Don't 'Pin' Card Safety Hopes on Static Technology

You'd never know it in your daily life, but October 1 marks a milestone in improving the security of your credit and debit cards. Behind the scenes, a major shift is taking place that will improve the incentives of retailers and financial institutions to protect customer data.

That shift is based on chip cards. If you live in the U.S. and have a credit or debit card, chances are you have at least one chip card in your wallet. An estimated 575 million of these new cards, which are embedded with computer chips designed to better protect consumers and merchants against fraud, are expected to be in the hands of consumers by the end of the year.

The chip protects customers by creating a one-time transaction code that renders financial data nearly impossible for criminals to replicate, sell or repackage. No longer will your data be vulnerable to hackers like those who stole the personal information of tens of millions from Home Depot and Target.

But instead of addressing the source of these data breaches, many in the retail industry are muddying the waters by insisting that chip technology be accompanied by personal identification numbers entered at the register. This is a mistake. It is the chip that matters, not the PIN. Static four-digit PINs are incapable of thwarting sophisticated hackers or disguising sensitive credit card information once stolen. The more time we spend discussing PINs instead of the real issues facing consumers, the more we risk letting the true enemy--criminal hackers--stay one step ahead.

PINs are only useful to stop fraud when cards are lost or stolen--a small and rapidly diminishing portion of fraud overall. According to the Aite Group, the real and growing fraud threat--for which PINs offer no real solution--is from counterfeit cards and online transactions, which together account for 82 percent of card fraud and is being addressed by other security innovations.

In fact, no major data breach over the last few years could have been prevented with PINs. In the cases of Target, Home Depot, Michaels and others, hackers were able to steal consumer data by gaining access through retailers' own computer systems. But chips, which use cryptography to protect data when inserted into a card reader, would have stopped those hackers. There would have been no useful information for them to steal.

The October 1 date aims to speed up the transition to chip cards by shifting liability for what happens if a data breach takes place. Until now, banks have taken the lead in protecting customers and making them whole if their card data is stolen. But with so many retail data breaches, the seams in the payment system have started to show. Starting Thursday, the party that does not support chip technology--whether a bank or a retailer--bears the loss.

That's why banks are working around the clock to issue the new cards and why retailers are working to put new terminals in place. You may have seen them in some stores--you dip your card instead of swiping it. By better balancing the liability, the new system will incentivize everyone to use the best available technology.

And most importantly, nothing changes for consumers, who will still receive zero-liability protection from their banks in most cases.

Banks' state-of-the-art advancements in payment security--from tokenization (which is used in Apple Pay) to biometrics to point-to-point encryption--are being deployed now. Innovation is necessary to stay ahead of the hackers, and imposing PIN requirements would go in the wrong direction.

It's ironic that some retailers are insisting on PINs when the huge security lapses were from the lack of effective protections of their own systems. It's time we stopped talking about static protections and start talking about new ways we can all partner to counter fraud. We all benefit when we work together to protect our customers.

Frank Keating, former Republican governor of Oklahoma,is president and CEO of the American Bankers Association.