Wednesday, 1 June 2011

Will US actions to counter card skimming be too little, too late?

Cindy Merrit, Assistant Director of the Retail Payment Risks Forum of the of the Federal Reserve Bank of Atlanta in the US, has just published an article in the blog 'Portals and Rails' headed 'Stemming the rising tide of card breach incidents: PCI compliance or chip-and-pin?  It is a well written blog and is part of an increasing amount of coverage being given to the topic of chip and PIN (EMV) in the US. 

In 1942 Great Britain experienced its worst ever military disaster when Malaya and Singapore fell to the advancing Japanese army - not in 100 days as the Japansese had planned, but in just 70 days.  The British High Command took a long time to face up to stark reality (the main defences in Singapore were all facing the wrong way anticipating an attack from the sea, not overland through Malaya), despite repeated calls to action from an experienced and aware minority of officers.  One of that minority subsequently published a book entitled "Too little, too late!"

That is the heading that comes to my mind when reading inside views from the US on the growing problem of card skimming.  It is quite clear that, despite the costs of shifting to chip and PIN, the US market will have to do it - yet there is still a great deal of prevarication and avoidance of reality.  Cindy Merrit correctly points out  - "The vulnerabilities inherent in mag-stripe technology are expected to contribute to ongoing skimming attacks in the future, not to mention the associated credit and debit card losses. Other countries, including Canada and many in Europe, that have converted to the EMV chip technology standard have effectively mitigated skimming."

I would use stronger language and state that the continuance of mag-stripe only cards in the US will definitley lead to an increase in skimming attacks as the rest of the world continues to roll out chip and PIN.  If anyone can provide statistics for such attacks in the US it would be great to see the actual picture.  It is not just Canada and many European countries that are moving to chip and PIN, it is all 31 countries in the Single Euro Payments Area, Canada, Australia, South Africa and many many others......... China UnionPay has stated that by 2015 all Chinese Payment Cards will be chip only.  The bad guys know this which is why they are increasing their efforts in the US, secure in the knowledge that skimming techniques honed to perfection in other parts of the world will still generate revenue for them in the US long after Chip only cards have appeared in other markets.

Continuing to try to secure the magnetic stripe on payment cards will soon become yesterdays war for the payment card industry in much of the world, leaving the US to fight on virtually alone.  As skimming related losses in the US continue to rise, and my assumption is that they will, too little too late could well be how history will judge the actions taken by those in the payment card industry in the US.  Yes a coordinated move to EMV in the US will be challenging and expensive, but the cost of delaying the inevitable will continue to rise !

No comments:

Post a Comment