Message to Chase: You know how to stop card hacking, so do it already
On Tuesday I got a message from the good people at the fraud alert center at JPMorgan Chase: They’ll be sending me a new Chase credit card because “a security breach at The Home Depot” may have put my old one at risk.
What gets me about this is that it’s the second nearly identical message I’ve received from Chase this year. The first one arrived almost exactly eight months ago. At that time Chase said they were sending a new card because the old one “was identified as at risk from Target’s data security breach.”
So here’s my message to Chase. You know exactly how to stop these repeated data breaches. Do it already! Stop making me pay for your stupidity and greed.
The technology to eliminate data breaches at retailers has existed for years. It’s in widespread use almost everywhere in the developed world except the United States. It’s the smart card, which carries an embedded chip encrypted with the user’s account information instead of a black magnetic strip, which can be easily hacked.
In Europe, users swipe their smart cards at the point of sale, then plug in their secret PIN. The card never leaves their possession, and if it’s stolen it’s worthless without the PIN. Target- and Home Depot-style hacking is almost nonexistent in Europe. It happens in the U.S. with increasing frequency and on an ever larger scale -- Home Depot’s breach compromised an estimated 56 million cards -- because we’re a soft target. (So to speak.)
At last, spurred by the serial data breaches at Target, Home Depot and other big consumer chains, the credit card industry is preparing to roll out smart cards in America ... next year.
But of course they’re going about it in the dumbest possible way. Mother Jones’ Kevin Drum, who for years has assiduously tracked American business’ refusal to adopt the smart card, reports that the version that will prevail in the U.S. is the chip-and-signature card -- you swipe it and then sign on the payment screen.
“Chip-and-signature cards are still hard to counterfeit,” Drum writes, “but they can be used by thieves just as easily as current mag stripe cards.”
Chase, my card issuer, is preparing to roll out smart cards -- but they’ll be chip-and-signature, not chip-and-PIN cards. Chase is trying to convince its customers that this is a virtue: “This card does not require a PIN,” it brags on a customer service site. Typically, the bank places the burden of explaining the difference to retailers on the customer. If a merchant demands a PIN, the bank says, “Explain to the merchant that your card is Chip with Signature and a PIN is not required or necessary.”
This is extremely dumb.
The reason for American card issuers’ unconscionable slowness in converting to smart cards is, as usual, money. It will cost an estimated $35 billion to convert the U.S. to smart cards, including retailer terminals. The retailers will be shouldering most of that cost -- but according to retailer lobbyists, they want chip-and-PIN cards. They won’t be getting them.
The inconvenience of the existing system falls, naturally, on customers. When my new Chase card arrives, I’ll have to provide the new number to every retailer or service to which I make automatic payments.
There are dozens of them, including some whose names I forget until a payment is due and gets bounced, because the number’s been changed. It is, to be sure, a pain in the prat, and this will be the second time I’ve had to go through the exercise this year. The same probably goes for you. Here’s a good bet: It won’t be the last. Drum’s words to American card issuers are appropriate: “Do your jobs, folks.”
Keep up to date with The Economy Hub by following @hiltzikm.
