The retail EMV quagmire

Home Depot's lawsuit against Visa and MasterCard tackled the security problems of the EMV rollout. But what the retailer conveniently forgot to mention is far more germane.

[Image: Chase EMV United card. Credit: Martyn Williams]

Retailers have this love-hate relationship with EMV, in that they love to hate EMV. It's slow, cumbersome, alienates customers and until a store fully deploys it, the liability shift is expensive. There's also a reasonable argument that the liability shift is not fair to merchants, since they are being punished for something that is often out of their control.

With that in mind, it's easy to understand why major retailers — Walmart last month and Home Depot last week — are suing Visa and MasterCard in an attempt to fight chip cards any way they can.

Of course, the retail argument isn't quite phrased that way. The party line is that the litigation is aimed not at stopping EMV but at making it more secure, by way of insisting on PIN authentication instead of the existing signature authentication.

In words lifted from the Home Depot lawsuit, this is Home Depot's argument (which is quite similar to a May lawsuit against the same two card brands from Walmart): "For years, Visa and MasterCard have been more concerned with protecting their own inflated profits and their dominant market positions than with the security of the payment cards used by American consumers and the health of the United States economy. Visa and MasterCard have pushed consumers to use payment card technology that Visa and MasterCard know is defective and subject to fraud and have colluded with each other and with the banks that issue debit and credit cards to do so."

Thus far, Home Depot's position is factually correct, but it is so deeply lacking in context as to be misleading. More on that in a moment. The immediate next lines in the Home Depot lawsuit are closer to truth-in-context, and those lines also reveal the retailers' true concerns: Visa and MasterCard "have also unlawfully fixed at high levels the so-called 'interchange' fees that merchants must pay when presented with debit or credit cards. As a result of their conduct, United States consumers experience the highest rates of payment card fraud in the world and United States businesses are subject to the highest payment card related fees in the world."

Interchange—the fee merchants pay for the privilege of accepting payment cards—is the only real issue behind all of these ongoing nasties between major merchants and the card brands.

Let's get back to the security issue. Fact: Signatures are indeed far less secure than PINs. (Note: I personally believe there should be criminal charges placed against anyone who says "PIN number," as the "n" in PIN already means number. It's akin to saying Personal Identification Number Number. When I hear a bank's recorded mailtree tell me to type in my "PIN number," I am not a happy camper. But I digress.)

The authentication methods in use today rank, from weakest to strongest, as signature, which is far weaker than PIN, which in turn is far weaker than biometrics, such as the fingerprint scan on many smartphones. I'd normally say good/better/best, but given how laughably ineffective signature is today, it's more appropriate to say awful/better/best. Store associates don't receive training in handwriting recognition, so the incredibly few today who even bother to look at the signatures have no idea what to look for. The fact that many people, when prompted for a signature at a store, just make an X or draw a straight line (yes, I am one of those people) illustrates the ludicrousness of it as an authentication tool.

So, yes, Home Depot is quite correct that going with signature is absurd from a security perspective. But there are practical reasons why the card brands have done this and Home Depot knows those reasons quite well.

For EMV acceptance to happen, consumers have to use their cards and to use the chip capabilities of those cards. This is where we get into some industry back-and-forth. Visa/MasterCard say (correctly) that far too many merchants haven't activated their EMV capabilities yet. The merchants (correctly) counter that many of them are waiting months for card-brand certifications that permit them to activate EMV and that other merchants are waiting for POS vendors to upgrade their software.

This gets us into the liability shift, where merchants who have yet to activate EMV have to absorb fraud costs. That's a problem — I'll give points on this part to the merchants — because that rule presupposed that merchants would pay that fraud penalty if they failed to activate EMV because of their own sloppiness or hesitation. It was never made clear to merchants that they would absorb the fraud costs even if they did everything they could to activate EMV and the delay came from elsewhere. Come on, card brands. That's not playing fair.

Here's one thing in favor of the card brands. Remember that acceptance issue? After the merchants get permission and do activate EMV, it's up to consumers to use it. And EMV is slow, awkward and uncomfortable for them. To change the behavior of American consumers, the card brands argue that they have to move gradually.

In short, given that the process of making the payment — namely dipping rather than swiping — is changing, let's keep accepting the signature until consumers get more comfortable. It can always be switched later. Also, MasterCard, American Express and Visa have now all endorsed a way for a small number of merchants to make transactions seem faster by allowing the card to be removed during much of the transaction processing.

The card brands have a practical reason for initially using signature. Flipping the argument, it often appears that merchants don't really want EMV to succeed, and insisting that it immediately embrace PIN would help slow it down.

Here's another key fact: Even using the absurd authentication method of signature, EMV cards are far more secure than their magnetic stripe predecessors. The EMV cards (a.k.a. chip cards) are light-years more difficult to clone than magstripe. As a practical matter, it's almost impossible to cost-effectively clone an EMV card. It can be done, but it's too expensive to make it worth the effort of any thief. There are better, easier and more profitable ways to make a dishonest living.

Therefore, EMV kills card-cloning, which has been a common fraud tactic in the U.S. If EMV does nothing beyond killing card-cloning in the U.S., it will have been worth it. So there's that. On the other hand, EMV advocates have often implied that EMV will negate far more fraud than it actually will. Other than killing card-cloning — which is still massive — it's not clear that EMV will significantly impact other kinds of fraud.

My point? Both sides in this EMV battle have good points to make, but they often conveniently forget to include context/background. Let's not let them get away with that.

This article is published as part of the IDG Contributor Network.
