- The Washington Times - Monday, September 21, 2009

Next-generation security for debit and credit cards is on hold in the United States as banks and retailers argue over who should pay for a new system.

Americans continue to use plastic for more and more transactions, at checkout counters, over the phone and on the Internet, despite increasingly frequent security breaches. But the banking industry’s losses have not been large enough to spur a consensus on financing the estimated $8 billion cost of moving beyond the aging magnetic-stripe technology now in use, analysts and consumer advocates say.

“Up until now, it hasn’t been that necessary, but in the last few years, hundreds of millions of cards have been compromised,” said Avivah Litan, a Gartner Research analyst.

“The question is, how much more fraud do the banks want to tolerate?”

Authorities aren’t sure how many of the 130 million accounts Albert Gonzalez was accused of hacking last month had money stolen from them. Prosecutors said last week that Mr. Gonzalez has agreed to plead guilty to previous data-theft charges.

The industry is tight-lipped on fraud losses, although they are known to be in the billions each year.

“They don’t ever reveal the exact numbers, so we don’t know,” said Ms. Litan. “All we know is there are a lot of breaches and there’s a lot of money being spent on security in the wrong places.”

The “chip and PIN” system used for payment cards in much of the world greatly reduces the risk from cyberthieves.

Although this smart-card system isn’t foolproof, in most cases a thief would need to physically possess your card in order to withdraw cash or make an unauthorized charge. With magnetic-stripe technology, hackers can reprogram a dummy card with your account information.

A microchip embedded in each smart card contains the user’s account information, and some transactions also require a PIN number.

The “chip and PIN” system is used in Europe, Mexico and elsewhere, Ms. Litan said. It will be rolled out in Canada next month.

Everyone along the electronic-payments food chain agrees that more security is needed, from the banks that issue the cards to the retailers that accept them to the payment processors whose networks transmit essential information.

It’s just that retailers think the banks should pay more and that banks think the retailers and payment processors should pay more.

Every consumer would need new cards — by some estimates, Americans hold more than a billion of them.

Even more daunting, every card-swipe machine in the country would need to be replaced.

Nagraj Seshadri, senior product marketing manager at security company Sophos, said it cost $1.6 billion to roll out “chip and PIN” in Britain. Since the U.S. population of 300 million is five times greater, it could cost $8 billion to do the same here, he said.

Yet the value of purchases made in the United States with Visa Inc.’s debit and credit cards alone exceeded $1.6 trillion last year. And this country is a big bull’s-eye for hackers around the world.

“I think the U.S. is targeted because there’s more and wealthier people on the Internet and we’re more active in e-commerce,” Ms. Litan said.

Wayne Ivey, a 27-year Florida police officer and fraud victim who started the state’s task force on the issue, said one in 10 Americans will be targeted for identity theft by next year, according to FBI estimates.

“Every security measure that we can put into place is a step in between us and an identity thief,” he said.

Ms. Litan noted that there are cheaper card-security technologies, such as touchless scanning.

“I can understand why the U.S. has resisted. It’s very expensive to move to chip and PIN. The banks here haven’t wanted to spend the money on it. On the other hand, it’s badly needed.”

The banking industry says that it is willing to pay for new cards but that retailers would have to pay for new card-swipe machines.

“It’s not very expensive for financial institutions to embed a chip in a card,” said Doug Johnson, vice president of risk management policy for the Washington-based American Bankers Association.

“But that presumes you have a retail environment willing to bear the cost of changing the point-of-sale mechanism, and that’s, frankly, one of the largest sticking points.

“The retailers, in general, do not bear the larger costs associated with fraud, the financial institutions bear that cost, so there’s little incentive for the retailers to put that system in place,” he said.

David Hogan, chief information officer of the National Retail Federation in Washington, takes exception.

“It’s kind of interesting they would say that,” he said. “That would be like the Treasury Department telling retailers that you have to pay extra to use the new $20 bill because it’s more secure.

“The retailers don’t create the credit cards. Visa and MasterCard and the banks do. We’re using magnetic-stripe technology, it’s over a generation old, easily. It’s their payment system, and its flawed.”

Linda Foley, founder of the Identity Theft Resource Center in San Diego, said retailers and payment-processing companies are responsible for more data breaches than banks.

Companies such as Heartland Payment Services and retailer TJX Cos. Inc., both victimized by Mr. Gonzalez, pay a huge price for that, and rightly so, she said.

“The old formula that a lot of them are still using is, ‘What is the cost of fraud or loss versus the cost of putting in a new system,’ and it’s the wrong formula.

“You have to consider what is your fraud loss, what is the cost of losing your customers, the decline of your stock price, what’s the cost of your fraud resolution units and the loss of your reputation?

“The same things keep happening over and over again, and yet we haven’t learned from that,” Mrs. Foley said, adding that legislation will probably be necessary to force companies to strengthen the system.

Susan Grant, director of consumer protection at the Consumer Federation of America, agreed.

Greater legal rights for fraud victims to dispute transactions and sue over lapses would spur action, she said.

“Until consumers are able to bring private actions for lack of adequate security, there probably won’t be enough incentive to business to invest in higher degrees of security,” Ms. Grant said.

Copyright © 2019 The Washington Times, LLC. Click here for reprint permission.

The Washington Times Comment Policy

The Washington Times welcomes your comments on Spot.im, our third-party provider. Please read our Comment Policy before commenting.


Click to Read More and View Comments

Click to Hide