Advertisement

Cost has U.S. banks stalling on ID theft deterrent

Share

Leah Padow knows from identity theft. She recently had five accounts at three banks compromised.

The fraud occurred in mid-November, so it was apparently unrelated to the digital break-in at Target, which began after Thanksgiving and resulted in the card numbers and personal information of up to 110 million customers being accessed by hackers.

And it was apparently unrelated to the hack attack on Neiman Marcus, which began last summer and resulted in at least 1.1 million customers’ card numbers being jeopardized.

Advertisement

But that’s little comfort to Padow, 36, of the San Fernando Valley.

“You feel like you’ve been invaded,” she told me. “You feel threatened. You immediately have to drop everything and spend many hours trying to stop this from happening.”

Businesses clearly need to be doing more to safeguard customers’ personal information. I recently proposed that all corporate databases be encrypted and other security measures be put in place. I also called on lawmakers to impose hefty fines on any company that fails to protect people’s info.

But that’s only half the battle. What’s also needed is an overhaul of credit and debit cards to make them less vulnerable to fraud.

And we’re not talking rocket science here.

All we need to do is follow the example of about 130 other countries that have abandoned magnetic stripes, or mag stripes, on credit cards and equipped their plastic with harder-to-hack security chips. They also require that all card transactions include a personal identification number.

Everyone seems to agree that the United States needs to join the chip-and-PIN party. Frustratingly, though, various business interests are squabbling over who should foot the bill, rather than focusing on the best way to protect American consumers.

Chip-and-PIN cards became widely used in Britain a decade ago. Since then, fraud losses from counterfeit cards fell more than 63%, according to a 2012 study by the Federal Reserve Bank of Atlanta.

Advertisement

During the same period, the study found, the fraud rate involving mag stripe bank cards in the United States increased 70%.

“With a clear pattern of fraudsters targeting non-chip transactions, the United States faces a significant risk of continued escalating fraud as long as the payments industry relies on mag stripe technology,” the Fed bank study concluded.

The National Retail Federation supports a switch to chip-and-PIN cards. The industry group sent a letter to congressional leaders last week calling for an end to America’s use of “easy-to-hack 1960s technology.”

“For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk,” said Matthew Shay, president of the federation.

Adding insult to injury, he said, U.S. banks don’t hesitate to tout the security benefits of chip-and-PIN cards for their customers in Europe and elsewhere.

The banking industry recognizes a need for change. It just doesn’t want to be saddled with the full cost of implementing a new credit card system nationwide.

Advertisement

Banks want retailers to help pay the tab, which could run as much as $8 billion to issue new cards and upgrade card readers in stores.

“Much has recently been made about the ongoing disagreements between the retail community and the banking industry over who is responsible for protecting the payments system,” Frank Keating, head of the American Bankers Assn., said in a letter to Congress after the Target hack was revealed.

“In our view, it is a shared responsibility of all parties involved,” he said.

Bankers and retailers aren’t looking for Congress to pass chip-and-PIN laws. Just the opposite: They want lawmakers out of their hair while they fight among themselves over a restructuring of card payments.

The big card networks — Visa, MasterCard, American Express and Discover — are already tired of the bickering. They’ve served notice that, as of October 2015, whoever hasn’t made the switch to chip-and-PIN technology will have to eat the cost of credit card fraud.

In other words, fraud-related losses will have to be borne either by a card issuer that has stubbornly stuck with magnetic stripes or a merchant that refused to upgrade its card reader.

Losses from credit and debit card fraud worldwide topped $11 billion in 2012, according to the Nilson Report, an influential newsletter that covers the card industry. Of that amount, it said, banks had to pay 63% of the cost and merchants 37%.

Advertisement

David Robertson, publisher of the Nilson Report, said chip-and-PIN cards represent “the strongest defense against counterfeit cards.”

The Nilson numbers suggest that banks accept the greater share of the “shared responsibility” of switching to safer card technology. Since they already cover about two-thirds of losses from credit and debit card fraud, they have the most to gain from a transition to chip-and-PIN systems.

But Doug Johnson, vice president of risk management for the bankers association, told me that a more equitable breakdown would be banks’ paying to replace all cards and merchants paying to replace all card readers.

Chip-enabled cards can cost as little as $1 apiece to produce, compared with about 25 cents for mag stripe cards. Card readers can run hundreds of dollars each.

“For merchants,” Johnson said, “it’s a cost of doing business.”

Movie studios said the same about theaters when the prospect of switching from celluloid to digital technology arose. They wanted theater owners to pay for installation of pricey digital projectors, even though studios would greatly benefit from cheaper digital distribution.

In the end, the studios helped subsidize theaters’ cost of putting in the new hardware. Banks may want to consider that.

Advertisement

Padow, the ID theft victim, doesn’t care who pays what. She just wants peace of mind, and if a chip in her plastic and a PIN to authorize transactions accomplishes that, let’s do it.

“This is something that should have been done years ago,” Padow said.

It was. Just not here.

David Lazarus’ column runs Tuesdays and Fridays. He also can be sen daily on KTLA-TV Channel 5 and followed on Twitter @Davidlaz. Send your tips or feedback to david.lazarus@latimes.com.

Advertisement