Chip-and-PIN adoption still slow

The “chip-and-PIN” credit card system is more secure than the legacy “swipe-and-signature.” But adoption of the new system remains slow — many small merchants find the cost of upgrading more significant than the increased liability risk from fraud.

Supposedly, credit card transactions in the U.S. were going to become considerably more secure by last Oct. 1 – the deadline for merchants and card-issuing banks to be ready to process so-called “chip-and-PIN” cards instead of the legacy “swipe-and-signature” kind.

Some of them are – estimates of the percentage of merchants now equipped with the new terminals range from 17 percent to 37 percent. But even the high estimate isn’t what most people would call “critical mass.”

And if the reality is closer to the low end, that means, as security blogger Brian Krebs put it in a post last month, “U.S. consumers currently can expect to find chip cards accepted in checkout lines at fewer than one in five brick-and-mortar merchants.”

And even those one-in-five transactions are likely not what was envisioned – many merchants, even if they “dip the chip,” are having the customer sign the receipt rather than validate it with a PIN.

That mystifies Sami Lane, chief technologist at CloudPassage, who said the decision by banks not to require the PIN, “must mean they think consumers are too dumb to do it.

“I think it was a tactical error,” he said. “What it means is if you lose your card, somebody else can still use it. There’s no extra protection.”

Lane, Krebs and others are also wondering why the overall transition to what is also known as the EMV (Europay, MasterCard and Visa) standard is so slow.

The deadline could not have come as a surprise. Visa announced the impending shift from “swipe-and-signature” cards in August 2011, more than four and a half years ago. The EMV Migration Forum was created by the Smart Card Alliance in July 2012.

It is not new, cutting-edge technology either. EMV, which makes it more difficult to steal credit card data at point-of-sale (POS) terminals, has been in use in Europe for more than a decade.

And while last October’s deadline for the shift to occur was not a legal mandate, it puts merchants at much higher risk of having to eat the cost of fraud. If a customer presents a chip-enabled card, but the retailer processes it as a swipe-and-signature transaction, the merchant, not the issuing bank, is responsible for the cost of any resulting fraud.

Yet, even facing that risk, merchants are slow in adopting the not-so-new technology.

Why? There are a number of reasons. Krebs, in his post, pointed to a column by Allen Weinberg, co-founder of consulting firm Glenbrook Partners, who offered several.

  • The new system creates “friction” in the checkout line – each transaction with a still-unfamiliar technology takes longer, and merchants don’t want their lines moving too slowly. They would rather customers be “trained” at somebody else’s store.
  • It is tough for smaller businesses to afford the expense and time it takes to install the new terminals, which include much more complicated software.
  • The new terminals have to be certified by payment processors, which can be a very long process – up to 22 months according to some estimates.
  • The software for restaurant terminals is not yet ready to handle tips and tip adjustment.

Lane agreed with those reasons, and added another – the design of the terminals is, “terrible. It is not user friendly,” he said. “That’s a big part of the friction. If it was designed to be obvious, it would be much easier.”

Friction is not simply a matter of training customers either, he said. “The act of dipping and waiting is always inherently slower than the swipe.”

Others, while agreeing that the transition is slow, insist there is reason for optimism. Jeremy Gumbley, CTO and CSO at Creditcall, agrees that, “the payments industry dragged its feet” in preparing for EMV, in part because of “multiple false starts” that left some companies doubtful that the deadline would actually be enforced.

But he contends that while things “need to be better, we’ve come farther along than people want to give the U.S. EMV migration credit for – there has been tremendous traction.”

Gumbley said the goal for adoption by now was 33 percent, “and we’re at 37 percent and we can expect that number to continue to climb throughout the year.”

Jason Oxman, CEO of the Electronic Transactions Association (ETA), agreed that while the transition may be slow, it is steady. “Nearly 600 million chip cards are in U.S. consumers’ wallets already,” he said. “Almost 1 million merchants have already upgraded to chip readers. And this is without any mandate – legal or business – to upgrade.”

He added that a transition that is, “unprecedented in its complexity and scale” takes time. “The transition from analog to digital television in the U.S. started in 2009, and the last television stations didn’t switch to digital until 2015 – six years later. It took the mobile phone industry 13 years to reach 25 percent adoption,” he said.

Indeed, Jeremy King, international director of the PCI Security Standards Council, said the U.S. transition is vastly more complex than what faced the U.K., which had, “around 1.5 million merchants and needed to issue around 100 million cards (when EMV was launched). In the U.S. you have more than 28 million merchants and more than 400 million cards to issue.”

Added to that complexity, he said, is the reality that, “EMV is a global standard, and one critical factor is that every EMV card has to work correctly with every EMV terminal.”

When it comes to customers, Oxman said they will adjust quickly to the change, especially if they are made aware of the improved security it offers. He said an ETA survey found that only 13 percent of consumers said they would prefer the magnetic stripe cards even if they are less secure.

Gumbley called the “friction” problem, “a short-term inconvenience. As we’ve seen in other countries that adopted chip cards years ago, consumers will soon get over it.”

Eric Jackson, managing director, compliance services at Fidelis Cybersecurity, said customers would already be over it if they had not been given a choice. He said it was a major mistake for the payment card industry to allow the option of chip-and-signature along with chip-and-PIN.

While the terminal may take a few seconds longer to authenticate a card, “I think customers would tend to think it is quicker because they do not have to sign anything,” he said, adding that, “decades of consumer trust in ATMs and PINs would have aided the transition.

“The best way to reduce friction is to have 100% adoption and not offer the alternative,” he said. “If people do not have a choice, they accept or pay cash.”

To small merchants who continue to resist the change because of complexity and cost, Gumbley offers both a stick and a carrot. “Smaller retailers should view the process like filing your taxes,” he said. “You can delay the process, but you can’t avoid it. And the sooner you do, the sooner you reap the rewards.”

The problem is that many merchants don’t see improved security as that big a benefit – they think they are too small to be a target, so for them it amounts to all stick and no carrot. Lane noted that “retail margins are really thin, so it is really tough for them to absorb the cost of something like this.”

Beyond that, EMV does nothing to protect online, or card-not-present (CNP), purchases.

But Andrew Komarov, chief intelligence officer at InfoArmor, said while he understands the frustration of small merchants, they are indeed targets if they lag behind others in security.

“We see a real hunt on in areas with low integration level of EMV,” he said. “The bad actors exchange information about banks and institutions without it, and then target them.”

And advocates note that there are benefits that go beyond the chip card – Gumbley said one is that the new terminals can support point-to-point encryption (P2PE), which improves security for both the chip transactions and those that still use the mag stripe.

Another is that the new, chip-enabled terminals can also process NFC (near field communication) payments – the kind offered through digital wallet services like Apple Pay and Android Pay.

While the percentage of consumers with NFC devices is still low, it is expected to grow since it is available for both Apple and Android devices. Lane said moving to that payment method would be more secure and much more convenient for users than chip-and-PIN.

“The pain (for consumers) of the transition would be removed,” he said. “From a security geek perspective, I would love that development.”

Jackson, for one, thinks the debate over EMV, swipe-and-signature and even NFC puts the focus in the wrong place.

“I think the industry and consumers would have been better off if more emphasis had been placed on advanced payment technologies such as tokenization and end-to-end encryption,” he said. “These technologies help protect the data in any type of transaction.”
