Co-written by Jon Hurst
This entry originally ran as an op-ed in the September 25, 2015 edition of The Boston Globe.
Hardly a week goes by without a news report of a new cyberattack. As any consumer affected by fraud knows, the harm is real. The impact on businesses, government, and other targets is also real, and includes monetary harm and reputational damage that can devastate those so reliant on the trust of their customers.
Retailers recognize that their commitment to protect information must evolve and grow with the threat, and they have invested considerable resources to strengthen the barriers that protect information that passes through their systems. Retailers also recognize that cybercriminals are highly sophisticated, and that the tallest and thickest “walls” won’t always stand up to the volume of attacks. That’s why retailers believe that reducing the value of data behind their walls is equally important.
Cybercriminals, like most criminals, are money-driven. Sophisticated cyberthieves, often from overseas, relentlessly troll for valuable data they can sell to crime rings that use the stolen information to commit fraud. But there is a way to make the credit and debit card information less valuable or totally useless to potential thieves: It’s called Chip and PIN (personal ID number). It has been the standard around the world for nearly a decade, yet it has not been embraced by banks and card networks in the United States.
Consumers are just now receiving credit and debit cards reissued with a microchip embedded in addition to the traditional magnetic stripe. The chip offers a higher level of security and is an important step in the right direction; but unlike cards issued in Canada, Europe, and the rest of the industrialized world, cards issued in the United States will not require a PIN. Cards delivered to our consumers will still rely on a signature, which allows for stolen-card use and forgeries.
The combination of an encrypted chip and private PIN substantially reduces the value of data to cybercriminals. If a criminal cannot use a stolen card or create a counterfeit card, the value and reasons to steal the data in the first place disappear.
When Britain began using both chip and PIN technology, fraud losses at retailers fell 67 percent, and lost or stolen credit card fraud fell by 58 percent. When hacking European businesses became less profitable, cyberthieves simply refocused their efforts on an easier target, U.S. credit card numbers. Today, the United States represents half of all card fraud even though only about a quarter of the world’s transactions occur here.
Retailers have invested an estimated $8.6 billion in new point-of-sale equipment to accept these new chip cards. The experience at point of sale will change slightly; chip cards are “dipped,” not swiped. Unfortunately, one thing will not change: the United States will continue to have the weakest card security in the world.
Given the clear consumer benefits of Chip and PIN, why are banks hesitating to require both? They argue that consumers will forget their PINs; but whether it’s using an ATM or cell phone, we are all quite capable of using a PIN to prevent access to sensitive information. The truth is that, for banks and card networks, the status quo is lucrative; they don’t want to change.
There is no one answer to defeat cyberattacks, but we must recognize that criminals follow money through the path of least resistance. Banks should ensure new U.S. cards are equipped with the same security features afforded consumers in other countries. We can all help push forward this important and overdue reform by demanding that our banks stop the delay, drop the signature, and mandate the PIN.
Former state attorney general Martha Coakley is of counsel at Foley Hoag. Jon Hurst is president of the Retailers Association of Massachusetts.