EMV Chip Needs PIN, Too: Data Security Groups
Citing the need for enhanced credit card security measures, a diverse group of consumer advocates and national nonprofits called on government leaders to help make chip and PIN technology a U.S. reality.
"We feel Congress must urge the nation's largest credit card issuers – particularly the big banks and credit unions – to do everything they can to provide the best possible safeguards to protect consumers and their financial transactions," the letter reads. ProtectMyData, the Multicultural Media, Telecom and Internet Council, the Hispanic Technology and Telecommunications Partnership and DiverseTech signed the letter sent to Congress as well as the White House, the Federal Reserve and the CFPB.
Despite the ongoing transition from magnetic stripes to chip-enabled cards that encrypt data at POS terminals, those cards still rely on a signature as a secondary form of verification, the letter argues. A signature is not a credible element of security, the ad hoc group contends, as it can be easily forged or ignored.
"We all know, chip-enabled cards must be coupled with the requirement that consumers enter a personal identification number to properly authorize a transaction," Debra Berlyn, leader of ProtectMyData, said. "The PIN requirement adds a distinct layer of security and complexity to each transaction that dramatically reduces fraud."
Since payment processes are increasingly diverse and connected to extensive networks and data centers, ensuring their security at the point-of-sale is a critical step in protecting American consumers and catching up to the rest of the world.
"It is important for legislators and the relevant government agencies to understand that extra security does not burden consumers. It frees them from concerns about the safety of their data," Kim M. Keenan, president and CEO of the Multicultural Media, Telecom and Internet Council, stated.
In October 2014, President Barack Obama issued an executive order requiring chip and PIN technology for government-issued credit cards and upgrading point-of-sale terminals at federal buildings.
Rosa Mendoza, executive director of the Hispanic Technology and Telecommunications Partnership, argued the order was unacceptable. "We appreciate the efforts of President Barack Obama to position chip and PIN as a common sense solution and applaud his efforts to make that technology available to public-sector employees," Mendoza says. "But the rest of America, including a growing Hispanic population that makes up 17% of the nation but only 6% of the federal workforce, needs the same protections."
Given the widespread use of chip and PIN technology across the world, the group argued it is perfectly reasonable to expect the same standards here in the United States.
"We are the single last G20 nation to move forward with chips, and even when we do, we are only going halfway by not requiring PINs. This is despite the fact that the two-prong protection reduced in-store fraud in Canada by 50% and 70% in the United Kingdom," DiverseTech Founder Jeremy White said.
In an Experian/Ponemon Institute study, 59% of respondents cited EMV chip and PIN cards as an important part of their organization’s payment strategy. But only 53% believed chip and PIN cards will decrease or significantly decrease the risk of a data breach.
In a separate announcement, the Payments Security Task Force joined with the PCI Security Standards Council and the EMV Migration Forum to launch a chip education curriculum and “pre-qualification” program to help streamline and simplify the EMV testing and certification process for Value Added Resellers and Independent Software Vendors.
“One of the greatest challenges in the move to chip is helping the millions of small and mid-sized merchants understand and adopt the technology,” Stephanie Ericksen, vice president of global risk products at Visa, said.
The optional program consists of three central components: an educational curriculum that provides a clear explanation of how to implement chip in the U.S.; a list of service providers independently accredited by the major payment networks to provide chip consulting and expertise; and a pre-qualification process run by the accredited service providers to help VARs and ISVs begin the implementation and testing process.