We have officially entered retailers’ favorite time of year: holiday shopping season. The next month should be joyful — but it might not be for consumers. Imagine unwrapping a notice that says your payment card was compromised at one of the dozens of merchants you visited on Black Friday or Cyber Monday.
It’s becoming a more frequent occurrence, and even though banks and credit unions typically make consumers financially whole for fraudulent transactions that result from a retailer breach, individuals are still deeply affected, spending hundreds of dollars to keep fraudsters from wreaking havoc on their credit history months, or even years, later.
We can significantly reduce data breaches, but it will take all stakeholders working together to develop innovative technology and support federal data security and breach standards.
An Electronic Payments Coalition review of Euromonitor International data provides an outline of what we should be doing.
First, smartcards are necessary. In the past two years, the United States has made significant strides in migrating to smartcards, also known as chip cards, equipped with the Europay/MasterCard/Visa standard. EMV is effective in combating counterfeit fraud, which occurs when a criminal skims another person’s card data, creates a fake card, and then uses that card to make purchases. While this transition is ongoing, initial data are promising. Visa found counterfeit fraud at merchants that can process EMV transactions was down 58 percent between December 2015 and December 2016.
This trend isn’t surprising. In countries that rely heavily on smartcards, we found counterfeit fraud was down 84 percent in the last decade despite the value of in-store transactions increasing 21-fold. That decline is three times larger than in countries where smartcards comprised less than 25 percent of payment cards. The Federal Reserve’s 2016 Payments Study also determined counterfeit fraud typically falls in countries that adopt smartcards.
Instead of focusing on PIN, a 50-year-old technology, as some merchant groups have suggested, we also need to layer new technologies on top of smartcards, especially if we want to address e-commerce and mobile payments fraud.
The Euromonitor data revealed that there’s no clear relationship between total card fraud and a country’s preference for using signatures versus PINs. Moreover, the Aite Group has found that a wholesale move to PIN in the United States would cost merchants, issuing banks, and credit unions roughly $7 billion to implement, but would save only $850 million in reduced fraud over five years. Any security benefit provided by PIN would be dwarfed by the cost of transitioning to this half-century old static method and would give users a false sense of security that this “fix” would protect them.
Our analysis also found that we must constantly innovate in order to stay ahead of criminals. Criminals adapt when countries implement anti-counterfeiting measures like smartcards. In Canada and Australia, which have adopted chip-and-PIN smartcards, card-not-present fraud increased three-fold and 13-fold, respectively, over the last 11 years. Card-not-present fraud, or online fraud, is the fastest-growing global card fraud segment. It’s a particularly attractive target for criminals given the growth in e-commerce/mobile payments and the lack of current infrastructure and technologies in place to combat it. (E-commerce sales in the United States increased 16.2 percent from the second quarter of 2016 to the second quarter of 2017, while total retail sales rose just four percent.)
This is why the payments industry has invested millions in new innovations, including peer-to-peer encryption, tokenization, and biometrics.
A holistic strategy to protect consumers’ financial information also must include federal data security and breach notice legislation. The Gramm-Leach-Bliley Act requires financial institutions to follow, but merchants still operate without federal data security and breach standards.
In the 114th Congress, the House Financial Services Committee overwhelmingly approved a bipartisan bill that would have put in place commonsense standards to protect data on both sides of the transaction. Retailers opposed this bill even though 90 percent of consumers agree that merchants should be held to similar data security standards as financial institutions.
With the number of data breaches increasing, we hope merchants will help us strengthen current law by supporting by similar data security standards and innovative security measures like smartcards, tokenization and biometrics. We stand ready to work with them — and Congress — to improve customer data security.
Molly Wilkinson is the executive director of the Electronic Payments Coalition.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.