In the wake of the recent massive data breaches suffered by Target and Neiman Marcus, many banks and retailers have renewed the call for a change in the way that consumers in the United States pay for goods and services. Credit and debit cards in the United States generally use magnetic stripe technology on the backs of cards. With magnetic stripes, skilled fraudsters can fairly easily lift information from a credit or debit card and reuse that information.
The rest of the world outside of the United States has already moved to a much more secure and harder to hack system that contains smart chip-enabled credit and debit cards. Instead of swiping a magnetic stripe card, consumers insert their card into a terminal that reads the chip on the card, and then the consumer either enters a PIN or signs his or her name. With the PIN method, not only do hackers need to steal the card information with chip-enabled cards, they also need to somehow acquire the secret PIN that the consumer types in when making a purchase. This adds yet another layer of protection for consumers that is not currently required with magnetic stripe cards in the United States because even magnetic stripe debit cards can be swiped as credit cards and only require a signature. According to Krebs on Security, these new cards would at least raise the cost for fraudsters to steal consumer information. “It’s not that they can’t break the system – but it makes it more expensive for them to fabricate these cards.”
For the United States to switch to the new cards, retailers and banks would face high upfront costs in purchasing the terminals to read the cards and issuing new cards that contain a smart chip. Nevertheless, given the recent data breaches, the expense of adopting smart chip cards is becoming less of a hurdle when compared to all of the costs associated with the remediation of data breaches of Target’s magnitude. A primary hurdle to adopting the new system is the chicken and egg complex that is being fought between banks and retailers. Retailers do not want to incur the expense of new terminals to read chip-enabled cards until banks issue chip-enabled cards, and banks do not want to incur the expense of issuing chip-enabled cards until retailers purchase terminals that can read chip-enabled cards.
Indeed, retailers and banks pointed the finger at each other during the Senate Judiciary Committee hearing last week consisting of, among others, representatives from Target, Neiman Marcus, the National Retail Federation and the American Bankers Association. Senator Elizabeth Warren (D-MA) suggested that the blame for failure to implement widespread use of the chip-enabled cards was shared. “Banks have delayed; retailers have delayed; the government has delayed. Consumers have paid the price.”
Not wanting to delay any longer in the face of fierce criticism since its breach, Target promised to invest $100 million in new chip-enabled technology in its point of sale terminals and in Target REDcards that will be in place by early 2015.
Apparently ahead of the game, it seems that Visa was a pioneer on chip-enabled technology almost three years ago. In 2011, Visa announced a number of changes in its systems to encourage the use of chip-enabled cards and to phase out magnetic stripe cards. The change most likely to affect the chip-enabled card stand-off between banks and merchants is the liability shift for fraudulent transactions. According to Visa, liability for fraudulent transactions at the point of sale is largely absorbed by card issuers. Effective as of October 1, 2015 (October 1, 2017 for fuel-selling merchants), liability for counterfeit fraud may shift to the merchants if the merchant has not adopted, at a minimum, contact chip terminals that will allow the merchant to accept payment from chip-enabled cards. This liability shift is part of Visa’s initiative to force United States merchants to adopt chip-enabled cards in an effort to overhaul the United States credit card payment system and make it more in line with the rest of the world.
With a retailer as large as Target taking this monumental step in point of sale payment technology, together with Visa’s new liability shift coming in 2015 and new data breach regulations in 2014 seemingly inevitable, is becoming increasingly likely that the way U.S. consumers pay for goods over the next two years will change dramatically.