Still on track —

Payments experts assure Senate that swipe-and-sign cards will disappear in 2015

Maybe too late, but retailers need better security after this season's breaches.

This week, Target's CEO appeared before the Senate Judiciary Committee to discuss the recent breaches that led to the loss of 40 million credit card numbers, as well as information pertaining to 70 million customers. Although malware placed on Target's system is what exposed the data, most of the committee's time was spent censuring traditional swipe-and-sign cards. Officials from Neiman Marcus (which also suffered a data breach), consumer bureaus, and Symantec also testified, calling for a movement away from the system we have in place now, to a chip-and-PIN system similar to Europe's.

The Wall Street Journal followed up with MasterCard’s Carolyn Balfany, who is leading the company's transition to the new, more secure payment system, called EMV. (The term “EMV” was trademarked in 1999 and stands for Europay, MasterCard, and Visa.) In 2012, MasterCard and Visa decided on a timeline, setting October 2015 as the deadline for the switch away from swipe-and-sign cards, which are notoriously easy to gather information from.

“Chip-and-PIN makes it much harder to copy a card when data is stolen,” a Symantec representative testified before the committee on Tuesday. “It also makes it harder to steal data in the first place due to encryption. It also makes physically stealing a credit card less useful, since you don’t have a PIN.”

Balfany's interview with the WSJ explained some of the history behind America's reluctance to move to the more secure system. According to her, the high rates of fraud in Europe, as well as a need for offline transaction processing (with EMV payments “the card and the terminal can authorize a transaction independent of communication with the bank’s systems”), led to the adoption of chip-and-PIN payments early on. “Both those factors were not driving factors here in America,” Balfany told the WSJ.

She also discussed how MasterCard and others subscribing to the EMV system will work out liability for fraudulent purchases during the transition:

[I]f a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable.

The key point of a liability shift is not actually to shift liability around the market. It’s to create co-ordination in the market, so you have issuers and merchants investing in the migration at the same time. This way, we’re not shifting fraud around within the system; we’re driving fraud out of the system.

What with the recent rash of credit card fraud at national retailers, "driving the fraud out of the system" may come too late for many.
