U.S. LAGS BEHIND

The United States is behind in adopting more secure card technology. Most developed countries use credit and debit cards that have an embedded computer chip, and people make purchases using embedded-chip card readers that also require the user to enter a personal identification number (PIN). And there are other secure systems vying for a share of the payment market (see “Competing Payment Systems”).  


In the U.S., retailers generally have still been using older, less secure magnetic-strip purchase cards. But in November 2014, Walmart and its subsidiary, Sam’s Club, became the first major American retailer to switch to the more secure embedded-chip cards and accompanying technology. Other retailers, such as Target, soon began installing embedded-chip card readers. Yet they hadn’t turned the technology on as of February 2015 (http://bit.ly/1yv6ZWm).  

Because banks and other card issuers are liable for losses, retailers and card holders in the U.S. have had little motivation to switch to more secure purchase cards. But liability for data breach losses may be shifting from card issuers to retailers and other organizations that accept consumers’ cards. This may motivate organizations not only to install embedded-chip card readers but also to start using them. The next step would be to teach consumers how to make purchases with the new cards. Unlike magnetic-strip cards, they can’t just be swiped through a terminal. (See “How to Use the New Chip Credit/Debit Cards.”)  

WHO IS LIABLE?

The Fair Credit Billing Act (FCBA) limits U.S. credit card owners’ liability for unauthorized use of a credit card to $50 (see http://1.usa.gov/1GKtBVs). Since neither sellers of goods and services nor credit card owners have been held liable in this area, banks are taking action, and they aren’t asking card holders first. When a card expires, the bank replaces it with a magnetic-strip card that also has an embedded chip, so the banks are clearly making the transition. Nevertheless, it’s still up to retailers and other organizations to install and implement embedded-chip card readers.  

Again, retailers soon may become liable. In her January 4, 2015, article for Business Insurance, “Target’s data breach liabilities mount as credit card issuers’ suit proceeds,” Judy Greenwald explained that “a federal judge’s refusal to dismiss litigation brought by credit card issuers against Target Corp. in the wake of 2013’s massive data breach is significant and could influence other courts to hold retailers liable in similar cases.” (See http://bit.ly/1yv7aRo.) And in his June 9, 2014, article for CNBC.com, “Chip-enabled ‘smart’ credit cards coming to America,” Herb Weisbaum revealed that “Visa, MasterCard, American Express, and Discover want the U.S. converted to chip-based credit cards by October 2015. After that date, they say, fraud losses will shift to the retailer if they don’t have point-of-sale payment terminals that read smart cards.” (See http://cnb.cx/1FKyWqg.)  

Apparently retailers are preparing for the shift in liability. In her June 6, 2014, article in The New York Times, “The shift to safer chip-and-PIN credit cards,” J.D. Biersdorfer predicted that “most merchants will probably have the new equipment in place by October 2015 when new rules about fraud liability kick in.” (See http://nyti.ms/1EG7g9O.)  

But what will consumer reaction be to this pending liability change? I conducted a study to find out.  

A REVEALING SURVEY

I administered an online survey in February 2015 (see “About the Respondents”). The 207 respondents included individuals who were at least 18 years old and resided in the U.S. Overall, respondents support the use of embedded-chip purchase cards with a PIN. More than three-quarters of respondents (78%) answered yes to the first question of the survey: “Is the move to credit and debit cards with embedded chips and PINs a good idea?” Only 11% said no.

The second question asked respondents to assume that in October 2015 fraud liability shifts from the financial institutions that issue the cards to card-accepting organizations and card-using customers. Cards with only a magnetic strip contain personal information that’s easily stolen. Should we replace them with embedded-microchip cards that require the user to enter a PIN—making personal information tougher to steal? An overwhelming 75% of those responding said yes, and only 12% said no. But 14% said that embedding a microchip is enough and a PIN isn’t needed.  


WHO IS RESPONSIBLE?

The third question asked, “Which group of professionals should have done a better job of preventing, identifying, and resolving the data breaches that occurred in organizations such as Target and Home Depot?” Respondents placed this responsibility mostly on information technology (IT) professionals: 71% felt that IT professionals (such as computer managers and programmers) should have done a better job. Only 22% blamed managers (like CEOs), and just 7% felt that accountants were responsible.  

The fourth question asked if other professionals could have done a better job at identifying or resolving the breaches. More than two-thirds of respondents (68%) said that internal auditors (including forensic accountants) should have done a better job, while 22% named management accountants, and 10% pointed a finger at external auditors and CPAs (Certified Public Accountants).  

DID CONSUMERS TAKE ACTION?

To recap, survey respondents realize there’s a problem and overwhelmingly believe that old magnetic-strip cards should be replaced with more secure embedded-microchip cards requiring PINs. But have they taken any action? My fifth question was “After the credit and debit card data breaches of 2013 (for example, Target) and 2014 (for example, Home Depot), did you replace your cards that had only a magnetic strip with embedded-chip cards?”  

Surprisingly, only 17% said they had replaced the old cards with embedded-chip ones, and 52% said they hadn’t. It seems as though concerns about data breaches and identity theft didn’t motivate surveyed card holders to acquire more secure cards. Since consumers aren’t yet held responsible for any financial losses from these crimes, perhaps they aren’t concerned enough to take action. We need additional research to determine what would cause more consumers to choose higher-security cards.  

Meanwhile, banks are litigating against retail organizations to shift the data breach loss liability from the banks (card issuers) to the retail organizations. I expect more retailers to follow Walmart’s lead and begin using embedded-chip card readers. Would retailers be able to share this liability with cardholders? Time will tell.

HOW CAN MANAGEMENT ACCOUNTANTS HELP?

No matter what happens with liability, management accountants have an opportunity to play a bigger role in preventing, identifying, and resolving future data breaches.  

Although most consumers surveyed didn’t blame accountants for the wave of data breaches and identity theft, there are still good reasons for management accountants to become more involved. Their expertise can be valuable to IT professionals and senior management. For example, management accountants could provide a cost/benefit analysis for replacing old card readers with new embedded-chip card readers. That analysis also could estimate the potential revenue loss from declining customer confidence in the ability of retailers and organizations to protect customers’ identities.  

In addition, management accountants can be helpful in planning for possible cyber-crime losses. Data breaches can be costly for many reasons. After Target’s 2013 data breach, the company had a decline in revenues because of a drop in customer confidence. But Target also spent money attempting to build back customer confidence. For example, it gave consumers free credit surveillance coverage that notified them when suspicious changes or transactions occurred in their credit/debit accounts.  

To plan properly, companies must estimate such revenue losses or increased expenses and budget for them. That’s difficult to do. But management accountants, especially those who are a CMA® (Certified Management Accountant), have the professional expertise to do that and much more. Their roles and responsibilities include managing functions critical to business performance, supporting management and strategic development, providing accurate and insightful information for better decisions, and doing long-term planning. All those functions will be vital for companies seeking better data security.  

It’s time for management accountants to step forward and take this opportunity to become recognized partners in the battle against credit and debit card fraud.  
