US Senator Makes a Plea for Chip-and-PIN Cards

In the wake of an unprecedented spate of damaging data breaches and point-of-sale (PoS) hacks, Sen. Mark R. Warner (D-Va.), a member of the Senate Banking Committee, has sent a letter to federal banking regulators questioning the lack of follow-up to better protect consumers. He also called for chip-and-PIN technology to be implemented across the board.

“While chip-and-PIN safety features now will be required for credit and debit cards issued to federal agencies, I urge federal regulators to push harder to require banks and card-issuers to adopt better anti-fraud security features more widely for American consumers,” he wrote.

He added, “Technologies like chip-and-PIN have resulted in significant reductions in fraud in many major G-20 countries, including the UK. Yet despite a series of data breaches affecting hundreds of millions of American consumers in recent months, American card issuers and financial firms continue to issue and reissue less-secure signature cards.”

Chip-and-PIN cards, also known as smart cards, have an embedded microprocessor chip that contains the information needed to use the card for payment, and is protected by various security features, so they’re a more secure alternative to traditional magnetic stripe payment cards. Most of the world has moved to chip-and-PIN cards already, but the US has been a stubborn holdout.

“Retailers have been urging banks to migrate to chip-and-PIN technology for years,” Warner’s office told Infosecurity, in a note. “Banks require PINs for ATMs withdrawals, but refuse to embrace PINs at the point of sale. To consumers, there is little difference between an in-store transaction and an ATM withdrawal, it’s just how they access their money. Why should one be substantially more secure than the other? It is time for the banks to put aside excuses and begin to put forward the most effective solutions.”

There are some positive moves afoot; after leaking millions of shoppers’ card information in the high-profile holiday breach last year, Target announced a goal for its accelerated, $100-million plan to move its REDcard portfolio to chip-and-PIN-enabled technology (and to install supporting software and next-generation payment devices in stores). Beginning in early 2015, it will begin accepting payments from all chip-enabled cards in its stores. In addition, the entire REDcard portfolio, including all Target-branded credit and debit cards, will be enabled with MasterCard’s chip-and-PIN solution. Existing co-branded cards will be reissued as MasterCard co-branded chip-and-PIN cards.

Also, Home Depot has confirmed that it will roll out chip-and-PIN terminals to all US stores in advance of the October 2015 deadline established by the payments industry.

On February 3, 2014, Warner chaired the first hearing in Congress in the aftermath of the Target breach. On the heels of that hearing, Sens. Warner and Mark Kirk (R-IL) called for the private sector to cooperate in creating Information Sharing and Analysis Centers (ISACs) to share information on data breaches, something the retail and financial services industries have pursued on a voluntary basis.  Additionally, the two introduced legislation in the last Congress to strengthen consumer protections for debit cardholders by capping liability for fraud at $50, the same amount as for credit cards. That went nowhere, but Warner said that he plans to re-introduce similar legislation in this Congress in coming weeks.

“I believe America should be leading the world in technological innovation and consumer financial protection,” Warner wrote. “Constant innovation in payment card security is essential, and I hope efforts are not limited to simply implementing PIN technology but also incorporate tokenization and other evolving technologies to ensure consumers are protected from theft of their financial data.”

What’s Hot on Infosecurity Magazine?