First it was Target, then Neiman Marcus. Word broke on Sunday that nationwide craft store chain Michaels suspects it too has been a victim of a data attack, leaving its customers’ credit and debit card information vulnerable.
Though the security breach has not yet been confirmed, reports of fraudulent activity on customers’ cards have come to light, leading Michaels to issue a warning.
“We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue,” said Michaels CEO Chuck Rubin, in a statement to media.
At the same time, the recent attacks have many wondering why the United States has been so slow to adopt Chip and PIN technology, which critics say greatly reduce the risk of fraud. Each debit and credit card comes with a small microchip embedded. Instead of a clerk swiping the magnetic strip on the back of the card, the customer inserts it into the point-of-sale terminal and enters their PIN number, which is verified by the microchip. These so-called “smart cards” are used around the world – including in Canada and Europe – and have been for some time.
So how effective are they in reducing illegal activity? France claims to have reduced card fraud by 80 percent since Chip and PIN was launched in 1990s. In the United Kingdom, where Chip and PIN was introduced in 2003, an APACS study reports there was an immediate 67 percent reduction, worth £146.7 million, in face-to-face fraud on retail transactions. In some areas, there was a 98 percent reduction in fraudulent activity, and many retailers reported a 50 percent reduction in write-offs, resulting in direct savings of £100,000 each.
Considering even North Korea and Iran have adopted the technology, why is it so slow to arrive in the United States? The primary speed bump is cost. For starters, chip cards – also known as EMV cards – cost about five times more than traditional cards. Retailers would also have to upgrade their terminals, which could cost an upward of $5 billion.
The cost is prohibitive, but the U.S. losses are staggering. According to the Nilson Report, fraud in 2012 was the lowest for PIN-based networks. The U.S. represented 47.3 of global card fraud losses – which totaled $11.27 billion – but only accounted for 23.5 percent of volume.
“The absence of EMV cards and terminals in the U.S. contributes to fraud losses,” states a Nilson Report press release. “The U.S. is the only region where counterfeit card fraud continues to grow consistently.”
However, American retailers may soon become motivated to start the transition. Currently merchants cover the cost of one-third of fraudulent spending, but by 2015 the liability will increase for chip cards swiped in old machines – retailers will now be forced to cover 100 percent of the losses.
The card associations will also be offering perks for merchants who make the switch. Those who process a minimum of 75 percent of their volume on EMV terminals will enjoy reduced Payment Card Industry (PCI) reporting requirements and audit relief.
But don’t be too quick to assume Chip and PIN is a cure-all. In fact, the jury is out on whether the technology could have prevented the Target breach, which was caused by malware running on payment processing servers. And the advanced terminals aren’t immune to hacking – a 2010 report by Cambridge University researchers uncovered major flaws in the technology that allow rip-off artists to skim information.
The sad truth is no matter how advanced the technology, scammers will find new ways to exploit it. The best thing consumers can do is check their statements regularly and credit score at least once per year. Companies, however, have a much bigger responsibility to ensure they are protecting valuable customer data.