Last year’s big breach of credit card data at Target has rekindled interest in better security for card transactions. There are no silver bullets here, but one way to improve security is to adopt EMV, or “chip-and-PIN” cards, in which you have to enter a PIN when you buy something. This technology has been used in Europe for years, so it’s well known to all the banks and card issuers.
But we’re not getting it here. Sen. Al Franken asked several big card issuers why not, and they provided various answers. Here’s the answer from Capital One:
In the past, EMV technology has been plagued by a “chicken-and-egg” dilemma because EMV technology only reduces fraud if the overwhelming majority of retailers adopt point of sale technology that accepts EMV payment cards. Simply put, banks have been
historically reluctant to invest in payment card EMV technology without retailer adoption and retailers have been historically reluctant to invest in point of sale technology without bank adoption of EMV cards. This is why the development of EMV technology is a shared responsibility between the banks and the retailers.
You know what this calls for? Government action! It’s precisely what government is for. When you have a collective action problem that’s preventing you from accomplishing a clearly beneficial goal, federal regulations can get everyone on the same page quickly and efficiently. How do I know this? Because that’s how it worked in Europe.
In any case, we’re finally getting EMV technology in the United States starting in 2015. But in possibly the stupidest decision in the history of payment networks, we’re actually getting chip-and-signature cards. Why? I’ve been unable to find a straight answer to this. The banks vaguely talk about merchant resistance to getting new terminals that accept PINs, but that makes no sense. PIN terminals aren’t very expensive, and the cost would be effectively zero if you have a five or ten-year phase-in.
Alternatively, they make noises about American consumers not being used to PINs, but that doesn’t make sense either. We all use PINs for our debit cards already. We’d learn to use PINs for credit cards in about five minutes.
And then, to add insult to injury, the cards we’re getting will mostly be signature-only. That’s not a requirement of the technology, though. They could be “signature preferred,” which requires a signature if possible but accepts a PIN if not (at automated kiosks, for example). Why not do that? I truly have no idea.
Honestly, the whole thing is just a mystery. EMV technology is old and well-tested. Everyone knows how to make the transition because dozens of countries have already done it. It’s not wildly expensive. It wouldn’t spark a consumer revolt. So why are we getting idiotic signature-only PIN cards, which are probably the worst possible compromise imaginable? They require more expensive cards and upgrades to infrastructure, but they don’t provide much additional security and they don’t work universally outside the US.
It’s crazy. I wish that someone could explain to me how this clusterfuck happened. I can’t find a decent explanation that makes sense, and I’d really like to know. Anyone?
