MAG Insights

Announcements from the MAG & Featured Articles

America’s Payment Cards-Unsafe at any Swipe (MAG Quarterly- Volume Three, Issue Three)


By Dean Sheaffer, Senior Vice President Financial Services/Chief Compliance Officer, Boscov’s Department Stores, LLC

September 3, 2015

My first car wasn’t a Pinto, but it was almost as poorly engineered as the car with the infamous exploding gas tank.  The good news is that U.S. car manufacturers have learned from their mistakes and made modern cars dramatically safer than when I was a teenager in the 1970s. 

That said, can you imagine the uproar if the general public would have been forced to buy, install and maintain their own safer gas tanks, five-mile per hour bumpers or seat belts to retrofit 70s era automobiles before driving them?  Can you imagine the pressure the public would have put on the U.S. auto manufacturers if they failed to provide basic safety measures while the rest of the world made their cars safe?  Isn’t it just as ridiculous that the card networks hold merchants responsible for the gross design failures of the networks’ fraud-prone payment card products; and their failure to provide basic protections like PIN authentication while the rest of the world leap frogs the U.S.?

Certainly, there is no denying the fact that the U.S. has a problem with card fraud. We now account for nearly half of all card fraud worldwide while we conduct less than a quarter of the actual card purchase volume.

Banks issue cards with their customers’ sensitive information clearly printed on the face of the card and encode the magnetic stripe on the back of the card with the even more unprotected data. The banks, who require customers to use PINs at ATMs to protect themselves from unauthorized cash withdrawals, hypocritically fail to protect merchants from fraudulent transactions by requiring the same PINs be used at the merchants’ point-of-sale. The card brands try to cover the tracks of their issuing bank clients by explaining that U.S. cardholders are not smart enough to remember PINs or that it is too expensive for them to issue PINs for credit cards while at the same time enthusiastically endorsing PIN usage at merchants outside the U.S.

How did merchants get to be the ones responsible for protecting the card networks and the banks from the networks’ fraud-prone payment card products and systems? Merchants have nothing to say about the design and technical features of payment cards. All of the decisions are made by the networks and the big banks. Merchants are in the business of buying stuff, adding value and selling it to consumers – and at one time relied on banks to handle the technical aspects of payments. This is no longer the case.

Networks and banks have forced merchants to become payment experts, systems engineers, data security experts and forensic analysts; they have failed to modernize and protect their systems and have abused their relationships with merchants.  They overcharge for card payments and abdicate responsibility for keeping the public and the merchants safe from the damages associated with their own defective card products. This may be a decision they will live to regret.

The networks and banks have defied the rules of common sense and logic in holding merchants responsible for card fraud. They’ve spent Millions (perhaps Billions) of dollars to convince the public and policy-makers that card fraud is the fault of merchants while failing to upgrade their own disco-era technology. They’ve failed in adopting PINs in their credit card systems and failed by not moving to EMV, encryption and tokenization in a timely fashion while most of the rest of the world has already done so.

The Payment Card Industry Council (PCI) –  an organization that is supposed to focus on developing rules to help protect U.S. businesses from card fraud –  has instead focused its energy and efforts on finding ways to hold merchants accountable for card fraud and program compliance while ignoring fundamental changes that issuers could easily make, for example, by requiring PINs (or other forms of two-factor identification) to be issued on all financial products and getting rid of worthless signatures or by mandating a sunset date for magnetic stripes, or by speeding up EMV, encryption and tokenization in the U.S.

The mere existence of an organization like PCI should be questioned. How is it that the small group of network “competitors” gets to sit down together and inflict on the merchant community one-sided rules that effectively shift responsibility and liability to the merchants and let themselves off the hook by holding merchants accountable for protecting the public from the networks’ own defective payment card products? As long as the PCI Executive Committee- absent any stakeholder input except for five global card brands – manages the decision-making for PCI, these dynamics will not change and the U.S. will be positioned to maintain its inferior status as a global leader in card fraud. Perhaps regulators should be asking if the “value” PCI provides for consumers outweighs the anti-competitive harm this organization imposes on the U.S. payment system’s voiceless stakeholders.

Networks and issuers should look in the mirror for the reasons they’re experiencing card fraud. Why did they sit on their hands for decades knowing signatures were worthless in protecting against fraud? Why did they ignore EMV until recently, then force merchants to try to sprint to the finish line to move to EMV while withholding their support for the common debit application until it was too late for many of us? Why don’t they support PINs on all purchases over $50 when most of world has already moved or is moving to PINs? Why don’t they spend their Millions on upgrading their disco-era products instead of looking for more ways to hold merchants accountable for the inevitable fraud that occurs on their own defective products?

What would the public and regulators say if car manufacturers were still selling Pintos and telling consumers they have to become mechanics to install gas tanks, seat belts and bumpers to protect themselves and the public?  A defective product is usually obvious.  The defects in the U.S. Payment Card System are painfully obvious.  It is time that the issuers and networks take responsibility and fix their broken system so that U.S. merchants and consumer enjoy the same protections merchants and consumers in the rest of the world have come to expect.