In the nearly nine months since the credit card industry imposed an arbitrary October deadline for most businesses to accept their new EMV chip cards, there has been an ongoing debate on whether the cards do enough to prevent fraud.
We in the retail industry have said that the chip improves security somewhat compared with traditional magnetic stripe cards but that without a personal identification number the new cards provide less than half the fraud protectionthey are capable of providing.
The banks have offered plenty of excuses. They claim American consumers couldn’t remember a PIN. That’s an insult to consumers who have been using a PIN for 30 years at ATM machines. They say a PIN is a “static” number that doesn’t change. The truth is that a PIN can be changed easily by simply contacting your bank or going online. And, unlike a signature, a secret PIN is much harder to forge. They say the chip is good enough because it’s difficult to counterfeit. It is difficult to counterfeit, but that does not mean it can’t be circumvented – if nothing else, thieves knowthe cards default to the magnetic stripe when the chip doesn’t work.
Is a PIN perfect? Is it the answer to credit card security that will eliminate the need for anything else?
The answer to both questions is no. But the PIN is nonetheless proven technology used around the world for a generation that has reduced card fraud as much as 70 percent in places like England. There may well be advances with smartphone technology or other innovations yet to be dreamed of, but the PIN is here today and there’s no reason American consumers should be denied the security given to their counterparts around the world.
Anyone who’s ever signed a credit card receipt knows a signature is meaningless. Any illegible scrawl will do. By contrast, a PIN is a secret, secure number known only to the cardholder. A chip alone can prove that the card is legitimate, but does nothing to prove that the person using your card is legitimate. But if a criminal doesn’t know the PIN that goes with a card, he’s stopped in his tracks whether the card has a chip or not. A PIN would also reduce fraud in the growing world of online transactions, where chips do nothing.
Banks like to call their fraud prone chip-and-signature cards "chip-and-choice." "Chip-and-chance" might be a more accurate slogan.
You would think that banks would be the ones insisting on a PIN. After all, banks won’t let you take a $20 bill out of their ATM machines without a PIN. So why do they let a thiefchargehundreds or even thousands of dollarsof merchandise on your credit card with just a signature?
American consumers want PIN. In 2015, NRF found 62 percent of consumers surveyed prefer chip-and-PIN cards over chip-and-signature, and 63 percent said chip-and-PIN cards provide more data security than those that don’t. The survey found 83 percent of consumers who say a PIN is more secure would consider it worthwhile even if they had to remember a different number for each card.
Even the FBI says chip cards would be safer with PINs and last year issued a consumer alert the banks demanded be retracted.
With only a couple of exceptions, PINs are not yet available on U.S. EMV cards. They are available on debit cards and are required at an ATM, but debit cards can still be used – by the legitimate cardholder or a thief – to make a purchase in a store.
Our nation’s largest retailer, Walmart, recently moved to make debit card transactions more secure by requiring that customers use the PIN when they use a debit card that has a chip. Amazingly, Visa – which claims to care about security – refused to allow Walmart to do that, and forced Walmart to go to court to defend its right to protect its customers.
Americans should be outraged that their banks and credit card companies don’t care as much about card security as they claim. And why is that? Because the major card companies have set up the system so they and the banks make a little more money on average when they get people to sign. (Visa owns the largest signature network.)
But there may be an answer.
If enough consumers start calling their banks and demanding PINs with their chips,a few banks should eventually realize that there is more volume to be gained by offering true EMV chip-and-PIN cards and legitimately marketing them as safer than thechip-and-signature cards being foisted on American consumers by most banks. By contrast, other banks’ cards would be seen as unsafe. Once one major bank does that and starts to draw in millions of new customers, other banks would realize they are missing out on a huge business opportunity and would likely do the same.
Will that really happen? Hard to say. In the meantime, however, American consumers will know that it is retailers who are fighting to protect their credit and debit card data and it's banks who want to play chip-and-chance.
Mallory Duncan is senior vice president and general counsel at the National Retail Federation in Washington