[IMGCAP(1)]For half a century, U.S. consumers have been accustomed to swiping and signing when making credit card purchases. But soon the magnetic stripe will go the way of Pan Am airlines and Bear Stearns.
Moves are already afoot in the U.S. to transition from the traditional magnetic stripe to a chip-and-signature system—the last major market in the world to embrace this chip technology.
It has not happened fast enough—and it still isn’t enough.
If you live in the U.S. and rely on credit cards, the odds aren’t in your favor; you may already have been victimized, or you will be before the transition takes place. Recently, a data breach involving grocery chain Supervalu Inc.—affecting nearly 1,000 stores—and a security firm’s claim that Russian hackers pilfered 1.2 million usernames and passwords—are some of the latest reasons for alarm, and action. Data breaches have also been reported in the past week at JPMorgan Chase and Home Depot.
Half of all global credit card fraud takes place within our borders, even though the United States is home to only a quarter of all credit card transactions. A Pace University report recently commissioned by ACCA (the Association of Chartered Certified Accountants) USA illustrated rampant abuse, how criminal technology has vastly outpaced security patches, and why solutions are urgently needed.
The global cost of cybercrime escalated to $113 billion from $110 billion last year, costing the average victim $298, a jump from $197 in 2012, according to Symantec’s The Norton Report. A significant portion of that involved payment card fraud, with estimates affixing an $8.6 billion annual cost to the U.S.
It’s not just at small corner stores or random ATMs. As larger household brands—such as Target and Michael’s—come under attack, the risk of being victimized is greater than ever. A recent Ipsos/Reuters poll found that one in three Americans have noticed fraudulent charges on their credit or debit card statements, and only 38 percent of Americans reported that their personal information had never been stolen.
This is a war being fought at the ATM, gas pump and every retailer large and small, at the intersection of street crime and tech crime. It’s a testament to why the adoption of chip-and-signature (or PIN) technology is long overdue.
The “new” system involves EMV technology, a chip-based means of securing payment transactions developed by Europay, MasterCard and Visa, as well as universal use of PINs to increase payment security.
The chip in an EMV card is an integrated circuit and embedded in the card for added security. The chip—which is virtually impossible to clone—enables a card to be used with EMV-enabled devices, including ATM and point-of-sale terminals.
EMV is a two-factor authentication protocol, with the chip and signature authenticating the consumer. Nevertheless, EMV cards can be used globally on devices that do not recognize the chip.
This is important because data skimmed from cards in Europe is usually sent to the United States, where criminals can clone cards and cash out the payment cards. According to Europol, 80 percent of fraud outside the EU, using EU payment cards, occurs in the United States, which translates into $1 billion in losses.
EMV technology has become the standard in Europe since it was introduced 12 years ago. But as other markets revolutionized their systems, criminals set their sights on the U.S. because of its now-antiquated system.
Sadly, there has been no mandate for the introduction of EMV in the U.S., unlike its introduction in the U.K., Canada and Mexico. And its implementation here will yield a significant liability shift, exacting significant financial tolls that likely will cause institutions to embrace the change.
Once EMV is fully implemented in the U.S., non-EMV compliant banks and retailers will be forced to absorb any losses associated with fraudulent transactions.
Merchants will switch systems, or they could be found liable if fraud happens and they’re using a swipe-and-sign system but a consumer’s original card has a chip. In the reverse, if a merchant has a new system but the consumer’s bank hasn’t issued a new chip card to the consumer, the financial institution could be deemed liable.
Yet, acquirers have been procrastinating with implementing EMV-compliant terminals. And understandably the switch requires not just a new way of thinking but considerable costs on many fronts.
But that shouldn’t preclude those on both sides of the fence from moving swiftly ahead. Sadly, the steps being taken are not enough. The EMV cards rolled out here differ from those adopted abroad: those use chip-and-PIN technology, requiring cardholders to input a PIN in transactions. That’s a measure that ACCA strongly recommends be duplicated in the United States, and we are heartened that JPMorgan Chase, for one, has announced it would start issuing such cards this year.
Over the next year, our financial institutions have an obligation to embark on a comprehensive public education campaign to ensure a smooth transition, and to avoid further delays.
Because in the interim, criminals will continue to target the United States—and every one of us is vulnerable. The transition to chip-and-PIN boils down to cold cash and common sense.
Warner Johnston is the head of ACCA USA. Founded in 1904, ACCA (the Association of Chartered Certified Accountants) is the global body for professional accountants with 170,000 members and 436,000 students in 180 countries.