Wall Street Journal: Why New Credit Cards May Fall Short on Fraud Control
Banks Take Measures Against Counterfeiting, but Opt Not to Use PINs, Considered More Secure Than Signatures
Read the full article here: http://on.wsj.com/1BA7NFE
By ROBIN SIDEL
Big U.S. banks are steering clear of an advanced security measure used in credit cards around the world, opting for a system that is more convenient for shoppers but may leave them vulnerable to fraud.
This year, firms ranging from J.P. Morgan Chase & Co. to Discover Financial Services Inc. are expected to roll out more than a half-billion new credit cards embedded with computer chips that create a unique code for each transaction, making counterfeiting much more difficult.
In a retreat for the industry, however, the new cards don't use some technology that could prevent fraud if a card is lost or stolen.
Instead of requiring customers to put in a personal identification number, or PIN, the new cards need users to authenticate credit-card transactions the same way they often do now, with a signature. PINs are widely considered to be more secure than signatures, which can be easily copied.
The more advanced "chip-and-PIN" technology has been adopted in Europe, Australia and Canada. The U.S. is one of the few developed countries not to embrace it.
U.S. bank executives said they are choosing the signature version so customers won't be burdened at the checkout line to remember a new four-digit code.
Chip-and-signature cards "are such a big shift that we didn't want to make it more difficult than it already will be" by requiring a PIN, said Jon Krauss, senior manager for card payment strategy at Discover. The Riverwoods, Ill.-based card company will be issuing signature-based chip credit cards in 2015.
Chip-based cards must be inserted into the bottom of the cash-register terminal instead of swiped. Consumers have to leave the card in the terminal until they sign for the purchase.
J.P. Morgan Chase, the nation's biggest card issuer, had initially planned to issue chip-and-PIN credit cards in 2014, but the bank put those plans on hold after testing them with consumers, according to a person familiar with the bank's strategy. The bank has issued millions of chip-and-signature cards.
Other big banks opting for the chip-and-signature cards include Bank of America Corp. and Citigroup Inc.
The push for the new cards in the U.S. comes as financial institutions are reeling from a recent rash of costly data breaches at big merchants like Home Depot Inc., Staples Inc. and International Dairy Queen Inc. Industry observers said many of those attacks wouldn't have happened if consumers used chip cards and merchants had technology in place to accept them.
Other groups are pushing for cards with the added layer of security provided by PINs. Target Corp. , which was rocked by a data breach at the end of 2013, is one of the few merchants whose customers are getting store-branded credit and debit cards with the PIN technology.
In October, President Barack Obama issued an executive order to replace government-issued cards, such as those that contain Social Security benefits, with new ones featuring chip-and-PIN technology starting on Jan. 1.
Even without requiring PINs, the chip-based cards significantly reduce the chance that stolen card data can be used to make counterfeit cards, essentially making the data useless to thieves. Counterfeiting is the biggest risk of large-scale cyberattacks like the ones on Home Depot and Target.
U.S. credit-card-fraud losses totaled roughly $18 billion in 2013, according to Javelin Strategy & Research, a consulting firm that is a unit of Greenwich Associates. About a third of those losses are attributed to counterfeit cards, according to consulting firm Aite Group.
The PIN system is only a defense for point-of-sale purchases and doesn't provide additional protection for online sales.
"There is a lot of concern that PINs would create customer-service issues for consumers and merchants if a consumer can't complete a transaction because they have forgotten the PIN," said Randy Vanderhoof, executive director of the Smart Card Alliance, an industry group representing banks and credit-card companies.
But Merrill Halpern, assistant vice president of card services at United Nations Federal Credit Union, said the potential inconvenience isn't a good enough reason to choose signatures over PINs. The credit union, based in Long Island City, N.Y., is one of the few credit-card companies that issues chip-and-PIN cards.
"We should be doing the most we can to fight fraud, and the only way to send that message is to stand clearly behind chip-and-PIN," he said. The credit union has 100,000 credit-card customers, with about 40% of them living in the U.S.
The decision to issue signature cards instead of PINs is creating more tension in the already-fractious relationship between credit-card issuers and merchants, who have long fought over fees and other issues.
"It is absolutely a concern, and we believe [the new cards] are a half-measure," said Andrew Szente, vice president of government affairs at the Retail Industry Leaders Association, a Washington, D.C.-based trade group. Banks, on the other hand, said many merchants don't have PIN pads to accommodate the technology.