Chipping In

Listen to this article

This time a year ago, we discussed fraud attacks on retailers’ point-of-sale systems, and informed you that one of the coming solutions would be the “chip and PIN” debit cards about to replace traditional swipe cards.

Since then, the chip cards have indeed emerged, as many pet retailers surely know as they’ve had to either invest in the new chip machines or answer lots of questions from customers as to why they don’t have one yet. It’s common at the moment to visit retailers—especially smaller ones—and find that they’ve affixed a hand-written note to their card readers: “Just Swipe Card. No Chip Yet.”

Those retails recognize how quickly the expectation has spread that retailers will have the chip cards.

But do the chip cards really do enough to prevent fraud? The way they work is by generating a one-time code that’s used for each transaction and then immediately discarded. The chip stores all the same information as traditional debit cards about your bank accounts and so forth, but it doesn’t permit one stolen number to be used to make a purchase.

Those who steal debit card numbers online will sometimes program card numbers into a counterfeit card and use it to make fraudulent purchases. I had it happen to me several times, including once when someone walked into a store in Austin, Texas, and bought more than $200 worth of merchandise using my debit card number, even though my debit card was sitting right next to me in Detroit.

With the chip card, it’s not enough to have someone’s account number. But it’s turned out there is a limitation to the effectiveness of the chip cards. Retailers can buy one of two different types of reader. One is the aforementioned chip-and-PIN, which not only requires the chip but also requires the purchaser to enter the four-digit pin required to make cash withdrawals at ATMs. This is pretty standard for debit purchases, of course, so you might expect this to be universal among retailers getting chip card readers.

But it’s not.

There are also chip-and-signature readers. These don’t require a PIN. They just require the purchase to sign one of those electronic signature pads.

The problem there? The chip-and-signature reader will still block a purchase using a faux card with a programmed stolen card number, because the number is not the information used to confirm the purchase. But what if the thief has stolen the customer’s actual physical card? In that case, the chip will connect successfully to the cardholder’s bank account, and the signature will affirm the purchase.

Contrary to what you might think, these POS systems don’t check signatures for authenticity, so even an extremely poor forgery will still get the thief in and out the door with the goods before anyone figures out there was fraud involved.

The chip-and-PIN reader, by contrast, maintains the PIN requirement as a reliable backup. So even if the thief has stolen the cardholder’s physical card, the chip-and-PIN reader will render the card useless, unless the thief also knows the cardholder’s PIN.

All of this, of course, involves only in-store purchases. If you sell pet products online, the chip cards will still work pretty much the same as the old debit cards. You’ll be asking users for card numbers, expiration dates and security codes. The chip-and-PIN technology is actually more than a decade old, believe it or not (U.S. banks have just been slower to embrace them), and in countries where they’ve been used for a while, fraudsters have grown more adept at taking their thievery online.

To the extent pet retailers are concerned about stopping thieves from making purchases in the checkout line, it seems clear that you’re better off investing in chip-and-PIN readers as opposed to chip-and-signature readers. Both will be reasonably effective at stopping the use of faux cards with stolen card numbers, but only the chip-and-PIN readers will stop the use of stolen cards. If your technology provider is only presenting the chip-and-signature reader as your option, I’d suggest you ask why. Cost could always be a factor, of course, but you have to weigh that against the potential loss you’ll suffer from a fraudulent purchase that a bank refuses to honor, not to mention the man hours you have to devote to dealing with incidents of fraud.

The fact of the matter is that determined thieves never stop trying to find ways around the security measures designed to stop them. I guess they’re creating jobs for the program designers who come up with this stuff if you want to look at it like that, but I could spend all day thinking of better ways to use technology than the never-ending cat-and-mouse game that goes on between digital thieves and the security techs tasked with stopping them.

In the meantime, pet retailers need to recognize not only that tools are available to make it harder for people to steal from them, but that some of these tools are more effective than others. If you’re going to protect yourself, you might as well do it right.