Smart cards, already used for credit transactions in about 130 countries, are coming to America. But it will be years before we all have these fraud-resistant credit cards in our wallets.
Though U.S. banks have been issuing the cards for a few years, the recent rash of data breaches at Target and other retailers has injected a sense of urgency into their efforts.
The big question is what type of smart cards the banks will issue. Will they require a PIN code for authentication or simply a signature?
(Read more: Identity theft rises as crooks get more creative)
Smart cards are far more secure than traditional credit cards, which store account information—unencrypted—on a magnetic stripe. These next-generation cards encrypt and store that data on an embedded microchip that generates a new code for each transaction. So even if your credit card number is stolen, it’s nearly impossible for a criminal to create a counterfeit card.
Point-of-sale credit card fraud has dropped dramatically where the smart cards have been deployed—in Europe, Asia, Mexico and Canada.
The changeover in this country will be costly—as much as $35 billion, by some estimates. Banks will have to issue billions of new credit cards. But most of the expense will be shouldered by retailers, which will need to install more than 10 million high-tech card readers.
According to the National Retail Federation, merchants are willing to spend that money if the banks issue the right kind of smart cards. Retailers want what are called chip-and-PIN cards, which require that a PIN be entered for each transaction.
Chip-and-PIN cards are used in the United Kingdom, France and Canada; chip-and-signature cards are the norm in Mexico and Germany.
(Read more: Why prepaid debit cards are appealing to so many)
At a news conference Tuesday, Mallory Duncan, the federation’s senior vice president and general counsel, called chip-and-signature cards a bad idea.
“It’s like locking the front door and leaving the back door open,” he said. “It would be a shame to spend all that money for a half-baked solution.”
The American Bankers Association said the marketplace should be able to accommodate both chip-and-signature and chip-and-PIN smart cards.
“It’s the only way for this complex payments system to continue to deliver convenience and meet the needs of consumers,” said Jeff Sigmund, the association’s senior director of public relations.
The pros and cons of PIN code authorization
For some, there’s no question that PINs should be required when using a smart card.
“A signature is a stupid form of authentication that dates back to medieval times when there were kings and queens and guillotines,” said Robert Siciliano of BestIDTheftCompanys.com.”It has absolutely no proactive security value.”
His view is that the chip verifies that the card is not counterfeit, and the PIN proves that you are the authorized user.
Others suggest that PIN authorization is not needed because of the difficulty in counterfeiting smart cards.
“Merchants see the PIN as a more secure option, but it doesn’t make a lot of sense to the banks because it really doesn’t do anything,” said Alphonse Pascual, a senior analyst for security, risk and fraud at Javelin Strategy & Research. “It would be like putting a new deadbolt on your front door and then putting gum in the lock. It’s the lock that’s protecting you, not the gum.”
There’s also the concern that Americans, who tend to have a variety of credit cards, would have a tough time managing multiple PINS.
“If the consumer doesn’t want to memorize all those numbers, they might choose the same PIN for each card,” said Randy Vanderhoof, executive director of the nonprofit Smart Card Alliance. “Using one PIN to protect 10 different cards in your wallet now exposes you to the potential for increased fraud.”
PIN technology could pose a challenge to credit card issuers, which must deal with users who can’t remember their PIN or need to change it. That was a problem when Canada switched to chip-and-PIN credit cards, but people eventually got accustomed to it.
How long will it take to make the switch?
There’s no government mandate or fixed time line. Visa, MasterCard, American Express and Discover want the country converted to smart cards by October 2015. And they’re using the threat of lost profits to move things along.
(Read more: Hotels data breach ire could lead to tipping point)
After that date, fraud losses would shift to retailers if their point-of-sale payment terminal can’t process smart cards and the transaction turns out to be fraudulent. (Smart-card readers will be able to accept both magnetic stripe and chip-enabled credit cards during the transition).
Target CFO John Mulligan told a congressional committee last week that his company hopes to have smart-card readers in stores by year-end. Target also plans to issue a chip-and-PIN version of its RED cards early next year.
Smart cards won’t stop all credit card fraud, of course. A stolen account number can still be used to make online or telephone purchases, when the card doesn’t need to be presented. Retailers and bankers know that, and they’re already exploring solutions.
“But for now,” Vanderhoof said, “deploying these chip cards is the most important step in the process.”