Card users are clamoring for tighter security as concerns about breaches continue to hit the headlines. On Saturday, California’s motor vehicles department said it has been alerted by law enforcement to a potential security issue with its credit card processing.
Chip-embedded cards have cut fraud in Europe and Canada, and they are on their way in the U.S. But will peace of mind come at a price?
In Canada, where the chip technology called EMV is common, one bank has taken a hard line with a customer who claimed fraud on a PIN-protected chip-card transaction. Jason Monaco’s fight over a fraudulent charge shows how tighter security can put more financial responsibility on the consumer.
In a lawsuit reported by CBC News, the Toronto-area investment manager is fighting a charge of $81,000 (Canadian) that he says he did not make. At the exchange rate of 89 Canadian cents per $1, that’s about $72,000 U.S.
At first, card issuer CIBC credited his account for the amount, which somebody spent on a custom-built race car in 2010. As in the U.S., credit card networks have a policy of zero liability for consumers hit by fraud. But then CIBC reversed course and held Monaco responsible. Reason: the charge was a PIN-authorized purchase.
“It is not possible to process a chip-and-PIN transaction without the Visa card and the confidential PIN,” CIBC argued in its court filing. The card agreement that Monaco signed contains a long list of warnings to protect the PIN and never share it with others. Therefore, the bank argued, since the PIN was used, Monaco was on the hook. The card’s zero-liability policy applies only if the customer has complied with the agreement.
However, security experts quoted by CBC News disagreed with the bank’s assertion that a chip-and-PIN transaction is fraud-proof. Hackers, they said, have found ways to fool transaction networks into thinking that a valid PIN was punched into a merchant’s card terminal.
In the U.S., chip cards are expected to become the norm within a few years. In 2015, card networks say they will hold merchants responsible for fraud if they don’t support EMV transactions. As in other parts of the world, the cards can work with signature verification if a PIN system is unavailable.
Will new standards for merchants come with tougher rules for card users as well? The bank industry’s largest group says no, but it will take time to see how card issuers implement the new technology.
“The customer is not going to be held liable,” said Doug Johnson, vice president of risk management policy at the American Bankers Association. “It’s a recognition of the facts of life in our country.”
When EMV technology came to Canada and the United Kingdom, liability rules changed, Johnson explained. As in the U.S., merchants who did not invest in chip card readers were made to bear more of the cost of fraud. Separately, consumers were given greater responsibility. “There became a presumption that if the PIN was used, the customer was liable in some way for allowing the PIN to be used,” Johnson said.
However, he said, the situation is different in the U.S. “I think there’s a recognition that customers in our country support existing regulations to make the customer whole for fraud.”
Visa said there is not a separate liability standard for consumers using EMV cards. “From a U.S. point of view, w don’t have any plans to change the zero-liability policy,” Vice President of Risk Products and Business Intelligence Stephanie Ericksen said.
In a joint statement March 7, Visa and MasterCard announced the creation of a cross-industry group to help banks and retailers adopt EMV technology in the U.S. The technology makes it “nearly impossible for criminals to use the card for counterfeit fraud,” the statement said. The card networks’ EMV plan makes it optional to invest in PIN-authorized transaction systems, which provide a greater level of security than signature authorization.
Ericksen said that, while a PIN provides another layer of security — chiefly in cases where the card is lost or stolen — Visa recognizes that chip-and-PIN transactions can still be vulnerable. “It’s not foolproof,” she said. Fraudsters can obtain PINs via stolen mail or “shoulder surfing” at a transaction terminal.
The dispute between Monaco and CIBC is a special case, said Maura Drew-Lytle, director of media relations and communications at the Canadian Bankers Association. Yes, card users should choose PINs that criminals can’t guess and keep them secret. “But as long as you’ve taken reasonable steps, if a charge is unauthorized, it will be covered,” she said.
Clearly, Monaco’s transaction is not run-of-the-mill. Even with an exclusive, high-limit CIBC Aerogold Visa Infinite account, it’s not every day that you charge a race car. And this wasn’t the first time Monaco had trouble with fraud. He reported several unauthorized transactions in 2003 and 2005, he said in court papers. One of the merchants involved in the earlier transactions was linked to the 2010 fraud.
What about the stern language in CIBC’s card agreement that puts responsibility for PIN transactions on the cardholder? Canadian banks do include such terms in their contracts frequently, as a legal backstop, Drew-Lytle said. However, when a customer cries foul, banks’ actions are not as stringent as the terms sound, she added.
A review of more than 1,600 card agreements from U.S. issuers — warehoused by the U.S. Consumer Financial Protection Bureau — did not turn up language that blames cardholders for bogus PIN transactions. But none of the agreements addressed chip cards and EMV technology specifically. The contracts do say to carefully protect PINs used for withdrawing cash advances.
At Pentagon Federal Credit Union, an early adopter of chip cards in the U.S., the card management team is awaiting the new liability rules from Visa that will take effect in 2015, a spokeswoman said in an emailed response to questions.
State Employees Credit Union in Raleigh, N.C. is rolling out chip technology for its 300,000 credit cards, and an official said that the new technology could be undercut if card users are lax about PIN security.
“Consumers definitely need to be careful with their PINS,” said Leanne Phelps, senior vice president of card services. But the question of whether cardholders should be held to a higher standard has not yet been addressed. “It’s an interesting dilemma,” she said.
For consumers eagerly awaiting a new, high-security chip card to arrive, one thing is sure. If a new contract arrives with the card, you should read it carefully.