Information Security

Defending the digital infrastructure


Muddy waters for chip and PIN technology, banks won't sign off

The banks and the retailers have divergent views on how best to secure credit card transactions. Will the courts decide between signatures and PINs? Or will market forces win out?

Two opposing views on the future of chip and PIN cards in the United States have emerged, and for now, like most everything else in this country, it looks like we're leaving it up to the courts to sort the issue out.

On one hand are the retailers, led by Wal-Mart Stores, Home Depot and the National Retail Federation (NRF), who contend that the two-factor authentication provided by chip and PIN technology offers the highest level of security.  

Financial institutions, led by Visa, MasterCard and the American Bankers Association, say it's the microchip embedded in the card that matters because it combats counterfeit fraud -- use of fake cards that have legitimate account information -- which accounts for 70% of all card-present fraud.

EMV (Europay, MasterCard and Visa) chip technology is slowly becoming standard in the U.S., one of the last industrialized nations to support chip-on-chip transactions. When chip card holders make a purchase, each debit or credit card transaction is based on dynamic authentication rather than static account information stored on magnetic stripe cards, which can be easily copied. However, security issues with EMV implementations may still create opportunities for attackers. For example, EMV compliance does not require point-to-point encryption of primary account numbers (credit card numbers), creating concerns that primary account number data without tokenization may still be accessed in the merchant's networks or during external payment processing.

Another sticking point involves validation. After removing the chip card from a chip-enabled terminal in the U.S., card holders may have to sign the receipt to validate their identity and complete the transaction. And that's where the U.S. implementation diverges from the global standard, which relies on chip and PIN technology as an added layer of security.

At least two lawsuits have been filed surrounding this debate. Wal-Mart sued Visa in May in New York state court for the right to choose how customers verify debit card purchases at the payment counter. The retailer wants customers to verify a purchase with a PIN when they use a chip-enabled credit card. In the lawsuit, Wal-Mart claimed Visa has prohibited the retailer from requiring PINs only, forcing it to have the option of using a signature.

In an antitrust lawsuit filed in mid-June against Visa and MasterCard, Home Depot claimed that the credit card companies sought to block its adoption of chip and PIN technology following its migration to the EMV standards. In March, the retailer agreed to a preliminary settlement of $19.5 million, following a 2014 breach that exposed the data of 40 million cardholders.

Major credit card issuers required U.S. merchants to upgrade from magnetic stripe-only terminals to chip-enabled EMV systems (which also support magstripe) by October 1, 2015, or face greater liability for fraudulent card-present transactions.

The lawsuits allege that MasterCard chose to enforce the less secure chip and signature method because the financial service networks collect higher merchant fees for routing signature-based cards as opposed to PINs.

Both sides sound off

So, instead of political candidates squaring off along ideological lines, the chip-and-PIN-technology debate has two cornerstones of American business at odds with one another.

American retailers are much maligned today. Many have suffered from public relations nightmares after destructive data breaches, and there's a constant undertow about retailers not catching up with the rest of world when it comes to EMV chip cards and PINs.

"When there's a serious breach, it's the retailer that takes the brunt of the reputational damage," says J. Craig Shearman, vice president of government affairs public relations at the NRF. "People don't think about the banks; they just know that Target or Home Depot have experienced a breach."

Shearman and the retailers contend that PINs are more secure than signatures and that the banks know this all too well.

"The banks won't let you take a $20 bill out of an ATM without a PIN, but they won't require a chip and PIN for a credit card transaction; it makes no sense," he says. "The banks say a PIN is static, it doesn't change, but if it's lost or stolen, the user can change it. You can't change a signature."

In a letter to Congress this past May, James Ballentine, executive vice president of congressional relations and political affairs for the American Bankers Association, countered with a bulleted list of talking points:

  • PINs only guard against lost and stolen card fraud, an already small and rapidly diminishing portion of overall fraud.
  • PINs do not prevent data breaches of substandard retailer systems.
  • PINs do nothing to stop counterfeiting or card-not-present fraud for online transactions and have the same inherent vulnerabilities as other static security features: They can easily be stolen and used to commit fraud.
  • Data shows that hackers target PINs: A report by the Federal Reserve Bank of Atlanta found that PIN debit fraud rates increased more than threefold over an eight-year period from 2004 to 2012.

"As new threats emerge, retailers' efforts to divert policymakers' attention to PINs means that we run the risk of not devoting requisite energy and resources to developing the cutting-edge technologies needed to thwart increasingly sophisticated hackers," Ballentine maintains.

The NRF's Shearman counters by saying that just about every security expert will confirm that two-factor authentication always wins out over a chip and signature scenario.

Michael Petitti, senior vice president of global alliances at Trustwave, points out that chip and PIN technology has reduced fraud in both Australia and the United Kingdom. However, he says the chip-and-signature option that now prevails in the U.S. has been a good first step.

"Chip and sign is fine for the next few years; people will get used to it as their credit cards expire and new ones with chips are issued," Petitti says. "But I do understand the perspective of the retailers. They are on the front lines in terms of reputation damage and fraud losses."

Some forward progress

Unfortunately, the chip and PIN issue has become complicated, which only adds to the confusion. Banks have issued debit cards with chips, but for now, when it comes to chip cards for the major credit cards, the U.S. only has a chip and signature system. Target has rolled out a chip and PIN card of its own, and First Niagara Financial Group now offers credit cards and debit cards with a chip and PIN option, but that's about it as of late June.

The United States represents the largest credit card market in the world, and there are many different levels of businesses. The big-box retailers have been rolling out chip cards for several years, long before the October deadline. But they have the resources and the technology expertise. Smaller retailers typically have to swap out only one or two machines, so it's fairly easy for them to accommodate the chip cards.

The NRF's Shearman says midsize retailers, especially regional supermarket companies and other grocers, have had the hardest time, mainly because they don't have as many resources as the big-box retailers, and revamping their networks to accept chip cards has taken some time.

The Strawhecker Group, an electronic payments advisory firm, estimates that the payment processors are on track to have more than 90% of their merchants EMV-ready by 2017 or later. That represents almost 4 million retailers.

Information from some of the nation's top retailers confirms the Strawhecker data. The Walgreen Company began transitioning drug stores to the new EMV technology more than three years ago when it installed new point-of-sale terminals. The upgrade involved about 60,000 POS terminals in 8,200 Walgreens stores.

Consumer electronics retailer Best Buy had EMV chip card readers in place and fully operational in all of its roughly 1,400 stores by October 2015. Drugstore chain Rite Aid also deployed EMV-capable terminals in all of its 4,600 stores nationwide by the October deadline. Rite Aid adds that when it receives EMV certification, it will continue to collect PINs on debit card transactions. Right now, the retailer collects signatures on every credit card transaction over $25.

Certification has also held back progress. The payment processors now have a backlog of companies in the queue, so many retailers have further confused customers by rolling out the POS terminals that accept chips, but not activating them because the company has not passed certification yet.

"People go to their local stores and they see that the new POS systems aren't activated and they wonder why," says Shearman. "It's really that the card industry has dropped the ball by not providing the resources to get all the retailers certified."

Paying for smart cards

Randy Vanderhoof, executive director of the Smart Card Alliance and director of the EMV Migration Forum, holds another view on the U.S. debate over chip and PIN technology.

Vanderhoof says both the bankers and retailers are simply acting in their own self-interest. He says it's more of a business issue. For the merchants, it simply costs them less to run the credit card transactions over PINs. And the banks make more money the other way and believe that it really is the chip that counts.

"Nobody disputes that the chip will reduce the majority of the counterfeit fraud in the marketplace," he says. "A PIN adds an additional layer of security, but only if someone steals your card and tries to use it. All this talk about the PIN versus signature is really a business issue; it's not about security."

No matter. The lawsuits are piling up, and both sides have fairly strident points of view. It may take several years for the courts to ultimately decide which side is right.

Meanwhile, retailers will continue to roll out new POS terminals that accept the new chip cards. Whichever side wins, signature or PIN, the new chip-enabled terminals can handle both methods, so the retailers will be covered no matter what happens.

Jared Drieling, business intelligence manager at The Strawhecker Group, adds that the U.S. has made steady progress rolling out EMV cards. EMV rollouts in most countries take five to seven years, and for all intents and purposes, the U.S. didn't start in earnest until October. "There's no question that we will slowly wean off the magstripe cards," he says.

Mobile payments, thanks to Apple Pay and Google Wallet, are also becoming commonplace and may be where the industry winds up in the next decade. But many retailers still require a signature with Apple Pay, and consumer acceptance of mobile payments has been slow.

If more banks like First Niagara decide that there's a business opportunity in selling credit cards with chip and PIN security and consumers sign up in droves, then chip and PIN technology will win out. The retailers are keeping the courts busy, but in the end, the market may outstrip even chip and PIN.

About the author:
Steve Zurier is a freelance technology journalist based in Columbia, Md., with more than 30 years of journalism and publishing experience. Zurier previously worked as features editor at Government Computer News and InternetWeek.

This was last published in August 2016