Credit Card Security Is a Farce


By Samuel Greengard

Imagine posting the combination to your safe on the actual safe. Now imagine placing the safe on the sidewalk in front of your house or business so that everyone who passes by has access to it. It doesn't take the brightest light bulb in the factory to figure out that the contents would likely vanish within a few hours.

Congratulations, you would have engineered the same system U.S. credit card companies have in place. According to a 2010 survey conducted by LexisNexis, retail merchants lose about $100 billion a year to fraud, and banks hemorrhage somewhere between $5 billion and $11 billion. And about half of all global fraud occurs in the United States.

While banks in Europe and many other regions have deployed chip cards—a.k.a. "smart cards" that encrypt data and generate unique codes that are used on a one-time basis—the U.S. is shackled with mag-stripe cards that provide virtually no protection. In fact, some merchants in other parts of the world won't accept U.S. credit cards, and China will ban them starting in 2015.

European banks also require PIN codes for certain types of credit card transactions.

The use of more secure systems reduces fraud by approximately 50 percent. A 2011 Consumer Reports article notes that counterfeiting plummeted by 78 percent after smart cards were introduced in France. That was 1992, by the way.

In other words, Visa, MasterCard and other credit card providers offer the technology to squash most fraud. But, apparently, banks and merchants aren't willing to upgrade their infrastructure to accept this technology.

Recently, someone tried to use my card number. Fortunately, the thief didn't have the security code or the expiration date. Plus, I had notified the bank that I would be out of the country at that time.

But try dealing with the problem when you're in Russia and your card is frozen. A long-distance call later, a representative in the fraud prevention department strongly suggested I replace the card because of the "high risk" of fraud.

I refused. After all, what's to prevent someone from obtaining the new number—and possibly the security code and expiration date—an hour or a month later? Why should I be forced to update a slew of auto pay and Web accounts when an actual breach hasn't occurred—and when the bank has liability and has done almost nothing to protect my card?

While the rest of the world races ahead with more robust security, the U.S. is stuck in neutral. This is exactly what happens when businesses focus on the lowest-cost approach and take a short-term view toward security and IT. In the end, things become more complicated and expensive for everyone.