Five EMV Myths the Card Industry Wants You to Believe
A recent American Banker opinion piece was misleading in some parts and completely untrue in others about some of the issues related to authenticating new EMV cards.
The post by the Electronic Payments Coalition seemed aimed at making readers believe that Visa — currently embroiled in a legal battle with Walmart over whether PIN authentication should be mandated — is focused on developing the strongest EMV authentication policies possible. But in supporting Visa's insistence on having the anachronistic verification technology of signatures as an option, the coalition asserted a number of industry-spread myths in trying to argue that a PIN mandate isn't necessary. I dispel each of them below.
Myth: PIN doesn't prevent online or mobile fraud.
That is flatly untrue. There are in-market e-commerce PIN solutions that prevent fraud for e-commerce as effectively as traditional brick-and-mortar stores' PIN verifications. Acculynk, for instance, sells such technology that is used by companies like Sears, LendUp and American Airlines.
Myth: PINs were compromised in the Target and Home Depot data breaches.
In both of those breaches, the PINs weren't compromised. Yes, the criminals involved obtained encrypted PINs. But they were unable to decrypt them, which means that any card requiring PIN was not compromised and banks did not need to reissue the cards. A data breach, such as the ones suffered at Target and Home Depot, would have been far less harmful to consumers if all cards required PIN security at the point of sale.
Myth: Consumers are harmed more when PINs are compromised.
The EPC's Molly Wilkinson wrote, "If a PIN is stolen from a retailer's system, it is possible that a criminal could access the customer's entire account and commit fraud."
It's unclear how this could happen, but I assume Wilkinson means that fraudsters would use the card and stolen PIN to withdraw cash from an ATM.
Not only is it hard to imagine this scenario, but it conceals the real issue. A PIN still provides a strong layer of protection — against criminals using cards both to make purchases and to access bank accounts — that a signature does not. If a PIN is not required at the point of sale, the thieves can buy merchandise with only the card. Whether the money is fraudulently withdrawn as cash or used to purchase merchandise (which is easily liquidated), the customer's funds are gone. That's less likely if the point of sale, like bank-owned ATMs, is secured with PIN verification.
Even Visa knows PIN provides enhanced security. Throughout the rest of the world, Visa has touted the benefits of PIN. In Canada, Visa told consumers, "Because your Personal Identification Number (PIN) replaces your signature, the transaction is more secure." In the United Kingdom, Visa said in a submission to the Australian Competition Commission that "the decline in Lost/Stolen and NRI [Not Received as Issued] fraud ... is considered by Visa to be substantially, if not entirely, attributable to mandatory PIN@POS."
The company cannot have it both ways.
Myth: American consumers cannot remember multiple PINs.
Wilkinson argues that American consumers carry, on average, four cards and shouldn't be asked to remember different PINs for all of these cards. But this is obfuscation under the shroud of consumer convenience.
First, I believe the EPC is selling American consumers short. Most people have numerous passwords and access codes, which they manage effectively.
Further, it's probably not necessary for a consumer to have different PINs on all of their payment cards. Indeed, consumers only have two thumbs to use for biometric authentication, and it's far easier to change a PIN than to change one's thumbprint.
Finally, while the Merchant Advisory Group staunchly supports the implementation of PIN on all cards in the United States, this dispute between Walmart and Visa is limited to debit cards. It is rare for people to have more than one debit card.
Myth: The chip alone is sufficient to verify the cardholder.
Wilkinson makes the claim that "the technology preventing fraud is the actual chip." At best, that is half true.
The chip authenticates the card. In other words, the chip allows the merchant and the bank to know that the card being presented is the authentic card, not a counterfeit. The chip does not and cannot authenticate the cardholder. Only something that is not contained on the card — i.e. something only the cardholder knows, like a PIN — can authenticate the cardholder.
In fact, consumers are most affected by the types of fraud that PIN would address, but that are not addressed by the dynamic elements on the chip. Indeed, Federal Reserve data from 2013 shows that 88% of fraud losses incurred by debit cardholders are either "card not present" or "lost and stolen" — types of fraud that are not prevented by chip alone but would be prevented with PIN security.
The card networks won't hear any of this, though, because it's not in their financial interests.
Visa and its issuers are letting profits get in the way of common sense security solutions. Merchants can see it. Consumers will see it too.
Mark Horwedel is the chief executive of Merchant Advisory Group.