Credit card security: Separating myths from facts

With the recent theft of millions of consumers’ credit card numbers drawing headlines, the facts are frequently being carelessly mingled with misunderstandings, misleading statements and a certain amount of fiction. NRF would like to set the record straight. Here are some key myths and facts.

Myth: Retailers aren’t working to protect card data.

Fact: Maintaining the trust and respect of customers is retailers’ highest priority, and they have a vested interest in protecting consumers’ financial information – customers won’t shop in a store they don’t trust. Retailers have spent billions of dollars to protect card data using sophisticated computer systems with the latest in encryption, firewalls and other high-tech security measures. Retailers recognize that cyber theft can only be stopped with a united, multi-industry effort – banks, card networks and payment processors all have a role to play – and want to be part of that solution.

Myth: Most cyber attacks and data thefts occur at retailers.

Fact: Data breaches at retailers account for 24 percent of incidents, while 37 percent happen at financial institutions, according to the most recent report from Verizon. And that’s true even though there are many more retailers than financial institutions. Other businesses ranging from manufacturing to transportation have also been hit. And government agencies as varied as the U.S. Army and the IRS see more than 60 data breaches per day.

Myth: Retailers don’t want to switch to PIN and Chip cards.

Fact: Retailers have been calling for PIN and Chip for years. Retailers want to move to modern cards that replace signatures with a secret personal identification number and that encrypt card data on an embedded computer micro-chip instead of storing it on a magnetic stripe. Cards like these are widely used in Europe and about 80 countries around the world, and a U.K. study found they have reduced fraud by 70 percent. A number of retailers have already installed the card readers and other equipment necessary for these new cards. But banks have been slow to issue them in the United States, instead proposing cards that would have a chip but still use a fraud-prone, easy-to-forge signature rather than a secure PIN to authenticate the transaction. That’s no match for 21st Century criminals.

Myth: Retailers don’t want to pay for the costs of PIN and Chip.

Fact: Retailers are willing to pay a fair share of the cost of conversion. But they want a system that will actually reduce fraud and protect everyone – consumers, retailers and banks alike. They don’t want to spend billions of dollars on a chip and signature system like that proposed by the banks that only addresses part of the problem when better systems are available. And since credit cards are a product that belongs to the banks, banks should share in the cost of equipment and software needed to accommodate their product.

Myth: PIN and Chip is the only thing retailers are doing to improve security.

Fact: Retailers don’t see even the best forms of PIN and Chip as a complete solution. Retailers are taking a “defense in depth” approach and are exploring additional security layers such as point-to-point encryption of data along with emerging technology such as mobile payments made using smartphones. Retailers have also sought to reduce the amount of data that card companies require them to retain: NRF asked in 2007 that retailers be allowed to keep only an approval code for each transaction, with banks retaining all card data that could be used to commit fraud. The card industry has yet to make the change.

Myth: Retailers don’t notify customers fast enough when card information is stolen.

Fact: A total of 46 states and the District of Columbia legally require retailers to notify customers of data breaches. But retailers work closely with law enforcement when customer data is stolen, and authorities often ask that they temporarily delay disclosure in order to avoid tipping off criminals that the incident has been detected and is under investigation.

Myth: Visa and MasterCard’s “EMV” cards would make data secure.

Fact: EMV – short for “Europay, MasterCard and Visa” – is only one brand of card system that uses a chip. And while the version used in Europe provides both a PIN and chip, the version currently proposed for the United States would not require a PIN, still allowing an easy-to-forge signature to be used. Retailers believe a PIN is essential to protecting card data.