Occasionally, we’ve commented on the shoddy state of US credit card payment infrastructure. One of the noteworthy aspects of the fiasco of recent US retailer security breaches is that the media has more or less ignored the question of what could have been done to forestall these incidents, which in the case of Target involved as many as 70 million customers, and Neiman Marcus, under (but presumably not much under) 1 million.
And make no mistake about it, the US is seriously behind world standards. I did a credit card study in 1997 in which I visited 5 continents, specifically countries that were the high end of the third world such as Korea, Costa Rica, and South Africa. Smart cards, also known as chip cards, were the norm in many and were being rapidly adopted in others.
Georgetown law professor Adam Levitin, in a new post at Credit Slips, explains the security advantages of these cards:
We don’t know all of the details about what happened at Target and Neiman Marcus, but there’s a really obvious weak spot in the US payments infrastructure that should be corrected, irrespective of whether it would have prevented the Target and Neiman Marcus breaches: the use of two-factor authentication, namely chip-and-PIN cards, which are standard outside the US and have been effective in reducing fraud.
Why don’t we have chip & PIN here? Because the banks don’t want to pay for it because they don’t bear most of the fraud costs. The banks/payment networks are the least cost avoider of identity theft, but because merchants are eating most of the fraud costs, the banks have instead opted for a complex set of security standards for merchants (PCI Security Standards) that are of dubious effectiveness.
Chip & PIN cards have two key security features. First, these cards have a microchip inside that frustrates easy physical copying of the cards. With our current mag stripe cards, I can copy the information off the mag stripe with a small reader and then use that to make a new card. Not so easy if I also have to copy the information on a microchip embedded in the card. Second, these cards require a PIN to use. The PIN creates what is called two-factor authentication. The first factor is the information on the card itself (from the chip and mag stripe). The second factor is the PIN. Thus, even if my card is stolen, the card isn’t useful without the PIN. Chip and PIN isn’t impossible to crack, but it is a lot harder. And that’s the name of the game in identity theft.
Levitin stresses that the media accounts are making the retailers look like the ones at fault, when the banks bear considerable culpability. Very few articles have mentioned the fact that better technology exists and is standard outside the US, and the ones that go there still underplay how far the US is behind and how the banks are driving this bus. Reuters comes closer than most and still misses the banks’ responsibility, starting with the headline, With data vulnerable, retailers look for tougher security:
Mallory Duncan, general counsel of the National Retail Federation that represents Target, Wal-Mart and other big stores, said in an interview on Sunday that the trade group encouraged its members to upgrade to the higher-security cards even though they cost more than old systems that store data on magnetic stripes….
It is not clear the new “Chip-and-PIN” cards would have prevented the breaches at Target and elsewhere. At the very least they make stolen data harder to re-use, a reason the technology has caught on widely in Europe and Asia.
They have met with much less enthusiasm in the United States, in part because losses to fraud – just 5 cents for every $100 spent via plastic – have been manageable for merchants and their banks. But rising fraud rates, and the risk of identity theft, could change the calculation.
Investigators believe that hackers used malware that captured data on customers from the magnetic stripes on their payment cards.
Now let’s unpack this a bit. First, I have trouble believing merchant losses are that low. The big reason is that I doubt smaller merchants capture and report that information, and I wonder how many big ones do. The merchant’s loss isn’t the amount he was stiffed for (the purchase amount, which is easy to track); it’s his cost of the item (cost of goods plus allocated overheads, most importantly sales costs) plus the cost of dealing with the fraud incident. Second, for most (again, I’d suspect all) retailers, shrinkage (inventory losses due to theft, most often employee theft) is a bigger number, and therefore consumes more management attention. This point was made by NC regular readerOfTeaLeaves in a comment we featured in a 2011 post:
Small retailers (including every restaurant in the nation) pay when there are fraudulent cards. The system **should** notify the retailer at the instant of swipe if the card is fraudulent, but it does not always do this. But it gets worse: if a retailer swipes a card and that data is not encrypted, or the network is not fully secured, then the retailer eats the costs — at least, the retailers that I’ve heard gasping in shock have ended up eating it. One retailer that I know – a small operation – having spent tens of thousands for inventory software and a whole new cc/dbt system, just ended up spending **more** tens of thousands of dollars to purchase all new swipe machines that encrypt **at the instant of swipe**. Did the banks provide those machines for free to the retailer? Not a chance. Did the banks provide any kind of discount to retailers using those new encryption devices? Not a chance.
As for ‘innovating banks’, that’s an oxymoron.
I’ve written eComm code, and I’ve worked in the eComm layer and the very notion that banks innovate is ridiculous. They have done their utmost to control and capture eComm technologies, but that does **not** make them innovators. Nor does it make the credit card companies innovators (!). It makes them what they always were and always will be: agents who cream profits from transactions. They happen to be at the point where the money changes hands, and they take advantage of that fact (in an exploitive fashion, I will add).
What Congress does not appear to understand is that if they side with the banks, they are damaging the vitality of small and medium sized businesses who actually **innovate** — whether it is a local farm that wants to offer an organic produce service, whether it is someone setting up a new merchant site via Amazon’s services, or whether it is a salon chain that wants to offer people the chance to buy a Mother’s Day gift card online. All those people actually **innovate**, provide personal services, and create the economic exchanges that allow for cities to have budgets that pay for schools, roads, cops, etc.
There is no reason — economically — for banks to stick businesses with the costs of fraud over which they have no control, to stick businesses with extractive ‘percentage’ fees of transactions, or to play both sides of every transaction by charging BOTH the payer and the payee.
But even if the “5 cents out of every $100” figure were accurate, notice how the blame is “oh, those cheap merchants aren’t upgrading to the new systems,” as opposed to what is really going on: the banks have been putting a steep price (you can be sure an artificially high one) on new equipment (the point-of-sale devices that swipe your card) so they can squeeze as much profit as possible out of the old infrastructure. Why am I so confident the banks are overpricing? How the hell could merchants in vastly smaller markets like South Africa and Korea (and most of Europe pre-Euro, meaning country-specific payment systems) afford earlier generations of these cards (when the chips and all the other elements of the technology cost more to implement) if they were natively that pricey? The impediment is almost assuredly the price point the banks have set, and it’s a no-brainer, given the outcome here versus the rest of the world, that they’ve set it so as to discourage implementation. Similarly, most foreign markets have far higher security protections on debit cards. Smart cards with PIN protection are the norm. For instance, here is an incredulous comment on a post describing US payment card options:
I cannot believe how far behind the US are in terms of the CHIP & PIN technology… I have a great card. It is a DEBIT card/Prepaid MasterCard from Bishopstown Credit Union in Ireland. I need a PIN to make a purchase in Europe and everywhere that recognises CHIP & PIN. I even get a text message to my mobile phone/cell each time I use it – CLEVER. All this from a Credit Union.
By contrast, here in the US, we are only now discussing implementation of smart card technology, as a result of really bad press and consumer upset, for the banks’ most profitable card service, credit cards. Pathetic.