In the midst of the Bears' ignominious defeat at the hands of the Packers, I saw a commercial advertising Visa's Superbowl for Life promotion. It's a sweepstakes. Users of Visa's signature debit and credit products are automatically entered with every purchase, but you can also enter by writing in. If you use a Visa PIN debit product (Interlink), however, you do not get a shot at the tickets.
The estimated odds of winning: 1 in 9,685,871,298. Compare that with the odds of having your identity stolen by using a signature debit product.
The loss rate (frequency * loss) is 3.75 times higher for signature debit than for PIN debit. (Other studies put it 7 times higher.) So for a one in 9.6 billion chance of getting Superbowl tickets for life, with an estimated retail value of $493,678, a consumer is quadrupling his or her chances of identity theft loss. That strikes me as a dubious bargain.
I've tried to back out the "cost" of a Visa lottery ticket. Assuming 15 signature debit transactions per month for 4 months (the duration of the sweepstakes) and an average transaction amount of $36.60 and a loss rate of 13bps, the average fraud cost per signature debit cardholder is $2.85. (The equivalent identity theft cost on PIN debit would be just 83 cents, based on $41.10 average transaction amount, 14.5 transactions/month, and 3.5bp fraud rate–I'm using the conservative numbers here).
So the real cost of entering the Visa lottery is about $2.00. Let's assume that the Visa odds are for a single entry, not for the typical cardholder's 60 entries. So we actually have 1 in 160 million odds. That's $2.00 to get a 1 in 160 million chance of winning half a million dollars.
Those are really crappy odds. You'd do better to play the state lottery (not that I recommend it).
California's MegaMillions costs $1 to enter, and the odds of winning the jackpot pari-mutuel are 1 in 175 million. The jackpot is currently at $63 million, and that has a present value (at a 5% discount rate) of about $18 million. So Visa is offering about 1/72d of the value of the California MegaMillions. And that's before figuring in the higher cost consumers pay for goods and services because of overpriced signature debit swipe fees. Priceless.
I mention all this because Visa has been arguing that network rewards are an important reason for letting consumers choose the network over which their debit card transactions are routed in opposition to the Fed's proposed Durbin Interchange Amendment rule-making.
This Visa argument is pretty silly from the get-go, as consumers don't choose what networks are on their debit cards (the bank does–the debit card comes with the deposit account), much less how the routing will go (more complicated, but a combination of the order of routing flags on the card and the networks handled by the merchant's processor).
But it's not just that the Visa argument is silly. It's actually dangerous. Visa's Superbowl for Life promotes the use of an inferior technology (signature debit) that poses real risks to consumers. Why? Because signature debit is more profitable for banks and by offering banks higher swipe fees, Visa is able to increase its transaction volume and hence its own revenue. Visa's PIN debit product, Interlink, has the highest PIN debit swipe fees around, but they're still less than Visa's signature debit swipe fees.
Yes, Visa has a "zero liability" policy, but let's get real about that. It's a vague network policy that is applied with the network's sole discretion. The consumer has no contractual privity with the network. The enforceability of the policy by consumers is dubious. In contract law terms, it appears that the "zero liability" policy is "mere puff". But like all Carbolic Smoke Ball puffs, it does make for great advertising.
Oh, the weirdest thing about this commercial: Visa's Superbowl for Life sweepstakes ended on December 31, 2010, and the winners were notified on or about January 10, 2011. So Visa's advertising on national prime time television for a non-existent sweepstakes. I don't know California sweepstakes law, but I've got to think this could raise some unfair and deceptive trade practices or false advertising issues…. (And note that there's no class action waiver or binding mandatory arbitration by entering the sweepstakes.)

Comments
11 responses to “Visa’s Identity Theft (I Mean Superbowl) for Life Promotion”
If the Lions hadn’t been gypped on the touchdown call at the end of the first game of the season against the Bears, erroneously ruled a non-catch, the Bears wouldn’t have won the division. Green Bay would have won the division, on a tie-breaker. The Bears would not even have qualified as a wild-card team. From my point of view, as a long-suffering Lions fan, Da Bears got what was coming to them.
The linked studies show that a given fraudulent debit card transaction is much more likely to be entered with a signature than with a PIN.
The post asserts, based on this, that a customer using the signature (instead of the PIN) therefore exposes himself to a greater risk of fraud. Does this follow? Unless we believe that a PIN transaction exposes you more to PIN fraud, and a signature transaction more to signature fraud, it does not. In either case, the card number and other magstripe data are exposed. It probably doesn’t matter much whether the signature is exposed, given that no one checks that (except possibly against the card, which, for a thief using a fake card, would obviously match regardless).
So in either case, enough information is exposed to permit a thief to put through a fraudulent signature transaction. It’s only when the customer enters a PIN transaction that he exposes his PIN; so from that standpoint, a PIN transaction is actually more dangerous.
And it’s not clear how the studies accounted for card-not-present transactions; but if those account for a significant fraction of the fraud, and if those are entered “like credit cards” (i.e., if they get lumped with “signature”), then that further skews things.
Of course, the pricing difference is a scam, that persists only because the merchant who’s paying it isn’t allowed to pass the cost along to the customer who decides. But that’s a separate question.
LTK: I take your point about the data quality issues with any debit card fraud study, particularly as signature debit can be used for CNP transactions, which tend to have high fraud rates. But common sense should say that signature is a much more vulnerable technology than PIN. It’s just simple math: one factor authentication will be weaker than two-factor authentication if there is a shared factor. I can go into a Starbucks and buy coffee using your signature debit card, irrespective of whether I know what your signature looks like. I can’t do the same with your PIN card unless I know the PIN. This isn’t to say that PIN is fail-safe, but if the cardholder takes reasonable protections, like not writing the PIN on the card and not using his/her birthdate, etc., and covers the PIN typing hand with the other one, it seems pretty secure. There might be problems with the data security once the PIN has been entered, but that’s another issue.
Greg Jones: Yeah, as much as I hate to say it, this Bears team was always kind of iffy. Never sure which Jay Cutler would show up, etc.
Your response still conflates two independent questions: whether it’s easier for a thief to enter a fraudulent PIN transaction or a fraudulent signature transaction; and whether a customer using his card legitimately exposes himself to a greater risk of subsequent fraud with a PIN or with a signature transaction.
It’s almost certainly easier for the thief to enter his fraudulent transaction with a signature, for the reasons that you cite above. But I don’t see any particular reason that a legitimate PIN transaction leaks less information than a legitimate signature transaction. There’s obviously nothing to stop a thief from eavesdropping on a legitimate PIN transaction, and using the stolen card details to enter a fraudulent signature transaction.
LTK: the data leak issue isn’t a PIN vs. signature issue. PIN vs. signature is simply authorization technology. If the data is stolen post-authorization (or even in transmission to authorization), there’s unlikely to be any PIN vs. signature security difference, but that’s because PINs are not designed to protect against theft of data in transmission. To accomplish that, you need end-to-end encryption and maybe some sort of tokenization.
Isn’t that the point? If there’s no meaningful security difference (i.e., if the customer doesn’t expose himself to a substantially greater risk of subsequent fraud with a legitimate signature transaction vs. a legitimate PIN transaction), then the “cost” of a customer’s choice to enter the lottery with a signature transaction is approximately zero, not $2.00.
There could be some other factor that I’m ignoring, that makes a legitimate signature transaction more dangerous in another way. But I don’t see any such mechanism proposed.
Or, you could mean that if everyone gave up on signature-based debit cards, then the banks would eventually get rid of the option, and everyone would benefit from the decreased fraud. That’s certainly true, but the customers are all choosing at the margin for their own personal gain. So it’s still in a rational customer’s interest to choose a signature transaction, if that gets him the lottery ticket, or the cashback, or the airline miles, or ….
There are plenty of reasons I always choose “Credit” (ie, signature or “offline” debit) when swiping my debit card. One, I get more time with my money (because there is no distinction between authorization and settlement on the PIN networks as there is on the offline/signature rails), as the signature transactions often take days to settle. Second, there is a meaningful distinction on the liability, despite your assertions to the contrary. Not just because the money takes longer to move on the offline/signature rails, giving me more time to spot defective merchandise or other chargeback triggers (we’ll put fraud aside for instant purposes), but also as a matter of federal law. Online/PIN transactions are not subject to the Reg Z/TILA protections that offline/signature transactions receive.
In my experience, the V/MC zero liability protections you dismiss above are actually functional (and V/MC requires that they be incorporated into the cardholder agreement), but more importantly are backed by the more functional $50 Reg. Z cap, as opposed to the less functional Reg. E protections that govern online debit. I believe Interlink also has a contractual “zero liability” policy, but presumably you’d not give that any weight either, and in any case it is backstopped by less favorable law.
And I question whether any of this implicates identity theft as your title suggests. The beauty of cards is that you can get a new one and move on. I’d shy away from retailers that take an SSN or DL#, because without those there isn’t much risk of ID theft.
Chris Phillips:
(1) The federal liability rules are the same for both signature and PIN debit. Both PIN/online debit and signature/offline debit are governed by Reg E/EFTA. Neither is governed by Reg Z/TILA. Reg E/EFTA is weaker, however, than Reg Z/TILA in terms of protecting consumers from unauthorized transactions.
(2) The Zero Liability policy is NOT incorporated in cardholder agreements. Take a look at agreements here. http://www.federalreserve.gov/creditcardagreements/Search.aspx
I looked at Citi, Chase, and CB&T agreements. Here’s the most complete language I’ve seen on this:
“You will not be liable for any unauthorized use that occurs after you notify us. You may, however, be liable for unauthorized use that occurs before your notice to us. In any case, your liability will not exceed $50.” That’s NOT the zero liability policy.
(3) I haven’t seen an account agreement that incorporates Interlink. I’d be happy to see one.
(4) Yes, you might get a little float from a signature debit transaction. But you can’t really rely on it. And that float is a pretty weak reason to use signature debit.
(5) Most of what we call identity theft is payment card fraud. But no one has a great definition of the term.
I agree that visa signatures are at high risk for identity theft for the consumer. We must keep our personal information and most importantly our signature.
The ID thief in this particular case was able to initially get away with it because the payday loan lender used Teletrack, a subprime credit bureau that doesn’t receive fraud alerts from the three major credit bureaus – Equifax, Experian and TransUnion. Mr. Davis even admitted that “fraud alerts aren’t always going to be bulletproof. There are areas where someone can still compromise your information.”
Wow, I haven’t seen an account agreement that incorporates Interlink. I’d be happy to see one, thanks for the share.