Why Europe Is not a Paragon of Credit Card Security

Americans following the media coverage of the latest big credit card data breaches in the U.S. are probably left thinking that they are living in a country that is actively aiding and abetting global crime networks, even as they are stealing card data on an industrial scale. The Europeans and others, we are constantly reminded, have long ago switched to the highly secure EMV (chip-and-PIN) technology, whereas the U.S. is stuck in the (distant) past, still clinging to the pathetically old-fashioned magnetic stripe. Why aren’t we doing, pundits ask, what those Europeans we so often look down upon have done a decade ago?

Well, it is certainly true that the U.S. has been slower in its EMV adoption than it could possibly be justified. The process started only a couple of years ago and it is not likely to be completed for some years to come. The reason for that lack of enthusiasm for the safer technology has mostly to do with money, as one might suspect, but we already covered that issue a month or so ago.

The reason I am reopening the subject is a new article I’ve just read in The Economist. It gives us a characteristically well-researched and informative account of the state of card fraud in the U.S. And I do agree with the author’s conclusion that an EMV adoption in the U.S. would “harmonise American and global standards, making it easier for Americans to use their cards abroad and foreigners to use theirs in America [and] [i]t will make mobile payments easier”. Actually, I don’t believe anyone would disagree with such a statement.

Where I find The Economist’s account lacking is in its depiction of Europe — the paragon of credit card security — as a hapless victim of American arrogance negligence. Where is the connection? Well, the author notes, correctly, that most of the fraudulent transactions involving European cards take place in the U.S. See, chip-based cards still carry a magnetic stripe, which allows them to be used for payment at U.S. merchants through a procedure known as “fall-back”. Crucially, however, such transactions still need to be authorized by the cards’ European issuers.

And here is where it gets very interesting and it is also where the aura of European data security prowess crumbles into dust. See, these organized criminal groups have done their homework and have learned that some European banks can’t be bothered to authorize transactions on weekends — they are closed (and this is Europe!)! However, using the mag-stripe technology, such transactions get processed anyway and, naturally, result in fraud as authorization is deferred until Monday. So don’t feel quite that bad about the Europeans just yet. But let’s get through this a bit more carefully.

Credit Card Fraud in the U.S.

So The Economist helpfully reminds us that the U.S. “leads the world in many categories: shale-gas production, defence spending, incarceration rates and, alas, payment-card fraud”. The Target incident in December resulted in the theft of the card accounts of about 40 million of the department store’s customers. A few months earlier, the same fate befell 152 million of Adobe’s customers and last month it was the turn of Neiman Marcus to have their data repository systems breached. And such massive thefts, The Economist observes, result in huge losses:

For crooks, there are rich pickings in such data. Total global payment-card fraud losses were $11.3 billion in 2012, up nearly 15% from the prior year. The United States—the only country in which counterfeit-card fraud is consistently growing—accounted for 47% of that amount, according to the Nilson Report: card issuers lost $3.4 billion and merchants another $1.9 billion.

Then we are reminded of a 2012 survey by the Aite Group and ACI Worldwide, which had found that “42% of Americans had experienced some form of payment-card fraud in the preceding five years”. So, yes, in case anyone was still wondering, credit card fraud in the U.S. is indeed a problem. But then we come to the point.

On European Victimhood

In its patentably florid style, The Economist informs us that:

Nor is it just Americans who are affected: foreigners whose card data is stolen often find the thieves have little trouble waltzing into stores and making purchases with ersatz cards. Europeans rack up more losses in this way in America than in any other country.

OK, now let’s waltz our way into some hard facts. Back in July of last year, I was shocked to learn that, on the black market of stolen credit cards, U.S. credit cards were by far the cheapest, with Canadian cards selling at a 50-percent premium and European ones being five times as expensive. I could make neither head nor tail of it and most of the commentary wasn’t exactly helpful, to put it mildly. Reuters’ explanation, for example, was that European cards were “more expensive because they have computer chips that make them more secure”. So? If European cards were more secure, hence more difficult to use in fraudulent transactions, surely they would be worth less, not more, to the criminals who buy such things!

Well, it was The Washington Post’s Andrea Peterson who eventually managed to explain the mystery away, in an excellent piece of reporting, which I should have written (I have no higher praise to offer). It turned out that the weak link in the system was not the older U.S. credit card technology, but the European payment processing system:

Merchants in Europe use chip-and-PIN security measures on credit cards. The chip contains all the same sort of information in the magnetic strips on U.S. cards, and after you swipe it you must also enter a PIN to complete the transaction like you would with a debit card. U.S. merchants aren’t set up for the advanced security features on European cards. So when European cards are used in the United States, they fall back to the old-fashioned magnetic strips used here.

But some European banks and credit card providers have a delay in processing transactions over weekends. So, fraudsters could clone European cards and go on weekend spending sprees, capitalizing on the delay while the transactions make it across the pond and through fraud analytics processing. The result: a wave of credit card fraud by American criminals targeting European victims.

As I noted back then, one would have thought that the suffering of substantial losses for years on end would have convinced the European payment processors in question to stop shutting their systems down on weekends, but evidently they could not be bothered by such a trifling matter. And anyway, it is so much easier (and gratifying), to just blame it on the Americans. Moreover, one would have expected that the appropriate European authorities would have long ago applied some pressure on the processors to make them mend their ways, but said authorities were instead busying themselves with cutting down interchange fees, which would almost certainly lead to higher bank fees for European consumers (I haven’t looked at the data since then, so I don’t know exactly how that has played out, so if someone has crunched the numbers, please let the rest of us know).

And, by the way, while it is true that U.S. card companies were also guilty of happily swallowing huge fraud losses, which could be greatly minimized long ago if they had adopted the EMV technology, their European counterparts’ failing is incomparably greater. Whereas, as we’ve explained several times before, the wholesale EMV adoption in a country like the U.S. is a hugely complex and expensive undertaking, keeping one’s payment authorization system up-and-running on weekends is not only quite a trivial feat to achieve, but it should be done as a matter of course.

The Takeaway

So, yes, the U.S. could and should have switched to the EMV system long ago — there is no excuse for not doing it. However, we should not be bashing ourselves over the head more vigorously than necessary and we should also keep in mind that consumers are fully protected against credit card fraud — the issuers and merchants are the ones who split the losses. And we should feel sorry about the Europeans even less — there are very simple things their credit card processors could and should be doing to minimize cross-border fraud, but are not doing. So, no, we can’t be blamed for European laziness and ineptitude.

Image credit: Wissenman.ru.