Retailers are appealing to Capitol Hill ahead of a Thursday deadline requiring them to install machines that accept a more secure, microchip-embedded credit card, or foot the cost of any credit card fraud.
In a bid to reduce the rash of cyber crime that has plagued the U.S. private sector, credit cards issuers announced in recent years they would stop absorbing the cost of fraudulent transactions at merchants that haven’t upgraded their payment terminals to accept the new cards.
That switch finally occurs Thursday.
Financial institutions say the move will drastically reduce counterfeit fraud and help thwart hackers. But retailers maintain they haven’t had the time to make the multi-billion dollar transition to the new technology and believe the change will only shift digital fraud to other outlets.
The Retail Industry Leaders Association (RILA), a leading D.C. advocate for merchants, made its concerns known in a letter that hit Hill offices on Wednesday.
“U.S. banks and credit unions have argued that the chip is enough, and will prevent counterfeit credit cards from being made,” said the letter, sent to party leaders and lawmakers on financial services committees. “However, cyber thieves have already begun to find ways to work around the chip.”
The U.S. lags behind much of the world when it comes to payment card technology.
Around Europe, roughly 95 percent of payment terminals already accept chip cards. In Canada, Latin America and the Caribbean, nearly 80 percent of terminals are chip-ready, according to the Smart Card Alliance. U.S. adoption checks in at just over 50 percent this year, up from only 14 percent last year, according to data from Aite Group.
Many blamed this chasm when U.S. retailers were hit by a recent swarm of mammoth data breaches. In late 2013, a hack at Target exposed 40 million credit card numbers. Months later, a breach at Home Depot topped that, compromising 56 million people’s data.
Overall, nearly half of the world’s credit card fraud occurs in the U.S., even though the country only accounts for about a fourth of global card volume, according to a recent Barclays report.
Credit card companies aren’t promising the new cards are a panacea. But they will help significantly, said Stephanie Ericksen, Visa’s vice president of Risk Products.
Unlike the static data on a traditional magnetic swipe card, a chip card creates a one-time code for each transaction, making it nearly impossible for fraudsters to reuse the stolen data. Visa is one of three companies that created the system, known as EMV (Europay, Mastercard and Visa).
“It may not prevent a data breach, but when the data is stolen, chip data is a lot less useful to criminals because they can no longer use it for counterfeit,” Ericksen said.
Based on other countries’ experiences, the likely result is a two-thirds reduction in counterfeit fraud once roughly 60 percent of retailers have the EMV-capable terminals, Ericksen added.
But retailers believe the switch is a rushed and expensive move for a technology that doesn’t go far enough.
“The new chip cards are sort of a half-baked solution,” said Mallory Duncan, senior vice president of the National Retail Federation, which represents all types of retailers, from department stores to chain restaurants to grocery stores.
Duncan and other retailers argue that chip-enabled cards need to be accompanied by a secondary, four-digit identification PIN code, similar to an ATM code.
As it stands, consumers will just be asked to sign for larger credit card purchases, similar to the current process.
“You’ve really done nothing more than cut off a partial avenue to the fraudsters,” Duncan said. The new process, he added, has “locked the front door and left the back door open.”
Without the PIN, fraudsters can still reuse pilfered chip card data online at ecommerce sites, Duncan said. Indeed, Aite Group estimates U.S. online card fraud will more than double from $3.1 billion to $6.4 billion between 2015 and 2018.
Visa’s Ericksen says the world is already moving past PIN verification because of the rise of mobile transactions and other digital payment technologies.
“So investing in PIN here would be an incremental investment,” she said. “It would probably slow down the move to EMV. We want to move to EMV as quickly as possible to address counterfeit fraud.”
It’s smarter, Ericksen added, to invest in more advanced fraud detection mechanisms to combat ecommerce fraud, such as biometrics, predictive analytics and analyzing the IP address of the purchasing device.
Jason Brewer, RILA senior vice president of communications and advocacy, agreed that such investments were important. However, he said, that doesn’t stop the need for stronger security today.
“It still begs the question, why would you go with a lesser form of security today just because you think you might get something better five years down the road?”
Brewer said RILA is taking its argument to Capitol Hill as part of a “public information campaign.”
RILA spent August arranging store visits for lawmakers, Brewer said. During the tour, RILA members got to display the new technology in action, while expressing their displeasure.
Ericksen said Visa and other card issuers have also “been having a lot of conversations to educate” lawmakers about the change.
Congress is considering a slate of data breach bills that could set nationwide data security standards. For now, none of the offerings include specifics about chip-enabled cards. The measures are more focused on ensuring companies simply have a modern security plan in place to protect customer data.
Both sides in the debate aren’t sure what role, if any, Congress should have in this transition.
“There’s not a lot of desire to do any technology specific type of mandate,” Ericksen said.
But down the line, Capitol Hill could get drawn in further.
“Could this get mixed in somehow?” Brewer said. “Maybe.”