Big Banks vs. Retailers On Chip And Pin
Cybersecurity is on everyone’s mind and somehow, I’ve found myself in the middle of the conversation. What I’ve learned is completely befuddling. Hence, I posted the following piece on Forbes right before the NRF Big Show. If any reader has a better understanding than I do on this subject, please shoot me an email!
According to a report from IBM, more than 61 million data records were stolen through cyberattacks in 2014. Despite high-profile attacks on the financial services industry, iCloud accounts, and the recent Sony data hack, the retail and wholesale industries were the most frequent targets.
While theft of customer information through cyberattacks is an important issue, there’s no doubt that the theft of credit card data gathered in in-store Point of Sale (POS) transactions is most critical.
Shoppers shrug off many of those thefts, but others, like the Target attack in 2013, created real problems for retailers, banks and consumers alike. Shoppers went to check-out lanes during the 2013 holiday season only to discover they had newly imposed debit card spending limits because their cards were part of the breach.
To quote a Customer Service Notice on top-five bank Chase’s web site:
“Customers whose Chase debit cards or Chase Liquid Cards are at risk from the Target breach will experience temporarily reduced limits on ATM cash withdrawals and purchases until we can replace their cards. To minimize inconvenience to our customers we raised those reduced limits today to $250 at ATMs and $1000 in purchases per day in the United States. We may continue to change these limits if we think it makes sense, so please check chase.com for updates.”
The timing of imposing those limits, in mid-December 2013, was enough to put a serious damper on shoppers’ holiday seasons. Pundits and customers alike called for a change in the way credit cards are processed in the United States.
The change seems pretty straightforward: a move to a global standard, called EMV (Europay, MasterCard and Visa), or more commonly “Chip-and-PIN.” As early as 2010, EMV had reduced in-store data theft and fraud in the UK by 69 percent, according to a paper written by Douglas King for the Federal Reserve Bank of Atlanta. That’s a significant number, certainly significant enough to warrant serious consideration by both banks and retailers in the US.
In fact, US retailers are mandated to accept the chip portion of “Chip and PIN” by the end of 2015, and many customers may have noticed they’ve received new credit cards with a new look. They have those very chips embedded in them. According to the Wall Street Journal, a half-billion new cards will be rolled out over the course of 2015. That’s the simple (albeit expensive) part.
What’s not so simple is that the major US banks are resisting implementing the “PIN” side of the transaction. Instead, they are advocating a “chip and signature” solution. These banks are united in their public explanation for bypassing the PIN side: it adds a burden to consumers who will have to remember a four-digit number.
This logic is very hard to follow. We remember our debit card PIN numbers, and have been entering them in stores and at ATMs for years now. Every connected consumer has numerous passwords (“must contain alpha, special characters, numbers and at least one capital letter!”) he or she keeps up with. Yet the banks appear to believe one more four-digit PIN number will break consumers’ backs.
Both US retail trade associations, RILA (Retail Industry Leaders Association) and the NRF (National Retail Federation), have endorsed chip-and-PIN. These two trade associations represent both the largest and smallest retailers. They’ve practically begged the banking industry to move forward. In response, banks have dug in their heels more deeply.
When I suggested to a high-ranking banking official that I couldn’t follow the logic around his opposition to PINs, he suggested that I was looking for a simplistic answer to a complex problem. I think (and replied) that most thoughtful observers are really just looking for a straightforward answer. No straightforward answers have been forthcoming. How complex is a four-digit PIN?
It’s common to paint retailers as “cheap” when it comes to security measures. But in this case, they’re on board. Retailers already must swap out all their credit card swipe machines and replace them with the chip readers in 2015. Many will also add in Near Field Communications (NFC) capabilities to support mobile payment technologies like Apple Pay, Google Wallet and Softcard.
Retailers are in. Why aren’t the banks?
Clearly, Chip-and-PIN will not help reduce fraudulent on-line transactions. In fact, by most accounts, we can expect that number to rise once the stores have been “buttoned down.” That has happened in most countries where the technology has been implemented. But eCommerce represents roughly 10 percent of all retail transactions. Surely it makes sense to attack the 90 percent first.