Retailers, banks and credit card companies are in the process of shifting to a microchip-powered "smart card" that's virtually impossible to counterfeit. Some California lawmakers are so enamored of the idea, they want to make it illegal here not to make the switch. But it's not clear whose interests would be served by such a law, which would impose a California-only solution to what is clearly a national problem. What's worse, it's a national problem that private industry is already working in good faith to solve.
In a conventional credit or debit card, the holder's account data and security code is recorded permanently on the magnetic strip on the back. Hackers have proved adept at retrieving that information, whether by tampering with card readers or breaking into retailers' data vaults, enabling them to create counterfeits. Much of the developed world has moved on to smart cards that can change their security code with each new transaction, making it all but impossible to create working duplicates. But magnetic-stripe cards remain the coin of the realm in the United States, largely because of the cost of issuing new cards and installing new card readers.
This week, the California Senate is expected to vote on a bill by Sen. Jerry Hill (D-San Mateo) that would require banks to make at least 75% of the cards they issue after April 1, 2016, smart cards or an equally secure alternative. The measure, SB 1351, would set the same deadline for retailers to start accepting payment systems more resistant to counterfeiting than magnetic-stripe cards. The mandates would be delayed by 18 months for smaller banks and retailers, and they would not apply to government agencies.
One problem with Hill's proposal is that the companies operating the four top payment networks — for example, Visa and
Supporters of SB 1351 contend that the industry's solution wouldn't actually force retailers to make the change, and so many wouldn't. They may be right about that, because some retailers are too small to attract hackers or encounter many counterfeit cards. They'd rather face the small risk of liability than have to invest in new card readers. And that's a choice they should be able to make, given that they alone would be liable for the losses — not their customers.