Comment: Is the US Next to Implement Chip and PIN?

Diaz wonders: Just how long will it take before US payment cards look like these?
Diaz wonders: Just how long will it take before US payment cards look like these?

With almost every other developed country in the world now moving toward Chip and PIN technology to support the Europay, MasterCard and VISA (EMV) standard, the continued use of magnetic stripe cards in the US has looked out of order for quite some time. The reasons behind the US stance are complex, but it seems now that some important voices are calling for a change.

At a recent NACHA conference in Seattle, Wal-Mart threw its weight behind the technology, announcing that its stores already have the hardware in place to accept Chip and PIN cards and that later in the year, it will be accepting one or more Chip and PIN programs. At the same conference, a T-Mobile executive also backed a move to EMV, warning that the U.S. is becoming the “weakest link” in card fraud and that banks must listen to what merchants are asking for.

It is good to see retailers putting their head above the parapet, and there is clear financial incentive for them to switch to a Chip and PIN system. The example set by the UK and Europe in terms of reducing card fraud is clear, and a few sums based on a 2009 survey by LexisNexis about the “True Cost of Fraud” show that US merchants could potentially save about $50bn by moving toward an infrastructure that supports EMV.

A shocking figure in this report is that US merchants pay about $100bn in fraud losses due to unauthorized transactions and fees/interest associated with chargebacks. This figure is nearly 10 times greater than the cost incurred by banks.

The expense to upgrade the card payments infrastructure to use EMV, however, is not insignificant, which is one factor that has held retailers and acquirers back. But if EMV upgrades are timed to occur when other changes are planned, then the additional cost could be far smaller.

For example, many merchants and acquirers are changing their networks to enhance cardholder data protection by deploying end-to-end encryption or other approaches within their networks. Changes to networks that add EMV messaging can be made at the same time, with little additional cost. Similarly, if EMV capability is added to the point of sale (POS) at the next cycle of POS renewal, then there will be only a marginal difference in cost.

For consumers, the transition to Chip and PIN would create a shift in culture. As American consumers currently have limited or no liability for transactions on lost, stolen, or counterfeit cards, they do not see the additional security of EMV cards as a benefit.

Entering a personal identification number (PIN) during purchases is seen as getting in the way of a simple swipe-and-sign transaction. Issuers also have little incentive to move to EMV, as they can charge higher interchange rates on magnetic stripe transactions.

In spite of this, some issuers (for example, the United Nations Federal Credit Union) have unveiled plans to issue credit cards that comply with the EMV standard. What has driven them forward is an understanding that as more and more countries adopt EMV, Americans who travel internationally are finding it increasingly difficult to use their cards abroad. In theory, EMV-enabled retailers should continue to accept magnetic stripe cards but, in practice, lack of experience with non-EMV cards means they are often rejected.

While the transition to Chip and PIN would improve security of the US payments infrastructure, it is important to note that it is not a panacea for completely eliminating fraud. Card transaction data still needs to have greater protection, so it is important for retailers, banks, payments processors, POS terminal vendors and other entities involved in the payments infrastructure to continue their focus on end-to-end data protection schemes that limits exposed vectors for fraudsters to exploit. This is especially true as we look to the future. Online purchases continue to grow strongly, and Chip and PIN does not inherently address potential fraud for phone or internet transactions.

Taking into account all these factors, it is difficult to predict when – if at all – the US will move to EMV. But the voices calling for change certainly seem to be getting louder.

The most recent advocate is an executive vice president of the Federal Reserve Bank (FRB) of Atlanta's Retail Payments Risk Forum, who recently questioned whether it was time for government to develop a plan for the country to move toward EMV. He brings up an intriguing point: As we’ve seen in Europe and Canada, it takes more than a few vocal entities to initiate change. Instead, a unified industry or government approach is needed for the train to start rolling.

For the migration toward EMV to happen, the business and security benefits of EMV and the disadvantages of US isolation – as the rest of the world abandons magnetic stripe cards – must outweigh the costs to upgrade and the incentives to resist change. When and if this will happen is extremely hard, if not impossible, to predict.

Jose Diaz is the director of technical and strategic business development at Thales e-Security, a leading global provider of data encryption solutions to the financial services, high technology manufacturing, government and technology sectors. Diaz has more than 10 years of experience in the payments systems security space, including five years in a technical sales capacity. His background includes more than 17 years of working in product development and communication system design, and he has four patents for his work in digital communications.

What’s hot on Infosecurity Magazine?