Discover, American Express and Mastercard have all recently said they would stop requiring U.S. customers to sign when they buy something with a card.
This was a welcome development and roundly applauded by merchants — a nice change from the often contentious relationships that have marked this industry.
This consensus should lead to a similar one on doing the best we can to stop fraud.
Signatures, of course, did nothing to prevent fraud. That is why everyone (though we’re still waiting on Visa) agreed they could be dropped.
The consensus is also there on making sure the right person is trying to use a card, though sometimes rhetoric obscures this consensus. The agreed upon way is used millions of times a day at ATMs throughout the country: we all simply enter a personal identification number, or PIN. Those four-digit numbers have proven effective in cutting fraud to a tiny percentage of what it is when not using a PIN.
If it didn’t work, banks wouldn’t require PINs at ATMs. Merchants agree, and several have tried to require PINs on some or all of their debit transactions in order to protect against fraud. Oddly, Visa has fought those efforts with fines and lawsuits.
Why would Visa try to fight for more fraud? It might help to understand that when fraud does occur, the decision about who shoulders that cost boils down to a choice between the merchant and the card-issuing bank. While the card network (such as Visa) gets to decide who loses on the fraud, one thing is clear — Visa isn’t the one losing the money.
That raises real questions about how payment card fraud-prevention decisions are made. The card networks make these decisions themselves through their operating rules and control of payments organizations like PCI and EMVCo.
Merchants and banks — businesses that actually pay for fraudulent transactions — don’t get a vote. Instead, the networks that don’t have skin in the game make decisions behind closed doors.
Sure, Visa, Mastercard, PCI and EMV Co claim they listen. After all, there are advisory boards in place. But the secrecy surrounding the real decision-making is just one indication that the decision makers don’t listen to advisory boards.
Visa and Mastercard like to say it is retailers that are slow to improve security. But consider my industry, convenience stores. We’ve been ready for PINs for three decades — and we’ve been waiting for tighter security that never came.
It’s time for the secrecy and mystery around EMVCo to finally change. Payment card security and fraud protection are too important to leave to the networks alone.
Merchants, banks and consumer representatives should not be locked out of the process. And that decision-making should be open and transparent so that everyone can see and understand that what’s being done really is the best thing to improve security.
This is crucial because the U.S. is a magnet for fraud. In fact, we have more of it than any other country in the world. The need for change is obvious: The dominant card networks like Visa and Mastercard have made U.S. card security decisions for decades without including the other folks needed to make them the right way. And their decisions have given us more card fraud than anywhere else.
It is long past time to try something new, by moving to the best way we have right now to prevent fraud — using PINs — and changing the way we make card-security decisions so that everyone with a stake gets a say and the process is open and transparent.
Given the current track record in the U.S., just about any change is bound to be better than what Visa and Mastercard have given us.