Target Rolls Out Chip & PIN CardsU.S. Breach Poster Child Avoids Chip & Signature for Its REDCards
See Also: 2016 State of Threat Intelligence Study
"We are in the process of reissuing all of our REDcard credit and debit cards [as] chip-and-PIN cards," spokeswoman Molly Snyder tells Information Security Media Group.
Target says it opted to use PINs - rather than signatures - for its EMV-compatible cards because of the extra security offered by PINs. "Requiring a PIN offers an additional layer of security to help protect against someone using your card if it is lost or stolen," the company notes in a related FAQ. "Using a PIN instead of a signature for transactions adds an extra layer of protection for our guests against fraudulent purchases."
The retailer first announced the move in 2014, noting that "the REDcard portfolio includes proprietary Target debit and credit cards in addition to Target-branded Visa cards, which will move to MasterCard as part of the plans."
Target says it began sending the new MasterCard chip-and-PIN cards to cardholders in August and plans to complete that process by the spring of 2016. It says that anyone who forgets their card's PIN code can reset it by calling a toll-free number or by using Target's REDcard website.
The retailer's REDcards are issued by TD Bank USA, which says that its own TD Bank-branded cards will - mostly - be chip-and-signature-based. "TD Bank is issuing chip-enabled debit and credit cards that require chip and signature at the point of sale," says bank spokeswoman Amber Lutz. "This approach aligns with the U.S. payments industry standard, and will provide a better shopping experience for our customers." But the bank says it is also now beginning to offer TD Commercial Plus chip-and-PIN cards aimed at its commercial customers who travel internationally.
Target's move is notable because the vast majority of card issuers in the United States have chosen to issue EMV-compliant chip-and-signature cards rather than using PINs, which are standard in other regions where payment cards that comply with the EMV standard are in use (see EMV Struggle: 7 Lessons from Europe).
Other U.S. PIN adoptees include just a handful of small banks, plus the U.S. government, which, thanks, to President Obama's "Buy Secure" initiative, has been issuing chip-and-PIN cards for all federal employees and benefits programs (see Government Rolls Out Chip and PIN).
Merchants Want PINs
The widespread adoption of chip and signature in the United States has come despite merchants' organizations urging card issuers to adopt the stronger chip-and-PIN option, arguing that it's retailers' brand names that get dragged through the mud when they suffer a payment card breach. Likewise, an Oct. 8 FBI alert urged consumers to choose chip-and-PIN cards whenever possible. After catching flak from card issuers, the FBI retracted that alert, issuing an updated alert on Oct. 13 that omitted some references to PINS and included the following warning: "Although EMV cards provide greater security than traditional magnetic strip cards, an EMV chip does not stop lost and stolen cards from being used in stores, or for online or telephone purchases when the chip is not physically provided to the merchant."
Implementing EMV without a PIN will lessen EMV's impact on U.S. fraud, contends Liz Garner, vice president of the Merchant Advisory Group.
For that reason, U.S. card brands that chose a chip-and-signature approach made a "strategic mistake," argues Tom Wills, who's a director at consultancy Ontrack Advisory. "The rationale given for not requiring the PIN is concerns that cardholders would be confused at having to use PINs on credit cards, which they're not used to, and for having to memorize multiple PINs for the different cards in their wallet. That's absolutely not true, as demonstrated in Europe, where people have been happily using their PINs every day for some years already."
Target's news follows the Oct. 1 EMV liability shift in the United States, which will make merchants that have not adopted EMV-compatible point-of-sale systems liable for any fraud they incur. Nevertheless, poor awareness about the liability shift - especially by small and medium-size organizations - as well as many larger organizations' cost-related concerns means that the majority of U.S. merchants are not yet EMV-compliant (see EMV Rollout: Are We There Yet?). Furthermore, card issuers and card brands have yet to replace all of their legacy magnetic-stripe payment cards with cards that sport an EMV-compatible chip, and experts say it may take several more years before that effort is complete.