Target and Chip-and-PIN
On Friday, my wife and I canceled two debit cards and two credit cards, all four linked to two accounts which may have been compromised thanks to a point-of-sale hack that took place at all Target stores since Black Friday. Chances were that at least two – possibly three – of the cards had been swiped during the relevant time period, and especially with respect to the debit cards, I wasn’t willing to sacrifice my checking account to some thief, regardless of so-called “consumer protections” and anti-fraud measures that may exist. The hassle of reversing fraudulent charges – especially from a debit card – is exponentially higher than the hassle of canceling the cards and waiting for new ones.
But it’s all a hassle, nonetheless.
One debit card will be mailed in 1 – 2 weeks. The other one was issued on-the-spot at a branch in Clarence, but has yet to be activated because it takes at least 1 – 2 business days to hit the system. The credit cards will be here in a week or so.
Small #firstworldproblem aside, it was a fun adventure trying to pay for some last-minute Christmas gifts with a personal check. At Swarovski, it was a half-hour long process, and although we had explained why we had no debit card, the flummoxed clerks insisted on pleading with us to maybe use a credit card, or perhaps a debit card for our transaction. Or would we like to perhaps use our non-existent debit card to withdraw cash from the ATM just there? Our check was rejected at Ann Taylor. I called the bank, and they said it wasn’t they who declared the check suspect, and confirmed an ample available balance to cover $140. Old Navy simply doesn’t take checks. But they’d be happy to open up a charge account for us! JC Penney was surprisingly swift. Premier Liquor on Maple takes no checks without going through a pre-approval process. We paid cash at other places.
It was, all in all, an eye-opening experience. Until I didn’t have one handy, I hadn’t realized how reliant I had become on my Master Card branded debit card.
In the United States, merchant points-of-sale and ATMs rely almost exclusively on the magnetic strips that we’ve been using since the 1970s. Not so in other countries, including our neighbor, Canada. Many countries now rely on what’s called a chip-and-pin system, which uses an added level of encyption and is safer than a magnetic strip (although nothing is foolproof). It’s known in the industry as “EMV“.
It is exceedingly easy for a resourceful and motivated thief to buy and install a cloning system, whereby a swipe of your card records every single detail contained on that card – including the security code – and produce clones of the card using any piece of plastic with a magnetic strip, including a hotel room key. The chips on chip-and-pin cards is much more expensive and difficult to duplicate.
The Wall Street Journal reports EMV is expected to become the standard in the US in 2015, but what’s the holdup? This is not a new technology, and most of the stores that you and I frequent already have chip-and-pin capabilities (it’s the slot in the front of the reader at Wegmans).
When we traveled to the UK in 2005, chip-and-pin was already in almost exclusive use, and when we dined in some restaurants, they would bring the credit card terminal to you at your table for payment – your card never left your possession and could not be swiped through a cloning device. This system is now commonplace in Canada. I haven’t had it happen even once in the United States. Ever.
In the US, implementation will take place between 2015 and 2017 through a “liability shift” – if a merchant has not yet switched his POS system to accept EMV by a given date, he will be liable for fraudulent charges on the legacy swipe system.
This Target fiasco, involving 40 million possible cards, has inconvenienced me to a certain degree, and in at least one instance made a potential sale not happen. It doesn’t mean I won’t go to Target anymore, or that EMV is a 100% secure alternative, but if there is a marginally more secure alternative available, we should implement it as soon as possible.