Wednesday, August 3, 2016
Some retailers believe that while requiring signatures with chip cards at the POS may protect against counterfeit payment card fraud, it is insufficient protection against other types of fraud. Some, such as Home Depot Inc. and Wal-Mart Stores Inc., have filed grievances against card brands and card issuing banks.
A new report by Aite Group LLC brings into question some retailers' claims that chip and signature is ineffective and inherently insecure. Chip Cards in the United States: The PIN, PINless, Debit, Credit Conundrum, published July 28, 2916, found the costs and challenges associated with implementing PIN technology may outweigh benefits for many U.S. retailers. The report includes quantifiable survey data on counterfeit and lost-and-stolen card fraud.
"With very little incremental risk for merchants and significant expense and implementation challenge for the payment ecosystem, it is difficult to justify a mandate to implement PIN as a credit card verification method," wrote Aite Senior Analyst Thad Peterson.
Mounting legal fees are also a factor in the EMV rollout. A June 24 article in The Green Sheet described Home Depot Inc.'s lawsuit against Visa Inc. and Mastercard, filed Jun. 15, 2016, that challenged the chip-and-signature verification method. The home improvement retailer is asserting its right to require chip-and-PIN verification for all credit and debit transactions at the POS, believing the practice will enhance security and enable the company to route debit card transactions to lower-cost debit card networks.
Home Depot's lawsuit followed a civil complaint by Wal-Mart Stores Inc. against Visa, filed May 10, 2016, that also sought to mandate PIN with EMV. The Green Sheet covered the complaint May 13, 2016, noting that Wal-Mart opposed the use of chip without PIN, which the company claimed was less secure and more expensive.
"PIN verification is much more secure than signature verification," the legal document stated. "It also enables Walmart to route transactions across PIN debit networks rather than signature debit networks, which saves Walmart (and its customers) money."
The Aite report noted that the simple act of adding a PIN pad to a POS device is neither simple nor cost effective, particularly for merchants who have never used PIN pads. The estimated cost of upgrading the installed base could exceed $4 billion, according to the study. The cost for card issuers could be more than $2.6 billion due to the expense of reissuing cards, establishing and maintaining a PIN management system, educating consumers, and modifying ATMs and interactive voice response platforms, the report authors wrote.
Aite researchers further noted that upgrading the entire U.S. installed merchant base would bring about a five-year fraud-avoidance benefit worth approximately $850 million, which, in their view, is insufficient to justify related costs and effort.
Additionally, it is the chip itself that mitigates counterfeit card fraud, which accounts for 45 percent of all fraud, so both chip and PIN and chip and signature transactions mitigate this type of fraud. An upgraded landscape of PIN pads would mitigate lost-and-stolen card fraud, which represents only 9 percent of total card fraud. In addition, only merchants with non-compliant EMV terminals are liable for lost-and-stolen fraud.
The Aite report acknowledges the contentiousness of the chip-and-PIN versus chip-and-signature debate, due to “widely disparate perspectives from various players in the ecosystem,” and noted that large retailers were generally more enthusiastic about implementing chip and PIN than their smaller counterparts. The authors found “misperceptions within the retail community about both the impact of lost/stolen card fraud as well as the tools that can be used to mitigate the risk of fraud.”
After surveying 361 U.S. merchants, the researchers found a disparity between perceived (1.7 percent) and actual levels (9 percent) of card-present fraud among the group. They also detected an array of under-utilized security measures, such as tokenization, encryption, checking customer IDs and implementing secure firewalls, which the authors suggested could potentially protect against fraudulent transactions.
“There appears to be a disconnect between the perceived value of chip-and-PIN implementation in the abstract and merchant expectations of fraud reduction,” the authors wrote. “Since merchants believe that lost/stolen fraud is only 1.7 [percent], the misperception related to both the amount of fraud and the impact that implementing PIN would have on the merchant’s bottom line is significant.” 
Editor's Note:
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
