A change is coming in the credit card world, which given all of the recent hacks at leading retailers and banks (JP Morgan, Target, Home Depot to name just a few), cannot come soon enough. What is interesting is that the U.S. may be choosing a different path than other countries.
Hat tip to Peter Davies, who tipped me off about this fascinating (to me, anyway) interview regarding this transition on Krebs On Security. Here are some highlights:
- Other G20 countries have chosen most secure method of protecting credit card information using chip-and-PIN which protects against counterfeits and lost/stolen cards:
The United States is the last of the G20 nations to move to more secure chip-based cards. Other countries that have made this shift have done so by government fiat mandating the use of chip-and-PIN. Requiring a PIN at each transaction addresses both the card counterfeiting problem, as well as the use of lost or stolen cards.
- U.S. seems to be moving toward the less secure “chip and signature” standard:
Here in the States, however, the movement to chip-based cards has evolved overwhelmingly toward the chip-and-signature approach. Naturally, if your chip-and-signature card is lost or stolen and used fraudulently, there is little likelihood that a $9-per-hour checkout clerk is going to bat an eyelash at a thief who signs your name when using your stolen card to buy stuff at retailers. Nor will a signature card stop thieves from using a counterfeit card at automated payment terminals (think gas pumps)
So, why are we different?
- Fear of ATM Fraud (Chip and PIN cards will still have magnetic strips for ATM withdrawals): “Most card issuing banks and Visa don’t want PINs because the PINs can be stolen and used with the magnetic stripe data on the same cards (that also have a chip card) to withdraw cash from ATM machines. Banks eat the ATM fraud costs. This scenario has happened with the roll-out of chip cards with PIN – in Europe and in Canada.”
- Concerns that consumers will forget PIN numbers and therefore won’t be able to use their cards: “There was a Canadian issuer that — when they did their migration to chip — really botched their chip-and-PIN roll out, and consumers were forgetting their PIN at the point-of-sale. That issuer saw a significant dip in transaction volume as a result. One of the missteps this issuer made was that they sent their PIN mailers out too soon before you could actually do PIN transactions at the point of sale, and consumers forgot.”
- KISS (keep it simple, stupid) principle (also shows you what card companies think of the average consumer: “We don’t really think we can teach Americans to do two things at once. So we’re going to start with teaching them how to dip, and if we have another watershed event like the Target breach and consumers start clamoring for PIN, then we’ll adjust.” So the issuers I spoke with wanted to keep it simple: Go to market with plain vanilla, and once we get this working, we can evaluate adding some sprinkles and toppings later.”