The Target breach shows the need for chip-and-PIN cards
January 24, 2014 12:00 AM
On Sunday, police in Texas arrested two drivers carrying 96 fake credit cards, which authorities initially suspected were manufactured using numbers stolen in the massive Target credit-card breach. On the same day, South Korean authorities announced “the theft of personal information from more than 100 million South Korean credit cards and accounts.” As data heists become ever-more aggressive, it is increasingly necessary to switch from America’s hoary card-swiping to the chip-and-PIN cards that have made Europe safer.
The age when consumers paid with cash and checks seems as quaint and distant as the age when horses trotted down downtown avenues and gas lights flickered in the dusk. Seventy-eight percent of Americans have debit cards, and 70 percent have credit cards. Much of the credit- and debit-card revolution is real progress. Our transactions are quicker. Retailers who want to sell to customers without bundles of currency don’t need to operate their own mini-lending agencies.
But credit cards also carry costs; some Americans over-borrow and spend years paying off debt at high rates. While most consumers know how to prevent excessive debt — don’t spend the money — credit card fraud is a far more shadowy danger. And in no small part because of the now-primitive magnetic-strip technology that the cards generally use, credit card fraud has become one of the common hazards of life.
A few years ago, I spent hours arguing that I was not responsible for a $15,000 used car purchase in some remote English town. More than 5 percent of consumers either lose their cards or have them stolen annually, and each lost or stolen card is associated with about $600 in fraudulent use.
We can reduce the losses from credit card fraud by switching to so-called smart cards with chips that require PINs. There is a long-established global standard called EMV — for Europay, MasterCard and Visa — for smart cards, which are harder to reproduce en masse than magnetic-strip ones. The PINs they use are more secure than signatures, which are easy to imitate and often go unchecked anyway.
Britain implemented chip-and-PIN in 2004, and since then fraud from lost or stolen cards has declined by 61 percent. The fraud rate in face-to-face transactions in France has also fallen dramatically. In contrast, there’s a market in South Korea for stolen credit-card information because chip-and-PIN systems haven’t caught on in that country.
There are ironies in the fact that America remains an island of card swiping in a world that has largely embraced PINs. Target was an early pioneer of smart card technology in the United States, but the company dropped the experiment because it was slowing down checkout lines.
Adopting smart cards isn’t free. One estimate is that the cost of replacing cards and payment terminals would exceed $5 billion. I am not looking forward to typing in PIN numbers for the rest of my life. Moreover, thieves will surely figure out new ways to steal, by targeting online transactions and stealing PIN numbers. Chip-and-PIN is not a panacea, just the inevitable next step in an ever-escalating arms race with the hackers.
Reports now suggest that the code that compromised Target was written by a Russian teenager. If data theft on this scale is that easy, then we need to at least move to the global standard for smart cards — and be prepared to adopt future security improvements.
In Britain, the push toward smart cards came from an association of financial institutions; later, the government backed the group’s recommendations. Occasionally, a central institution in other countries, such as the European Central Bank, will give the process a push. And if the Consumer Financial Protection Bureau of the Federal Reserve Bank chose to nudge the United States towards chip-and-PIN by verbally exhorting the industry to move swiftly, it certainly wouldn’t hurt.
But especially in light of the potential for interference from — or backlash within — a fractious Congress, I’d rather see a private solution. The credit-card companies and retailers that carry most of the losses from fraud should have strong enough incentives to adopt the safer technology. Moreover, the Target data breach, which has affected as many as 110 million customers, likely ensures that Americans now will be more open to typing in a few numbers at the point of sale.
Edward L. Glaeser, a Harvard University economist, wrote this for the Boston Globe.
To report inappropriate comments, abuse and/or repeat offenders, please send an email to
email@example.com and include a link to the article and a copy of the comment. Your report will be reviewed in a timely manner.