February 14, 2014
Dear vendors working on ways to replace swipe-and-sign credit cards:
Consumers will never adopt a payment scheme en masse if it's less convenient than the current method. Why should they? Currently, retailers and card issuers assume the liability. I'm not on the hook for fraudulent charges. See a suspicious item that got past the card provider's fraud detection? Call the handy 800 number and have it removed. Worst-case scenario: I get issued a new card and have to invest 30 minutes to change standing accounts.
Look, it's not me. It's you. Retailers lose consumer data all the time, because PCI is still a joke, and card issuers continue to argue with retailers over who will pay for more secure point-of-sale systems. They're balking at reissuing cards with embedded chips in the US.
Why should I inconvenience myself to save their butts? Even if EMV-capable POS systems were widely installed by 2015 and issuers invested in changing over to chipped cards -- not at all a certainty -- that would do nothing for purchases where the physical card isn't present.
Not that we don't appreciate what you're trying to do. I recently saw a local TV news segment about the Boston startup Abine and its masked credit cards. For $5 a month, the company will issue me an electronic account that lets me generate one-time-use virtual cards every time I make a transaction online. Do you know how much I shop online? The company is also piloting physical OTP cards, like those from MtGox and others, that bear only a superficial resemblance to a standard credit card.
So let me get this straight: I can pay for the privilege of enduring glares as I hold up the line at the grocery store trying to explain the OTP concept to a bored 17-year-old clerk?
It's a nice thought. It really is. And a subset of privacy-aware consumers will adopt technologies like one-time-use or masked cards. They're the same people who use Bitcoins. Good luck going mainstream.
A more promising avenue is paying with your phone using an NFC wallet. Financial data, including credit and debit card numbers or prepaid balances, are stored on your SIM card or in the cloud. You just touch the phone on an NFC-enabled POS terminal and enter a passcode. This approach has potential, but there's no interoperability standard. Square competes with Google Wallet, which competes with Apple Passport. MasterCard competes with Visa, except where it doesn't. Individual retail chains such as Starbucks have their own iterations.
Oh, and most NFC systems reuse current retailer networks and POS equipment. Explain again how that's any more secure than a credit card, given the sad state of the regs that are supposed to protect us now?
PCI turned 10 this year. Verizon's 2014 PCI Compliance Report says use is up. Unfortunately, so is the cost of card fraud -- the Nilson Report says businesses lost $11.27 billion from it in 2012, or 14.6% more than the year before. But before you break out the tiny violins, only the largest merchants undergo formal PCI audits. Most businesses conduct self-assessments. In 2013, Verizon reports, only 11.1% of organizations were fully compliant with the PCI standard at the time of their annual baseline assessments, up from 7.5% in 2012. Only about 64% met even the most basic requirement: a firewall to protect cardholder data. A firewall. Think about that.
No wonder startups see opportunity. But beyond the I-have-an-opinion-on-Bitcoin demographic, this particular risk/reward ratio just isn't going to overcome the power of inertia.
"Even those who have been hit with hard-core identity theft won't buy in," Michael A. Davis, CTO of the endpoint security firm CounterTack, told us. "People are desensitized to fraud and ID theft. It's just part of life, especially when financial services companies absorb all the impact of the theft."
Of course, those costs eventually get passed along to consumers, but that pass-along is opaque. Until there's a payment method that's as easy to use as today's swipe-and-sign cards and is as universally accepted, both online and in stores, most consumers will sit tight. Don't take it personally.