I still remember the first time it occurred to me my credit card might be inferior—it was the summer of 2007, and I had just landed at Charles de Gaulle airport in Paris. When I finally made my way to the train station at the airport to buy a ticket into the city, the automated ticket machine firmly rejected my Bank of America MasterCard. As I soon discovered, it was an experience familiar to every American who has traveled to Europe: the moment when an automated payment machine (or a disdainful French shop clerk) realizes that you are trying to pay using a credit card without a microchip and that you want them to process your card’s magnetic stripe, an easily counterfeited relic of 1950s technology.
For years, when it came to credit-card security, the United States was the last major holdout in the developed world, continuing to issue cards with magnetic stripes rather than the more-secure microchip EMV cards (EMV stands for the three companies that pioneered the chip: Europay, Mastercard, and Visa). Finally, last October, retailers and banks in the United States were pressured to accept and provide EMV cards, initiating a transition that much of the world regarded as long overdue.
But despite having many other countries to use as models for how to go about updating credit-card technology, the first five months of the EMV transition in the United States have been fraught with delays, complications, and concerns about whether chip-enabled cards will really help mitigate fraud. Especially bewildering was the decision to provide chip-and-signature cards, rather than the chip-and-PIN cards (used in most of Europe) that require people to input a PIN in order to use their cards, rather than just signing for their purchases. If the whole point of the EMV transition is to bring U.S. payment technology up to speed with the rest of the world, why do most U.S.-issued cards still not allow for the more-secure PIN verification? Or, put another way, why is the United States so determined to have the least-secure credit cards in the world?
The fights over how America deals with credit-card fraud and who pays for it have flown under the radar in part because almost no consumers ever have to cover any of the fraudulent charges made on their cards. But this idea that cardholders are insulated from the effects of fraud is not entirely accurate—dealing with fraud is irritating and inconvenient, and they do, ultimately, pay for fraud through costs such as interchange fees and interest. Moreover, as industry actors get better at reducing the types of fraud that they have to pay for, there’s greater risk that fraudsters will shift their focus from counterfeiting cards to activities such as opening new cards under someone else’s name. Dealing with identity theft can be much more costly to individuals than dealing with stolen credit cards, and the legal protections shielding consumers from being held liable for those costs are much murkier than the clear-cut rules limiting an individual’s liability to $50 in most cases of lost, stolen, or counterfeited payment cards. So even though the EMV transition does not actually shift any responsibility onto card users to cover fraud costs, it could still have significant impacts on them in the long term.
Understanding the slow, tortured process of the ongoing transition to microchip cards in the U.S. requires a closer look at how all of the companies involved profit in different ways from credit-card transactions. Nearly every transaction involves three parties: a retailer that accepts the card, a bank that issues it, and a processor that facilitates the payments between the first two parties. For example, when I try to buy a train ticket at Charles de Gaulle with my Bank of America MasterCard, the French train system, Bank of America, and MasterCard all get a cut of the payment. But if someone else uses my credit card to make that purchase, those same companies have to figure out how to cover the costs since I, the customer, am not held liable for fraudulent charges. So rather than trying to eliminate fraud, all of these different companies are trying to reduce their own obligation to pay for it when it happens.
Consider two scenarios involving fraud: If a person who uses my Bank of America MasterCard to buy a French train ticket is actually a nimble pickpocket who nabbed my wallet, when I call up MasterCard to tell them I didn’t make the purchase, the charge disappears from my bill. But in all likelihood, by the time I call, Bank of America has already transferred money to cover the transaction, so now they’re out the cost of the ticket, since I’m not going to pay for it when my monthly bill comes due. But if the person who uses my Bank of America MasterCard to buy a French train ticket is instead using a counterfeit card made after stealing the data stored on a magnetic stripe from the database of a massive retail chain, that retailer may have to bear part, or all, of the fraud costs. In these cases, my experience is the same—I’m off the hook—but they work out very differently for the companies behind the transaction.
Since EMV cards are harder to counterfeit—and, if they require a PIN, also harder to use when stolen—one might think that Bank of America, and other issuing banks and retailers in the United States, would be eager to transition to the more-secure card technology and stop paying so much to cover fraudulent transactions. But microchips are expensive—so expensive, in fact, that for years banks found it more convenient to pay for fraud than to pay to put microchips in all of their customers’ cards, a cost that the consulting firm Javelin Strategy & Research estimated to be $1.4 billion.
But as the rest of the world went ahead with upgrading their cards, and more and more retailers such as Target and Home Depot experienced massive data breaches, this conclusion became increasingly difficult to justify. “As everyone else migrated to EMV, the U.S. became more of a beacon for global criminals,” explains Jeremy King, the international director for the Payment Card Industry Data Security Standards Council.
The U.S.’s weak standards actually hold back other countries in important ways. Microchips are much harder to counterfeit than magnetic stripes, but most payment cards—even in countries that have long since transitioned to EMV technology—still feature magnetic stripes because merchants in the United States still require them. That means that if you steal a French credit card with a microchip, you can still counterfeit the magnetic stripe relatively easily and use that fake card in the United States (or to make online purchases), even though you won’t be able to buy French train tickets with it.
Indeed, countries that have previously made the shift to chip cards have found that even though the rates of fraud have decreased for card-present transactions within their borders, the rates of cross-border fraud and card-not-present (for example, online retail) fraud have increased to the same degree. Or even more: A report released last summer by the European Central Bank found that the increase in card-not-present fraud had actually outpaced reductions in counterfeit fraud, resulting in an 8 percent net increase in fraud for European cards issued in 2013.
But it’s not enough just for issuing banks to become convinced to spend more than a billion dollars to embed a microchip in every U.S. payment card—the retailers and merchants who accept those cards also need to buy and install new terminals that can read those microchips. Replacing the 15 million payment terminals in the United States would cost roughly $6.75 billion, according to Javelin’s estimates. The microchips, when inserted in those terminals, generate a one-time code that is used to process the specific transaction, instead of relaying the number printed on the card. That’s why chips are so secure: If, later on, a database of those transactions is breached, the information stored in it is useless to counterfeiters because each transaction code can be used only once (unlike card numbers, which are used again and again).
This led to a stalemate: The retailers weren’t going to spend money for new terminals before the issuers had spent money on putting chips in customers’ cards. And the issuing banks weren’t going to spend the money on chips unless they knew that retailers would have the equipment to read those chips in stores.
What finally broke the stalemate was that the processors—companies such as MasterCard and Visa—decided it was time to move forward with chips. These companies were growing frustrated with their own obligation to cover fraud costs as well as the growing pressure from nations that had already implemented EMV for the United States to catch up with the global community.
The zero hour for chip technology that they dictated was October 1, 2015. Up until then, card issuers bore the majority of the fraud losses. A Federal Reserve report found that in 2011, card issuers had to cover 60 percent of all payment-card fraud losses, with merchants covering another 38 percent, and cardholders paying for the remaining 2 percent. In general, the issuing banks were largely responsible for covering losses due to counterfeit and lost-or-stolen fraud (that is, charges made on physical cards, whether those cards are fakes or stolen), while merchants bore more of the costs associated with card-not-present fraud (i.e. online charges made without a physical card).
But as of that day, the payment processors decided, if a fraudulent transaction occurred, then whoever had failed to implement the EMV technology would be responsible for covering the charge. So, if the card that was used to make the fraudulent payment had an EMV chip in it but the merchant who accepted it didn’t have the necessary equipment to read that chip, then it would be the merchant’s responsibility to cover the charge. But if the merchant did have a terminal that could read a chip, but the card issuer hadn’t provided a chip, then it would be up to the issuer to cover the fraud costs. This liability shift, at the heart of the massively time-consuming and expensive U.S. EMV transition, was not so much about reducing payment fraud, then, as it was about making sure someone else had to pay for it.
* * *
The reason that merchants, banks, and processors haven’t arrived at an agreement that settles on chip-and-PIN is that chips and PINs protect against two different kinds of fraud, which impact different parties differently. The microchip comes into play when trying to prevent counterfeit fraud because it makes it harder for a criminal to produce a copy of the card. And a PIN comes into play for protecting against lost-or-stolen fraud because it makes it harder for a criminal to use a card that’s lost or stolen unless they also know the PIN. That latter scenario is rare compared to the former, which means that banks are usually ok absorbing the cost of that fraud. Additionally, the Federal Reserve found, in 2011 issuing banks covered 83 percent of counterfeit fraud but only 67 percent of lost or stolen fraud, making counterfeit a higher priority for them. Merchants, meanwhile, were covering a larger portion of lost-or-stolen fraud than they were counterfeit fraud.
The disagreement over chip-and-PIN vs. chip-and-signature, then, primarily comes down to the competing interests of banks and retailers as each one tries to drive down the types of fraud that are most expensive for them. The issuing banks want to drive down counterfeit fraud—because they pay for the bulk of it—and they want to do it as cheaply as possible. And they don’t want to lose customers by making credit cards any more difficult to use. The merchants would also like to do things cheaply and without losing customers, but the cost of issuing PINs to millions of customers wouldn’t fall to them, and they have a greater interest in trying to drive down card-not-present and lost-or-stolen fraud, neither of which is impacted by the use of microchips alone.
The reason banks say they don’t want to issue PINs is that they’re worried it will add too much friction to transactions and make life difficult for their customers. “The credit-card market is pretty brutally competitive, so the first issuer who goes with PINs has to worry about whether the consumers are going to say, ‘Oh, that’s the most inconvenient card in my wallet,’’ says Allen Weinberg, the co-founder of Glenbrook Partners. “There’s this perception that maybe it’s going to be less convenient, even though some merchants would argue that PINs take less time than signatures.”
“Retailers have invested in the technology for chip-and-PIN but banks and issuers have only gone halfway and invested in chip-and-signature,” says Jason Brewer, a spokesperson for the Retail Industry Leaders Association. “Prior to this transition the United States had arguably the weakest card system and we’re still going to because we’re going to be using signatures. Most of us use PINs for our debit cards, or to unlock our iPhones. It’s laughable to suggest that American consumers can’t figure out how to use a four-digit PIN.”
Not surprisingly, the banks view the chip-and-signature decision somewhat differently—and are much quicker to criticize the merchants for not providing the necessary technology. “We wanted to really ensure that the smooth transition to chip happened first,” said Dina DeMerell, a director at JP Morgan Chase, of the bank’s decision not to provide its credit-card customers with PINs. “All the merchants are rolling out the capabilities at different times and not in exactly the same way and so we couldn’t guarantee that the experience if we added a PIN would be positive. Will we ever move to PIN in the future? That’s still an outstanding issue.”
Payment processors, meanwhile, have deliberately not chosen a side, which has led them to come up with some creative workarounds that don’t rely on microchips at all. Stephanie Ericksen, the vice president for global-risk products at Visa, pointed to the value of data analytics and geolocation tools in mitigating fraud. “Users could opt in to have their mobile-phone location associated with their account,” she explained. “If your phone is in New York and your card is being used in New York then we’d have much greater confidence that was a valid transaction than if your phone was in London and your card was being used in New York.” Additionally, tokenization—a process by which an online merchant generates a one-time code for an online transaction, similar to the way a microchip generates a one-time code for an in-person transaction—could help protect against card-not-present fraud.
So will the U.S.’s credit-card security ever match the rest of the world’s? “Will we eventually go to chip and PIN? I would believe so, I would hope so,” said Michael Moeser, the director of payments at Javelin Strategies. But what he sees now isn’t encouraging: The U.S. still has a ways to go before it’s ready to accept chips, with or without PINs. “Every time I go into a grocery store or a large chain I see the EMV terminal slot—and it’s been taped over,” he says.
For the time being, then, the credit-card industry will maintain a lousy equilibrium—one that permits the persistence of rampant fraud. “I would love to see fraud go down, but unfortunately, I don’t think that’s going to happen,” King says. “I do think it’s going to shift—experience has shown us that the criminals go to the next lowest hanging fruit which is the card-not-present space. When you’re buying goods over the Internet all you need is the person’s name and the expiry date of the card.”
Just as other countries have seen shifts to online fraud and cross-border fraud in the wake of these transitions, the United States can expect to see its fraud migrate online and elsewhere. Catherine Murchie, the senior vice president at MasterCard, said that as it becomes more difficult for criminals to counterfeit cards, due to EMV technology, there has also been a rise in the number of criminals who apply for new cards under stolen identities, instead of trying to counterfeit existing accounts. So, even if retailers, banks, and processors managed to greatly reduce the amount of fraud in their systems, criminals would likely just find another system to exploit. But at least then it would be someone else’s problem.