Page 2 of 2
Javelin Strategy & Research puts the amount of fraud based on stolen card numbers in the U.S. at $14 billion. Fraud based on new card accounts created using stolen identities adds billions more — the total cost of identity fraud in the country is $37 billion.
Visa's move comes as industry experts are warning that U.S. merchants are set to become targets for fraudsters in other countries where payment systems already have tighter security. Since counterfeit magnetic-stripe cards are now difficult to use in other countries, these criminals will probably ship the cards to the U.S.
"There's already evidence that that type of channel for fraud is increasing in the U.S.," says Sullivan.
The U.S.'s status as a holdout has also started to cause problems for travelers. While most European stores and restaurants still accept magnetic-stripe cards, Americans are finding that their credit cards don't work in European automated kiosks, like the ones that sell tickets for the Paris Metro. Some U.S. banks, like Wells Fargo, have started issuing smart cards to customers who travel abroad.
Next year, Visa will start dangling this carrot in front of store owners: If they replace most of their terminals with ones that accept smart cards, they will no longer need to have their payment-system security checked every year. U.S. stores spend hundreds of millions of dollars a year for these audits, according to the NRF.
In an even more momentous shift, in 2015 Visa is shifting the liability for a certain kind of fraud from the banks to stores.
The specific case is this: If a customer presents a smart card in a store that can't accept it, then it will fall back to using the backup magnetic stripe on the card. If that transaction turns out to be fraudulent, the payment processor will be liable, and in practice, make the store eat the loss. Today, the bank would be liable for the fraud.
The change means that banks will have an incentive to put chip-based cards in their customers' hands, since their fraud liability will be reduced when the cards are used. For their part, stores will have a reason to install smart card terminals, because otherwise, their fraud costs could increase.
Javelin puts the cost of moving to chip-based cards at about $8 billion, mostly for upgrading payment terminals in stores.
The retail federation's Duncan calls Visa's move a necessary step, but not a fully satisfactory one. One of the shortcoming he sees is that it doesn't mandate the use of PIN codes with smart cards, so even if the cardscan't be copied, they could still be used on a signature basis if stolen.
Smart cards won't help secure online payments either, at least not initially, so that will remain an avenue for fraudsters. But they could help secure online transactions if paired with computers that can communicate with the chips, perhaps through accessory card readers. (American Express issued PC readers for its Blue smartcard in 1999. But the "smart" features on the card were proprietary to Amex, and saw very little use.)
Phone makers are also starting to build smart-card chips into cellphones, which could then be used in place ofcards at "contactless" terminals and perhaps help secure online shopping done through the phone.
The world's largest retailer, Wal-Mart Stores Inc. can't wait for smart cards to come fast enough. It's frustrated with the gaping security holes in the current payment system and wants to save money on card-acceptance fees that are inflated by fraud.
Wal-Mart has already installed terminals with slots for smart cards in all its U.S. stores, and it's working on getting the behind-the-scenes software working, so it can start accepting payments. It, too, sees PIN codes as essential to the security of the system.
"Signatures are a waste of time," says Jamie Henry, senior director of payment services at the company. "They add no value to anyone."