Costly shift to new credit cards will not fix security issues in US

Reuters, Chicago

New technology about to be deployed by credit card companies will require US consumers to carry a new kind of card and retailers across the nation to upgrade payment terminals. But despite a price tag of $8.65 billion, the shift will address only a narrow range of security issues.

Credit card companies have set an October deadline for the switch to chip-enabled cards, which come with embedded computer chips that make them far more difficult to clone. Counterfeit cards, however, account for only about 37 percent of credit card fraud, and the new technology will be nearly as vulnerable to other kinds of hacking and cyber attacks as current swipe-card systems, security experts say.

Moreover, US banks and card companies will not issue personal identification numbers (PINs) with the new credit cards, an additional security measure that would render stolen or lost cards virtually useless when making in-person purchases at a retail outlet. Instead, they will stick with the present system of requiring signatures.

Anre Williams, president of global merchants services at American Express, cited cost and complexity as reasons for not issuing PINs, which would require a much larger investment by card issuers. "It is the PIN management system that takes the effort," Williams said, in part because of the additional customer support it requires.

Chip technology has been widely used in Europe for nearly two decades, but banks there typically require PINs. Even so, the technology leaves data unprotected at three key points, security experts say: when it enters a payment terminal, when it is transmitted through a processor, and when it is stored in a retailer's information systems. It also does not protect online transactions.

"The simplest way to circumvent chip-and-PIN is to use a stolen card number to make an online purchase," said Paul Kleinschnitz, a senior vice-president for cyber security solutions at card processor First Data Corp.

Analysts predict that credit card fraud at brick-and-mortar retailers will fall after the introduction of chip-enabled cards, but that online fraud will rise, as has happened in other countries using the technology. Research and consulting firm Aite Group estimates US online card fraud will more than double to $6.6 billion from $3.3 billion between 2015 and 2018.

Retailers and security experts say it would make more sense for the United States to jump instead to a more secure system, such as point-to-point encryption. This technology is superior to chip-and-PIN, which was first deployed about 20 years ago, because it scrambles data to make it unreadable from the moment a transaction starts.

But the newer technology would cost as much as twice what the chip card transition will cost, and does not have the older technology's long track record.

Moreover, some security experts say that mobile payment services such as Apple Pay, a service from Apple that stores data on the cloud, have the potential in coming years to secure payments without the need to swipe or tap a card at all.

The dispute over the effectiveness of dueling payment security systems offers insight into a broader battle over who bears liability for breaches: retailers or the financial firms that extend the credit.

Currently, card issuers are generally liable for fraudulent charges. After the October deadline, if a retailer is not using a terminal that can read the new cards and a security breach occurs involving a chip card, the retailer will be liable, though consumers will still deal with their banks in the event of a fraudulent charge. If the retailer is chip-and-PIN enabled, the card issuer will be liable.

The liability issue has engendered anger on the part of some retailers, but it has also provided an incentive for compliance with the new standards.

"When banks and card companies are only concerned about shifting the liability to the retailer, you have to comply first," Brooks Brothers Chief Executive Officer Claudio Del Vecchio said. "And then think of solutions that will fix your problems."

The clothing retailer expects to meet the October deadline, but Del Vecchio declined to give details on the cost involved.

Banks and card companies argue that chip-enabled cards are a needed first step toward defending against the use of lost, stolen, or counterfeit cards. "The first thing we need to do as a country is secure face-to-face transactions," said Carolyn Balfany, senior vice-president of product delivery for MasterCard, one of the companies involved in setting the new standards known as EMV, which stands for Europay, MasterCard and Visa.

And there are reasons that banks and card companies haven't yet embraced newer, more secure systems.

"A payment standard that is accepted globally will substantially reduce transaction costs for them," said Rick Dakin, chief executive officer of cybersecurity risk and compliance firm Coalfire. "Also they have already done the heavy lifting for EMV so they are ready and pushing for it," he said.

Dakin, who is advising a group of banks on payment security, said no industry standard exists for the newer point-to-point encryption systems, and banks and card companies are hesitant to make large-scale investments before the standards are set.

Banks and card companies said a chip card alone can make stolen data less useful for hackers and the technology has worked in reducing counterfeit card fraud in Europe and elsewhere.

Security experts said the shift cannot prevent massive consumer data breaches of the sort that recently hit Target and Home Depot. But the technology will make it more difficult to use stolen data.