What is the shift to Cards and does it fix security issues?

folder_openBusiness, Technology
commentNo Comments

New technology about to be deployed by credit card companies will require U.S. consumers to carry a
new kind of card and retailers across the nation to upgrade payment terminals. But despite a price tag
of $8.65 billion, the shift will address only a narrow range of security issues.
Credit card companies have set an October deadline for the switch to chip-enabled cards, which come
with embedded computer chips that make them far more difficult to clone. Counterfeit cards, however,
account for only about 37 percent of credit card fraud, and the new technology will be nearly as
vulnerable to other kinds of hacking and cyber attacks as current swipe-card systems, security experts
say.
Moreover, U.S. banks and card companies will not issue personal identification numbers (PINs) with
the new credit cards, an additional security measure that would render stolen or lost cards virtually
useless when making in-person purchases at a retail outlet. Instead, they will stick with the present
system of requiring signatures.
president of global merchants services at American Express, cited cost and complexity as reasons for
not issuing PIN numbers, which would require a much larger investment by card issuers. “It is the PIN
management system that takes the effort, in part because of the additional customer support it requires.
Chip technology has been widely used in Europe for nearly two decades, but banks there typically
require PINs. Even so, the technology leaves data unprotected at three key points, security experts say:When it enters a payment terminal, when it is transmitted through a processor, and when it is stored in a
retailer’s information systems. It also does not protect online transactions.
“The simplest way to circumvent chip-and-PIN is to use a stolen card number to make an online
purchase.
Analysts predict that credit card fraud at brick-and-mortar retailers will fall after the introduction of
chip-enabled cards, but that online fraud will rise, as has happened in other countries using the
technology. Research and consulting firm Aite Group estimates U.S. online card fraud will more than
double to $6.6 billion from $3.3 billion between 2015 and 2018.
Retailers and security experts say it would make more sense for the United States to jump instead to a
more secure system, such as point-to-point encryption. This technology is superior to chip-and-PIN,
which first was deployed about 20 years ago, because it scrambles data to make it unreadable from the
moment a transaction starts.
But the newer technology would cost as much as twice what the chip card transition will cost, and does
not have the older technology’s long track record.
Moreover, some security experts say that mobile payment services such as Apple Pay, a service from
Apple that stores data on the cloud, have the potential in coming years to secure payments without the
need to swipe or tap a card at all.
Liability for Breaches
The dispute over the effectiveness of dueling payment security systems offers insight into a broader
battle over who bears liability for breaches: retailers or the financial firms that extend the credit.
Currently, card issuers are generally liable for fraudulent charges. After the October deadline, if a
retailer is not using a terminal that can read the new cards and a security breach occurs involving a chip
card, the retailer will be liable, though consumers will still deal with their banks in the event of a
fraudulent charge. If the retailer is chip-and-PIN enabled, the card issuer will be liable.
The liability issue has engendered anger on the part of some retailers, but it has also provided an
incentive for compliance with the new standards.
“When banks and card companies are only concerned about shifting the liability to the retailer, you
have to comply first,” Brooks Brothers Chief Executive Officer Claudio Del Vecchio said. “And then
think of solutions that will fix your problems.”
The clothing retailer expects to meet the October deadline, but Del Vecchio declined to give details on
the cost involved.
Banks and card companies argue that chip-enabled cards are a needed first step toward defending
against the use of lost, stolen, or counterfeit cards. “The first thing we need to do as a country is secure
face-to-face transactions,” said Carolyn Balfany, senior vice-president of product delivery forMasterCard, one of the companies involved in setting the new standards known as EMV, which stands
for Europay, MasterCard and Visa.
And there are reasons that banks and card companies haven’t yet embraced newer, more secure
systems.
Big Spend
With the October deadline approaching and the upgrade costs hitting retailers’ income statements, some
merchants remain unaware of the required changes, while others have renewed their focus on the
shortcomings of chip technology.
“As the deadline approaches, retailers realize they are stuck with this massive investment they have to
make for a technology that does not solve the problem,
The installation of 15 million payment terminals that can read chip cards in the U.S. will cost
approximately $6.75 billion. Banks are expected to spend some $1.4 billion to issue new cards and
another $.5 billion to upgrade their Automated Teller Machines according to Javelin Strategy &
Research.
The upgrade of a single payment terminal to chip-and-PIN capability costs between $500 and $3000,
depending on features. It would cost between $1000 and $4000 to install a point-to-point encryption
terminal.
“The problem now is how do we allocate our capital in a way that addresses EMV first and then
immediately find the funds to upgrade again and install a better solution,
For some small merchants, however, the problem is even more basic: Knowing what will be expected
of them in October.
Six of 10 small retailers isaid they had no idea about the deadline later this year and have no plans to
upgrade their payment terminals. Three others said they had heard about the shift, but that their
businesses were small and hadn’t had problems with fraud that would justify the expense of installing
new equipment. Only one business owner said she would like to upgrade terminals, though she says
cost is an impediment.
“The cost implications are important and I’m going to wait and see if by the end of the year there is a
way to rent these terminals instead of buying them,” she said. Manion already pays a $500 fee every
month for the two card terminals she now has.
The Retail Merchants Association said it believes a majority of small retailers are aware of the risks
from card fraud but haven’t started making the required investments yet. The group is developing a plan
to explain the shift in liability and will start reaching out to smaller merchants soon.”Many small retailers have a tendency to wait until the very last minute until they realize they
absolutely have to spend that money because for them cash is king,”

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed

Menu