Advertisement

Editorial:  Sacramento shouldn’t make a dumb move on ‘smart cards’

MasterCard's microchip-powered 'smart card' is already in use in Germany.
MasterCard’s microchip-powered ‘smart card’ is already in use in Germany.
(Martin Meissner / AP)
Share

Retailers, banks and credit card companies are in the process of shifting to a microchip-powered “smart card” that’s virtually impossible to counterfeit. Some California lawmakers are so enamored of the idea, they want to make it illegal here not to make the switch. But it’s not clear whose interests would be served by such a law, which would impose a California-only solution to what is clearly a national problem. What’s worse, it’s a national problem that private industry is already working in good faith to solve.

In a conventional credit or debit card, the holder’s account data and security code is recorded permanently on the magnetic strip on the back. Hackers have proved adept at retrieving that information, whether by tampering with card readers or breaking into retailers’ data vaults, enabling them to create counterfeits. Much of the developed world has moved on to smart cards that can change their security code with each new transaction, making it all but impossible to create working duplicates. But magnetic-stripe cards remain the coin of the realm in the United States, largely because of the cost of issuing new cards and installing new card readers.

This week, the California Senate is expected to vote on a bill by Sen. Jerry Hill (D-San Mateo) that would require banks to make at least 75% of the cards they issue after April 1, 2016, smart cards or an equally secure alternative. The measure, SB 1351, would set the same deadline for retailers to start accepting payment systems more resistant to counterfeiting than magnetic-stripe cards. The mandates would be delayed by 18 months for smaller banks and retailers, and they would not apply to government agencies.

Advertisement

One problem with Hill’s proposal is that the companies operating the four top payment networks — for example, Visa and American Express — are already force-marching their customers into the 21st century. Under the new contracts imposed by the payment networks, the banks that issue credit and debit cards and the retailers that accept them must switch to smart cards by October 2015. Whoever doesn’t adopt the technology will be liable for any losses caused by counterfeit cards. That’s a change from the current system, in which the bank that issues the card typically has to eat the loss.

Supporters of SB 1351 contend that the industry’s solution wouldn’t actually force retailers to make the change, and so many wouldn’t. They may be right about that, because some retailers are too small to attract hackers or encounter many counterfeit cards. They’d rather face the small risk of liability than have to invest in new card readers. And that’s a choice they should be able to make, given that they alone would be liable for the losses — not their customers.

Beyond that, smart cards would solve only one aspect of the fraud problem. They won’t deter online fraud, the theft of stored card data or the use of stolen cards. Hill’s bill would, however, raise costs for many small businesses, while also inviting lawsuits against retailers that take an alternative tack against fraud. Rather than trying to force banks and retailers onto the state’s upgrade path, lawmakers should see how much, if any, card counterfeiting remains after the industry makes its own switch.

Advertisement