What Home Depot's Chip-and-Pin Lawsuit Means to You

Consumer Reports

Mon, Jul 25, 2016, 11:16 AM

The news last week that Home Depot is suing MasterCard and Visa for allegedly forcing consumers to use unsecure credit cards raises the question: Wasn’t the whole point of the new chip-embedded cards to make payments safer? Given the delays the chip scanners are causing at checkout counters, you’d certainly hope so.

The answer is yes, the new cards were supposed to improve security. However, the Home Depot suit and a similar one recently filed by Walmart against Visa claim that the system was executed poorly, leaving credit card transactions vulnerable to fraud.

Here's what you need to know.

Why Home Depot is suing

Home Depot’s lawsuit, filed Monday in the United States District Court for the Northern District of Georgia, points out that consumers who use Visa and MasterCard cards at a register are asked to verify their identity by signing their name, instead of typing in a personal identification number (PIN). Signatures can easily be forged, the new lawsuit says, and cashiers aren’t trained to decipher the messy scrawls that most shoppers employ.

“Visa and MasterCard have pushed consumers to use payment card technology that Visa and MasterCard know is defective and subject to fraud and have colluded with each other and with the banks that issue debit and credit cards to do so,” it reads.

As a result, Home Depot is charged higher fees by the card issuers, the suit claims.

“The Interchange Fee on signature transactions is markedly higher than the fee on PIN transactions,” Home Depot’s complaint alleges. “According to data from the Federal Reserve Board, as of 2009, the average Interchange Fee for signature debit was 56 cents per transaction (or 1.53%) while the average fee for PIN debit was just 23 cents (0.56%).”

A Visa spokesperson told Consumer Reports, “We are aware of the lawsuit,” but did not comment further.

MasterCard is “still reviewing the claims,” communications vice president Seth Eisen said in a written statement. “MasterCard leaves the decision on how to verify the cardholder identity – PIN or signature – up to the merchant and the issuer.”

Home Depot argues that retailers don't truly have the option to choose the PIN method because the banks that issue the cards are not willing to move to that system, and that Visa and Mastercard have adopted rules that strongly favor chip-and-signature cards.

How a PIN improves security

To understand the controversy, you need a quick tour through the technology involved. Let’s start with the tiny chip you should have on the front of most or all of your credit cards by now. That EMV (short for “Europay, MasterCard and Visa,” the three firms behind this standard) carries on an encrypted conversation with the slot in an EMV card reader. In contrast, when you swipe the magnetic stripe on a card, the data exchange is unencrypted, and therefore easy to read by both the retailer's card reader and potentially by criminals.

Your reward for using a chip card inserted in a reader is protection from having your card cloned. As the lawsuit reads, "the data on a magnetic stripe can be easily copied (skimmed) with a simple card reading device, which enables criminals to reproduce counterfeit cards." Thirty-three percent of credit-card fraud involves a counterfeit card, according to Visa.

Chip-and-PIN cards add a step. They require you to authenticate the transaction by punching in a PIN, as though you were at an ATM. This is a form of two-factor authentication, in which a transaction requires both something you have (the card) and something you know (the PIN). The addition of the PIN stops the fraudulent use of lost or stolen cards at cash registers—a problem that accounts for 9 percent of all credit card fraud, again according to Visa.

The chip-and-PIN combination is already ubiquitous in other regions of the world, particularly in Europe.

However, a chip-and-PIN combination doesn’t make a credit card account immune to fraud. According to Visa, half of all credit card fraud cases occur through phone and online transactions. Such transactions can happen when a criminal has acquired a stolen card—even European merchants generally don't require credit card PINs for online purchases. Additionally, criminals can acquire account information through other means, such as phishing attacks in which users are tricked into providing account information in response to emails that appear to be from their financial institutions.

If the experience of European countries is any guide, those types of fraud cases may increase as chip-carrying cards become more widespread.

“We have seen card-not-present fraud steadily rise in Europe since EMV's rollout,” Stephen W. Orfei, general manager of the payment-technology group PCI Security Standards Council, said in a written statement. "EMV chip technology (PIN or signature) is not the silver bullet that some think it is.”

Why the U.S. didn't adopt PINs

In Europe, PINs were introduced decades ago, when many card terminals were offline: They couldn’t connect to card networks to verify a transaction. In the U.S., that’s not an issue.

Still, though, PINs do improve security. So why aren't they used here? The lawsuit alleges that Visa and Mastercard are putting barriers in the way of adoption to keep retailers' fees high.

However, according to one analyst, card issuers actually worried that requiring shoppers to memorize a PIN would discourage them from using the cards.

“Not all issuers were implementing a PIN; therefore, any card requiring a PIN was at a disadvantage in the competition to be ‘top of wallet’,” says James Wester, research director for global payments at the market-analysis firm IDC. “Also, the costs to issuers to implement PINs for credit cards is significant.”

Michael Thelander, a product manager at the security firm Iovation, made a similar point in an email. “Switching the world's largest, most distributed, and most fragmented credit card market to a chip-and-PIN plan would have been horrifically complex and expensive,” he wrote.

From some consumers' point of view, incidentally, the lack of a PIN can also be inconvenient. This used to trip up Americans overseas when they tried to pay at automated card terminals that needed a number. More recently, moves by card issuers to waive the PIN requirement for small transactions seem to have resolved that issue. (I had no trouble paying with a chip-and-signature card at ticket-vending machines in the Barcelona Metro and the London Underground earlier this year.)

How consumers can stay safe

First, if you insist on a chip-and-PIN card, you can get one; for instance, Barclaycard’s cards offer this option as do some credit unions. You can’t, however, add a PIN to a chip-and-signature card; your card issuer would have to replace it to make that switch.

However, some security experts advise consumers to keep the cards in their wallet and pay with their phones whenever possible. Mobile-payment apps such as Apple Pay, Android Pay and Samsung Pay boost security by generating one-time credit-card numbers for each transaction

That “tokenization” of the card number leaves nothing for a fraudster to use online, even if the store’s payment system is as hopelessly compromised as, say, Home Depot’s was in the data breach discovered in 2014. “Smartphone payments are definitely safer,” IDC’s Wester says.

At stores such as Whole Foods that accept mobile-payment apps but haven’t yet switched on EMV card readers at the same terminals, a phone’s security advantage becomes even greater.

The tokenization technology used in mobile-payments apps is promising to make online transactions safer as well—witness the “Apple Pay on the Web” Mac software Apple unveiled at its WWDC conference last week.

Long term, card issuers are working to incorporate tokenization into every channel of payment. According to PCI’s Orfei: “Our best defense is to devalue the data so that it is useless in the hands of organized crime, state funded actors, and criminals.”

Billionaire Warren Buffett Recently Cut This Stock From Berkshire Hathaway's Portfolio. It Just Dropped 53% In 1 Day. Here's What Investors Need to Know.
The insurer was accused by a short-seller of "extensive" fraud.
Motley Fool•23h ago
Google Fires Workers Protesting $1.2 Billion Israeli Contract
(Bloomberg) -- Alphabet Inc.’s Google has fired 28 employees after they were involved in protests against Project Nimbus, a $1.2 billion joint contract with Amazon.com Inc. to provide the Israeli government with AI and cloud services.Most Read from BloombergDubai Grinds to Standstill as Cloud Seeding Worsens FloodingElon Wants His Money BackSingapore Loses ‘World’s Best Airport’ Crown to QatarRed Lobster Considers Bankruptcy to Deal With Leases and Labor CostsTesla Asks Investors to Approve Musk
Bloomberg•7h ago
The stock market is headed for a hard 'reset' that could take years to recover from, CIO says
People's wealth could take a huge hit as the stock market peaks after one of the longest bull markets ever, according to an investment chief.
Business Insider•9h ago
Why AMD, Applied Materials, and Lam Research Stocks All Tumbled Today
Will Chinese "overproduction" of semiconductor chips swamp the market?
Motley Fool•14h ago
Opinion: These Will Be the 4 Largest Companies by 2035
These four stocks will be the cream of the crop by 2035.
Motley Fool•18h ago
Keep Calm And Get Ready: Here's What To Do During A Stock Market Correction
Even the best stocks fall in a bear market. Here's what to do during a stock market correction to protect your portfolio.
Investor's Business Daily•21h ago
Tech earnings season is coming, and AI is top of mind
Big Tech earnings are coming up, and Wall Street wants to know how companies are making money on their massive AI investments.
Yahoo Finance•13h ago
The Most Active Stock Trader in Congress Is Buying Shares of This Magnificent Stock-Split Stock
Wall Street's most-prominent stock-split stock of 2024 has been purchased on three separate occasions by a lawmaker who completed over 4,200 trades last year.
Motley Fool•48m ago
Forget Nvidia: Billionaires Are Selling It and Buying 2 of Its Biggest Artificial Intelligence (AI) Rivals Instead
Prominent billionaire money managers pared down their stakes in artificial intelligence (AI) titan Nvidia in the December-ended quarter and piled into two of the company's top architectural competitors.
Motley Fool•1d ago
Why Arm Holdings Stock Took a Dive Today
A downbeat report from ASML dragged down other AI stocks.
Motley Fool•11h ago

News

Life

Entertainment

Finance

Sports

New on Yahoo

Yahoo Finance

What Home Depot's Chip-and-Pin Lawsuit Means to You

Recommended Stories

Billionaire Warren Buffett Recently Cut This Stock From Berkshire Hathaway's Portfolio. It Just Dropped 53% In 1 Day. Here's What Investors Need to Know.

Google Fires Workers Protesting $1.2 Billion Israeli Contract

The stock market is headed for a hard 'reset' that could take years to recover from, CIO says

Why AMD, Applied Materials, and Lam Research Stocks All Tumbled Today

Opinion: These Will Be the 4 Largest Companies by 2035

Keep Calm And Get Ready: Here's What To Do During A Stock Market Correction

Tech earnings season is coming, and AI is top of mind

The Most Active Stock Trader in Congress Is Buying Shares of This Magnificent Stock-Split Stock

Forget Nvidia: Billionaires Are Selling It and Buying 2 of Its Biggest Artificial Intelligence (AI) Rivals Instead

Why Arm Holdings Stock Took a Dive Today