High Tech Credit Cards and Fraud

Smartcard2 - Channel R The New York Times ran an article over the weekend about how even though “smart” credit cards are more advanced, there is almost no reason to expect them to be adopted here in the USA. That is an interesting story, which I will get to in a moment, but the article revealed an astonishing statistic that is worth the distraction.

Fraud losses for the credit card companies are currently running at just six cents per $100 charged. That is 0.06%. Put that into the context of the average fee paid by the merchant to the card company, around 1.8%. Or the 1% to 2% that we all expect to get back from our cards in the form of rewards.

0.06%, or as we finance types would call it, 6 basis points, is a very small number. In the context of a retail store it is the moral equivalent of zero. For most merchants it is an order of magnitude smaller than “shrinkage” i.e. theft of inventory.

I always assumed that the losses due to fraud were small. Visa and MasterCard have made it clear with their actions that they are not much concerned with it. Despite the buzz around ID theft, the card companies have been quietly reducing security to make card use easier and cheaper. In most places the customer now swipes it himself, meaning that the clerk no longer even sees the card. And merchants are no longer required to get signatures for smaller transactions.

The card companies also reduced the customer’s liability in cases of fraud and theft down to zero.

Obvious and relatively cheap, if not free, anti-fraud measures have not been implemented by the card companies. They could have required photos of cardholders on the cards, as a few banks once did. (Do any of them still do?) Or they could have required a PIN to use the card, which is, let’s face it, much more reliable than a signature. Or they could have simply allowed merchants to require customers to show ID.

Card companies have done none of these things and are unlikely ever to do them. Why would they? At 0.06%, the potential reward for any anti-fraud measure is tiny and unlikely to justify the cost. Indeed, I am wondering why they bother to do what little they do now. Why ever require a signature? I can charge thousands of dollars at Amazon without a signature. Why not Home Depot too? I am betting this will happen sooner or later. Probably sooner.

Europeans do not sign when they use a credit card. They punch in a PIN. Which brings me back to the topic of so-called smart cards. In Europe, credit cards have fancy looking chip in them which allows a portable device to validate a PIN on the spot, without accessing a central database.

That seems more advanced and even the Times article refers to the USA as being “far behind” Europe in this respect. But the only practical advantage of a chip is that it is harder for a criminal to forge one than it is for him to make his own magnetic strip. That is not much of a benefit, and it could not possibly justify the cost of upgrading the 13 million magnetic stripe readers in America.

Indeed, the Times leaves me wondering why smart cards were ever implemented in Europe. The story about high telecommunications costs in Europe in the 1980s, thus necessitating PIN validation on the spot, sounds plausible and clever, but it does not really work. There is plenty of space on a magnetic stripe to include an encoded PIN.

More likely, a confluence of two things inspired the adoption of what now looks like a pointless complication. First, I imagine that European card issuers saw putting chips in cards as a first step to something bigger. Once millions of chip readers were installed, future generations of even smarter cards would be able to do really great things. Those things never materialized.

The other reason is the more obvious one. Chips in cards are cool, and were particularly so in the 1980s. I think there was momentum behind smart cards in Europe because it seemed high-tech. And if it was something the Americans had not adopted yet, so much the better. As an executive with Target said when they introduced (an ill-fated) smart card in 2001, “What is most important to us is to keep our brand hip and hot and innovative.”

[Photo – Channel R]


  • By Neil, October 19, 2010 @ 1:49 pm

    Quick question about the source of the .06% stat: is this how much money the transaction network loses to fraud, or the amount of total credit card fraud?

    Knowing the the network has mitigated their liability substantially (passing off most fraud costs to retailers and banks, plus the unreported fraud by the many people who don’t verify their statements), the former number is basically meaningless, and it’s lowness might be more an example of the network’s monopoly power to impose bad contracts on their customers (the banks and retailers) rather than saying anything about the incidence of fraud.

    My primary appreciation of smart-cards, though, which have finally been adopted in Canada: now I can use them in automated machines in Europe. (Even after PIN adoption, manned machines still had swipe capability, but not most train and subway vending machines, parking lots, and anything else automated) Given my penchant to spend my vacations in Europe, this was a big thing for me.

  • By tm, October 19, 2010 @ 2:38 pm

    In that article we’re basically told that chip and PIN is more secure than our old fashioned magnetic stripes. By an industry spokesman. Very balanced reporting.

    It may come as a shock to all of us, especially NY Times journalists, that in the view of actual security people, these smart cards (e.g. “chip and PIN”) are not actually any more secure than ye olde magnetic stripe cards:

    So, if I were a bank, I would be in no hurry to force merchants to adopt something that provides me no benefit for a problem I could care less about. (But then again, why do banks make merchants go through PCI, which is frankly more onerous than replacing POS terminals and provides about as much benefit as smart cards?)

  • By Kosmo @ The Soap Boxers, October 19, 2010 @ 2:47 pm

    It’s in the best interests of the credit card issuers to keep that rate at .06%. Be too lax on security, and that number could multiply.

    We use our cards a lot (paying off every month and getting cash back), and have never had a fraudulent charge make it to out bill. We’ve been contacted twice by issuers about fraudulents charges. HSBC just started denying charges one day on our typical (i.e. NOT unusual activity) trip to the local mall. Not actually fraudulent activity … Chase did actually catch some attempted fraud (something on another continent – I forget the specifics, but it was about $1000)

  • By Frankie, October 19, 2010 @ 3:50 pm

    There is plenty of space on a magnetic stripe to include an encoded PIN.

    That would never work.

    With a strip, the terminal would have to read the PIN, then compare it to the PIN that was entered by the customer. It would be very easy to crack that code.

    With a chip – the terminal sends the chip the PIN and the chip confirms that the number is correct. The chip never has to transmit the valid PIN – it just confirms that the code it received is correct.

  • By Hibryd, October 19, 2010 @ 6:41 pm

    Woah woah woah, “Fraud losses for the credit card companies” and “Fraud losses for the merchants” are two entirely different things. Merchants are out the money and the merchandise, credit card companies are only out their lost transaction fees.

    Large merchants have stopped collecting signatures on small purchases just because 1) it’s time consuming, and 2) small purchases are unlikely to be disputed. I mean, if you steal someone’s credit card, are you going to waltz over to Starbucks for a latte, or are you going to buy a few thousand dollars of electronics online before the card is shut down? I believe Target is no longer collecting signatures on small-to-medium purchases made with “trusted” cards, meaning cards that have been swiped there before without incident.

  • By Hibryd, October 19, 2010 @ 6:50 pm

    By the way, I’ve both had my credit card information stolen AND been at the receiving end of a lot of obvious fraud at two companies I worked for.

    When I was at the receiving end, my employers didn’t lose too much money due to fraud just because most of the fraudulent purchases were so damn DUMB. Let see, they want 50 of our most expensive item and didn’t specify a size or color? Well, let’s ship that order out right now, then!

    By contrast, the people who stole and/or used my credit card information were much more clever. They even got it shipped to the same general area where my billing address was located. Too bad I couldn’t prosecute, the merchant couldn’t prosecute, and the credit card company didn’t care, so whoever stole my info got away with it.

    (By the way, calling up the issuing bank to let them know a customer’s card has been stolen? Total pain in the ass. 5-15 minutes waiting on hold, first with Visa/MasterCard and then with the issuing bank. They should just have a 1-800 number where merchants can report suspicious activity and then Visa or Mastercard does the actual follow-up.)

  • By Patrick, October 19, 2010 @ 10:46 pm

    No need to go to Europe: “chip” cards are quickly becoming ubiquitous in Canada.

    Oh, and the chip doesn’t just store your PIN. A very small amount of digging on Wikipedia goes a long way.

  • By Nick, October 20, 2010 @ 9:10 am

    When I was a pimply-faced teenager working a cash register I always thought that the folks coming through with their photos on their credit cards were pimpin’ it hard. I thought that was pretty high-roller stuff.

  • By Chad, October 20, 2010 @ 3:19 pm

    Just a thought, but another reason banks may be less inclined to take any action to decrease the amount of fraud could be that they are making tons of profit from credit monitoring programs that are sold based on the public fear factor regarding fraud. Decrease the fraud . . . decrease the fear . . . decrease the credit monitoring service profits. If your numbers are correct, I would say the banks are making out like bandits in the end once you offset any losses due to fraud with the profit from the monitoring programs. No wonder I get calls at least every other month from a certain bank trying to get me to buy into their monitoring program!

  • By Matt, October 21, 2010 @ 3:17 pm

    I usually agree with most of what you say, but I am having issues with this post. I bet it is mainly because of my current circumstance.

    I found out today I had my credit card information stolen. I am on vacation with my wife and I am relying on the card to get me through the vacation. Yes, I have a debit card with plenty of cash linked to it and I am able to use that, but I wanted to mainly use the credit card because I would be guaranteed against theft.

    Your low basis point is a decent measure based off of direct costs to the credit card company, but you are not discussing the cost to the consumer. My card information was stolen and the card closing has caused an impact much greater than 0.06% to me. It has seriously impacted my trip and my plans.

    Some of the measures you mentioned, such as checking for an ID, could have potentially stopped the thieves from stealing my information in the first place. The calculation does not include the direct impact I face.

  • By tm, October 22, 2010 @ 12:39 pm

    There is plenty of space on a magnetic stripe to include an encoded PIN.
    Security-wise this is basically the equivalent of hiding the front door key under the doormat. If you actually encrypt the PIN with something good, then how do you decrypt it so you can actually use the card?

    Some of the measures you mentioned, such as checking for an ID, could have potentially stopped the thieves from stealing my information in the first place.
    Those measures would not have stopped them from stealing your card information in the first place. There many ways your credit card could fall into their hands:
    * They could just steal it or copy down the info with the card in hand
    * Skimming the card (that is, using a fake card reader that’s installed on top of the real one, e.g.: http://krebsonsecurity.com/all-about-skimmers/ )
    * Hacking your browser
    * Hacking a merchant

    An ID check would make it slightly more difficult to use a forged card at a physical point of sale, but you’re asking a retail clerk to do a security job. It’s like asking the TSA to protect aviation. Also, that doesn’t stop someone at an online merchant, as long as they have the other relevant information (e.g. billing address, telephone #).

    …I wanted to mainly use the credit card because I would be guaranteed against theft.
    The “guarantee” means you’re not liable for fraudulent charges. It doesn’t mean that the process for reporting fraud is going to be good or that you won’t be inconvenienced. To put it another way, you have auto insurance to pay for losses in the event of theft, but you’re still going to be pretty damn inconvenienced if your car gets stolen.

  • By Corey, October 23, 2010 @ 12:39 am

    The New York Times ran another article today, Credit Cards Soon to Get a Makeover:

  • By coach shoe outlet, December 4, 2010 @ 3:36 am

    Sounding Out thanks is simply my little way of saying bravo for a fantastic resource. Take On my sweetest wishes for your incoming post.

  • By creditcards, November 10, 2011 @ 8:11 pm

    Hi, just wanted to mention, I liked this post. It was practical. Keep on posting!

  • By www.littlebarry.com, April 23, 2013 @ 2:27 am

    People sometimes tend to think, “if only I were a celebrity, everything would be better”.
    Women who are planning the wedding of their dreams can find plenty of fantastic information in Bride’s magazine.
    Every now and then, new stars emerge and disappear in the blink of an eye and every smallest detail about the same becomes important celebrity news.

Other Links to this Post

RSS feed for comments on this post. TrackBack URI

Leave a comment

WordPress Themes