Battle erupts over security of chip-enabled credit card readers

June 24, 2016

Jaikumar Vijayan

Retailers nationwide are in midst of rolling out payment terminals intended for cards embedded with smart chips, which are supposed to better protect consumers against financial fraud than cards with magnetic strips.

However, shoppers still aren’t adequately protected from hackers and identity thieves, The Home Depot and Walmart have claimed in separate lawsuits against MasterCard and Visa.

"Visa and MasterCard have pushed consumers to use payment card technology that Visa and MasterCard know is defective and subject to fraud and have colluded with each other and with the banks that issue debit and credit cards to do so," states the suit from The Home Depot filed last week in Atlanta federal court. Walmart filed suit against Visa last month.  

The lawsuits expose an intensifying battle between big box retailers and payment companies over the rollout of the so-called chip-and-PIN system that has been commonplace in much of Europe since 2005. Instead of requiring a personal identification number (PIN) for US customers, the lawsuit states, Visa and MasterCard have conspired to require customers verify their purchases only with a signature, which can be easily forged or copied.  

Retailers now say they need to pay to install PIN-enabled point-of-sale systems, and are still on the hook for potential breach fees, without any say in the process, according to Julie Conroy, research director at the Aite Group, a financial services consulting firm.

“At the end of the day the majority of the breaches, fines, and compliance costs end up impacting merchants,” Ms. Conroy said. 

Customers in most of the roughly 80 countries that use chip-and-PIN cards are required to enter their PIN number while the point-of-sale machines verifies their card’s chip as an extra layer of security. That method has reduced fraud in Britain by 67 percent, according to the UK Cards Association.

The US was the last developed country to adopt chip-and-PIN cards when they were introduced in October 2010, and a mere 37 percent of US businesses were capable of accepting chip-and-PIN payments in March of this year, according to a survey by The Strawhecker Group, a business consultancy firm. 

The Home Depot says customers are at increased risk of fraud by using signatures rather than a PIN. Credit card companies know this, the home improvement company alleges, yet have failed to make PINs mandatory. That's a major concern not only for customers, but at the stores where breaches occur, says the National Retail Federation (NFR), the world's largest retail trade group. 

Over the past few years, data breaches at major retailers such as Target, Home Depot, and TJX have resulted in extensive credit card fraud and staggering costs for the companies that suffered them. This year, The Home Depot agreed to pay $19.5 million to compensate the more than 50 million cardholders ensnared in a 2014 data breach. The home improvement giant also moved to roll out chip-enabled registers in all of its US stores following the hack.

In a letter to the US Federal Trade Commission last month, the NFR, which represents tens of thousands of businesses, accused MasterCard, Visa, and other card networks of inappropriately misusing their market power to shove security standards of dubious quality on retailers.

The standards, known within the industry as the Payment Card Industry Data Security Standards (PCI DSS), have been in effect for about 10 years. It specifies a set of high-level security controls, like maintaining a firewall and changing default passwords, that retailers are required to implement for protecting cardholder data. Larger retailers such as Home Depot and Walmart have a much more stringent set of requirements than smaller ones.

Retailers who suffer data breaches and are found to be noncompliant with PCI requirements face hefty fines and can be held responsible for reimbursing banks the costs associated with fraud and with canceling and reissuing new payment cards. Retailers have long viewed PCI as serving mainly the interests of the major card brands and card-issuing banks, the NRF says. To many, the standards were and continue to be an effort to get retailers to shoulder the major burden of fixing an aging and antiquated payment system and to bear the liability when things go wrong.

“From the very beginning there was lot of pushback on having standards imposed that we would have to abide by, that we would have to pay for and that we had no control over to make effective,” said Mallory Duncan, senior vice president and general counsel of the NRF.

The card networks' failure to impose a PIN requirement is just one example, Mr. Duncan says. PINs offer six times more security than signature-based transactions and yet are not mandated because they make less sense for the card networks, he said. As a result, the security benefits of using chip-enabled cards are only partially realized. 

Chip-enabled cards – or Europay MasterCard Visa (EMV) cards in industry-speak – are considered almost impossible to clone. Such cards, especially when used in conjunction with PINs, have played a big role in reducing fraud in the dozens of countries that have been using the technology for years. 

But without a PIN requirement, a stolen chip-card can still be used to make online purchases and conduct other so-called card transactions where the buyer isn't physically present. Almost 80 percent of credit and debit card fraud stems from such transactions, often over the phone or by mail.

“What we have today is these new chip cards that remain almost as fraud prone,” as magnetic stripe based cards, Duncan said. “We have had to spend billions of dollars to comply with the rules, but the rules provide very little by way of fraud reduction.”

Still, PIN use even without a chip-card is safer than relying purely on signatures for authentication, Duncan said.

MasterCard spokesman Seth Eisen said the card network is still reviewing Home Depot’s filing. He described the lawsuit as not surprising and as a “procedural step” related to a longstanding dispute over fees that merchants pay for electronic payments.

Mr. Eisen downplayed the concerns raised by Home Depot pertaining to the use of PINs. “MasterCard leaves the decision on how to verify the cardholder identity – PIN or signature – up to the merchant and the issuer,” he said. Whoever has the weaker security between the two will be held liable for counterfeit card fraud under present rules, he said.

A Visa spokesman said the network is aware of the lawsuit and deferred comments on the NRF’s concerns, to the PCI Security Standards Council, the body in charge of developing the standards. “PCI SSC is aware of the NRF letter and strongly disagrees with the unfounded assertions it contains,” said Stephen Orfei, general manager of the PCI security council.

One council member strongly rebuffed allegations that merchants do not have a voice in the council. "The notion that retailers do not have a voice in the PCI Data Security Standards is just absurd,” the member said. “The biggest retailers in America are members of the PCI Security Standards Council's Board of Advisors including Amazon, Walmart and Starbucks."