During a presentation at the Electronic Transaction Association’s Transact conference in San Francisco last week, Mike Cook, senior vice president and assistant treasurer for Wal-Mart, called signature “worthless as a form of authentication” and criticized the rollout of chip-and-signature cards in the United States.
Cook told CNNMoney that migrating to chip-and-signature is barely an improvement over magnetic-stripe cards, and said that Wal-Mart would have supported moving to a chip-and-PIN system. “The fact that we didn’t go to PIN is such a joke,” Cook said.
Cook added that in the Target and Home Depot breaches, not a single PIN debit card needed to be reissued. “The card number was worthless to the individual thief and fraudsters, because they didn’t know the PIN,” he said.
Magnus Carlsson, AFP’s manager of treasury and payments, noted that a common argument against chip-and-PIN is that retailers could experience lower sales due to a negative customer experience. “However, with large retailers speaking out in favor of PIN authentication, the bigger worry seems to be on actual fraud, and how to prevent it,” he said.
But the card brands argue that the enhanced security that PIN offers simply isn’t worth the expensive software upgrades. Stephanie Ericksen, vice president of risk products for Visa, sees no need for implementing chip-and-PIN because superior technology, like Apple Pay, has already emerged and is expected to become mainstream in the next few years.
Liz Garner, vice president of the Merchant Advisory Group (MAG), said Cook was “spot on” with his comments. “Authentication should be a secret password/PIN or perhaps nothing; signatures are incredibly easy to counterfeit,” she told AFP. “Merchants want to be able to ask for a second layer of security in high risk transactions. Issuing cards without a PIN or a password takes away the capacity from the merchant to ask for the added layer of security.”
According to Garner, if merchants received payment guarantee on plastic transactions, EMV card issuance might be rolling out differently because issuers would be more concerned with taking excess fraud out of the system. But since retailers bear about half of all fraud losses and more than 70 percent of all card-not-present (CNP)/internet fraud losses, issuers lack the incentive to put out the most secure products possible, she explained.
To be fair, some merchants won’t ask for a second layer of authentication like a PIN on low-dollar transactions, where fraud is exceptionally low—often less than 1 basis point. “But if the cards don’t have the PINs, there’s no way for the merchant to ask for it when it does make sense,” Garner said.
Treasury and finance professionals also likely agree with Cook, as evidenced by the results of the 2015 AFP Payments Fraud and Control Survey, underwritten by J.P. Morgan. While 92 percent of respondents said that EMV cards will substantially reduce fraud at the point-of-sale, 61 percent believe chip-and-PIN will be more effective than chip-and-signature.
Retail Group Pushes for EMV Deadline Delay
The Food Marketing Institute (FMI), a retail trade group that represents thousands of grocery retailers and pharmacies, sent a letter to Visa, MasterCard, American Express and Discover, asking them to delay the EMV liability shift until 2016.
In its letter, the FMI stressed that retailers will not be able to complete the migration by October 2015, largely due to a 16-week delay for delivery of equipment that can accept chip cards, The Wall Street Journal reported.
The FMI has yet to receive a response from the card brands; however, Visa and MasterCard told WSJ that they have no plans to delay the liability shift.
Garner applauded the FMI letter, noting that it laid out some significant concerns that she has heard from the MAG’s membership. “The biggest problem we have is that the networks have failed to deliver the programming specifications,” she said. “Contactless and common debit are still outstanding—the latter because the major brands refused to cooperate with the EFT networks for the past few years. In other markets, merchants were given these specs 24 to 48 months before the liability shift. The major card brands have seriously dropped the ball in the United States and they need to address the marketplace reality of their own shortcomings and the challenges that coincide with this failure and their pre-determined timelines.”
The National Association of Federal Credit Unions sent a letter to the House of Representatives, criticizing the FMI’s request and urging lawmakers to support “strong data safekeeping standards” for retailers.
PCI SSC Issues Tokenization Guidance
Last week, the PCI Security Standards Council (PCI SSC) published security guidelines for vendors and service providers that develop tokenization products. Tokenization replaces primary account numbers (PANs) with tokens, which reduces risk for merchants by removing the need for them to store card numbers in their networks and systems.
The PCI SSC’s guidance provides voluntary best practices that address the overall development of tokenization services, including the generation of tokens, how tokens are retained for use and stored, and the implementation of products to address potential attack vectors and mitigate associated risks.
“Tokenization is one way organizations can limit the locations of cardholder data,” said PCI SSC Chief Technology Officer Troy Leach. “A smaller subset of systems to protect should improve the focus and overall security of those systems, and better security will lead to simpler compliance efforts.”
Digital Transactions noted that removing the PAN is what makes tokenization vastly superior to EMV. In an EMV transaction, the PAN is still transmitted and can be intercepted by hackers. While they would be unable to clone an EMV card due to the unique chip, the PAN could be used to create a counterfeit mag-stripe card for use where those cards are still accepted (the U.S.), or on the internet.
Tokenization has become a hot topic since the advent of Apple Pay. Apple Pay users only need to enter their card information once, and then they are assigned unique tokens for making purchases. Treasury experts agree that Apple Pay’s security will be the key to it catching on as a mainstream payment method.
However, Apple Pay’s security has come under fire lately due to fraudsters exploiting a vulnerability in the system. Criminals have been loading fraudulent card data into Apple Pay and using it to make purchases—primarily at Apple’s own stores, just to throw some salt on the wound. Banks that use Apple Pay have been making changes to their security procedures to mitigate the problem.