Payment card security revamp becoming chip vs. PIN tussle

National Retail Federation says quickest way to boost security is to require PINs for all credit-card transactions

Industry efforts to shore up payment card security after the massive data breach at Target appear to be devolving into a battle over chip vs. PIN technology between retailers and credit card companies.

MasterCard and Visa want all U.S. retailers to install payment terminals capable of accepting Europay MasterCard Visa (EMV) smartcards by October 2015 or face increased breach liability exposure.

EMV chip cards are used widely around the world and are considered much safer than magnetic stripe cards, especially when used in conjunction with a Personal Identification Number (PIN).

However, retailers, which have to bear the bulk of the migration costs to EMV, say it's possible to improve U.S. payment card security quickly by simply implementing a mandatory PIN requirement for all credit and debit card transactions.

Just as PINs are required to withdraw money from ATMs, PINs should be required for all payment card transactions, they say.

"Protecting all cards with a PIN instead of a signature is the single most important fraud protection step that could be taken quickly," the National Retail Federation said in a statement Wednesday before the Senate Committee on Commerce, Science and Transportation.

"It's proven, it's effective, and it's relatively easily implementable," the statement said, pointing to the ubiquity of PIN debit card use worldwide. "Chip is a desirable add-on. If speed of implementation is of importance, then substituting PIN for signature is preferable to implementing chip."

The NRF noted that one of the biggest problems with payment card security in the U.S. is that card companies only require a signature for a credit card transaction. PINs have proved to be a far better method for authenticating the identity of a user and are better for reducing fraud than signatures.

"PIN transactions have one-sixth the amount of fraud losses that signature transactions have," the NRF told the Senate committee. Yet, card companies have refused to make it a requirement because they can collect more fees with signature-based transactions, the NRF claimed.

EMV chip cards would be a step in the right direction, the trade group conceded, but only if the cards are used along with a PIN.

In the U.S., neither Visa nor MasterCard insists on a PIN authentication requirement for smartcards. Instead, cardholders will be able to authenticate their identities with a signature, as they currently do with magnetic stripe cards.

Visa has noted that adding a PIN requirement will add substantially to the cost of the EMV migration and the time needed to get it done. The company has said that chip cards, even without a PIN, are substantially safer than magnetic stripe cards.

The NRF and other retail groups maintain that using a chip card without a PIN detracts from the fraud-prevention benefits of chip technology. Merchants would spend billions of dollars to install EMV-compliant card readers but neither merchants nor consumers would fully benefit from the technology.

"We would essentially be spending billions to combine a 1990s technology (chips) with a 1960s relic (signature) in the face of 21st century threats," the trade body said.

An NRF spokesman on Wednesday insisted the trade group, which represents tens of thousands of merchants worldwide, is not saying there's no place for smartcards. "We are simply saying that PIN is most desirable. The card companies have insisted that PIN adoption would slow down the transition. If that is the case then simply go to PIN instead of in addition to chip," he said.

Other technology approaches like end-to-end encryption and tokenization also offer substantial fraud-prevention potential at a lower cost and with less risk of being locked into a proprietary approach like EMV, the NRF told the Senate Committee on Wednesday.

The debate over PIN versus signature authentication has a lot to do with money, said Avivah Litan, an analyst at Gartner.

"It's all about the banks wanting to maximize revenue," Litan said. "When a PIN is entered, they earn lower fees from the merchants. It's absolutely nonsensical that the banks would advocate for a less secure approach. It's all because they want to maximize the amount of money they make off the merchants."

This is not the first time that U.S. merchants and credit card companies have been at loggerheads over payment card security.

Groups like the NRF maintain that merchants are required to bear an unfair share of the costs of shoring up credit and debit card security and the cost of fraud that results from data breaches like the one at Target a few months ago. By some estimates, merchants end up paying 90% of the cost of unauthorized transactions compared to 10% by financial institutions, the NRF said, pointing to a 2009 analyst report.

Despite this, retailers have little voice in how credit and debit card data and transactions need to be protected and are instead at the "mercy of the dominant credit card companies," the trade group said.

Visa and MasterCard did not immediately respond to a request for comment.

This article, Payment card security revamp becoming chip vs. PIN tussle, was originally published at Computerworld.com.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
