Keil Hubert: In the US, forget the future of payments – I’ll be delighted with decade-old tech

I have a request: the next time you pay for something with your EMV purchase card, I want you to laugh at us Americans.

Specifically, laugh at how we’ve been fumbling our implementation of smartcard technology. Maybe all the derisive laughter coming from our “cousins” will finally cause major American retailers to shake off their indulgent torpor and get the technology deployment sorted. My third column for this publication was a “future of payments” article about how the USA was finally going to get Chip-and-PIN, and I wrote that more than three years ago. It’s still considered “future” tech today in the States. Even the new cards we’ve received have been mostly Chip-and-Signature models, much less secure than the real Chip-and-PIN designs.

Example No 1: my barber replaced his Point-of-Sale kit a year ago with new Chip-and-PIN models. To this day, those terminals have a strip of cardstock wedged in the card slot apologising that they can only take old-fashioned swipes. Examples Nos 2-5: my liquor store, takeaway pizza joint, and menswear shop still haven’t upgraded their archaic sales terminals with built-in card swipe readers. Heck, my regular petrol station still has the same swipe-only pay-at-the-pump units installed that they had when a criminal installed Bluetooth card skimmers on their pumps!

I’ve asked representatives from each of these businesses why they’re reluctant to get with the times and install Chip-and-PIN readers. Some reps told me that the technology “doesn’t work,” or that it “costs too much to use”. Others said they’d never heard of the technology and don’t understand why it’s such a big deal. I have yet to discuss the problem with a shop owner who actually understands the tech, wants to deploy it, and can’t get the gear. The hardware is available, it’s just not being implemented. This is maddening.

Back in August, I read about a Russian fellow who was convicted by the US Department of Justice for stealing more than 1.7 million American credit card numbers. The villain used malware to infect vulnerable PoS units across Washington State, forwarded the stolen card numbers to his server in Russia, and used cutout buyers to make fraudulent purchases with the stolen numbers (thereby turning the goods back into happily laundered cash). The DoJ reported that this crime ring netted over $169million (£129m) and affected over 3,700 financial institutions in the process. This was just one criminal mastermind running a relatively small operation, and he got away with enough cash to buy a fully armed F-35A fighter jet… and enough left over to live a long life of decadent luxury.

You’d think the exploits of this cyber-criminal would be sufficient motivation for small and medium business owners across the USA to quit screwing around and replace their old-fashioned, insecure, unencrypted swipe cards. You’d think so… but it isn’t happening. The only business where I can use an honest-to-God Chip-and-PIN EMV card in my city is at my local Target retail store. Why there? Probably because Target had over 110 million credit card numbers stolen from its compromised PoS network back in 2013.

So, yeah. I’d like y’all to start making fun of us. Needle us unmercifully. If massive financial losses aren’t enough to get retailers to take action, then maybe embarrassment will finally do the trick. I really don’t care so long as it gets sorted. I’ve had five payment cards compromised since the UK first implemented EMV, and I’m sick to death of it. Forget the “future” of payments – I’ll be delighted enough with getting decade-old tech deployed…

Shares