As most everyone knows, effective October 2015, the PCI Security Standards Council brought into effect a major change to all credit card contractual rules to encourage merchants and issuing banks to adopt EMV chip technology. Compared to the standard static magstripe technology, it is expected that placing an integrated circuit, or “chip,” into credit and debit cards, with the consequential ability to create a dynamic transaction code for each transaction, will be a great leap forward in the fight against credit card fraud. For the time being, however, all cards, even those with chip technology, will continue to be produced with magstripes. Thus most retailers will continue to have the election of whether they will read the card’s magstripe or chip (assuming a chip is present).
Because of the security improvement offered by chip enabled credit and debit cards, the now famous liability shift exists to incentivize merchants to adopt chip reading terminals at their checkout counters. Once instituted at a merchant’s location, customers will no longer “swipe” their card as part of their authorization of a credit card transaction. Instead, they will insert or dip their card into a slot at the bottom of the terminal. However, this technology requires merchants to invest in the appropriate terminals, train staff (and their customers) and often to re-work their point of sale protocol. In short, it is still a complicated cost-benefit analysis for many merchants.
As with all cards, magstripe and chip cards, multiple factor authentication still is required for every card-present sales transaction. This process is commonly referred to as “something you have,” i.e., that plastic card; and “something you know,” which for years meant that the card’s holder would place a unique signature on the sales receipt. And it is here in this second step of the authentication process where those nine Attorneys General now find disagreement.
As has long been the case, when a credit card is used in a retail transaction an invoice is printed, which must be signed by the customer. When one of the new chip cards is presently used and an invoice is rendered, this is referred to as “Chip & Sign.”
The twin authorization brother to Chip & Sign is Chip & Pin. In those transactions, the card holder would complete the authorization process by entering a “personal identification number” into a PIN reader, instead of signing the receipt. While Chip & Pin arguably presents the more fraud-proof authentication protocol, it is not without its real-world downsides. Commonly cited problems are that chip cards cost more to produce, and for consumers to replace when lost or stolen. Merchants in particular are impacted, as closing a sale with Chip & Pin necessarily requires the customer to remember his or her PIN (and the real possibility of slower checkout lines or even terminated sales), and requires merchants large and small to invest in and program PIN readers at each checkout counter, among other considerations.
Further, acquirers of those merchant-consumer card transactions must retool and re-price for the extra verification process. And in the end, all agree (perhaps?) that almost no card payment system is foolproof, regardless of how expensive or burdensome it proves to be. Thus, whether the card associations, card issuing banks, merchant acquirers, merchants and cardholders prefer one authentication method over the other depends upon a multitude of variables.
It was through a long process of listening to all the stakeholders in the discussion that the PCI standard was adopted that permitted Chip & Sign authentication to continue and for others to voluntarily adopt Chip & Pin. There were of course strong arguments and voices on both sides of the issue. Indeed from the beginning, there were those who felt the encouragement of chip technology alone did not go far enough, but rather that the European and Canadian model of Chip & Pin should be promoted or required. But other important stakeholders believed that a one-size-fits-all approach was inappropriate, and perhaps that it was simply too big of a change to American commerce to try to do everything at once. In the end, of course, Chip & Sign was adopted, or at least preserved, as a method of authenticating card-present POS transactions.
And there lies the rub for those nine AG’s. They genuinely perceive that Chip & Pin is better. On November 17, 2015, nine state Attorneys General asked leaders at companies including MasterCard, Visa, Discover Financial Services, Bank of America, Capital One, Citigroup, American Express and JP Morgan Chase to move to full Chip & Pin technology as soon as possible. And they reached their opinion for one perceived reason. Essentially ignoring all the other variables, they opine that Chip & Pin is more likely to thwart more malefactors in their fraud schemes.
According to the AG letter, “There can be no doubt that this [chip and sign] is a less secure standard, since signatures can easily be forged or copied or even ignored at the point-of-sale”. In other words, while anyone without a conscience can forge another’s signature on a sales receipt, all the malicious intent in the world will not permit someone to know what they do not: the defrauded cardholder’s PIN.
Specifically the Attorneys General of eight states, plus the District of Columbia, are the authors. The signers were the AG’s of Connecticut, District of Columbia, Illinois, Massachusetts, Maine, New York, Rhode Island, Georgia and Virginia. This effort was led in part by the AG’s of two states, Connecticut and Georgia, who had previously sent a letter to all 50 AG’s urging them all to sign on.
The National Retail Federation, who immediately welcomed the AG letter and argued that the burdens of using Chip & PIN cards are overstated, also supported the effort. This trade group also echoed concerns that Chip & Sign technology left too many holes for fraudsters to exploit, in comparison with Chip & Pin.
But is this the province of state AG’s? After all, this is a private contractual matter between the banks, credit card companies, merchants and cardholders. The technology, while not “rocket science,” is a bit complicated. And the considerations as to whether and what form of the technology to adopt (not the least of which are costs and customer preference) present concerns and issues that may be better resolved by those with the expertise and closeness to the situation: the card companies, banks and merchants. What technology is best for some merchants may not be the same for all, particularly given the costs of the technology, the customer reaction and the peculiar cyber risks faced by various retailers. Some merchants, small Mom and Pop businesses for example, may face relatively low risks of data breach and investing in the technology may not be justified. Also for example, Chip & Pin poses unique practical problems for restaurants and other businesses whose employees are partially compensated through tipping. And whether Chip & Pin is the best security measure is also questioned in several quarters.
Perhaps given this, there was immediate push back to the AG letter that received little press. For example, the Credit Union National Association (CUNA) and some 28 state credit union leagues sent a letter to all 50 AG’s who were solicited to join in the signing of this letter urging them to not do so. According to CUNA, mandating the use of PIN technology would not necessarily eliminate fraud or single-handedly secure the payments system. “The push is rooted in an outdated narrative that PINs will prevent breaches,” according to Shelton Roulhac, CUNA director of advocacy and legislative affairs. “The truth is that there is no single technology that is a panacea when it comes to preventing fraud and data breaches.” CUNA believes that the effective way to meet the security challenge is to require all stakeholders to comply with the same strict set of standards.
Perhaps sensing these issues, while the nine AGs got lots of press from signing, the remaining 47 AG’s have so far refused to join this effort. One of these AG’s was Hawaii Attorney General Doug Chin. Together with the Hawaiian Banking Association, Chin felt that the effort focused too narrowly on chip and PIN technology and ignored the more advanced security offered by technologies such as biometric authentication.
So at this point, despite the hoopla, the whole effort seems to border on a fiasco. Certainly it could be argued that opposing Chip & Sign is little more than perfect being made the enemy of the good. And while it could be legitimately argued that the card companies once committed to the change should have gone whole hog instead of implementing improvements in phases, there is little doubt Chip & Sign offers improved protection over the old system. And, as noted above, a one size fits all approach makes little sense.