Eric O'Neill is a former FBI counterintelligence operative.
Cash is no longer king in today’s commercial world. Credit and debit card payments have exploded in the last decade as the preferred method of payment for transactions worldwide. And with this drastic shift, banks and retailers must ensure consumer data is protected at all stages of transactions.
Chip-enabled credit and debit cards, often referred to as smart cards, have drastically reduced fraud during the checkout process, and many banks and credit unions have made the necessary upgrades to protect their members from the latest developments in theft. U.S. financial institutions have invested millions to shield consumers from fraud and to equip merchants to accept these cards as a form of payment.
When you go to the register, your data is much safer if you are using a chip-enabled card than if not. That is a fact. In addition, many retailers require card verification methods (CVMs), such as chip-and-PIN or chip-and-signature, as a way to verify the identity of the cardholder. There is a robust debate about which method is superior or more useful, but chip technology in and of itself is a positive step toward heightened data security.
A September 2017 report from the Electronic Payments Coalition gives an in-depth analysis of the state of payment card fraud and the current methods being used to combat it. The report investigates this debate, which pits the U.S. standard bearer, chip-and-signature, against the chip-and-PIN method predominantly used in Europe as the way to verify a customer’s identity. While some U.S. stakeholders have urged a transition to chip-and-PIN, claiming it is more secure, the EPC report concludes there is no data to prove that chip-and-PIN decreases fraud. They found it is highly likely that any circumstantial decrease in fraud is a result of the chip itself, not necessarily the CVM being utilized. In addition to the enormous expense of overhauling the U.S. infrastructure in favor of chip-and-PIN, the time wasted will be a gift to bad actors, who will keep inventing ways to steal from hardworking people.
More importantly, this research shows these two methods are only the tip of the iceberg, and that this disagreement is hindering the industry’s progress toward new solutions.
The presence of the chip in a card is a good technological advancement that has benefited consumers, but the debate needs to move beyond chip-and-PIN and chip-and-signature in order to stay ahead of scammers and hackers. Biometrics, tokenization, encryption, and other methods should all be explored as ways to protect consumers.
It is worth noting that bad actors have seized on other opportunities since chip-enabled cards have come on the market. The most prevalent types of fraud are counterfeit and card-not-present fraud, which are the two fastest growing categories in the U.S. As a result, the chip-and-PIN versus chip-and-signature debate is useless in both of these instances, because they don’t involve the presumed owner physically swiping the card to initiate a transaction. The more prevalent card-not-present interactions become, such as making purchases online, the more attractive they are to hackers.
Guidance from Congress could go a long way in moving anti-fraud efforts by the industry forward. Financial institutions, like banks and credit unions, have strict consumer protection regulations to comply with, which retailers do not. With data breaches on the rise, consumers are demanding that merchants be held to a higher standard when it comes to protecting sensitive information. Creating a uniform federal standard for how personal information is handled is one piece of a comprehensive plan to strengthen our defenses.
But to stay ahead of criminals, all stakeholders that play a role in commercial electronic transactions – banks, merchants, credit card companies, networks, policy makers, and consumers – must come together to combat the fraud of the 21st century.