Payment card security revamp becoming chip vs. PIN tussle
National Retail Federation says quickest way to boost security is to require PINs for all credit-card transactions
Computerworld - Industry efforts to shore up payment card security after the massive data breach at Target appear to be devolving into a battle over chip vs. PIN technology between retailers and credit card companies.
MasterCard and Visa want all U.S. retailers to install payment terminals capable of accepting Europay MasterCard Visa (EMV) smartcards by October 2015 or face increased breach liability exposure.
EMV chip cards are used widely around the world and are considered much safer than magnetic stripe cards, especially when used in conjunction with a Personal Identification Number (PIN).
However, retailers, which have to bear the bulk of the migration costs to EMV, say it's possible to improve U.S. payment card security quickly by simply implementing a mandatory PIN requirement for all credit and debit card transactions.
Just as PINs are required to withdraw money from ATMs, PINs should be required for all payment card transactions, they say.
"Protecting all cards with a PIN instead of a signature is the single most important fraud protection step that could be taken quickly," the National Retail Federation said in a statement Wednesday before the Senate Committee on Commerce, Science and Transportation.
"It's proven, it's effective, and it's relatively easily implementable," the statement said, pointing to the ubiquity of PIN debit card use worldwide. "Chip is a desirable add-on. If speed of implementation is of importance, then substituting PIN for signature is preferable to implementing chip."
The NRF noted that one of the biggest problems with payment card security in the U.S. is that card companies only require a signature for a credit card transaction. PINs have proved to be a far better method for authenticating the identity of a user and are better for reducing fraud than signatures.
"PIN transactions have one-sixth the amount of fraud losses that signature transactions have," the NRF told the Senate committee. Yet, card companies have refused to make it a requirement because they can collect more fees with signature-based transactions, the NRF claimed.
EMV chip cards would be a step in the right direction, the trade group conceded, but only if the cards are used along with a PIN.
In the U.S., neither Visa nor MasterCard insists on a PIN authentication requirement for smartcards. Instead, cardholders will be able to authenticate their identities with a signature, as they currently do with magnetic stripe cards.
Visa has noted that adding a PIN requirement will add substantially to the cost of the EMV migration and the time needed to get it done. The company has said that chip cards, even without a PIN, are substantially safer than magnetic stripe cards.
The NRF and other retail groups maintain that using a chip card without a PIN detracts from the fraud-prevention benefits of chip technology. Merchants would spend billions of dollars to install EMV-compliant card readers but neither merchants nor consumers would fully benefit from the technology.
"We would essentially be spending billions to combine a 1990s technology (chips) with a 1960s relic (signature) in the face of 21st century threats," the trade body said.