CLEVELAND, Ohio -- On the eve of the big rollout of credit cards that contain computer chips, a Federal Reserve governor said chip cards that require only a signature may not be safe enough.
But in Greater Cleveland, virtually all banks, including KeyCorp and PNC, are issuing credit cards that only require a signature, not a PIN or any other authentication.
The adoption of EMV chip cards in the United States " represents an important step forward," Jerome Powell, who's a governor on the board of the Federal Reserve, said in a speech last week.
EMV stands for Europay, MasterCard and Visa, which collaborated to adopt the cards two decades ago. The chip cards and the point-of-sale terminals to read them are the norm in Europe, Asia and Africa. Banks and merchants that don't issue or accept chip cards by October will be liable for any fraud, per requirements from MasterCard, Visa, American Express and Discover .
Chip cards protect consumers against data breaches and counterfeit cards. Chip cards are safer than cards with magnetic strips because the information you need for an in-person purchase is stored in the chip and isn't visible to someone looking at your card.
Further, each purchase is authenticated individually and that authentication code can't be re-used. So even if your payment information is stolen as part of a breach like those at Target and Home Depot, it can't be used to create a usable counterfeit card.
Your account is vulnerable, however, if you lose a chip card that requires only a signature, because a thief can scribble anything on the receipt or signature pad and there's virtually no chance it will be flagged.
But if the cards required a PIN, a lost card wouldn't be as problematic and it would provide another layer of security (if only peace of mind) in case of a data breach.
Powell of the Federal Reserve said credit cards with computer chips and signatures are nice. "But we should not stop there," he said.
"For many years, traditional authentication methods like signatures and static passwords have been used to verify that an individual is authorized to initiate a payment," Powell said. "New approaches to authentication increasingly offer greater assurance and protection.
"Given the current technologies that we have at our disposal, we should assess the continued use of signatures as a means of authenticating card transactions," Powell said, adding that "it is important to layer security tools and procedures. Methods to devalue payment data, like tokenization and encryption for data at rest, in use, and in transit, mitigate the effect of a data breach."
"Powell's words echo what retailers have been saying all along, which is that outdated technology has been putting American consumers at risk for far too long," the Retail Industry Leaders Association said in a statement, adding "chip-and-PIN card technology is the most secure standard of payment."
But the vast majority of banks are going for "the least complex, least costly path," said Randy Vanderhoof, executive director of the Smart Card Alliance of New Jersey, a not-for-profit, multi-industry association that promotes payment technology.
That means credit cards with signatures, not PINs.
At Huntington, the bank is in the process of converting its cards to chip technology with signatures, said spokesman Bill Eiler.
"We agree that additional layers of identity verification are a helpful tool to prevent fraud," he said, adding that the bank is "exploring additional options to improve security" at the point of sale and with online transactions.
At KeyCorp, however, the bank is using chip and signature technology for credit cards because that's what customers want, said spokeswoman Drez Jennings.
"Customer preferences drive our decisions, and in this case, customers told us that while they appreciate the additional security EMV cards provide, they are accustomed to signing credit card receipts," she said.
Key will use signatures for credit cards and PINs for debit cards. "We want banking to be easy, and that means making the card transition for our customers as seamless as possible," Jennings said.
PNC is also issuing chip credit cards with signatures, not PINs. "This is an industry evolution and we are moving with the industry," said spokeswoman Marcey Zwiebel.
"Right now the infrastructure is in place to support chip and signature. We can't speculate about when there may be infrastructure in place to support chip and PIN," Zwiebel said, adding that it's industry driven.
Fifth Third spokeswoman Laura Trujillo agreed that chip-and-signature is the standard for credit cards, but said the bank will "keep assessing the viability" of other security options.
Back at the Smart Card Alliance, Vanderhoof said chip-and-signature cards will help make a huge dent in credit card fraud and reduce the likelihood of future large-scale data breaches. Thieves will be less likely to try to steal information if it can't be used to commit fraud.
Stronger authentication besides signatures are available, including PINs and biometrics, and can help with lost or stolen credit cards, Vanderhoof said, but lost and stolen cards are a less serious problem than stolen account numbers and counterfeit cards.
And, the nation should walk before it runs. Chip cards are new.
"There is no compelling business reason to rush to choose which authentication approach will be best for the U.S. market in the future," Vanderhoof said, "while we are still focused on getting the entire market to adopt chip cards that is proven for solving the counterfeit problem that is pervasive today."