Credit Card Firms Endanger Customer Privacy With Outdated Technology

By Wayne Rash  |  Posted 2013-12-27

You'd think that the solution to protecting your credit card information would be fairly easy. After all, EMV chip technology has been around for years, and most credit card issuers say it's available to customers. Outside the United States, this technology is widely used, to the point that it's frequently difficult to make a purchase without the chip embedded in your credit card. Had Target been using this technology, the massive data breach that affected 40 million credit and debit card accounts would never have happened.

Of course, there are two parts to this issue. One is for the store to allow the use of EMV-equipped cards, and the other is to get those cards into the hands of customers. The card readers for EMV-equipped cards are installed in Walmart stores I visited while I was preparing this story. A number of other merchants in the Washington, D.C., area that I visited had the proper card readers for handling EMV-equipped cards, but again, it was unclear whether they had the proper software in place to handle them.

By contrast, Walmart reportedly has implemented the acceptance of EMV-enabled cards in all its U.S. stores, where the retailer can accept both chip-and-signature and chip-and-PIN cards. Walmart point-of-sale (POS) terminals will prompt customers with a chip-equipped card to use the chip reader instead of the mag stripe reader. Clearly, if enough Walmart customers were using the right type of credit card, a major breach such as what happened at Target simply would not have happened.

Actually, getting a credit card with the embedded chip may be as easy as making a phone call, or it may be impossible, depending on who your credit card issuer is. If you're an American Express customer, for example, all it takes is a phone call to the company's customer service line, and you'll have a new card with an embedded chip in a day or two. When I called American Express, the agent offered to dispatch one overnight to my house.

A Capital One spokesperson told eWEEK in a Dec. 27 email: "We currently don't offer this technology." What's more, the spokesperson said that the bank has no plans to offer this more secure credit card in the future.

However, another Capital One spokesperson contacted eWEEK on Dec. 30 to say that this statement was incorrect. According to the new spokesperson, the bank does plan to offer EMV chips to its credit card customers within the next year.

This isn't for lack of interest on the part of Capital One customers. One customer service agent for the bank told me early in the day on Dec. 26 that he'd already had four calls prior to mine asking for the EMV chip on their credit cards.

I called other credit card issuers looking for EMV chips. USAA and FIA Card Services offered to send out MasterCard cards with embedded chips immediately. Bank of America said they would provide cards with chips to some of their Visa card customers, but not to all of them. I got the same answer from Chase, which offers chips on some Visa cards but not others. Some proprietary credit cards, such as the Sears MasterCard, also don't offer cards with EMV chips.

The bottom line is that credit card users can get the more secure EMV-equipped cards if they want them, but those customers have to know where to call because not all card issuers offer them. Adding to the confusion, some card issuers only offer the more secure card to some, but not all, of their customers. And, of course, some credit card issuers, including some major banks, don't offer them and do not plan to do so.

This places the entire issue of secure credit card transactions into a chicken-or-egg situation of sorts. For retailers to see a requirement to accept EMV-enabled credit cards, they need customers who demand them. For card issuers, there needs to be customer demand. For customers to demand such cards, they need to be able to see a benefit, and they need to see that the cards are available.

The real sticking point here appears to be the banks, some of which apparently don't want to offer the increased security of the EMV card to their customers because it would raise their costs slightly. Other credit card issuers will send out the more secure EMV card on request to some, but usually not all, of their customers. But in the United States, none of the banks are making the secure card their default.

The retail sector, having learned from credit card data breaches over the years, is rapidly coming on board to provide a way to protect their customers. If the reaction of Target customers is any indication, they are on board with greater security, if only they knew how to get it and where they could use those cards.

The banks, by contrast, are largely dragging their corporate feet. The only way to change this is for customers to demand change and for major retailers, including Walmart, to start pushing. Maybe the Target breach is enough to help that push, but if my communications with Capital One are any indication, not every bank is feeling the need.

Editor's Note: This article was updated with additional information about Capital One's plans to implement EMV chips in its credit cards.
