The issue
Over the past several years, U.S. banks have replaced traditional magnetic stripe credit cards with new EMV cards – short for Europay MasterCard Visa – that store data on an embedded computer microchip that makes the cards more difficult to counterfeit. During the same time, retailers have replaced magnetic-stripe card readers with new chip card readers.
Throughout the rest of the world, EMV means chip-and-PIN, which requires users to enter a secret personal identification number to approve a transaction, the same as when withdrawing cash from an ATM. But the cards issued in the United States are chip-and-signature, with transactions approved by an easily forged signature, and the major credit card companies no longer require even the signature (although retailers can choose to require it). While the chip can reduce counterfeit fraud, the absence of a PIN leaves no protection against the fraudulent use of lost or stolen cards and no backup in cases where the chip malfunctions or is circumvented.
Why it matters to retailers
Credit card security – a large component of overall data security – is one of retailers’ top priorities. U.S. retailers complained for years that traditional credit cards were fraud-prone, saying their magnetic stripes were easy to copy and that signatures were of little value in proving the person using the card was the legitimate cardholder. With magnetic stripe, banks usually absorbed the cost when a fraudulent transaction was made with a counterfeit card, but retailers were stuck with the cost when lost or stolen cards were involved, amounting to billions of dollars a year. As a result, retailers demanded chip-and-PIN, which protects banks, retailers and consumers alike by stopping both counterfeit and lost/stolen card fraud. When banks began issuing chip-and-signature cards instead, retailers were concerned that the opportunity to take full advantage of chip technology had been missed.
The switch to EMV came at considerable expense to retailers because merchants, not the card industry, were required to pay the cost of the new equipment, software and installation – an average of $2,000 per chip reader or more than $30 billion nationwide. In addition, changes in fraud liability rules unilaterally imposed by the card industry when EMV was introduced mean retailers now face increased liability. Retailers without a working chip card reader are usually responsible for counterfeit fraud if a chip card is used and remain responsible for most lost/stolen fraud.
NRF advocates for more secure credit cards
NRF has worked with policymakers, the news media and the public to raise awareness of payment card security issues and has repeatedly called on banks to issue chip cards with the PIN function enabled so retailers can choose whether to require a PIN.
NRF has argued that chip cards without PINs do not provide sufficient security and that a PIN alone – even without the chip – could more effectively stop both counterfeit and lost/stolen fraud. NRF has also said it is unfair for retailers to have to pay the cost of new EMV equipment that has reduced fraud costs for banks but not retailers.
While EMV cards have reduced in-person credit card fraud, NRF has highlighted studies by LexisNexis and others that have shown an increase in online card fraud, where the chip plays no role because only card numbers – not a physical card – are required.
The move to EMV was prompted, in part, by data breaches in which credit card numbers were stolen. But the chip only confirms that the card is not counterfeit and does nothing to protect card information stored in databases or being transmitted for payment processing. With the chip failing to address those issues, NRF surveys have found that retailers have moved forward on sophisticated security steps of their own, including point-to-point encryption, which protects card data being transmitted, and tokenization, which protects information stored in a database.
NRF is a founding member of the Secure Payments Partnership, a coalition intended to improve the security of the U.S. payments system ranging from credit and debit cards to emerging technology. The group – which includes financial services companies such as the Star and Shazam ATM networks in addition to retailers – has urged the card industry to make PIN or more advanced authentication available.
Among other proposals, the SPP has called for open payment card security standards rather than those mandated by the Payment Card Industry Security Standards Council, which is controlled by the major credit card companies. NRF has called the council an “inappropriate exercise of market power” that “fails to meet any of the standards established by the federal government” for impartial standard setting.