The Green Sheet Online Edition
August 22, 2016 • Issue 16:08:02
Chip and PIN debate roils retail, payments sectors
Ten months after the October 2015 EMV (Europay, Mastercard and Visa) liability shift, retail and payments analysts have mixed opinions on U.S. approaches to implementing EMV chip card technology. The biggest source of contention appears to be centered on the chip-and-PIN versus chip-and-signature debate.
Some retailers believe that while requiring signatures with chip cards at the POS may protect against counterfeit payment card fraud, it is insufficient protection against other types of fraud. Some, such as Home Depot Inc. and Wal-Mart Stores Inc., have filed grievances against card brands and card issuing banks.
A new report by Aite Group LLC brings into question some retailers' claims that chip and signature is ineffective and inherently insecure. Chip Cards in the United States: The PIN, PINless, Debit, Credit Conundrum, published July 28, 2016, found the costs and challenges associated with implementing PIN technology may outweigh benefits for many U.S. retailers. The report includes quantifiable survey data on counterfeit and lost-and-stolen card fraud.
"With very little incremental risk for merchants and significant expense and implementation challenge for the payment ecosystem, it is difficult to justify a mandate to implement PIN as a credit card verification method," wrote Aite Senior Analyst Thad Peterson.
Lengthy, expensive court battles
Mounting legal fees are also a factor in the EMV rollout. A June 24 article in The Green Sheet described Home Depot Inc.'s lawsuit against Visa Inc. and Mastercard, filed June 15, 2016, that challenged the chip-and-signature verification method. The home improvement retailer is asserting its right to require chip-and-PIN verification for all credit and debit transactions at the POS, believing the practice will enhance security and enable the company to route debit card transactions to lower-cost debit card networks.
Home Depot's lawsuit followed a civil complaint by Wal-Mart Stores Inc. against Visa, filed May 10, 2016, that also sought to mandate PIN with EMV. The Green Sheet covered the complaint May 13, 2016, noting that Wal-Mart opposed the use of chip without PIN, which the company claimed was less secure and more expensive.
"PIN verification is much more secure than signature verification," the legal document stated. "It also enables Walmart to route transactions across PIN debit networks rather than signature debit networks, which saves Walmart (and its customers) money."
The PIN debate
The Aite report noted that the simple act of adding a PIN pad to a POS device is neither simple nor cost effective, particularly for merchants who have never used PIN pads. The estimated cost of upgrading the installed base could exceed $4 billion, according to the study. The cost for card issuers could be more than $2.6 billion due to the expense of reissuing cards, establishing and maintaining a PIN management system, educating consumers, and modifying ATMs and interactive voice response platforms, the report authors wrote.
Aite researchers further noted that upgrading the entire U.S. installed merchant base would bring about a five-year fraud-avoidance benefit worth approximately $850 million, which, in their view, is insufficient to justify related costs and effort.
Additionally, it is the chip itself that mitigates counterfeit card fraud, which accounts for 45 percent of all fraud, so both chip-and-PIN and chip-and-signature transactions mitigate this type of fraud. An upgraded landscape of PIN pads would mitigate lost-and-stolen card fraud, which represents only 9 percent of total card fraud. In addition, only merchants with non-compliant EMV terminals are liable for lost-and-stolen card fraud.
Perception versus reality
The Aite report acknowledged the contentiousness of the chip-and-PIN versus chip-and-signature debate and noted that large retailers were generally more enthusiastic about implementing chip and PIN than their smaller counterparts. The authors found "misperceptions within the retail community about both the impact of lost/stolen card fraud as well as the tools that can be used to mitigate the risk of fraud."
After surveying 361 U.S. merchants, the researchers found a disparity between perceived (1.7 percent) and actual levels (9 percent) of card-present fraud among the group. "There appears to be a disconnect between the perceived value of chip-and-PIN implementation in the abstract and merchant expectations of fraud reduction," the authors wrote. They also detected an array of underutilized security measures, such as tokenization, encryption, checking customer IDs and implementing secure firewalls, which the authors suggested could potentially protect against fraudulent transactions.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.