|

CHIP CARDS: ARE CONSUMERS READY?

By Dahli Gray, CMA, CPA, CGMA, CFE
May 1, 2015
7 comments
5gray_opener_web_v2

Huge data breach attacks against Target, Home Depot, and other companies filled the news in 2013 and 2014. Yes, companies need better data security, but we consumers also need better security for our own credit and debit cards. Are we ready to embrace that?

 

U.S. LAGS BEHIND

 

The United States is behind in adopting more secure card technology. Most developed countries use credit and debit cards that have an embedded computer chip, and people make purchases using embedded-chip card readers that also require the user to enter a personal identification number (PIN). And there are other secure systems vying for a share of the payment market (see “Competing Payment Systems”).

 

gray_SBsystems

 

In the U.S., retailers generally have still been using older, less secure magnetic-strip purchase cards. But in November 2014, Walmart and its subsidiary, Sam’s Club, became the first major American retailer to switch to the more secure embedded-chip cards and accompanying technology. Other retailers, such as Target, soon began installing embedded-chip card readers. Yet they hadn’t turned the technology on as of February 2015 (http://bit.ly/1yv6ZWm).

 

Because banks and other card issuers are liable for losses, retailers and card holders in the U.S. have had little motivation to switch to more secure purchase cards. But liability for data breach losses may be shifting from card issuers to retailers and other organizations that accept consumers’ cards. This may motivate organizations not only to install embedded-chip card readers but also to start using them. The next step would be to teach consumers how to make purchases with the new cards. Unlike magnetic-strip cards, they can’t just be swiped through a terminal. (See “How to Use the New Chip Credit/Debit Cards.”)

 

WHO IS LIABLE?

 

The Fair Credit Billing Act (FCBA) limits U.S. credit card owners’ liability for unauthorized use of a credit card to $50 (see http://1.usa.gov/1GKtBVs). Since neither sellers of goods and services nor credit card owners have been held liable in this area, banks are taking action, and they aren’t asking card holders first. When a card expires, the bank replaces it with a magnetic-strip card that also has an embedded chip, so the banks are clearly making the transition. Nevertheless, it’s still up to retailers and other organizations to install and implement embedded-chip card readers.

 

Again, retailers soon may become liable. In her January 4, 2015, article for Business Insurance, “Target’s data breach liabilities mount as credit card issuers’ suit proceeds,” Judy Greenwald explained that “a federal judge’s refusal to dismiss litigation brought by credit card issuers against Target Corp. in the wake of 2013’s massive data breach is significant and could influence other courts to hold retailers liable in similar cases.” (See http://bit.ly/1yv7aRo.) And in his June 9, 2014, article for CNBC.com, “Chip-enabled ‘smart’ credit cards coming to America,” Herb Weisbaum revealed that “Visa, MasterCard, American Express, and Discover want the U.S. converted to chip-based credit cards by October 2015. After that date, they say, fraud losses will shift to the retailer if they don’t have point-of-sale payment terminals that read smart cards.” (See http://cnb.cx/1FKyWqg.)

 

Apparently retailers are preparing for the shift in liability. In her June 6, 2014, article in The New York Times, “The shift to safer chip-and-PIN credit cards,” J.D. Biersdorfer predicted that “most merchants will probably have the new equipment in place by October 2015 when new rules about fraud liability kick in.” (See http://nyti.ms/1EG7g9O.)

 

But what will consumer reaction be to this pending liability change? I conducted a study to find out.

 

A REVEALING SURVEY

 

I administered an online survey in February 2015 (see “About the Respondents”). The 207 respondents included individuals who were at least 18 years old and resided in the U.S. Overall, respondents support the use of embedded-chip purchase cards with a PIN. More than three-quarters of respondents (78%) answered yes to the first question of the survey: “Is the move to credit and debit cards with embedded chips and PINs a good idea?” Only 11% said no.

gray_SB_participants

 

The second question asked respondents to assume that in October 2015 fraud liability shifts from the financial institutions that issue the cards to card-accepting organizations and card-using customers. Cards with only a magnetic strip contain personal information that’s easily stolen. Should we replace them with embedded-microchip cards that require the user to enter a PIN—making personal information tougher to steal? An overwhelming 75% of those responding said yes, and only 12% said no. But 14% said that embedding a microchip is enough and a PIN isn’t needed.

 

gray_SBsecurity

 

WHO IS RESPONSIBLE?

 

The third question asked, “Which group of professionals should have done a better job of preventing, identifying, and resolving the data breaches that occurred in organizations such as Target and Home Depot?” Respondents placed this responsibility mostly on information technology (IT) professionals: 71% felt that IT professionals (such as computer managers and programmers) should have done a better job. Only 22% blamed managers (like CEOs), and just 7% felt that accountants were responsible.

 

The fourth question asked if other professionals could have done a better job at identifying or resolving the breaches. More than two-thirds of respondents (68%) said that internal auditors (including forensic accountants) should have done a better job, while 22% named management accountants, and 10% pointed a finger at external auditors and CPAs (Certified Public Accountants).

 

DID CONSUMERS TAKE ACTION?

 

To recap, survey respondents realize there’s a problem and overwhelmingly believe that old magnetic-strip cards should be replaced with more secure embedded-microchip cards requiring PINs. But have they taken any action? My fifth question was “After the credit and debit card data breaches of 2013 (for example, Target) and 2014 (for example, Home Depot), did you replace your cards that had only a magnetic strip with embedded-chip cards?”

 

Surprisingly, only 17% said they had replaced the old cards with embedded-chip ones, and 52% said they hadn’t. It seems as though concerns about data breaches and identity theft didn’t motivate surveyed card holders to acquire more secure cards. Since consumers aren’t yet held responsible for any financial losses from these crimes, perhaps they aren’t concerned enough to take action. We need additional research to determine what would cause more consumers to choose higher-security cards.

 

Meanwhile, banks are litigating against retail organizations to shift the data breach loss liability from the banks (card issuers) to the retail organizations. I expect more retailers to follow Walmart’s lead and begin using embedded-chip card readers. Would retailers be able to share this liability with cardholders? Time will tell.

 

dzink_SBusecard

 

HOW CAN MANAGEMENT ACCOUNTANTS HELP?

 

No matter what happens with liability, management accountants have an opportunity to play a bigger role in preventing, identifying, and resolving future data breaches.

 

Although most consumers surveyed didn’t blame accountants for the wave of data breaches and identity theft, there are still good reasons for management accountants to become more involved. Their expertise can be valuable to IT professionals and senior management. For example, management accountants could provide a cost/benefit analysis for replacing old card readers with new embedded-chip card readers. That analysis also could estimate the potential revenue loss from declining customer confidence in the ability of retailers and organizations to protect customers’ identities.

 

In addition, management accountants can be helpful in planning for possible cyber-crime losses. Data breaches can be costly for many reasons. After Target’s 2013 data breach, the company had a decline in revenues because of a drop in customer confidence. But Target also spent money attempting to build back customer confidence. For example, it gave consumers free credit surveillance coverage that notified them when suspicious changes or transactions occurred in their credit/debit accounts.

 

To plan properly, companies must estimate such revenue losses or increased expenses and budget for them. That’s difficult to do. But management accountants, especially those who are a CMA® (Certified Management Accountant), have the professional expertise to do that and much more. Their roles and responsibilities include managing functions critical to business performance, supporting management and strategic development, providing accurate and insightful information for better decisions, and doing long-term planning. All those functions will be vital for companies seeking better data security.

 

It’s time for management accountants to step forward and take this opportunity to become recognized partners in the battle against credit and debit card fraud.

 

Dahli Gray, CMA, CPA, CGMA, CFE, DBA, is president of Dahli Gray Consulting in Cockeysville, Md., and a professor with the graduate school of Keiser University. She also is a member of IMA’s Baltimore Chapter. You can reach her at (443) 465-4559 or dgray@KeiserUniversity.edu.
7 + Show Comments

7 comments
    Gail Farrelly May 4, 2015 AT 12:32 pm

    Loved the article. This is such an important topic. Dahli Gray is a terrific writer. Brava!

    mjennings May 5, 2015 AT 2:57 pm

    insightful exploration of the topic. Great work

    Jeremy Freeman May 6, 2015 AT 1:54 pm

    Dr. Gray,
    interesting article on the chips that should be placed in these cards. i find it particularly interesting how the united states is lagging behind in this technology space. from past experience myself, i know that i have used the chip reader before at a local wal-mart in Tampa, Fl. Another aspect of the chip, coming from the military, they have chips in all the id cards that we use and i am surprised that major credit card companies cannot integrate that into their system. but as we all know these major financial institution never want to take on additional liability then they have to. I enjoyed this article highly and the survey results speak volumes to what the consumers are wanting.

    Patrice IRONS May 6, 2015 AT 9:30 pm

    I found this article very enlightening, it will be interesting to see how soon banks, retailers and consumers move in the direction of chip cards. Thank you for sharing Dr. Gray.

    Kimberly Konka May 8, 2015 AT 9:54 pm

    A timely topic that I enjoyed reading and I learned a lot. Let’s see more on this topic!

    sabrina Williams May 9, 2015 AT 1:59 pm

    Dr. Gray

    Great Article! Interesting tips on the new chips cards. Still nervous about using my new card, due to the breach several years ago with Target and others stores.

    Sabrina

    Rodrigo villamarin June 12, 2015 AT 3:09 pm

    Dr. Gray,
    I found the information provided in this article very useful to educate individuals about the different options There are available to protect the consumer’s personal information.
    Unfortunately, most retailers are still using the less secure option when it comes to customer’s information protection. However, if the liability responsibility is shifted from the banking industry to the retail industry i am convinced we will see an increase in the implementation of Embedded chip Card technology.

You may also like