Today is the day that, by agreement between banks and retailers, the liability for a credit-card data breach will shift to retailers that haven’t prepared their in-store point-of-sales systems to accept new EMV chip-enabled credit cards.
But most retailers aren’t ready, and most consumers don’t have their cards in hand. Even worse, the ones that do probably don’t realize that the new cards aren’t nearly as secure as they could be — or as secure as retailers would like them to be.
'On track' or no?
Just 58% of the retailers, when they were surveyed last month by Randstad Technologies, which helps retailers with tech personnel and technology updates including for EMV card readers, were on their way to meet the deadline to be able to accept new chip-enabled credit cards. Perhaps more alarming, 42% said they either did not have plans to make the deadline or weren’t aware of plans to do so. And many banks have failed to get those more secure cards into consumers’ wallets, according to research released Wednesday from CreditCard.com. Just 40% of consumers, mostly in higher income brackets, have received the cards, the survey found.
The credit-card companies say things are on track.
"We're really where we expect to be, considering that Oct. 1 is the start line," Stephanie Ericksen, Visa VP of global risk products, told NPR. "We know it takes many countries about four to five years to get to greater than 90 percent of their volume to being at chip cards used at a chip terminal."
Chip-and-PIN (without the PIN)
But many retailers say that more time — and more secure cards — should have been the plan all along. While EMV (which stands for Europay, MasterCard and Visa) cards used in Europe, Canada, and much of the rest of the world require a personal identification number (PIN) as authentication, EMV here has by-passed that.
That solves an issue for the banks, which would have to make significant changes to process chip-and-PIN cards, but leaves even the new EMV chip-enabled cards less secure, said Mark Horwedel, CEO of Merchant Advisory Group, whose members are large retailers, on a conference call with reporters.
“We’ve shouted in the dark for a long time,” he said. “This is basically a facade — this claim [by banks] that the reluctance is consideration for the consumer. We’ve all used PIN numbers at ATMS for a long time. Let’s go to something that’s better.”
Horwedel noted that any added authentication wouldn’t have to be PINs, but says that the EMV cards simply aren’t secure enough as they are in this era of cyber-fraud. “There could be a biometric solution,” he told reporters. “That could be better than PIN, but there’s no timeline for that. It’s still in the development phase. It’ll be quite some time till we find a means besides PIN that will gain approval and acceptance.”
In an era when people of all ages input four-digit codes to unlock their own cell phones and to access their money at an ATM, it makes little sense, with fraud so rampant, that banks and the card companies have foregone PIN numbers, Jason Brewer, spokesman for the Retail Industry Leaders Association, told Wired magazine.
“If you only have one way of stopping the cyber thief, they’re going to put all their energy into getting around that,” Brewer says. “By not having the PIN, you’re only forcing them to figure out a way to get around the chip. There are already skimmers trying to figure out how to get around the chip. Why not do the two-factor authentication?”
The magnetic alternative
It doesn’t help that even the new card readers, once they’re installed, and the new cards, once consumers get them, still work with the old magnetic strip—a level of technology that has been compared to eight-track cassettes and is easily accessible to data-sucking thieves.
Many shoppers don’t even realize that the new card they got in the mail is chip-enabled and therefore more secure. If they use the magnetic-swipe feature, they’re losing out on the added security the new cards do provide.
Target, one retailer that has been ready to go with new EMV chip readers for months, has software that rejects an EMV chip-enabled card if it’s swiped through the magnetic strip reader. Target checkout clerks then tell the customer to dip the card into the EMV reader. Target’s move is understandable, considering its massive breach two years ago, says Dick Mitchell, solutions director at Randstad Technologies. But, he told Retail Dive, it’s also very helpful to a consumer populace that has had very little instruction in the matter.
“That’s a really good way to make this push into the side of EMV,” Mitchell says. “I’d like to see more of that.”
Retailers will continue to push for added authentication, be it PINs or some other method. But that will continue to be tough as long as consumers remain complacent about payment security. If, as retailers fear, EMV chip cards aren’t secure enough in the long run, if enough fraud moves online, as it’s expected to do, or if mobile wallets, which also employ PINs or other authentication, don’t catch on quickly enough, it may require something like Congressional action to move banks in the right direction, Mitchell says.
“I don’t think [banks and card companies] are going to make that switch unless customers demand it,” he says. “We have to be informed about this. Canada and the U.K. have had chip and PIN for a while, so once we realize that there are safer alternatives out there it could be a slam dunk. I don’t usually say this but I’m not opposed government intervention on this.”
One regional bank in New York state has bucked the trend and is indeed requiring PIN numbers when card holders use their EMV cards.
Justin Bigham, head of consumer product management at Buffalo-based First Niagara Financial Group Inc. said that, after careful consideration, the bank decided it was in consumers' best interest.
“It was not a quick decision,” he told the Wall Street Journal.
Mallory Duncan, SVP and general counsel for the National Retail Federation, praised the move.
“If they are issuing credit cards with chips and PINs, then they deserve kudos from the retailers and consumers everywhere,” Duncan told the Journal.
For many retailers, the answer could be in customers’ pockets—but not necessarily in their old-fashioned wallet.
“The mobile thing is key,” Merchant Advisory Group VP Liz Garner told reporters. “ One of the biggest barriers is mobile’s perceived lack of security. Retailers will have to do more with all the wallets and merchant applications to address the security behind those applications. A mobile wallet is more secure than a magnetic stripe. There’s more hardware on the phone [that can make it secure]. I think the they will be more consumers paying and engaging with retailers on their phone.”