The Fraud Blog with Tracy Kitten

Bankers: Retailers Are Wrong About EMV

But Some Admit Resistance to PIN Is About Time and Money
Bankers: Retailers Are Wrong About EMV

An interview I conducted this week about why retailers say shifting to EMV credit cards without the PIN is a fruitless fraud-fighting effort spurred a debate among our readers about what needs to be done to ensure ongoing security of U.S. card payments.

See Also: How to Take the Complexity Out of Cybersecurity

In a comment posted about the interview, one reader, using the handle OneEyeOpen, contends that retailers are merely using the chip-and-PIN versus chip-and-signature debate as a way to shift attention from their own "lax" security practices.

"Retailers, by and large, are LAX, yes I said it, LAX, in their control of payment data," OneEyeOpen writes. "If FIs (banks and CUs) stored data with as much reliability as the merchants, our payment system would be non-existent. ... If the merchants accepted their security deficiencies and worked with the banks and FIs [financial institutions] and payment card industry, we would actually get somewhere and SOON. But instead, we are left to scramble for interchange that merchants are trying to hammer out of our pockets."

Also fueling the discussion is an article published earlier this week in The Wall Street Journal about why chip-and-PIN transactions are widely deemed superior for security when compared with signature-based transactions.

A majority of U.S. card issuers, including the country's leading banks, such as JPMorgan Chase and Bank of America, have decided to launch their EMV credit card programs with only signatures for authentication at the point of sale, rather than the entry of a PIN, which is customary in most EMV-compliant markets.

Most U.S. banks and credit unions say they have opted for signature-based EMV credit transactions because they don't want to confuse consumers who are accustomed to entering PINs only for debit purchases. But retailers argue that's not the case, and that banking institutions are merely trying to get around implementing stronger technology and infrastructure that can sustain PIN-based purchases.

Mark Horwedel, the CEO of the Merchant Advisory Group, told me in this recent interview, which spurred all of the debate, that the additional authentication layer provided by the entry of a PIN would have a huge impact on reducing fraud.

"Visa and MasterCard in other parts of the world are huge advocates of using the PIN," Horwedel said. "But here [in the U.S.], the banks' argument is that customers are not accustomed to using PINs on all transactions at the merchant point of sale."

Horwedel contends that argument is hollow: "I think the reality is that most banking systems can't handle both chip and PIN."

Card issuers' reason for not requiring PINs, he claims, is that they don't want to make big investments to upgrade their systems to accept and process credit transactions, which currently only require a signature.

Readers React

Horwedel's statements generated reaction from the banking community, which is largely in support of using only signatures for authentication of EMV credit transactions.

Gregory Albano, in a Jan. 6 comment posted to Horwedel's interview, says Horwedel's views are "very one-sided."

"The PIN only addresses fraud when the card is lost or stolen, and in the U.S. market, lost-and-stolen fraud is very small in comparison with counterfeit card fraud," he writes. "Also, as we looked at other geographies - and our research has substantiated this - as you see these geographies go chip-and-PIN, the lost-and-stolen fraud dips a little bit, but then the criminals adjust. So, in the U.K., the lost-and-stolen fraud is now back above where [it] was before the migration. The criminals there have adjusted, and that increased focus on capturing the PIN gives them more opportunity, because if they do figure out ways to compromise that PIN, then they can perpetrate ATM fraud and get more bang for their buck. ... As you weigh that potential for attrition versus the potential to address the relatively small amount of fraud that is lost-and-stolen fraud, the business case for chip and signature is really a no-brainer."

Another commenter, Jack Thomas, suggests the real problem retailers have with signature-based credit transactions is that they aren't making money on interchange.

"Most in the FI world see big-box retailers as competitors [that are] trying to squeeze every dime out of interchange and offer our services without the security they deserve yet turn around and want the FIs to pay for secure technology themselves," Thomas writes.

Another Point of View

But Merrill Halpern, assistant vice president of card services at New York-based United Nations Federal Credit Union, a U.S. pioneer in the use of EMV-compliant chip cards, tells The Wall Street Journal that signatures alone are not enough.

UNFCU has been issuing chip-and-PIN credit cards since 2010, although the credit union has yet to issue EMV chip-and-PIN debit cards (see EMV and the U.S.: Member Convenience Drives Change) .

"We should be doing the most we can to fight fraud, and the only way to send that message is to stand clearly behind chip-and-PIN," he tells The Journal.

In a separate statement provided to me on Jan. 6, Halpern says: "Issuers who are concerned about maximum security and the ability for cardholders to make offline PIN transactions at unattended terminals (often in Europe) typically opt for chip and PIN. Issuers who seek a speedy implementation, which meets the minimum requirements of the card associations for 4Q 2015 [the fraud liability shift date] may opt for chip and signature, and avoid the time and overhead of issuing PINs."

All major card brands have set October 2015 as the liability shift date for fraud that results from U.S. card transactions that are not EMV-compliant. After that date, the card issuer or retailer that is not EMV-compliant will be responsible for fraud losses that result from counterfeit card use.

Banks: PINs Could Confuse Customers

Some banking groups have argued that changing consumer habits is going to take time, and that asking cardholders to conduct credit-card transactions with PINs will be too much of a shift to expect in the beginning. After all, consumers will already be undergoing a major shift by having to learn how to use their chip cards, which will interact differently with POS devices than current their legacy magnetic-stripe cards.

But the resistance to chip and PIN is really all about cost.

It would be costly for most banks and credit unions to upgrade their systems to accept PINs for credit transactions before the October 2015 liability shift date. That's why so many banks are pushing to make EMV-credit transactions signature-based - at least for now.

One reader who commented on Horwedel's interview suggested banking institutions should give consumers a choice about whether to use PINs or signatures for their credit transactions. And that sounds like a good idea to me.

In fact, Halpern says some of the country's largest card issuers are already planning to introduce software that can be used to deliver PINs to enrolled mobile devices via SMS that can be used to authenticate EMV card transactions.

That's a good sign, and one that suggests banks are already thinking about the next steps they need to take.



About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.