association, tells The Verge. "You've got both banks and retailers struggling with how to find the right mixture of providing security to customers, yet also the convenience that American customers expect."

BANKS SAY AMERICANS DON'T WANT TO REMEMBER MORE NUMBERS

It’s debatable whether signing is significantly faster or more convenient than typing a four-digit code. Banks and card issuers do want to move toward chip-and-PIN eventually, however, in order to reduce their costs associated with fraud. A PIN could also provide another layer of protection in online or "card not present" transactions, where fraud has increased more rapidly.

However, even chip-and-PIN technology is fallible. The system would not have prevented the Target attack, Kratovil says, in which hackers gained inside access and stole card numbers. (It would have reduced the quantity of numbers that could have been stolen, however, since the malware presumably wouldn’t have saved any information from customers using chipped cards.) Researchers at Cambridge University also demonstrated a method for duping chipped cards. And eventually, the country will move toward pay-by-phone or contactless systems, which are even further behind due to delays from companies and a lack of standards. "Nothing is a panacea here," Kratovil says. "You're talking about one piece of the bigger struggle to stay at least in step with the fraudsters if not one step ahead."


Source: Business Insider; The Verge
