Illusive Blog January 21, 2016

Joseph Carson: Thoughts On Discrepancies In Credit Card Fraud

By The Illusive Networks team


We recently spoke with Joseph Carson, the Head of Cyber Security at ESC Global Security and Head of Product at Arellia, to discuss the current state of data protection as well as the evolution of cyber insurance.

In this second part of our four-part series, Carson shared his thoughts about discrepancy in credit card fraud between the US and Europe.

The Current State of Credit Card Fraud: US vs. Europe

Years ago, the European Union, Australia and Brazil agreed to do away with common magnetic strip credit cards in favor of new chip and PIN cards. However, the US fell behind the curve, and only agreed to make the switch to chip and PIN by October 1, 2015.

Tweet: #CyberCriminals have victimized retailers for years, which has resulted in mass theft of cc numbers & identitiesCyber criminals have victimized retailers for years, which has resulted in mass theft of credit card numbers and identities from point of sale systems.


Even though the transition to chip and PIN cards in the US has been shaky at best, supporters hope the US can experience the same drop in credit card fraud that Europe has enjoyed. However, Joe Carson explains the fundamental flaw in this logic:

“There’s always this talk about how the US was a more frequent target of credit card fraud because it remained on the magnetic strip,” said Carson.

“But that’s actually not entirely true. The difference is not related to the credit card itself –  it’s about the accountability of the transaction.”

The Role of Accountability in Reducing Credit Card Fraud

While the US places credit card accountability almost entirely on the consumer, European regulations place the burden of liability on retailers — giving them more of an incentive to protect credit card data.

“For example, [in the US], if I go into a shop, swipe my card and only use my signature, then the accountability is on credit card companies for just $500 or $1,000,” Carson continued. “Anything more than that…and the individual is held accountable.”

Such lax liability regulations make it difficult to expect retailers to take transition to chip and PIN cards seriously. In the case of credit card fraud, the retailer still gets paid and the credit card company still makes money from the fraudulent payment; in the US, there’s simply no incentive to avoid fraud.

“In Europe, you’re accountable only in the case that your card and your PIN are used together,” said Carson. “If my card is used in Europe without the PIN, the responsibility is entirely on the company that accepted the card – not the credit card company or me, but rather the person who accepted the card.”

Tweet: Companies in the US don’t feel inclined to go to great lengths to defend customers from #CreditCardFraudThe problem isn’t that chip and PIN cards aren’t more secure than old mag strip cards. Rather, the issue is that companies in the US don’t feel inclined to go to great lengths to defend customers from credit card fraud.

According to Carson, if accountability in the US is modified, the woeful 42% of retailers still without support for chip and PIN cards will change their ways overnight.

Technology is important in all cyber security matters — but making something as simple as accountability more logical can go a long way toward reducing crime.


Recommended for you: