Is U.S. Ready for Chip & PIN?

EMV Chip Cards Are Here, But Debate is About Security Vs. Cost
Is U.S. Ready for Chip & PIN?
Is the U.S. ready for chip and PIN payment card authentication? Or are American financial institutions and merchants too invested in current technologies to even consider such a move?

The chip and PIN debate has been re-ignited by two recent announcements:

  • United Nations Federal Credit Union (UNFCU), a $3.1 billion New York-based institution, is going to start issuing chip and PIN Visa-branded credit cards to its globe-trotting Platinum portfolio members who currently have trouble using U.S.-issued cards overseas.
  • Wal-Mart, the big box retailer, essentially drew a line in the sand at a recent industry event, where a spokesperson challenged the U.S. to migrate from its current magnetic-stripe cards, saying "It's time for Chip-and-PIN in the U.S."

Proponents say, indeed, it's time for the U.S. to adopt the EMV standard. EMV, short for the Europay, MasterCard, Visa standard, is the chip and PIN-based standard used to store card data as mandated by EMVCo. EMV has been adopted in virtually every part of the world -- including Canada and Mexico -- for the storing of payment-card data. One of the security advantages: EMV cannot be skimmed. ATM skimming has been a significant source of payment card fraud against U.S. institutions and customers.

But the U.S. maintains a vested interest in mag stripe-based cards and the devices associated with them, and industry experts don't foresee an imminent move to EMV.

"We have a very complex and fragmented payments card environment," says Viveca Y. Ware, senior vice president of regulatory policy for the Independent Community Bankers of America (ICBA). "Thousands of banks use various payments networks and third-party processors. Banks will have to ensure that their networks and processors have the capability of processing chip card transactions before issuing the cards. Millions of merchants will need to purchase and install new terminal hardware and make sure their processors have chip capability. It's very much a chicken-and-egg scenario."

UNFCU's Move: Serving Global Members
UNFCU's unique membership, which includes United Nations staff, specialized agencies, U.N. retirees and their families, illustrates why a move to EMV for U.S. cardholders made sense. The credit union saw an ever-increasing rate of mag-stripe card rejections for its members traveling overseas.

Merrill Halpern, card services manager for UNFCU, says the move to EMV is one the credit union has been contemplating for a couple of years as a way to enhance member services and improve security. UNFCU has signed with smart-card technology provider Gemalto to roll out EMV to the U.S. membership.

"(Card fraud) has been greater overseas," Halpern says. "And, again, because we're a U.S. financial institution and our members are so global, basically if there's any fraud scheme operating anywhere in the world, we're going to get it. ... Our mag-stripes are available to be skimmed wherever, as are any of the U.S. issuers'."

UNFCU's rollout includes only Visa credit cards, but Halpern says the institution's MasterCard debit portfolio could sometime in the future fall into the fold, depending on member feedback.

"We felt that in order to start this and get some hands-on experience that we needed to start with a small amount, so that we can handle it in a quality manner, and then be assured that everything was in order before we moved on to the other credit segments and eventually debit," Halpern says.

In a statement about the deployment, Visa says it expects both contact and contactless chip technologies to provide opportunities for the introduction of dynamic data into card transactions, which would be a critical advancement against fraud.

"Moving toward more dynamic data and away from static data is a key part of Visa's global security strategy," Visa says. "To the extent that more financial institutions decide to issue chip cards, either broadly or just to individuals that travel internationally, Visa is ready to support such deployments. Based on our many years of leadership supporting chip migration in other countries, there would be no barriers to Visa's ability to support chip in the U.S."

The EMV Advantage
Proponents say EMV-compliant cards are less prone to fraud than their mag-stripe counterparts.

According to First Data Corp., payment card fraud losses in the United Kingdom -- the first region to implement EMV -- dropped from 18 basis points to 12 basis points between 2001 and 2008 as a direct result of EMV adoption.

Further, APACS, the United Kingdom's payments administration, says the United States' reluctance to adopt the chip and PIN standard creates inherent vulnerabilities for U.K. cardholders. According to APACS:

  • Domestic card fraud in the U.K. dipped 32 percent in 2007;
  • But counterfeit card fraud jumped 46 percent that same year, "due to fraudsters copying U.K. cards and using these stolen cards in countries which do not yet have chip and PIN."

U.S. Reluctance: Cost, Convenience, Security
Despite UNFCU's move and Wal-Mart's call to action, industry experts don't foresee a sudden migration by U.S.-based institutions and merchants.

The transition to smart chip cards will be an "evolution, not a revolution," says ICBA's Ware.

The biggest barrier: the expense associated with replacing POS and card-reader hardware, in addition to the issuance of EMV-compliant credit and debit cards.

Javelin Strategy & Research estimates an EMV rollout across the United States would cost about $8.6 billion, including:

  • POS terminal replacements -- approximately $6.75 billion;
  • EMV card issuance -- around $1.4 billion;
  • ATM upgrades -- approximately $500 million.

Don Rhodes, director of risk management for the American Bankers Association, says UNFCU's decision will likely have little impact on other banking institutions.

"I really don't think it's a significant move for the broader U.S. financial-services industry," Rhodes says. "It's really indicative of this particular credit union's rather unique membership base. ... In considering this technology, I think all U.S. financial institutions -- banks as well as credit unions -- are concerned about customer convenience, as well as security and reducing card-fraud loss."

But Rhodes says other measures to combat card fraud in the United States, such as Verified by Visa and MasterCard SecureCode, have been relatively successful. Unless card fraud begins to spike, U.S. FI's aren't likely to make any significant investments in new technology.

"I think the jury is still out (on what the next card technology will be)," Rhodes says. "I think it may be too early to tell. I think that there have been some good card fraud reductions at the point of sale in countries that have adopted the chip and PIN technology. The problem is: That technology does not really do anything for card-not-present transactions, such as telephone, online or mail-order."

Card brands, as well as some of the country's larger institutions, will evaluate fraud trends to see if a change in card technology in the future is necessary, Rhodes says. "Cost, convenience and security are all three factors that the issuers as well as the brands and merchants have to look at."


About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.