With credit card and identity theft prevention taking center stage earlier this month, it’s a natural time to ask: Just what does it take to protect consumers when they pay for goods and services? Hackers are growing bolder and increasingly sophisticated, making the need for continued vigilance and action by all of us more important than ever before.
Electronic payments are safer than cash – it is much easier to get a card replaced than recover cash from a lost wallet – and the consumer benefits have grown over the years. From extended warranties to transaction dispute rights, electronic payment options like major credit/debit cards and mobile wallets provide an extra feeling of security.
The short answer is that the retail sector is not under the same kind of consumer data regulations as the financial sector, and it shows. Major data breaches at TJX, Home Depot, Staples and Target exposed millions of card accounts. In these breaches, it was the retailer’s unregulated systems that were compromised. In each case, banks stepped up to quickly replace cards and make consumers whole.
That “chip” card you may have received is aimed at making it harder to use this stolen data in stores. Unlike the magnetic stripe on the back of cards, the chip cannot be counterfeited using data stolen from retailers. The faster that merchants convert over to chip card readers, the faster that counterfeit card fraud gets squeezed out of the picture.
So why aren’t many U.S. chip credit cards being issued with PINs? Some retail trades have floated creative theories, but the real reason is rather practical – times have changed. When chip and PIN was deployed abroad years ago, most fraud came from genuine cards stolen from wallets and purses, not huge Internet data breaches that lead to counterfeit cards. The reverse is now true.
Today the scam goes like this: Hackers find a retailer with weak security, break in from thousands of miles away and download consumer account data (including PINs, where available). Trying to trip up the rare pickpocket with a four-digit PIN is not the solution to marauding international crime rings that often find retailer systems virtually unlocked.
But what about online transactions? Besides the ‘neural networks’ that scan transactions for fraud, financial institutions are implementing “tokenization” technologies, which substitute a one-time code in place of one’s credit card account number, and point-to-point encryption, which renders data unreadable on its journey through the payments network.
While banks believe that innovation and common-sense standards are the surest paths to increased security, the retail lobby continues to offer up only distractions. Retail lobbyists continue to fixate on mandating “simple solutions” like PINs that won’t prevent future data breaches, while fighting tooth-and-nail against proven security standards. This is a recipe for continued cybercrime that hurts consumers.
The retail industry’s position, which would require PINs to accompany credit and debit card transactions, reveals the troubling gaps between retailers’ understanding of the cybersecurity landscape and what is needed to protect consumer data. Retail trades are not doing their members any favors by endlessly proposing a narrow, static “solution” that does little to protect them from fraud losses. It is high time that they stop passing off a single tool as a panacea that will save their members big money – it is simply not true. This fight is not a productive use of resources that could instead be spent on upgrading retailers to bank-level security.
Retail trades have an opportunity to join banks in supporting the strong data standards found in the bipartisan Data Security Act of 2015. It is disappointing that they continue to spend lavishly on PIN mandate ads to distract from the need for this pro-consumer legislation. We think that most retailers want to be part of the solution, and we urge them to prevail upon their trades that strong security standards are in everyone’s interest.
Innovation is critical, but it only matters if all parties—including banks, payment networks, retailers and consumers themselves—work together to keep the system secure. Rather than debating the merits of a single, static tool, we need to stop arguing and come together to develop and implement dynamic technologies capable of protecting us from the common enemy we are all trying to defeat.
Sharp is senior vice president and executive director of the American Bankers Association's Card Policy Council.