Payment card security revamp becoming chip vs. PIN tussle

National Retail Federation says quickest way to boost security is to require PINs for all credit-card transactions

1 2 Page 2
Page 2 of 2

An NRF spokesman on Wednesday insisted the trade group, which represents tens of thousands of merchants worldwide, is not saying there's no place for smartcards. "We are simply saying that PIN is most desirable. The card companies have insisted that PIN adoption would slow down the transition. If that is the case then simply go to PIN instead of in addition to chip," he said.

Other technology approaches like end-to-end encryption and tokenization also offer substantial fraud-prevention potential at a lower cost and with less risk of being locked into a proprietary approach like EMV, the NRF told the Senate Committee on Wednesday.

The debate over PIN versus signature authentication has a lot to do with money, said Avivah Litan, an analyst at Gartner.

"It's all about the banks wanting to maximize revenue," Litan said. "When a PIN is entered, they earn lower fees from the merchants. It's absolutely nonsensical that the banks would advocate for a less secure approach. It's all because they want to maximize the amount of money they make off the merchants."

This is not the first time that U.S. merchants and credit card companies have been at loggerheads over payment card security.

Groups like the NRF maintain that merchants are required to bear an unfair share of the costs of shoring up credit and debit card security and the cost of fraud that results from data breaches like that one at Target a few months ago. By some estimates, merchants end up paying 90% of the cost of unauthorized transactions compared to 10% by financial institutions, the NRF said pointing to a 2009 analyst report.

Despite this, retailers have little voice in how credit and debit card data and transactions need to be protected and are instead at the "mercy of the dominant credit card companies," the trade group said.

A Visa spokeswoman said the core reason for the move to chip card technology is to slow the use counterfeit and cloned credit and debit cards to commit fraud.

"Visa's focus is on moving the payments industry away from the use of static information that can be stolen, skimmed, or phished and re-used for counterfeit fraud," the spokeswoman said.

"That is why we set a roadmap for adopting EMV chip technology, which will help make compromised data useless to criminals."

The best approach for mitigating payment card fraud is to move away from the static data elements in magnetic stripe cards to dynamic data elements in EMV chip cards, the spokeswoman said.

In a recent interview with Computerworld, Visa's chief risk officer Ellen Richey said that nearly two-thirds of U.S. merchants can't accept PIN-based transactions today. For them, a mandatory PIN requirement would involve the same kind of payment terminal upgrade that would be required for EMV smartcards.

This article, Payment card security revamp becoming chip vs. PIN tussle, was originally published at Computerworld.com.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Copyright © 2014 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon