State AGs Rally for Chip-and-PIN
But is the Argument Moot When it Comes to Truly Improving Payments Security?
Attorneys general in nine states have added their voices to the debate over whether card issuers should move to chip-and-PIN as the rollout of EMV continues.
Connecticut Attorney General George Jepsen, along with eight other AGs, recently sent a letter to four leading U.S. banks and four card brands urging them to roll out EMV credit cards as chip-and-PIN, rather than chip-and-signature, which is the prevailing strategy.
The AGs note that the massive number of data breaches in the last year, payment card breaches among them, has put consumers at risk. If issuers implement chip-and-PIN, consumers will not "continue to pay the price for [banks' decisions for] settling for weaker standards," the AGs contend.
"Implementation of chip-enabled cards in the United States is imperative in order to provide stronger payment security and assurance to consumers," the letter states.
The Dusty Chip-and-PIN Debate
Clearly, the additional authentication provided by the PIN makes chip payments more secure. What's more, the argument card issuers and the card brands are using to justify not implementing PINs is weak. They contend that consumers would find the use of PINs cumbersome and inconvenient.
I believe the decision to move forward with chip-and-signature had much more to do with cost, concerns about interchange and transaction routing, and a need for speedy deployment in the market than it did with customer convenience.
Retailers are continuing to attempt to sway public opinion in favor of chip-and-PIN, arguing that it offers superior authentication to chip-and-signature and enhances security. And now nine state AGs have jumped on that bandwagon.
But it's time to accept the implementation of chip-and-signature, which is well underway, and focus on adding more layers of security through encryption and tokenization.
Chip cards, whether authenticated with signature or PIN, are far more secure than, and superior to, magnetic-stripe cards. Chip cards can't be counterfeited, and if they are lost or stolen, EMV-compliant merchants won't be liable for fraud. And PINs really only have an impact on reducing fraud in lost-and-stolen scenarios.
Besides, EMV is building a bridge for mobile payments, which don't need PINs for authentication. Mobile payment transactions are authenticated through device identification and biometrics.
Setting Priorities
Several analysts I talked to about the issue this week offer a similar point of view.
For example, Al Pascual, director of fraud and security at Javelin Strategy & Research, says politicians should be more focused on efforts to support stronger data security and breach notification than they are on the PIN versus signature debate.
"The value of EMV chip cards is in their resistance to counterfeiting, which is a multibillion dollar problem in the U.S.," Pascual says. "And it is here that neither PIN nor signature really matter."
Shirley Inscoe, a financial fraud expert at consultancy Aite, argues that the focus should be on a shift to mobile payments.
"Chip-and-PIN only adds the protection against lost and stolen cards to what chip and signature provides," she says. "But lost and stolen losses are very low compared to other loss types, such as counterfeit or card-not-present. ... If these officials are truly interested in protecting consumers, they should be asking banks to prioritize mobile payments and encouraging their constituents to switch to mobile payments. Mobile payments will not provide card information to retailers or merchants, so the data cannot subsequently be breached. This would better protect all parties involved."
EMV chip payments are likely to push more consumers and retailers toward mobile, adds Avivah Litan, a payments and fraud expert at the consultancy Gartner. And the benefit of mobile payments, such as Apple Pay, is that they can be authenticated without a PIN, "because they have the password of the cellphone plus the optional biometric," she says.
Nevertheless, she acknowledges that chip-and-PIN is "definitely more secure than chip-and-signature." Litan blogged back in October about the weak argument banks had made for not implementing chip-and-PIN.
Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation, portrays chip-and-PIN as nothing more than a temporary fix.
"As someone who's been critical of the 'chip and signature' decision, I'm solidly behind the AGs' request," Will says. "But just to put that into context, I would have way preferred that the U.S. industry leapfrog EMV completely - and the massive expenditure on card and terminal upgrades that EMV forces - and just start the migration to mobile, since that's clearly where the world is going. I've been saying that since 2008. The way I see it: Yes, we should have chip-and-PIN in the U.S., but it would basically be a Band-Aid.
So rather than focus on a Band-Aid solution, it's time to accept chip-and-signature and focus on adding additional layers of security, such as encryption and tokenization, until we make the transition to mobile payments.