:format(webp)/cdn.vox-cdn.com/uploads/chorus_image/image/63705628/chip-and-pin.0.1537431126.0.jpg)
Retailers and consumers around the country are gearing up for the last rush of holiday shopping and preparing for New Year celebrations. Following last year’s whopping $616 billion holiday retail sales, consumer spending this year is projected to jump 3.7 percent, to more than $630 billion.
Against this backdrop, however, is no shortage of misinformation when it comes to new payment technologies and data security. While more than $100 billion in sales will happen online, the remainder of holiday shopping — and the vast majority — will happen at the cash register in brick-and-mortar stores. And many of this year’s shoppers will be completing their purchases with new credit and debit cards that now have an embedded microchip.
Consumers expect that each time they swipe or “dip” their credit or debit card, they’ll be protected from the possibility of fraud. But these chip cards, which continue to rely on our signatures as a second form of authentication, are not as secure as they could or should be.
These chip cards are the culmination of the recent transition to EMV (short for EuroPay, MasterCard, Visa) technology, which entailed replacing magnetic-stripe-and-signature cards with chip-and-signature cards. On Oct. 1, retailers and banks underwent a “liability shift,” whereby merchants across the country became responsible for upgrading their payment terminals to accept new chip-equipped credit and debit cards. In the event of a data breach or fraudulent financial activity, the burden now falls on whichever institution is using the older payment technology.
Regardless of the tit-for-tat details between retailers and the financial sector, many consumers remain confused about “dipping,” or inserting a card rather than swiping. This is only exacerbated given the fact that these cards still have a black strip on the back to facilitate the swipe, an action many are still left doing as businesses undergo a massive overhaul of their payment infrastructure.
As a result of this supposed improvement to our payment security, consumers expect that each time they swipe or “dip” their credit or debit card, they’ll be protected from the possibility of fraud with the best technology available. But these chip cards, which continue to rely on our signatures as a second form of authentication, are not as secure as they could or should be.
Chip-and-PIN technology, on the other hand, uses an advanced two-factor authentication system and has been used around the world for years. Along with the microchip, each card requires a unique PIN, or personal identification number, that consumers must enter upon making a transaction.
Consumers in many other countries have long since abandoned magnetic-stripe-and-signature cards, and as a result have seen significant declines in credit card fraud. Should a thief attempt to steal or counterfeit a chip-and-PIN card and use it for an in-store purchase, it would be useless without knowing the PIN. What’s more, we could extend those protections even further if we had more robust mechanisms available for consumers to securely use their PINs during online transactions. The technology exists to securely use PINs online — it’s just not widely used.
The big banks and credit card companies are cutting corners to cut costs, forgoing the added PIN feature to reduce the amount they would have to invest in new cards.
Despite the overwhelming evidence of chip-and-PIN’s success, Visa, MasterCard and other financial institutions have been issuing chip-only cards, arguing that consumers would have trouble remembering an additional passcode. In actuality, the big banks and credit card companies are cutting corners to cut costs, forgoing the added PIN feature to reduce the amount they would have to invest in new cards.
“There are two indisputable facts,” Conexxus Executive Director Gray Taylor recently wrote. “According to the Federal Reserve Bank, signature transactions have a 400 percent greater fraud risk than PINs, and consumers know that PINs are far more secure than signatures. (They can also, contrary to the card companies’ assertion, easily remember four-digit PINs!)”
As of late September, six out of 10 consumers had not yet received a chip-enabled card. And a recent survey from payments company Square reported that only “37 percent of the cards that Square vendors processed were chip cards.”
With the holiday retail rush upon us, and the lack of progress we’ve seen since the EMV transition, financial institutions should reevaluate the chip-only cards and instead consider the success of chip-and-PIN technology around the world. Consumers should feel confident that their financial information is protected at each and every register they encounter this winter. While it’s unlikely that PINs will be issued in time this year, the nation’s financial institutions should give serious thought to implementing PINs so consumers will be better protected next holiday season.
Debra Berlyn is director of the Consumer Awareness Project. She is also the leader of ProtectMyData.org. Reach her @dberlyn.
This article originally appeared on Recode.net.
