Consumers may have to wait for more secure credit cards, says new report
Despite the hacking theft of some 40 million debit and credit card numbers from Target Corp. in December, most banks say they are not yet ready to begin large-scale distribution of the more secure cards that are common in Europe.
Issuers have said the Target breach has spurred them to work harder to meet an October 2015 deadline to replace the current cards with ones whose microchips generate unique codes for every transaction. So-called chip cards — also known as smart cards and EMV cards — make it more difficult for thieves to use fake cards made with stolen data.
Yet a report by a Boston-based consultancy, Aite Group, estimates 30 percent of credit cards and nearly 60 percent of debit cards will not have the new technology by October 2015.
After that date, the payment processors Visa and Mastercard have said, any card issuer or retailer that has not adopted the new technology will foot the bill for any fraudulent transaction that could have been prevented by EMV chips.
“It’s disappointing, because consumers needed more secure payments technology yesterday, not tomorrow,” said Christina Tetreault, a staff attorney for Consumers Union, an advocacy group. “This technology has been around for decades.”
In Europe, chip cards have been in use since the 1990s. EMVCo LLC, the company that sets global standards for smart cards, says that more than 80 percent of European payment cards and nearly all point-of-service card readers are equipped with the more secure technology.
Aite Group’s report, issued this month, included interviews with 18 of the top 40 credit card issuers in the United States. Only one of the seven largest card issuers surveyed by Aite said it was planning to have all of its cards embedded with EMV technology by October 2015.
Aite Group also analyzed conditions in five countries that have made the switch to EMV cards and found that fraud committed with counterfeit cards has dropped by about half.
However, EMV technology has not curbed theft in one important area: purchases that are made online.
There, Aite found that fraud is on the rise around the world, even in countries with chip cards.
Credit and debit card theft is a growing problem globally, currently totaling more than $11 billion a year. The amount of theft has convinced at least one important player to accelerate the transition to chip technology: Target.
After the Minneapolis-based retailer was hit with one of the largest such thefts in history in late 2013, it said it would install chip-and-pin payment terminals in about 1,800 stores by September, six months ahead of schedule.
However, many other retailers around the country don’t have updated payment systems that can accept cards with the EMV technology.
Meanwhile, US customers may be able to get chip cards by asking their banks.
Again, adoption rates are low: Visa said that only 12 million out of 700 million Americans’ cards on its network include EMV technology.
But the credit card companies said they have made considerable progress, given the obstacles.
Randy Vanderhoof, who leads an association of banks and payment companies called the Smart Card Alliance, said the complexity of the US payments system has made a standardized rollout more difficult than in other countries.
US banks are expected to receive some 100 million new cards with the EMV technology this year. Putting the new technology to work, however, is another story. Currently, only about one-sixth of the 12 million credit card terminals installed by US retailers can accept EMV cards, Vanderhoof said, and businesses are moving at an uneven pace to update their equipment.
Banks, Vanderhoof said, “are trying to tie issuance of their cards to when merchants will be able to accept those cards.”
The payments industry also noted that the cards take time and money to produce. Industry specialists put the cost of microchip-embedded EMV cards at between four and 15 times that of simple magnetic strip cards. Replacing the 1.5 billion credit cards in Americans’ wallets would cost more than $1 billion.
Ed Mierzwinski, a senior fellow at the Washington, D.C.-based US Public Interest Research Group, said that even with EMV, credit card companies and banks could do more to protect consumers. For example, most banks still plan to have consumers sign for credit card transactions, instead of requiring a PIN, as is common in Europe. It can’t be faked like a signature can.
Julie Conroy, the researcher who wrote the Aite Group report, said that for many banks, the decision to use signatures instead of PINs is meant to prevent confusion among consumers, who typically sign for credit cards but use a PIN number with their debit cards.
”You’re going to have those quirks at the point of sale” if EMV credit cards use PIN numbers, Conroy said.
Banks and payment networks also say they were dealt a setback on issuing the new cards when Congress passed the 2010 Dodd-Frank financial overhaul law and included new rules about the use of debit cards. Those rules forced card issuers to spend years adapting EMV technology to the law’s provisions.
Conroy said that some card issuers had to put their EMV plans “on the back burner” during the fight over Dodd-Frank.
“Now there’s just a mad scramble among those issuers to get their plans in place,” Conroy said.
Banks and payment experts predict consumers will need to learn how to use the new smart cards.
For instance, instead of simply swiping their cards through magnetic stripe readers or dipping them in and out, consumers will have to leave smart cards inside a payment terminal for the duration of the transaction for the chip to work.
Card issuers also say that just as with standard magnetic strip cards, consumers won’t be on the hook for fraud perpetrated with smart cards.
Still, consumer groups say fraud is a much worse inconvenience than adapting to more secure payment methods.
“The reality is that consumers do suffer aggravation and worry when their payment cards are compromised,” said Tetreault.
“This is the kind of thing that gives consumers headaches.”