Visa and MasterCard are using security measures prone to fraud, putting retailers and customers at risk of thieves, Home Depot says in a new federal lawsuit.

Share story

ATLANTA — Visa and MasterCard are using security measures prone to fraud, putting retailers and customers at risk of thieves, The Home Depot says in a new federal lawsuit.

It’s the latest large retailer to raise the security concerns, with a lawsuit filed this week in U.S. District Court in Atlanta. Last month, Arkansas-based Wal-Mart Stores sued Visa Inc. over similar issues.

Atlanta-based Home Depot says new payment cards with “chip” technology remain less secure in the U.S. than cards used in Europe and elsewhere in the world.

Even with chips, U.S. cards still rely on customers’ handwritten signatures for verification, rather than more secure Personal Identification Numbers, or PINs, Home Depot maintains.

“Regardless of how the cardholder’s identity is confirmed, the chip makes data much more secure, rendering it almost useless to create fraudulent cards or transactions,” MasterCard spokesman Seth Eisen said in a statement Wednesday.

MasterCard received the court filing Tuesday and is still reviewing it, Eisen said.

“We are aware of the complaint and will respond in due course,” a Visa spokeswoman said in a statement Wednesday.

A central issue in Home Depot’s lawsuit: Its accusation that Visa and MasterCard are conspiring to prevent adoption of more secure technology in order to maintain market dominance and profits.

“For years, Visa and MasterCard have been more concerned with protecting their own inflated profits and their dominant market positions than with the security of payment cards used by American consumers and the health of the United States economy,” Home Depot states in its 138-page lawsuit.

About 80 nations use cards with chips, and most of them — including England, France and Australia — also require a PIN, Home Depot said.

“Such cards offer an extra layer of security beyond the chip itself, by requiring the user to enter a four-digit PIN, thereby ensuring that the individual using the card is the card’s owner,” Home Depot states in its lawsuit.

“Signatures can be copied or forged, and cashiers are not handwriting experts trained to identify forged signatures.”

As a result, U.S. consumers and merchants such as Home Depot pay fraud-related costs that are “unrivaled in the rest of the industrial world.”

A chip in combination with a PIN is a form of “two-factor authentication,” said Craig Piercy, director of the online master of internet technology program at the University of Georgia’s Terry College of Business.

“It basically means that you have something with you — usually a physical thing — and something that you know. Both together are required to authenticate a user.”

Home Depot was targeted in a wave of data heists that began with Target’s pre-Christmas 2013 attack.

Home Depot’s 2014 data breach at stores in the U.S. and Canada affected 56 million debit and credit cards, far more than the attack on Target customers.

Hackers also stole 53 million email addresses from Home Depot customers.

Home Depot pushed hard to activate chip-enabled checkout terminals at all of its stores after the 2014 attack.

While common in Europe and outside of the U.S. for more than a decade, chip cards have only recently started seeing broader acceptance in the U.S.

Cards with chips, which issue a one-time code each time a transaction is processed, are far more secure than the 1960s-era magnetic-stripe technology that many cards still rely upon.

But the rollout has not been as smooth as banks and credit-card companies had hoped. Due to the cost of upgrading their equipment to accept the new chip cards, many merchants have not yet done so.

Even with chip technology, the lack of PIN requirements in the U.S. could lead to rising fraud in the future, as more transactions shift online where no physical card is presented, Home Depot said its lawsuit.