Banks and credit card companies think they should be the ones who select the best technologies to combat fraud, not the state Legislature.
During a recent legislative hearing, representatives from financial institutions and credit card companies argued that requiring one card technology over another merely sets the bar for security at a certain level rather than strengthening it. That in turn puts the focus on meeting that standard rather than on investing in continual improvements in credit card security.
“A mandate is just a cul-de-sac as far as advancement. How we can protect the ecosystem really is core to our business,” Patrick Dwyer, vice president of state government affairs for MasterCard, told the House Financial Services Committee that’s examining new computer chip technology for credit cards.
Credit card companies last Oct. 1 began sending out millions of new cards in the U.S. that use an embedded computer chip to store customer data. In use for years in Europe, the so-called EMV chip cards are billed as being far more secure and useful in reducing data breaches that occur during retail transactions, and the cards themselves are harder to replicate.
The initial deployment of chip technology in the U.S. uses cards that require a customer’s signature to complete a retail transaction, rather than a personal identification number, or PIN, which is generally considered more secure.
Dwyer urged state lawmakers to avoid any regulations that mandate the adoption of “chip and PIN” cards.
“We believe that innovation and, ultimately, security is best served by allowing issuers and the merchants to choose how to deploy chip technology based upon their business model and customer base,” he said. “This flexible approach incentivizes participants in the payment ecosystem to deploy the safest and most secure tools in their businesses and protect consumers from fraudsters.”
Members of the House Financial Services Committee did not indicate whether they may pursue legislation on the issue.
David Worthams, policy director for the Michigan Bankers Association, told legislators that the use of chip cards in Europe led to a 27-percent decline in fraud since 2007. He echoed Dwyer’s call to allow the credit card companies to continue advancement in security technologies without the hindrance of any new mandate, which is problematic for states anyway because the U.S. Constitution grants Congress the power to regulate interstate commerce.
“In short, keep calm and innovate. Do not mandate,” Worthams said. “Create that environment for innovation and see how security standards increase throughout Michigan and indeed throughout the nation.
“When you have mandates, the tendency is to just get to the bar and not go any higher than the bar.”
The adoption of EMV chip technology in Europe has accelerated the problem of fraud in the U.S. involving cards that use a more vulnerable magnetic strip, said John Mayleben, senior vice president of technology and product development at Michigan Retailers Association.
Mayleben cited data from Barclays that the U.S. now accounts for 47 percent of credit card fraud in the world but just 24 percent of overall transaction volume. Losses in the United Kingdom declined by 67 percent and lost or stolen cards fell by 58 percent with the adoption of chip cards, he said.
In the U.S., meanwhile, more than 3.1 million consumers had cards breached in 2014, more than triple the number of users who had issues during 2013, he said.
While the Michigan Retailers Association did not advocate for any new regulation, it does prefer chip cards that use a PIN.
“If I steal your card, I’m probably not stealing your PIN,” Mayleben said. “It’s fairly easy to sign someone’s name … but it’s a lot harder to know their four-digit number.”
As credit card companies deploy chip technology using the EMV standard in the U.S. and transition away from cards using magnetic strips, merchants need to adapt as well, said John Bourke, cyber insurance lead at AON’s Chicago office.
Bourke said he’s heard from many small retailers who don’t want to incur the cost of upgrading their payment terminals to accept chip cards or who don’t see the risk of putting off those upgrades.
“I don’t know if the individual merchants truly understand the downside,” Bourke told MiBiz.
That downside is that, beginning Oct. 1, 2015, credit card companies transferred liability for data breaches to the party using the lesser technology. In other words, if a retailer suffers a breach during a transaction and has not upgraded its payment terminal, it is on the hook, Bourke said.
Chip cards now being issued have both a chip and a magnetic strip. Mayleben of the Michigan Retailers Association estimates that it could take five or six years before dual cards and magnetic strips disappear completely.
As that occurs, Bourke advises against new regulations favoring one chip card technology. Banks and credit card companies already have a vested interest in preventing fraud, protecting their customers and improving security, he said.
“There is no one out there who stands to save more by doing that,” Bourke said.
For small retailers who are reluctant to upgrade now to a new payment terminal, the cost of which can approach $800, the question comes down to balancing the cost with the risk, said Keith Brophy, director of the Michigan Small Business Development Center.
Many small business owners remain unaware of the change occurring in card technology in the U.S., Brophy said. Retailers who have yet to upgrade ultimately will need to do so in the years ahead as EMV cards get deployed and those using magnetic strips fade away, he said.
“The shift of the technology cannot be overlooked for small businesses. They will have to shift,” Brophy said. “It’s a question of do they shift now and avoid liability, or shift later and carry the liability on their shoulders.”