Feb. 13, 2014 at 10:52 AM ET
Smart cards — already used for credit transactions in about 130 countries — are coming to America. But it’s going to be several years before we all have these fraud-resistant items in our wallets.
The nation’s banks have slowly been issuing these new cards for a few years, but there's a new sense of urgency because of the recent rash of data breaches at Target and other retailers.
The big question now is what type of smart cards will the banks issue? Will they require a PIN code for authentication or simply a signature?
Smart cards are much more secure than traditional credit cards, which store your account information — unencrypted — on a magnetic stripe. With these next-generation cards, that data is encrypted and stored in an embedded microchip that generates a new code for each transaction. So even if your credit card number is stolen, it’s nearly impossible for a criminal to create a counterfeit card.
Where they have been deployed — Europe, Asia, Mexico and Canada — point-of-sale credit card fraud has dropped dramatically.
The changeover to smart cards in this country will be costly — as much as $35 billion by some estimates. Banks will have to issue billions of new credit cards. But the bulk of the expense will be shouldered by retailers, who will need to install more than 10 million new high-tech card readers.
The National Retail Federation (NRF) says merchants are willing to spend that money if the banks issue the right kind of smart cards. Retailers want what are called “chip-and-PIN” cards, which require you to enter a PIN for each transaction.
Chip-and-PIN cards are used in Britain, France and Canada. Chip-and-signature cards are the norm in Mexico and Germany.
At a news conference on Tuesday, NRF senior vice president and general counsel Mallory Duncan called chip-and-signature a bad idea.
“It’s like locking the front door and leaving the backdoor open,” he said. “It would be a shame to spend all that money for a half-baked solution.”
The American Bankers Association (ABA) said the marketplace should be able to accommodate both chip-and-signature and chip-and-PIN smart cards.
“It’s the only way for this complex payments system to continue to deliver convenience and meet the needs of consumers,” said Jeff Sigmund, ABA’s senior director of public relations.
The pros and cons of PIN code identification
For some, there’s no question that PINs should be required to use a smart card at the store.
“A signature is a stupid form of authentication that dates back to medieval times when there were kings and queens and guillotines,” said Robert Siciliano of BestIDTheftCompanys.com. “It has absolutely no pro-active security value.”
The way he sees it, the chip in the smart card verifies that the card is not counterfeit and the PIN proves that you are the authorized user.
Others suggest PIN authorization is not needed because smart cards cannot be easily counterfeited.
“Merchants see the PIN as a more secure option, but it doesn’t make a lot of sense to the banks because it really doesn’t do anything,” said Alphonse Pascual, a senior analyst for security, risk and fraud at Javelin Strategy & Research. “It would be like putting a new deadbolt on your front door and then putting gum in the lock. It’s the lock that’s protecting you, not the gum.”
There’s also the concern that Americans, who tend to have a variety of credit cards in their wallet, would have a hard time managing multiple PINS.
“If the consumer doesn’t want to memorize all those numbers, they might choose the same PIN for each card,” said Randy Vanderhoof, executive director of the non-profit Smart Card Alliance. “Using one PIN to protect 10 different cards in your wallet now exposes you to the potential for increased fraud.”
PIN technology could create a challenge for credit card issuers who would have to deal with people who couldn’t remember their code or need to change it. That was a problem when Canada switched to chip-and-PIN credit cards. But eventually, people learned to handle it.
How long will it take to make the switch?
There’s no government mandate or fixed timeline. Visa, MasterCard, American Express and Discover want the country converted to smart cards by October 2015. And they’re using the potential for monetary loss to move things along.
After that date, fraud losses would shift to the retailer if they don’t have a point-of-sale payment terminal that can process smart cards and the transaction turns out to be fraudulent. (Smart card readers will be able to accept both magnetic stripe and chip-enabled credit cards during the transition period).
Target’s chief financial officer, John Mulligan, told a congressional committee last week his company hopes to have smart card readers in stores by the end of this year. The company also plans to issue a chip-and-PIN version of its RED cards early next year.
Smart cards won’t stop all credit card fraud. A stolen account number can still be used to make online or telephone purchases where the card does not need to be presented. Retailers and bankers know that and they’re already working on possible solutions.
“But for now, deploying these chip cards is the most important step in the process, Vanderhoof said.