Soon after MasterCard and Visa announced a partnership to enhance payment security by accelerating the adoption of EMV chip technology, the National Retail Federation (NRF) took their plans to task.
In a statement, NRF General Counsel Mallory Duncan said, “We remain insistent that US retailers’ customers be given the same protections as consumers in more than 80 countries who have both a chip and a PIN securing their credit and debit cards.”
The safer EMV-based cards would replace their magnetic stripe counterparts, which have proven vulnerable to attack. By using encryption, EMV chips better protect data. And cyber criminals find them harder to counterfeit. While chip-based cards have gained a stronghold in Europe, the U.S. has been slow to embrace the technology, primarily because financial institutions and other industry players have been at odds over who would foot the bill for what amounts to significant changes to the current payment system.
But a series of high-profile retail data breaches at the likes of Target, Neiman-Marcus and Michaels has prompted the industry to shore up security on all fronts. The MasterCard- and Visa-driven alliance, which includes retailers, banks, credit unions, point-of-sale (POS) device makers and industry trade groups among others, intends to tackle a broad range of security issues but will initially focus its attention on accelerating the migration to EMV. “Only through industry collaboration and cooperation will we address the real and immediate issue of security and maintain consumer confidence and trust,” said Chris McWilton, president of North American Markets at MasterCard, in a statement. “EMV will be the next step in these efforts, alongside enhanced security solutions for online and mobile channels.”
NRF expressed concern that the group’s initial plans won’t go far enough because they don’t include the use of a PIN in conjunction with the EMV chip-based cards as is the norm in Europe. MasterCard and Visa have differed on the use of PINs with the chips, with MasterCard favoring a chip and PIN system.
“EMV chip cards are an effective deterrent to counterfeit card fraud, which is the largest category of fraud,” Randy Vanderhoof, the executive director of the Smart Card Alliance and director of the EMV Migration Forum, told SCMagazine.com in an email correspondence.
While adding a PIN to the EMV card does add an extra layer of security to prevent lost and stolen cards from being used, it also results “in additional cost and complexity to the issuance and customer management of chip cards for card issuers and will further complicate the transaction at the point of sale for consumers so opinions are mixed among all stakeholders,” he said.
By advising card issuers to migrate without recommending the use of PINs, Visa has been advocating “the fastest, least complicated way in order to get control over counterfeit card fraud as quickly as possible to address the biggest fraud problem, which is counterfeit fraud,” said Vanderhoof, who believes the industry will eventually support “a mix of options” in the future.
Still, NRF contends that implementing a chip-based system without the requisite PIN will compromise security.
“Easy-to-forge signatures are a virtually worthless form of authentication,” Duncan explained in a statement. “Insisting on chip-and-signature cards is like installing an alarm on the front door of a home while leaving the back door wide open. It doesn’t make sense when the technology exists to secure the entire house.”
The alliance is attempting to migrate to the new technology quickly, setting an October 2015 deadline for adoption.
[An earlier version of this story incorrectly referred to the National Retail Federation as the National Federation of Retailers.]