EMV's Broken Promises In The US
At the end of October I am traveling to Amsterdam to speak at a conference. In preparation for the trip I called the two companies that have issued me
credit cards that I plan to use on the trip: American Express and Chase. While on the phone telling them that I was traveling abroad and didn’t want
to get hung up with any fraud protection for transactions on my trip, it occurred to me that this might be an opportunity to get a jump on EMV, otherwise
known as “chip and PIN”. What followed, in both cases, has proven to me that EMV is seriously at risk in the US. You can point fingers at retailers,
you can talk all you want about ignorant consumers who don’t care because they’re not liable. And all I will say is that the problem is much deeper
than that. And for that, I blame the banks. The card issuers. Here’s why.
I called American Express first. I’ve had a card from American Express with a chip in it for I don’t know how long. Two years, maybe? They sent it to me out of the blue, saying they had noted enough international travel activity on my account that I might find a chip-enabled card useful.
I used the card for the first time at an El Corte Ingles in Madrid, Spain. Happy to finally join the rest of the modern world, I slipped my American Express card into the chip reader, and then realized the major flaw in this plan: my card is not chip and PIN. It’s chip and signature. So the cashier looked blankly at me while I did not enter a PIN, and I mimed signing a receipt. “Firma,” I said, as the line stacked up behind me. “Necessito firmar.” After a few more minutes of alternating between that and pointing at the receipt that the POS terminal had already spit out, she got it. She pulled the receipt, dug around for a pen, and I signed. As I left, I saw her staring at the signed receipt like she’d never seen anything like it before. She probably had not.
That was my first lesson in all the ways in which chip and signature is the most idiotic thing ever invented. After that, I stopped bothering with the chip portion of my card while in Europe because it was just too confusing to store associates. It was easier to be a completely dumb American with a completely dumb American magnetic stripe card than to explain that my card issuer didn’t see fit to issue me a PIN to go with my chip. So much easier.
The pitfalls of this approach came home last November, when Brian and I travelled to Paris for a client meeting. The hotel was right along a metro train route that brought us within a block of our client’s office, which was so convenient. Except that the only way to buy tickets was at a self-service kiosk. With no mag-stripe reader. And while I could get the kiosk to read my chip-and-signature American Express card, because I did not have a PIN, I was out of luck. I could not pay.
With all this history in mind, I told my pleasant AMEX customer service rep that I was traveling to Amsterdam at the end of October and I would like a PIN for my chip-enabled card. This is approximately how it went:
AMEX Rep: We’re not issuing chip and PIN to American customers.
Me: Well, then, what are you going to do with the rollout of EMV next year? Won’t you be issuing chip and PIN then? Why can’t I get on the top of that list?
AMEX Rep: We won’t be issuing chip and PIN in the US. Only chip and signature.
Me: What? Why would you do that? My chip and signature card is useless in Europe. Why would you bring that here and not go straight to chip and PIN?
AMEX Rep: I don’t know why. All I can tell you is that it will be chip and signature.
Chase World Pay
After torturing the AMEX rep for a few more minutes, and growing increasingly frustrated, I decided to try my other card, the egregiously misnamed Chase “World Pay” card. It currently has no chip, but I had asked my local branch representative if it was possible to get a chip-enabled card and she had assured me that it was, so even after the very disappointing call with American Express, I foolishly still had hopes as I called the Chase customer service number.
To the Chase rep, I explained that I had a World Pay card that was really only useful in the United States, a situation that I found ironic and would like to fix so that I could actually use my World Pay card in other countries. The conversation that ensued was roughly the same as with AMEX, except worse, because I can’t even pry a chip-and-signature card out of Chase’s hands, not until October 2015, when they will only start issuing chip cards to US consumers. And again, they will not be chip and PIN. They will be chip and signature.
The most surreal part of the conversation went about like this:
Me: Okay, but how am I supposed to use my card in other countries? I mean, half of them are requiring their merchants to get rid of magnetic swipe even, so my card is completely useless at that point.
Chase Rep: Well, we recommend to just make sure you have plenty of the local currency with you when you travel.
This is what we have come to: rather than embrace chip and PIN, my bank would prefer to tell me to use cash instead.
So, back in the United States. Here we are, one year from liability shift. Home Depot, Target, Chase themselves, have all been cyber-attacked, among vastly more retail attacks. In some cases, chip and PIN might’ve prevented credit card information from being stolen. In others, not so much. Both Home Depot and Target have rapidly replaced their credit card capture devices. They might argue that those plans were already in place, but I’m a little more cynical – replacing those devices may not make any difference when it comes to data security, or it might. But either way, it is a public way to demonstrate that companies are responding “aggressively” to attacks. So, whether altruistically or not, retailers do seem to be doing their part to prepare for chip and PIN.
So what is going on with banks? I’ve heard rumors that mag-stripe cards cost about 30 cents, and chip-enabled cards cost about $3.00 – an issuing cost that will have banks dragging their feet as long as possible. I just can’t make that compute, though. I mean, I think I have 3 different companies paying to monitor my credit report for fraud right now, all thanks to data breaches. Last I checked, that wasn’t free. Granted, none of those are issuing banks. But after Chase’s brush with some pretty determined cyber-thieves, I have to believe they are spending a heck of a lot more than $3 times every card they issue on security and fraud detection. I sure hope they are. And when it comes down to it, if I as a consumer was given the option to pay $5 or even $20 to upgrade to chip and PIN, I wouldn’t even hesitate. I would do it.
And if it is the card that is the cost, then why bother with chip and signature? A chip and signature card costs just as much to make as a chip and PIN card. They both have a chip. In my darkest hour after taking my frustration out on hapless customer service reps, I thought that it must be to preserve their interchange fees. Chip and signature is less secure than chip and PIN. In fact, we just had a case in Denver where a woman’s purse was stolen, and in the hour it took to get through the police report, the thief had racked up $30,000 in purchases on the stolen American Express at the local high-end mall. This thief was flat-out brazen. She flashed the victim’s own ID when asked, and it wasn’t until the third or fourth stop that the clerk said “That doesn’t look like you” and the thief ran.
Chip and signature will not solve that kind of theft. And it doesn’t do anything to lay any groundwork to make online transactions more secure – which is where fraud will move next, once chip and PIN actually makes its debut. You need two-factor authentication for online transactions. Chip and PIN is two-factor. Chip and signature is not.
I’m sure there is a lot of expense involved in updating infrastructure to move from mag-stripe to the two-factor authentication of chip and PIN. I’m sure that’s an understatement. What I can’t believe is that even after all of the proof points, particularly in Europe and Canada, the last two EMV rollouts, we’re talking chip and signature for the US. I can’t believe that card issuers are sitting on their implementations after riding retailers like dogs to update their hardware to accept chip-enabled cards. After laying down threats: do it by October 2015, or be responsible for the fraud that occurs.
I can’t believe after going through all of these motions to move the industry and consumers to a more secure form of payment, it will be the card issuers that derail it all by mucking around with useless half-steps that don’t solve any problems and, in fact, create quite a few more.
And yet, here we are.