U.S. Credit Cards Tackle Fraud With Embedded Chips, But No PINs

Jan 5, 2015
Originally published on January 6, 2015 11:00 am

This year, there will be an important change in the way Americans use their credit cards. More banks will be issuing cards with small computer chips, a move they say will protect against credit card fraud.

But banks are stopping short of another step that will make credit card usage even safer. And a lot of retailers aren't too happy about it.

Americans use their credit cards a lot, and most of the cards they use operate the same way. The credit card is swiped through a machine, and the machine reads the customer's personal information, which is stored in a magnetic strip on the back.

The problem, says Kevin Yuann of the Website NerdWallet, is that this magnetic strip is really easy for criminals to access.

"The Target breach, for example, or the Home Depot breach, someone skimmed all that card data and then printed out fraudulent cards," Yuann says.

Now U.S. credit card companies are moving to cards encoded with small chips, which have long been used overseas. Yuann says fraud will become a lot harder to pull off.

"That type of fraud won't be able to occur because the chip prevents someone from emulating a card that way," he says.

The U.S. has been slow to accept chip-encoded cards until now because most retailers didn't have the machines that could read them, and they didn't want to pay for them. But later this year, retailers that don't accept cards with chips will be responsible for any fraud that occurs as a result.

So the retail industry invested billions of dollars to buy the new technology. But Mallory Duncan of the National Retail Federation says the new cards won't be as safe as they could be. He blames the big banks.

"It's really disappointing to see that after all of the hacks that have occurred, the banks are only willing to take the steps to protect the banks and not the full protection we need," Duncan says.

As anyone who's traveled to Europe lately knows, using a credit card overseas usually requires entering a PIN just like you do with your bank card in the U.S. But the U.S. banks that issue credit cards didn't want to ask their customers to do that. So customers will just be required to provide their signature, which is the way they do now for the most part.

"Most credit card users in the United States, in fact the vast, vast majority of them, are not accustomed to using a PIN within a credit environment, so I think that that's something that was central to the decision of the credit card issuers," says Doug Johnson, a senior vice president of payments and cybersecurity policy for the American Bankers Association.

In essence, U.S. consumers aren't used to punching in a PIN when they buy something with their credit cards. Yuann says credit card companies did marketing studies and found out that requiring PINs would actually turn off U.S. customers.

"The banks want to make sure that cardholders use their card, and so they want to make it as easy for the cardholder," Yuann says. "And so until they see adoption of PIN across the system, no bank wants to be the only one with a PIN-only-enabled credit card."

But requiring PINs would make credit cards even safer — a lot safer, in fact. Bank industry officials brush aside this concern, saying this is all a temporary problem.

There's a new generation of credit cards coming that won't use numbers at all, not even account numbers. Until then, they say the new chip-encoded cards will provide an extra level of security, even if they don't go as far as a lot of retailers would like.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.

Transcript

ROBERT SIEGEL, HOST:

This year, banks will be reissuing hundreds of millions of credit cards. The new cards will store information about the user on a computer chip embedded in the card. It's supposed to provide a higher level of security for credit card transactions. But the banks are stopping short of another step that would provide even better security against credit card fraud. As NPR's Jim Zarroli reports, a lot of retailers aren't too happy about that.

JIM ZARROLI, BYLINE: Americans use their credit cards a lot, and most of the cards they use operate the same way. The credit card is a swiped through a machine. The machine reads the customer's personal information, which is stored in a magnetic strip on the back. The problem, says Kevin Yuann of the website NerdWallet, is that this magnetic strip is really easy for criminals to access.

KEVIN YUANN: The Target breach, for example, the Home Depot breach - someone skimmed all that card data and then printed out fraudulent cards.

ZARROLI: Now, however, U.S. credit card companies are moving to cards encoded with small chips - the kind of cards long used overseas. And Yuann says fraud will become a lot harder to pull off.

YUANN: That type of fraud won't be able to occur because the chip prevents someone from emulating a card that way.

ZARROLI: The United States has been slow to accept these chip-encoded cards until now because most retailers didn't have the machines that could read them, and they didn't want to pay for them. But later this year, retailers that don't accept cards with chips will be responsible for any fraud that occurs as a result. So the retail industry has invested billions of dollars to buy the new technology. But Mallory Duncan of the National Retail Federation says the new cards won't be as safe as they could be, and he blames the big banks.

MALLORY DUNCAN: It's really disappointing to see that after all of the hacks that have occurred, the banks are only willing to take the steps that protect the banks.

ZARROLI: As anyone who's traveled to Europe lately knows, using a credit card overseas usually requires entering a PIN number, just as you do with your bank card in the United States. But the U.S. banks that issue credit cards didn't want to ask their customers to do that. So they'll just be required to provide their signature the way that they do now, for the most part. Doug Johnson is senior vice president of payments and cyber security policy for the American Bankers Association.

DOUG JOHNSON: Most credit card users in the United States - in fact, the vast, vast majority of them - are not accustomed to using a PIN within a credit environment. So I think that that's something that was central to the decision of the credit card issuers.

ZARROLI: In essence, U.S. consumers aren't used to punching in a PIN number when they buy something with their credit cards. Kevin Yuann says credit card companies did marketing studies and found that requiring PIN numbers would actually turn off customers. U.S. consumers don't like them.

YUANN: The banks want to make sure that cardholders use their card. And so they want to make it as easy for the cardholder - and so until they see adoption of PIN across the system, no bank wants to be the only one with a PIN-only enabled credit card.

ZARROLI: But requiring PIN numbers would make credit cards even safer - a lot safer, in fact. Bank industry officials brushed aside this concern, saying it's a temporary issue. There's a new generation of credit cards coming that won't use numbers at all - not even account numbers. Until then, they say the new chip-encoded cards will provide an extra level of security even if they don't go as far as a lot of retailers would like. Jim Zarroli, NPR News. Transcript provided by NPR, Copyright NPR.