What would happen if there was a drug that would cure 70 percent of people suffering from a widespread disease, but the drug company refused to make it available because clinical trials were underway on a new drug that might cure 80 percent of cases instead?



That’s exactly what’s happening in the U.S. credit card market, where the card industry is rolling out new “EMV” cards that include a computer microchip but are refusing to replace the fraud-prone signatures used to approve transactions with a far-more-secure personal identification number.





ADVERTISEMENT

Credit cards around the rest of the world use both a chip and a PIN, going back more than 20 years in some locations. The chip stores the sensitive data currently recorded on a low-tech, easy-to-copy magnetic stripe, making the cards difficult to counterfeit. By replacing an illegible and meaningless signature with a secret number known only to the legitimate cardholder, the PIN ensures that a lost or stolen card – or any card where the chip has been circumvented – is useless.Together, the chip and PIN have reduced credit card fraud 70 percent or more in other countries. A chip alone can’t do that. Without a PIN, a lost or stolen chip card is a bonanza for the person who finds or steals it, just as a magnetic stripe card is today.When it comes to counterfeit cards, the chip can already be disabled, and if criminals aren’t working on a way to counterfeit a working chip they’re falling down on the job.The card industry has come up with a number of excuses for not providing U.S. consumers with both a chip and a PIN.One is that shoppers can’t remember yet another password. That’s an insult to the intelligence of the American consumer, who has been using a PIN at ATM machines for more than 30 years.Another is that there are new technologies on the horizon that will provide even more security than a chip or a PIN. That’s true. But that’s where the drug trial analogy comes in.Yes, someday the advanced technology inside a smartphone, advances in encryption, “tokenization” or some technology yet to be invented will almost certainly make chips and PINs obsolete. Such steps are certainly at the “clinical trials stage.” But that technology isn’t here yet. Chip-and-PIN is.Chip-and-PIN can cure 70 percent of the disease of credit card fraud today. New technology might cure 80 percent, maybe more, a few years from now. But no technology will ever cure 100 percent – data security is a constant game of leapfrog where criminals respond to a 10-foot fence with a 12-foot ladder. Should a very good solution that works now be withheld during the pursuit of a better solution that might come too late?Chip-and-PIN is proven, tested technology. The infrastructure is in place in more than 80 countries around the world. Under an executive order signed by President Obama, the card industry is required to provide it on credit cards issued to government employees and for use at government facilities that accept credit cards such as national park gift shops.Consumers are those who stand to lose, and they told the National Retail Federation in a new survey that they’d tired of waiting. The survey found that 63 percent of those surveyed believe chip-and-PIN would provide more security than chip-and-signature. And 83 percent of those who think chip-and-PIN is more secure would consider it worthwhile even if they had to remember a different number for each card.If chip-and-PIN is good enough for the rest of the world, why isn’t it good enough for America? Don’t leave the patient to suffer while waiting for the perfect cure when a good cure is at hand.

Duncan is senior vice president and general counsel of the National Retail Federation.