Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services
Credit card usage is growing annually and the figures reveal some very interesting trends. In 2006, the United States Census Bureau determined there were nearly 1.5 billion credit cards in use in the U.S., creating a similarly large opportunity for credit card fraud. In fact, credit and debit card fraud is the #1 fear of Americans in 2009, superseding fears about terrorism, personal safety and even the consequences of the global financial crisis. (Source: Unisys Security Index: United States, March 2009).
The response in many parts of the world where card issuing companies bear financial responsibility for credit card fraud is to roll out chip and PIN technology, also known as “EMV” after the three companies that originally cooperated to develop the standard — Europay, MasterCard and VISA. Twenty-two countries have already adopted this technology, including most of the European Union, Mexico, Brazil, and Japan, with another 50 countries in various stages of adoption during the next two years, including China, Canada and India.
But so far in the U.S., there has been little incentive to follow suit. The card issuers cite the enormous cost of rolling out chip and PIN technology, estimated to be around $5.5 billion, and they rest safe in the knowledge that it is the merchants in the U.S., and not the card issuers, who are responsible for the financial costs of credit card fraud.
But is the United States being short-sighted in its reluctance to adopt chip and PIN technology? Have other countries that have adopted this technology actually seen a reduction in the amount of fraud?
So far, there appear to be mixed results. In France, which introduced a chip-based PIN system in 1993, losses halved in the first year and counterfeiting fell by 78 percent. By 1996, counterfeit charges had effectively been eliminated, according to the French national bank card association, Cartes Bancaires, and by 1998, banks were saving the equivalent of 0.1 percent of sales volume on fraud alone. In the UK, however, fraud has continued to rise, though interestingly only in areas where chip and PIN technology makes little difference, including card-not-present fraud and overseas-use fraud. What this suggests to me is that criminals are creative, and credit card fraud, like all security problems, requires a multi-layered solution.
As more and more countries move to adopt chip and PIN and make their retail data more difficult to hack, one real concern is that U.S. card holders and businesses become viewed as “low hanging fruit” and are targeted by hackers and identity thieves more frequently. A recent survey by Actimize found that around 66 percent of bankers, card issuers or payment processors expect U.S. card fraud levels to increase, with 11 percent expecting a significant level of fraud growth in the near future due to progressing technology upgrades in Canada.
As the number of cases of attempted fraud threatens to rise in the U.S., local banks, card issuers and payment processors will come under increased pressure to find a solution that reduces their liability, even though retailers seem to be focused on user-friendliness over security, as evidenced by Amazon’s use of a payphrase + PIN check-out system. However, there are some contrary indicators. The increased number of high-profile security breaches in the States has resulted in laws like Massachusetts State Law 201 CMR 17.00 and the Nevada law requiring compliance with PCI DSS.
The reality is, however, that some of the biggest economic powers in the world have chosen the solution that they are backing — which is chip and PIN. As the U.S. becomes an increasing target of fraud and as U.S. cards are rejected abroad, the long, slow and painful process of converting the American payment system to chip and PIN will begin. The reliance on static account data stored on an easily counterfeited magnetic stripe card transaction is doomed to failure and the question really is not if, but when.