Heavy debit card use raises fraud alerts
Banks' credit option more vulnerable to hackers
Debit card use has soared in recent years, raising security questions for banks that promote the popular plastic.
For every $1 they spend, customers of Citizens Bank and TD Banknorth who tap the "credit" button at the cash register or sign a receipt get one reward point that can be redeemed for car rental discounts, clock radios, or other goods. But they don't get points if they tap the "debit" button and enter a personal identification number, or PIN.
Banks prefer the credit option for debit cards because they make more money in fees. For a $200 transaction, for example, they make $1.99 if the customer chooses "credit" and signs his or her name, according to one estimate, more than three times the 60 cents they make from customers who choose "debit" and enter a PIN.
Partly as a result of these incentives, signature transactions account for about 60 percent of all debit card us age.
But these credit transactions generate much more fraud than PIN purchases, studies show, since it's easy to fake a signature but hard to steal a PIN electronically. One study by Dove Consulting in Boston this year put fraud losses from signature debit card purchases at more than 12 times losses from PIN transactions - $245 million vs. $20 million.
The increasing fraud is drawing attention among analysts who follow the payment industry, following a growing number of cases in which hackers have accessed large batches of payment card information.
Banks and the two major card networks, Visa Inc. and MasterCard Inc., have been increasingly vocal about getting merchants to comply with security rules. Following a record-setting data breach at Framingham retailer TJX Cos., the Massachusetts Bankers Association, a trade group, filed a lawsuit in federal District Court in Boston alleging the company didn't take enough precautions against hackers.
But several security analysts say there's something to a TJX counterargument in a court filing recently that plaintiffs themselves are to blame for not pressing for tougher security rules. TJX didn't give many specifics, but outsiders say the filing is a reference to complaints retailers have made about the payment system in the past, such as the fees they pay when customers use payment cards.
"Banks are pushing for signatures where they can make more money, and at the same time they're saying TJX didn't do enough," said Aite Group's Gwenn Bezard, whose clients include many banks. Gartner Inc. analyst Avivah Litan said many banks "really are not that interested in secure payments" but rather are more focused on driving up fees by promoting signature transactions.
Credit cards lend consumers money for purchases and send them a bill at the end of each month. Debit cards subtract money directly from a customer's checking account for each transaction. Many consumers prefer debit cards as a budgeting tool, boosting debit card usage 12 percent annually. Bankrate.com counted 26.6 billion debit card transactions last year in the United States, versus 24.4 billion credit card transactions.
Merchants pay interchange fees to banks and other institutions that process purchases. Bezard estimates that in debit purchases verified with a customer's PIN, a merchant typically would pay 0.65 percent of the purchase price to the bank that issued the consumers' debit card, plus 12 cents, up to a maximum of 60 cents. If the consumer punched the "credit" button and signed for the deal, however, the fee rises to 0.92 percent of the transaction, plus 15 cents, with no maximum on the deal.
For a $42 transaction, the average amount spent in a signature purchase, the issuing bank would make 54 cents, compared with 39 cents if the customer had used a PIN. And because of the cap on PIN fees, the differences become much more pronounced for bigger purchases.
Some analysts and bank executives say the emphasis on signature transactions is justified. They note that banks and card networks have spent heavily to increase security of debit and credit cards overall with measures such as embedding hidden codes into the cards' magnetic stripes. Also, many merchants could do a better job of checking that consumers' signatures on receipts actually match the ones on the back of their cards. "I think the criminals have focused on the fact that some merchants don't protect data as well as they should," said Chris Allen, a Dove Consulting director in Boston.
Also, Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, said the higher fees some merchants pay for signature transactions are justified by more liability protections they receive from card networks against some types of fraud.
Whatever the case, banks are pushing signature debit programs more than ever, according to a recent bankrate.com survey that described offers like one from Citibank in New York that gives consumers more reward points when they sign than if they enter PINs.
The survey also noted the offers by Citizens Bank and TD Banknorth in Massachusetts. A spokesman for Citizens, Michael Jones, said one reason the bank offers rewards only for signature debit transactions is that 75 percent of customers were using that method when the company adopted a program first set up by Charter One, the Midwestern bank Citizens bought in 2004. "We know most of our customers chose signature-based transactions," Jones said.
A spokesman for TD Banknorth, Jeffrey Nathanson, said PIN transactions present their own risks such as the chance a criminal might spy on someone entering their number, and noted that the bank offers liability protections for both types of debit usage.
"At the end of the day, the financial risk of fraud falls mainly on the institution, so we have a financial interest in trying to minimize fraud," he said. "The notion we're encouraging people to use a riskier form of payment in order to generate revenue, we fundamentally don't believe that," he said.
Ross Kerber can be reached at kerber@globe.com. 