Chip and PIN Not a Cure-AllWe Need Retail Card Security Oversight, Buy-In from Card Brands
See Also: You've Got BEC!
Retailers tout the benefits of a shift from magnetic stripe cards to chip and PIN, using the EMV, or Europay, MasterCard, Visa, standard. Meanwhile, bankers push for shared fraud risk and more stringent regulatory oversight of the security practices of retailers (see Retail Breaches: Congress Wants Answers).
Card issuers have been reluctant to issue EMV debit cards, at least in part, because of ongoing debates with retailers over interchange fees.
The group we haven't heard from is the one with the most insight - the card brands. The card brands, not the retailers and banks, should be answering questions about why card fraud continues to grow.
So where are Visa, MasterCard, American Express and Discover?
Well, for the most part, these leading brands have stayed out of the debate, leaving groups such as the National Retail Federation and the American Bankers Association to fill in the gaps.
Visa and MasterCard
Chris McWilton, who oversees North American markets for MasterCard, on Jan. 30 provided an opinion piece to CNBC News supporting the U.S.'s migration to chip cards that conform to EMV (see MasterCard Exec: It's Time for EMV).
McWilton wrote: "This migration is about an upgrade that will drive both innovation and security for all parties, most importantly for consumers and cardholders. ... For too many years, different parties have relegated the EMV migration decision to a cost vs. benefits spreadsheet analysis. However, spreadsheets don't consider the cost of losing the public trust, which is immeasurable."
But the card brands have failed to push EMV, as well as support an infrastructure and payments culture that encourages collaboration among retailers and banks.
While Visa and MasterCard have tried to cater to the business needs and desires of the retailers and the banks, they have failed to adequately address security, and they have subsequently allowed the United States to become a prime target for card fraud.
A series of Congressional hearings kicked off on Monday to examine exactly why and how payments security failed to protect cardholder data compromised during the recent malware attacks against Target Corp. and Neiman Marcus (see Finger-Pointing at Breach Hearing).
Amidst all of this, there has been a lot of finger-pointing. The retailers blame the banks for not pushing the market forward by issuing chip cards that conform to EMV. The banking institutions blame retailers for not taking proactive steps to enhance card security.
An Interchange Issue
During Monday's Senate hearing, the National Retail Federation's Mallory Duncan stressed why EMV would have prevented card data from being exposed during the Target and Neiman Marcus breaches.
"Fraudsters rely on our system being so porous," he testified before the Senate Banking Committee's Subcommittee on National Security and International Trade and Finance. "What's needed is for networks and banks to issue cards that are not so easily compromised."
I think we all agree mag-stripe security is failing. But it's not fair to point the finger at the issuers.
What retail groups have failed to mention is that card issuers have been reluctant to issue EMV debit cards, at least in part, because of ongoing debates with retailers over interchange fees.
On July 31, a U.S. District Court overturned the Federal Reserve's offer of an interchange incentive for banking institutions that enhance their debit fraud protections (see Will Court Ruling Hurt EMV Rollout?).
With the incentive, card issuers that rolled out EMV or some other system to enhance debit fraud prevention would be eligible to receive 24 cents per debit transaction from the networks (see The Fed's Impact on Fraud Funding).
But the court ruling has left questions unanswered about funding for EMV rollouts. The Fed is expected to appeal.
Many issuers tell me they aren't letting the ruling stop their migration planning. And Randy Vanderhoof, executive director of the Smart Card Alliance, says "interchange is not an EMV issue."
Movement to EMV
Movement toward EMV on the credit side already has begun. Most, if not all, of the leading U.S. banks have issued chip cards for their credit portfolios. Full adoption on the debit side is more complicated because of the diversity of debit networks and the differing interchange fees associated with transactions on those networks.
I agree that a shift to EMV is smart, but we have a lot of details to iron out first. And getting all the various debit networks onboard is just one of the concerns.
The U.S. payments infrastructure is dynamic and complex, and we have competing interests at play here.
What I found most interesting at the Congressional hearings held Feb. 3 and 4 was the lack of discussion of standardization of security practices for retailers.
As the ABA's Steve Kenneally points out, ensuring security across the payments chain has to be a priority.
The Payment Card Industry Data Security Standard is not enforced uniformly. And being PCI compliant does not guarantee security among retailers.
"Banks are highly regulated," Kenneally says. "They have requirements they have to meet, and they are examined regularly by the agencies to make sure they are following the regulations. On the flip side, it's a lot less clear what regulations and rules and standards [merchants] have to follow and who's checking to see that they're actually doing it."
Banks are definitely more secure than retailers. And let's face it: When a breach occurs, it's the banking institutions that are often the first to detect it. They should not have to shoulder this responsibility alone.