For the past three years, U.S. banks have been replacing traditional magnetic stripe credit cards with new EMV cards — short for Europay, MasterCard and Visa — that store data on an embedded computer microchip that makes the cards more difficult to counterfeit. At the same time, retailers have been busy installing new chip card readers.
Throughout the rest of the world, EMV means chip-and-PIN, which requires users to enter a secret personal identification number to approve a transaction, the same as when withdrawing cash from an ATM. But the U.S. cards are chip-and-signature, so transactions are still approved with an easily forged signature (which card companies are currently phasing out but not replacing with a more sophisticated means of authentication). And while the chip can reduce counterfeit fraud, the absence of a PIN leaves the cards with no protection against the fraudulent use of lost or stolen cards and without backup in cases where the chip malfunctions or is circumvented. NRF believes chip-and-signature offers only half the security EMV is capable of and has repeatedly called on banks to issue chip-and-PIN cards instead.
Chip-and-PIN, which has been used in some countries for more than a decade, is the world standard for credit card security, and retailers believe U.S. consumers deserve the same level of security as shoppers elsewhere.
Why it matters to retailers
Credit card security — a large component of overall data security — is one of retailers’ top priorities. U.S. retailers complained for years that traditional credit cards were fraud-prone, saying their magnetic stripes were easy to copy and that signatures were of little value in proving the person using the card was the legitimate cardholder. With magnetic stripe, banks usually absorbed the cost when a fraudulent transaction was made with a counterfeit card, but retailers were stuck with the cost when lost or stolen cards were involved, amounting to billions of dollars a year. As a result, retailers demanded chip-and-PIN, which protects banks, retailers and consumers alike by stopping both counterfeit and lost/stolen card fraud. When banks began issuing chip-and-signature cards instead, retailers were concerned that the opportunity to take full advantage of chip technology had been missed.
The switch to EMV has come at considerable expense to retailers because merchants, not the card industry, have been required to pay the cost of the new equipment, software and installation — an average of $2,000 per chip reader, or more than $30 billion nationwide. In addition, changes in fraud liability rules unilaterally imposed by the card industry in 2015 mean retailers face increased liability if fraud is committed with a chip card and the retailer does not have a chip reader. Retailers without a chip reader are now usually responsible for counterfeit fraud if a chip card is used, and remain responsible for most lost/stolen fraud when either a chip card or traditional card is used.
NRF advocates for more secure credit cards
NRF has argued that chip cards without PINs do not provide sufficient security and that a PIN alone — even without the chip — could more effectively stop both counterfeit and lost/stolen fraud. NRF has also said it is unfair for retailers to have to pay the cost of new EMV equipment that has reduced fraud costs for banks but not retailers.
Card companies have touted statistics showing that EMV has reduced counterfeit card fraud but have said little about whether it has had any impact on lost/stolen fraud. And a 2017 LexisNexis study showed an increase in online card fraud, where the chip plays no role because only card numbers — not a physical card — are required.
Despite the concerns, retail adoption of chip cards has been widespread. NRF surveys show 99 percent of mid-size and large retailers had chip readers in operation by the end of 2017 and that 81 percent of small retailers had done the same.
In the most recent development, all four major credit card companies — Visa, MasterCard, American Express and Discover — have announced that they will no longer require signatures on credit card transactions beginning this spring. NRF responded that doing so would not jeopardize security but that the card industry should take the next step and require the use of PINs.
The move to EMV was prompted, in part, by data breaches in which credit card numbers were stolen. But the chip only confirms that the card is not counterfeit and does nothing to protect card information stored in databases or being transmitted for payment processing. With the chip failing to address those issues, retailers have moved forward on sophisticated security steps of their own. An NRF survey found that, by the end of 2019, 80 percent of retailers expect to have adopted point-to-point encryption, which protects card data being transmitted. In addition, 89 percent are adopting tokenization, which protects information stored in a database. Some retailers have said the numbers would be higher if not for resources diverted to chip cards.
In 2018, NRF helped form the Secure Payments Partnership, a new coalition intended to improve the security of the U.S. payments system, ranging from credit and debit cards to emerging technology. The group — which includes financial services companies such as the Star and Shazam ATM networks along with retailers for the first time — has urged the card industry to make PIN available, among other steps.