MC: Pick Any Chip-Card Security You Want, as Long as It's PIN

MasterCard Inc. does not explicitly require the use of a PIN with chip cards in the U.S., but its sliding scale of liability leaves little other choice.

A key element of MasterCard's long-awaited U.S. roadmap for conversion to the EMV chip-card standard is a shift in fraud liability to the party in the payment process that provides the least security.

The "liability hierarchy," which will take effect in 2015, rates the security of different card-acceptance methods, says Craig Vosburg, MasterCard group executive for U.S. market development.

Under MasterCard's system, announced this week, a magnetic-stripe card would be the least secure and a chip-and-PIN card the most secure, he says. Chip-and-signature's security rating falls between those two.

"We are trying to avoid an approach where we are requiring or mandating, but rather one with flexibility but an understanding of the implications," Vosburg says.

MasterCard's stance on liability shift indicates the card network intends to "move the needle to chip-and-PIN instead of chip-and-signature," says Mark Horwedel, chief executive of the Merchant Advisory Group.

"If the merchant has chip-and-PIN capabilities, but the issuer has only chip-and-signature, the liability falls to the issuer, or vice versa," he says.

If a consumer loses a chip-and-signature card, someone else could still use it, at least for one transaction, Horwedel says. "But if someone finds a lost chip-and-PIN card, they can't use it without knowing the PIN," he says.

This is music to the ears of merchant organizations that have made their preference for chip-and-PIN clear while awaiting MasterCard's stance on the issue. The Minneapolis-based Merchant Advisory Group last month called for industry consensus on an EMV roadmap but emphasized its support for chip-and-PIN.

The merchant group was responding to statements from Visa Inc., which has suggested to merchants and issuers that they can drop the use of a PIN with chip cards. In a Jan. 13 blog post, Visa said that equating the EMV standard with chip-and-PIN is a "myth," and that in the U.S. "there's no need for the offline authentication that was the genesis of chip-and-PIN."

With regard to Payment Card Industry data-security standard compliance, the MasterCard plan offers compliance testing and fee relief based on account-data volume, Vosburg says. A merchant running 75% of card transactions through an EMV terminal with both contact and contactless capabilities by 2013 would receive 50% relief on PCI testing. By 2015, a merchant running 95% of his transactions through an EMV terminal would receive 100% relief, he says.

"The merchant has the ability to make the choice to invest in the most secure equipment and to protect [itself] to the greatest extent," Vosburg says.

The Smart Card Alliance, a New Jersey-based not-for-profit association that advocates use of smart cards, is encouraged by MasterCard's approach, says Randy Vanderhoof, the alliance's executive director.

MasterCard "addresses the questions of, 'What does the U.S. really need?' not just from a fraud-protection standpoint but from a consumer-experience standpoint," Vanderhoof says. "When all of the PCI compliance testing is done, it is still important to know how the consumer interacts with the different payment methods into the future."

MasterCard was "more forthright" than Visa about a U.S. EMV migration moving the country to the next generation of technology, says Brian Riley, senior research director and analyst with Needham, Mass.-based TowerGroup.

"For now, the merchants' key issue should be, 'Why is this being funded on the merchant side?' " Riley says. "The merchants should be saying, 'We have to pay for these new terminals, so what do we get out of it?' "
