Walmart's Focus on PIN in Card Debate Is Misguided
The debate over whether signatures or PINs are a stronger security feature overlooks the fact that neither is the most important defense against fraud.
The goal of adopting chip cards to provide tighter security is a noble one. But by going partway, authorizing transactions with signatures rather than four-digit codes, banks are watering down that security, at least for lost and stolen cards.
There is an old saying by Mark Twain, "Never let the truth stand in the way of a good story, unless you can't think of anything better." Recently, Walmart filed a lawsuit against Visa complaining the company won't let it require PINs on transactions made with chip-enabled debit cards.
"PIN is the only truly secure form of cardholder verification in the marketplace today, and it offers superior security to our customers," Walmart said in a statement. "This suit is about protecting our customers' bank accounts when they use their debit cards at Walmart."
Of course, we all agree that customers should have the safest electronic transaction experience possible. However, a PIN mandate will not prevent online or mobile fraud. If a PIN is stolen from a retailer's system, it is possible that a criminal could access the customer's entire account and commit fraud.
Just look at what happened in Fredericksburg, Va., when thieves put electronic skimmers on checkout card machines at a Walmart there. The breach led to shoppers' debit and credit cards being compromised and used to make cash withdrawals.
The two high-profile data breaches at Target and Home Depot occurred because hackers used malware to collect customers' credentials, including PINs, from the retailers' systems. The Home Depot breach affected 56 million cards and the Target breach 40 million.
Walmart's lawsuit overlooked the security defects of PINs. The average American keeps four cards in his or her wallet. That means four separate PINs to remember. For those who would opt to use the same PIN on every card, all accounts would be compromised in the case of a single security breach.
The statement by Walmart also doesn't hold up to rapidly changing technology. In chip-enabled cards, the technology preventing fraud is the actual chip. This challenges the notion that, as Walmart put it, "PIN is the only truly secure form of cardholder verification."
The company should understand that even if the chip card data is stolen, it is nearly impossible for that data to be used to conduct counterfeit fraud because of the unique, one-time use code generated by the microchip to verify each purchase.
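The following is an added illustration of the mechanism described above; it is not code from the article, from Walmart, Visa or any card network. It models an EMV-style dynamic cryptogram in simplified form: the chip holds a per-card secret key and a transaction counter, produces a MAC over the transaction details and a terminal nonce, and the issuer checks both the MAC and the counter. HMAC-SHA256 stands in for EMV's actual ARQC cipher, the message layout is constructed for this example, and the PAN and key are constructed test values.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass, field

CRYPTOGRAM_LEN = 8  # truncated MAC; EMV application cryptograms are 8 bytes


def cryptogram_input(pan: str, amount_cents: int, atc: int, unpredictable_number: bytes) -> bytes:
    """Canonical bytes that card and issuer both MAC over (constructed layout, not EMV's)."""
    return f"{pan}|{amount_cents}|{atc}|{unpredictable_number.hex()}".encode()


@dataclass
class ChipCard:
    """Card side: the secret key never leaves the chip; only cryptograms do."""
    pan: str
    key: bytes
    atc: int = 0  # Application Transaction Counter, increments on every transaction

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: bytes):
        self.atc += 1
        msg = cryptogram_input(self.pan, amount_cents, self.atc, unpredictable_number)
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return self.atc, mac[:CRYPTOGRAM_LEN]


@dataclass
class Issuer:
    """Issuer side: holds a copy of each card's key and the highest ATC seen so far."""
    keys: dict
    last_atc: dict = field(default_factory=dict)

    def authorize(self, pan, amount_cents, atc, unpredictable_number, cryptogram):
        key = self.keys.get(pan)
        if key is None:
            return False, "unknown card"
        msg = cryptogram_input(pan, amount_cents, atc, unpredictable_number)
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:CRYPTOGRAM_LEN]
        # Constant-time comparison: a wrong MAC means the data was altered or forged
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        # A counter that does not advance means a previously seen cryptogram was resubmitted
        if atc <= self.last_atc.get(pan, 0):
            return False, "replayed ATC"
        self.last_atc[pan] = atc
        return True, "approved"


def terminal_purchase(card: ChipCard, issuer: Issuer, amount_cents: int):
    """Terminal side: supplies a fresh unpredictable number, relays card output to the issuer."""
    un = os.urandom(4)
    atc, cryptogram = card.generate_cryptogram(amount_cents, un)
    decision = issuer.authorize(card.pan, amount_cents, atc, un, cryptogram)
    return decision, (amount_cents, atc, un, cryptogram)


def run_scenario():
    """Returns the issuer's decision for one genuine purchase, two reuses of the
    data a skimmer could have captured from it, and a second genuine purchase."""
    pan = "4111111111111111"                                   # constructed test PAN
    key = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed test key
    card = ChipCard(pan, key)
    issuer = Issuer({pan: key})
    results = []

    # 1. Genuine purchase; everything that crosses the terminal is now "captured"
    decision, captured = terminal_purchase(card, issuer, 4999)
    results.append(decision)
    amount, atc, un, cryptogram = captured

    # 2. Captured record submitted again verbatim: MAC verifies, counter does not advance
    results.append(issuer.authorize(pan, amount, atc, un, cryptogram))

    # 3. Captured cryptogram paired with a new terminal nonce and the next counter value:
    #    without the key nobody can produce a MAC over the new inputs
    results.append(issuer.authorize(pan, amount, atc + 1, os.urandom(4), cryptogram))

    # 4. Second genuine purchase from the real chip: new counter, new cryptogram
    decision, _ = terminal_purchase(card, issuer, 1250)
    results.append(decision)
    return results


if __name__ == "__main__":
    for approved, reason in run_scenario():
        print("APPROVED" if approved else "DECLINED", reason)
```

Note that cardholder verification (PIN or signature) never enters this flow: the counterfeit resistance comes entirely from the key that stays on the chip and the issuer's two checks, which is the point the text makes about where the protection actually lies. The counter check is what defeats verbatim replay; the MAC check is what defeats any attempt to adapt captured data to a new transaction.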
Merchants who upgraded to chip cards are already seeing a drop in counterfeit fraud by as much as 18%. That likely has little to do with whether a PIN is enabled on the card. About two-thirds of all in-store credit card fraud comes from counterfeited cards. Regardless of how the transaction is authenticated (signature or PIN), chip cards will significantly reduce that statistic.
According to Visa data, about 50% of U.S. transactions qualify as "no cardholder verification method (CVM)" transactions and don't require PIN or signature authentication because they are low-risk, low-dollar transactions.
Additionally, there has been a movement away from PIN in both Canada and Europe. PIN has long been the standard in Europe, but earlier this year Visa Europe reported that about one in seven transactions were made with a contactless chip card, which doesn't require PIN or signature authentication because of the limited fraud risk and ability to speed up checkouts.
In 2014, a study by Forrester Research reported that the $263 billion in annual online transactions made by U.S. consumers in 2013 was expected to grow by 57.4% to $414 billion in 2018. With online fraud rising, a solution such as mandating PIN security, which does not address digital commerce, can only go so far.
We need baseline national security standards to help retailers better protect consumers' data. Retailers are not held to any federal security standards. A recent Morning Consult poll found 90% of consumers agree that stores and retailers should be held to similar standards as banks and other financial institutions to keep data secure and private.
Consumers deserve protection of the data they supply in the course of buying goods and services. Banks and other financial institutions exceed the requirements of the Gramm-Leach-Bliley Act to safeguard their customers' information. In contrast, retailers do not abide by the same safeguards. They need to step up to protect consumers' sensitive information and privacy, including by developing information security programs and safeguards against personal information getting into the wrong hands.
Given the numerous recent big-box retailer data breaches, the Data Security Act of 2015 provides common-sense standards that protect consumer information when it is in the hands of retailers. Unfortunately, retailers aren't in favor of these standards and have resorted to making claims about the bill that are simply untrue. For example, the retailer groups claim that this bill would subject millions of front-line employees who work the cash register and stock shelves to an intrusive background check. The truth is that the bill is patterned after a Federal Trade Commission rule. The FTC standard is flexible, calling for reasonable security measures "appropriate to the size and complexity of the covered entity," "the nature and scope of the activities," and "the sensitivity of the consumer information to be protected."
If retailers were accountable for implementing these measures, it's likely many of the recent high-profile data breaches could have been prevented.
The bill enjoys widespread bipartisan support with 23 Republican and 16 Democratic co-sponsors. Additionally, the House Financial Services Committee overwhelmingly approved of the bill with a bipartisan vote of 46 to 9. Importantly, the legislation will establish standards that are scalable and flexible to the size and risk profile of the covered entity.
The electronic payments industry has every reason to make consumers' payments as secure as possible. But the insistence of Walmart and other retailers that PIN authentication be required is not consistent with that goal. Mandating one technology that will become obsolete as cyber threats change hurts consumers because it funnels valuable time and resources away from developing innovative, behind-the-scenes technology to protect card data.
A truly secure payments system requires a wide array of dynamic authentication technologies, including EMV, tokenization and end-to-end encryption.
Retail groups calling for continued inaction on security measures are standing in the way of their customers' best interests. Financial institutions, payment networks and processors, and retailers must all do their part and work together to ensure sensitive payment information is protected for consumers.
Molly Wilkinson is the executive director of the Electronic Payments Coalition.