If you’ve had the pleasure of traveling abroad during the last 15 years, maybe more, you’ve also most likely experienced the decidedly unpleasurable situation of your credit or debit cards “not working” or not being accepted unless you did some pre-emptive setup work with your bank. Yes, that’s when you insert your card into, say, an automated bus or train ticket vending machine and it either doesn’t work at all—or, you get through some of the purchasing process and are then prompted to enter your “PIN,” or personal identification number. Even worse, when you attempt to obtain cash at the ATM in your foreign destination, no PIN equals no cash.
Why your card doesn’t work
The explanation you’ll hear for this scenario is something vague like “American cards don’t use the same technology” as is used in other countries. Having other things on our minds, we usually just accept that answer and move on. But have you ever wondered what in the world is actually happening? In a nutshell, the answer is that the U.S. electronic payments industry has been dragging its heels with respect to implementing more-secure payment technology—technology that has been available for over two decades, beginning in 1994.
Those “chips” on your card and what they do
This technology is commonly called “chip-and-PIN” and is more formally known as “EMV” after the initials of its original developers, Europay, Mastercard, and Visa. The chip is the tiny silver or gold square that’s typically visible on the front of the card.
EMV transactions are more secure than the earlier magnetic-swipe transactions because for each transaction, unique data specific to the individual transaction is created that cannot be reused in a subsequent purchase. There’s also a complex series of interactions — more intricate than were required for magnetic stripe cards — that must be completed between the chip and the card reader before the transaction goes through. With the old-style magnetic stripes, it was relatively easy for thieves, once having your stolen physical credit/debit card in hand, to make a counterfeit clone of your card; the sophisticated equipment now required to replicate the chip makes this no longer viable for most criminals.
The EMV protocol is also used in what’s known as “contactless” payments, in which, due to a tiny NFC (near-field communication) antenna built into another chip on the card, you can essentially “wave” your card at a receiving POS (point-of-sale) device: no stick-your-card-in-the-slot is required. And NFC is also a feature in devices such as many smartphones and smartwatches, with the IoT (internet of things) industry promising more.
The holdup we’re facing
You’d think that with the huge volume of U.S. card transactions, and the large losses due to fraud — over $24.71 billion in 2016, according to the trade publication Nilson Report — the U.S. digital payments industry would want to rush to make things more secure. But life isn’t so simple, especially compared with the situation in some other countries.
First, the U.S. ecosystem of card (or any electronic) payments is much larger than in any other country, simply because of the large U.S. population and decentralized banking system. For instance, there are slightly over 11,500 financial institutions in the U.S., according to a 2017 report. And that’s substantially down from prior years; roughly 16,000 existed in 2006, and even more before.
But compare that with Canada, which has a comparatively miniscule 85 banks and a little over 300 credit unions. Or Australia, with a total of 136 card issuers. Then there are the sheer number of U.S. “merchants,” or retailers, of whom there were an estimated 3.8 million in 2018. The cooperation of all of these organizations—and of additional entities such as card-processors—is required to implement any new or changed system.
Then, there’s the difference in liability laws in the case of fraudulent payments, which in some other countries puts a greater burden on the card issuer than in the U.S. So in other countries, financial institutions have had more incentive to implement better card security.
Finally, there’s the cost of change. The cost of replacing each card is estimated to be between $2 and $4. By the third quarter of 2017, an estimated 855 million new, chip-enabled cards had been sent to customers—so, you do the math. Replacing the old POS terminals with chip-compliant systems across the U.S. is estimated to be costing retailers $6.75 billion. And, implementing PINs is another step that is estimated to cost another $7 billion, according to Visa, with this split about 60-40 between card issuers and merchants.
Change, but at a snail’s pace
After seeing little momentum when transitioning to EMV, in 2015 the major card networks announced (what to merchants would be) a drastic change in policy. After Oct. 1 of that year, the liability for card fraud would shift to the entity that was “responsible” for the lack of chip technology being used in the transaction. In practical terms, this was a way to force retailers to upgrade to new POS readers, because if a retailer didn’t have the proper equipment, the retailer would be liable for the loss due to fraud, instead of the card issuer.
Three years later, after some fits and starts, the change appears to be working. Visa reports an admirable 76% reduction in card fraud in March 2018 as compared with September 2015, before the new liability rules came into effect.
And, just as with EMV in cards that you insert, contactless transactions are taking much longer to ramp up in the United States than almost anywhere else, and for the same reasons: complexity of infrastructure and cost.
That missing something
There’s also a big “gotcha”: In the U.S., the EMV technology is, in almost all cases, missing the PIN part of the security solution due to the additional estimated $7 billion implementation cost. Visa cites a report from industry consultant Aite group to support this stance, which concludes that due to “…significant expense and implementation challenge for the payment ecosystem, it is difficult to justify a mandate to implement PIN as a credit card verification method.”
So there you have it. Because of the enormous size of the U.S. financial industry, resulting complexity, and plain old bickering among the relevant parties (mostly about the bottom line, what else?), your transactions are more secure in…well, where would you like to go? Name your foreign destination: in Europe, Canada, and places as far-flung as the Australian outback, your purchases are likely to be more resistant to fraud than they will be down the street from you in the good ole U.S.of A.