We're finally ready to get serious about credit card fraud in the U.S. Is your IT department ready for the changes that are heading its way?
U.S. merchants and credit card issuers must implement the EMV credit card standards, requiring embedded chips, by October 2015, or they will be held responsible by Visa, MasterCard and other large credit card companies for the cost of any fraudulent in-person transactions.
Europe's credit cards have been more secure available than those in the U.S. for years. The financial losses caused by fraud hadn't been high enough in the U.S. to spur any change, and businesses were willing to absorb the losses. But then criminals started to target the easier-to-clone U.S. cards, and U.S. credit card fraud doubled over the last 10 years. Still, while credit card fraud now costs the U.S. roughly $1.1 billion, that amount is overshadowed by the approximately $8 billion required to issue new cards and install new card readers in hotels, restaurants, stores and other credit card-reliant businesses.
In business, cost is usually the great justifier when it comes to change. But in this case, it just hasn't been sufficient. But things are changing, and that's because privacy concerns are providing the catalyst to migrate to higher- security cards. The revelations about National Security Agency spying were scary, and the Target breach and other high-profile data losses heightened privacy concerns. The public does not believe that businesses or the government adequately protects consumer data. The final impetus for the migration was the December 2013 Senate Commerce Committee report that revealed that private U.S. data brokers collect enormous amount of data and can identify who suffers from diabetes and who faces financial difficulties. They even know how much time someone spends watching YouTube!
EMV credit cards are significantly more secure than the current magnetic stripe. Each card contains a microchip that encrypts every transaction differently, making the cards extremely difficult to clone. Even if credit card numbers are stolen from a repository, the consumer's personal information is unavailable. The most secure credit cards, known as "chip and PIN," allow the consumer to retain physical possession of the card at all times. Rather than giving the card to a clerk, who could copy critical information, the consumer is handed a portable point-of-sale reader that requires a PIN to complete the transaction.
Although banks and merchants are still debating whether to adopt a full European-style chip-and-PIN approach or a hybrid chip-and-signature approach that would be more familiar to the U.S. consumer, either would be a significant improvement over the current situation.
Any organization that accepts physical credit cards (different technology is being deployed for e-commerce) should upgrade credit card readers to the EMV specification. Businesses such as restaurants, where a server or clerk usually handles the card, will have to update procedures, retrain staff and validate their new approach with their payment processor. In addition, organizations may need to expand their wireless network to accommodate portable card readers.
Although some banks already issue EMV-compliant cards, and a few large retailers (including WalMart and Kroger) are already rolling out EMV card readers, many companies will fail to meet the specified deadline, due to the large investment required. However, savvy retailers view EMV as an element of outstanding customer service. Address your customers' privacy concerns by publicizing your higher security standards as an extraordinary effort to protect their data.
Don't view EMV compliance as another pesky regulatory mandate. Instead, approach EMV as a market differentiator to attract and retain customers who value privacy protection. Let your non-compliant competitors suffer the legal, reputational and financial liability risks. Be the first in your market sector to adopt EMV standards, and win invaluable customer loyalty.
Bart Perkins is managing partner at Louisville, Ky.-based Leverage Partners Inc., which helps organizations invest well in IT. Contact him at BartPerkins@LeveragePartners.com.
Read more about retail in Computerworld's Retail Topic Center.