A new survey conducted for NRF shows small retailers have nearly caught up with large merchants in making the switch to chip-and-signature credit cards — even though virtually half say the cards would be more secure if easy-to-forge signatures were replaced with a secret personal identification number.
The survey found that 60 percent of small bricks-and-mortar retailers had installed chip card readers by this spring and another 10 percent expected to have done so by July, bringing the total so far to 70 percent. The number is expected to reach 81 percent by the end of the year. (Online retailers aren’t affected because the chip doesn’t work unless the card is physically present.)
That compares with 86 percent of mid-size and large retailers surveyed last year who said they would have chip readers in place by the end of 2016, with 99 percent planning to do so by the end of this year.
With each chip reader averaging $2,000 when installation and other costs are factored in, small retailers have generally lagged behind larger retail companies with deeper pockets in the changeover from traditional magnetic stripe cards.
Small retailers have made the switch despite concerns the new cards don’t provide all the security they are capable of: Of the 750 surveyed for NRF by research firm GfK, 49 percent said their businesses would be more secure if credit cards required a PIN, which is standard in most parts of the world where chip cards are used. Only 16 percent disagreed, with the remainder neutral.
Nonetheless, 63 percent said their businesses could not afford to risk increased liability for fraudulent transactions, which retailers have faced since a change in card industry rules took effect in October 2015. In the past, banks paid fraud costs when a card turned out to be counterfeit; the cost has now been shifted to retailers if the card has a chip but the retailer doesn’t have a chip reader.
Not all affected small retailers are making the move: The survey found 19 percent have no plans to adopt chip cards, with 55 percent of them saying it is because their businesses are not at high risk for credit card fraud.
The survey results are not surprising. NRF has said for years that chip-and-signature cards are far less secure than chip-and-PIN. The chip makes it more difficult to create a counterfeit card, but counterfeits are still possible and the chip does nothing to prevent lost or stolen cards from being used. As we’ve often said, a chip without a PIN is like locking the front door but leaving the back door wide open. A PIN alone could stop most credit card fraud without the need for a chip — or the expensive new equipment needed to read a chip.
Virtually all U.S. banks have refused to include PINs on their credit cards, choosing to keep transactions on lucrative signature processing networks run by Visa and Mastercard rather than open them up to the dozen or more competing networks that can process PIN transactions.
Beyond the PIN issue, chip cards do nothing to keep card data from being stolen from computer systems. The chip transmits an encrypted code that confirms that the card is not counterfeit, but the actual account number and other card data are still transmitted in the clear.
Despite those shortcomings, the change in fraud liability rules effectively coerces many retailers into adopting chip cards: A coffee shop can afford to lose the cost of a doughnut if a customer uses a counterfeit card, but a jeweler selling rings that cost thousands of dollars can’t take the chance.
Overall, U.S. businesses are being forced to spend $30 billion to switch to chip cards that fall far short of the advances in security that are needed. That’s money that could be better spent on encryption, tokenization and other technologies that actually keep card data from being stolen in the first place. If the card data can be made secure, the physical cards become much less of an issue.
Retailers have been demanding truly secure credit cards for years. It’s time for banks to deliver. read moreBy Mallory Duncan