Fraud , Payments , Payments Fraud

Government Rolls Out Chip and PIN

But Will Banks Be Influenced by the Strategy?
Government Rolls Out Chip and PIN

As a result of President Obama's "Buy Secure" initiative, the federal government this month is kicking off its EMV rollout, which includes the issuance of chip-and-PIN cards for all federal employees and benefits programs.

See Also: 12 Top Cloud Threats of 2016

On Jan. 21, the U.S. General Services Administration announced that its SmartPay program, which provides credit cards for government employees, will begin its issuance of chip-and-PIN-enabled cards later this month. The rollout is expected to continue throughout the year.

The president announced his plan for EMV last October in the wake of high-profile card breaches, such as those that impacted Target and Home Depot. When BuySecure was announced, President Obama said he hoped the example the government was setting in moving to EMV would help to speed adoption of chip cards throughout the U.S. (see What's the President's Influence on EMV?).

Under BuySecure, the federal government will start issuing chip cards for Direct Express as well as SmartPay. Direct Express is the federal debit card program used to distribute benefits, such as for Social Security, Supplemental Security Income, as well as programs for veterans and others. No timeline for the Direct Express rollout has yet been announced.

Additionally, all POS terminals located in federal government locations, such as national parks and passport offices, are being upgraded to accept chip payments.

SmartPay Rollout

The GSA says the federal government will issue more than 1 million EMV-enabled credit and debit cards to employees by the end of the year. Dynamic data authentication standards for chip transactions will be used by all three of the banks - JPMorgan Chase, Citibank and U.S. Bancorp - that issue cards for SmartPay.

But Cara Battaglini, communications director for the GSA, says not all SmartPay transactions will be required to be conducted via chip-and-PIN. That's because many U.S. merchants are not yet equipped to accept chip transactions. As a result, all of the government's EMV chip cards will have magnetic stripes as well.

"If the merchant has a chip terminal, however, the transaction will require a PIN," she stresses.

PIN vs. Signature

Experts have questioned how much impact the government's chip-and-PIN initiative will have on other U.S. issuers, which for now are primarily focusing their attention on implementing chip-and-signature transactions.

Many banks contend that requiring consumers to enter PINs for credit transactions will be confusing, because credit transactions now only require a signature for authentication. What's more, they say the addition of the PIN will not have a great impact on reducing fraud, because the PIN only address lost and stolen-card fraud.

But retail groups have criticized banks and credit unions for taking that stance, noting that chip-and-PIN is much more secure than chip-and-signature. They argue that card issuers are using the consumer resistance argument as an excuse for not making additional investments to enhance their processing networks to accommodate PINs for credit purchases.

Retailers: PINs are Essential

Unless U.S. card issuers deploy EMV-compliant chip cards that require PINs for transaction authentication, little progress will be made in fighting card fraud, contends Mark Horwedel, CEO of the Merchant Advisory Group. He's hopeful that the government's leadership on the use of chip-and-PIN will lead banks and credit unions to change their approach.

"We believe it is a significant development when ... the U.S. government weighs in heavily on the side of PIN," he says. "We believe any objective party would easily reach the common sense conclusion that two-factor authentication is superior to one, and that signature is a worthless process that costs American consumers and merchants lost time and money."

On Jan. 12, Sen. Mark Warner, D-Va., a member of the Senate Banking Committee, questioned federal banking regulators about why card issuers were not following the federal government's lead by requiring banks to implement chip-and-PIN.

"I remain puzzled why many of the financial institutions your agencies oversee continue to issue and encourage use of chip-and-signature cards for the U.S. economy when better anti-fraud technology and authentication measures exist and, indeed, are prevalent in other countries, particularly the major economies," Warner notes in a letter to federal banking regulators.

Fraud expert Avivah Litan, an analyst at the consultancy Gartner, says that in other nations where chip-and-PIN is standard for EMV, card-present fraud has dropped significantly.

"It's very significant that the U.S. government is making a strong statement around the use of PINs with chip cards," she says. "The use of PINs reduces fraud on debit cards by 700 percent, so it just makes a lot of good common sense that card issuers should issue chip and PIN, rather than chip and signature cards for all types of cards - i.e. debit, credit, and prepaid. Consumers have no problems using PINs on their ATM or PIN debit cards - I just don't buy the argument that they will have trouble using PINs on their chip cards."

A Different Case for the U.S.?

But other payments experts say the government's move forward with chip-and-PIN technology likely won't lead to more banks following the same path.

Despite the government's push for chip-and-PIN, most of the EMV rollouts by U.S. banks and credit unions this year still will be chip-and-signature, predicts Julie Conroy, a financial-services analyst for consultancy Aite.

"Quite frankly, I don't see this [government initiative] having much of an impact on mainstream cards," Conroy says. "GSA cards don't face the competitive pressures that general-issuance credit cards do. They are used for a specific purpose, therefore not subject to the competitive struggle for top-of-wallet position."

Conroy says many card issuers also question the fraud-reduction benefits of chip-and-PIN versus mere chip-and-signature.

"They look at the opportunity to address the small proportion of fraud that is associated with lost and stolen card fraud, which is all the PIN helps with, versus the risk of going to the back of the wallet by having a more difficult user experience. The business case becomes a no-brainer for chip-and-signature, particularly when you look at the adjustments criminals have made in other countries to compromise the static PIN, and the fact that PIN-based fraud has risen back to the levels they were at before introducing chip and PIN."


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network