New Chip Cards Have Security Flaw, Retailers Say

Merchants worry that the chip ‘n’ signature cards being distributed in the U.S. by banks and other issuers are less secure than chip ‘n’ PIN.
Katie Kuehner-Hebert, September 30, 2015

The chip-enabled credit cards now required in the United States by Visa and MasterCard won’t do enough to stop fraud, retail industry executives told Wired.

Thursday is the deadline for banks and retailers to adopt the EMV technology consisting of cards with a microchip that contains the data traditionally stored in the card’s magnetic strip. Any business that doesn’t have EMV readers in place could face increased liability for fraudulent transactions conducted with stolen cards or data.

But retailers say there is a flaw in the system. Instead of issuing chip ‘n’ PIN cards that offer two-factor authentication, banks and other card issuers are distributing chip ‘n’ signature cards that thieves can easily compromise.

“Chip and PIN has been proven to combat fraud dramatically,” Brian Dodge, executive vice president of the Retail Industry Leaders Association, told Wired. “But that’s not what American consumers are getting, and thus far banks have gone to great lengths to blur the lines between the two distinctly different transactions.”

The retail industry says the use of signatures with chip cards is less secure because signatures are easy to forge, and card readers don’t make any attempt to authenticate them. But the card industry says the power to combat fraud lies in the chip, not the PIN or the signature.

The chip contains a cryptographic key that authenticates the card as a legitimate bank card and also generates a one-time code with each transaction.

PINs add an extra layer of protection for cards that are lost or stolen but are not needed to protect against counterfeit-card fraud, according to Randy Vanderhoof, director of the EMV Migration Forum.

But Mark Horwedel, chief executive of the Merchant Advisory Group, said retailers have reported up to 35% of their fraud was due to lost or stolen cards.

“Most of the cost of counterfeit card fraud is eaten by the banks themselves, while the cost of lost and stolen card fraud is divided between merchants and the financial institutions,” he noted.

Over the past few years, large retailers like Target, Home Depot, and Walmart have spent more than $8 billion to install new card readers capable of reading the chips.