Digital Transactions Authoritative, insightful and timely information for payments professionals
When news broke last month about a major card-data breach at Michaels Stores Inc., an arts-and-crafts chain, two things came to mind: 1) this type of fraud seems never to end, with Michael’s being just the latest in a long and somber line of retail and processor breaches; and 2) the advent of EMV cards in Canada (the subject of this month’s cover story, page 26).
The two matters are connected because chip-and-PIN cards on the global EMV smart card standard are widely acknowledged as light years more secure than mag-stripe cards. By now it’s a sad and all-too-familiar story: Criminals can rig point-of-sale devices to collect card credentials, make fake cards with the captured credentials embedded on their stripes, and withdraw cash from ATMs anywhere in the country. Much of the equipment these fraudsters need is readily available on online auction sites.
Most of the industrialized world knows this, and has been moving to the EMV standard, which replaces the mag stripe with a secure computer chip. As our story shows, Canada is now in the process of rolling out the standard, and its experience offers much from which U.S. payments strategists can learn. In April, two major U.S. banks, Wells Fargo & Co. and JPMorgan Chase & Co., said they will issue EMV cards to customers who frequently travel abroad. And one of the biggest credit unions in the country, Raleigh, N.C.-based State Employees Credit Union, has started to reissue EMV cards to its entire debit card base, which totals to 990,000 cards.
As encouraging as these moves are, they remain curiously tentative. All three institutions are issuing, not chip-and-PIN, but chip-and-signature cards. The plastic will be authenticated by chip but cardholders will sign for transactions, just as they do now. Their argument is that the process is familiar to customers, who would be confused if they had to enter a PIN for a credit transaction. Plus PIN management on the card in the field can be a major headache for banks and processors.
This is too bad. We’re not quite prepared to agree with Jamie Henry, a payments executive at Wal-Mart Stores Inc., who told a recent smart card conference that signatures are “worthless” (see page 7 for more). But clearly they are nowhere near as secure as PINs. Wal-Mart is preparing for chip-and-PIN, and other major stores could follow suit soon.
To be fair, SECU says it plans to switch to PINs next year. And Wells says it will support PINs but prefers signatures. We hear rumors that other big banks may launch full-bore EMV programs later this year. For the sake of payments security, let’s hope so.
John Stewart, Editor
john@digitaltransactions.net
