The PIN debate: Retailers, banks divided on post-EMV card security

The EMV deadline has come and gone in the United States, but the debate over how the standard is being implemented is still a hotly contested issue.
Written by Natalie Gagliordi, Contributor

Short for Europay, MasterCard and Visa, EMV is a secure payment standard that reduces fraud in face-to-face, card-present environments via the use of chip-embedded payment cards.

The chip creates a unique impression for each transaction, so the only data flowing through a merchant's point of sale (POS) terminal is a random numerical sequence. The combined chip and tokenization process makes it nearly impossible for data thieves to create fraudulent accounts or make counterfeit cards, because the chip itself cannot be replicated.

As of October 1, a U.S. merchant is required to have updated his or her POS device and back-end software to begin accepting chip cards. Otherwise, the business owners are potentially liable for incidents of fraud (such as if a chip card is used in a non-chip reader) instead of the banks and card issuers.

But the EMV standards taking hold in the U.S. are viewed by many as only a half measure -- one that keeps a gaping hole in the security of the U.S. payment system.

Unlike other countries where EMV chip-card standards have been put in place, the U.S. is only requiring the issuance of chip-and-signature cards, not chip-and-PIN. The choice of supporting PIN is up to the banks that issue the cards and the merchants who accept card payments.

The difference between a chip-and-PIN card and a chip-and-signature card is the approach to transaction verification. The PIN approach requires users to enter a four-digit Personal Identification Number that corresponds to information contained in the chip embedded in the card.

Chip-and-signature differs in that users verify their identity with a signature, no PIN required.

The signature verification approach is universally considered less secure than chip-and-PIN, and that's where the debate over EMV in the U.S. begins to heat up.

In the weeks following the official EMV migration date, merchant groups, consumer advocacy groups and even the Federal Bureau of Investigation (FBI) called attention to the need to adopt chip-and-PIN in order to take full advantage of EMV security.

The FBI issued a public service announcement on October 8, which mostly praised the new standards for helping to increase payment security -- yet warned the cards were still vulnerable to fraud. The FBI also said the chip cards will do little to stop stolen or counterfeit cards from being used online or in telephone purchases.

The FBI encouraged merchants to require their customers to use a PIN and advised that a government-issued photo identification card should be asked for when customers use a signature.

The warning marked the second time the federal government came down publicly in favor of PIN.

Last year President Obama signed an executive order called the BuySecure Initiative. It asserted chip-and-PIN technology must be applied to all newly issued and existing government credit cards, while also facilitating the transition to chip-and-PIN POS terminals within Federal agency facilities that transact with the public.

The FBI's message was welcomed by the National Retail Federation (NRF), the world's largest retail trade association, which along with the Merchant Advisory Group, has argued for years in favor of PIN usage with chip cards.

In fact, a day before the FBI issued its PSA, the NRF testified before the House Committee on Small Business, arguing that chip-and-signature cards without a PIN would not stop data breaches, and that small businesses should not be required to install the upgraded POS hardware needed to accept them at the expense of more effective technology.

But the FBI's original PSA was at some point taken down and replaced by one that reads as significantly less severe. The American Bankers Association (ABA) reached out to the FBI and asked them to revise their statement, an ABA representative confirmed to ZDNet.

The ABA took issue with the FBI's wording, positing it was not in line with the current state of the U.S. marketplace and could cause confusion for consumers.

The NRF, however, finds that notion particularly irksome.

"Credit cards have been used with PINs around the world, it's the way they are used in every place but the U.S.," said Craig Shearman, vice president of government affairs relations at the NRF. "And Americans have used PINs with debit cards. So we can't understand why the banks are so resistant to using them."

Shearman said the NRF is pushing for the banks to use all of the security that chip cards are capable of providing. Otherwise, he said, it's like "locking the front door but leaving the back door wide open."

The NRF's position is that while chips do make the new cards more difficult to counterfeit, the chip can still be circumvented by a smart enough hacker. What's more, the chips do not prevent lost and stolen cards from being used in person or online -- something a PIN could address even without the chip.

Steve Pociask, president of the American Consumer Institute Center for Citizen Research, holds a position similar to the NRF's, arguing that big banks and card processing networks stubbornly maintain an anti-PIN mindset even though they are well aware that PINs are more secure.

"Along with their trade association, they essentially argue that we should ignore the documented benefits of chip-and-PIN payment cards across the world and adopt a half-measure here at home instead," Pociask said in an emailed statement to ZDNet. "They continue to foolishly argue that consumers are unable to remember PINs to conduct transactions, that newer, better authentication technologies are just over the horizon if we continue to wait, and that PINs will do little to prevent online fraud."

Like the NRF, Pociask pointed out how hundreds of millions of retail bank accounts in the U.S. require PINs with debit cards to conduct transactions.

"Surely, if financial institutions believe PINs are secure enough to protect American bank accounts, they should agree to couple them with chip-equipped cards to ensure consumers' credit transactions are more secure," he added.

However, according to Visa representative Sandra Chu, the credit card processor is not taking a position against PIN and stressed that the choice to utilize PIN technology is up to the banks and merchants. As for the banks, Chu noted financial institutions still remain liable for lost and stolen fraud -- which is what PIN addresses -- whether or not the card is used with the magnetic stripe or the chip.

Looking ahead, the U.S. is still in the very early stages of the EMV migration. By most estimates, transaction volume from EMV cards will not reach 90 percent for at least three years.

Until then, the NRF is hoping for "meaningful change" in the direction of PIN adoption.

"We think the banks are going to have to move to PIN eventually," Shearman said. "Over 60 percent of consumers preferred PIN, and there's obviously a huge debate over this now. I think PIN is where it has to go, and it's just a shame the banks are squandering the opportunity to do everything at once. They are leaving it up to a second wave that is going to have to come later."
