Adding PIN requirements to chip-based credit cards is essential for consumer security, according to panelists at the Protect My Data discussion on credit card security.

“Chip and PIN is a reasonable solution,” said Steve Pociask, president of the American Consumer Institute. “It’s simple, it’s a low-cost solution, and it’s an immediate solution.”

Most of the United States moved to enhanced credit card security in October 2015, when U.S. payment networks added fraud liability shifts as part of the Europay, Mastercard, and Visa (EMV) technology standards.

“In the months leading up to the Oct. 1 deadline, retailers across the country were responsible for upgrading their payment terminals to accept chip-enabled cards,” explained the president of Consumer Policy Solutions, Debra Berlyn. “In the event of fraudulent activity, the financial burden falls on whichever party was using the older payment technology.”

Chip-enabled cards are designed to reduce credit card fraud by producing unique authentication that makes it harder for people to steal card information.

“It creates a unique, one-time code that travels along with your account number when the merchant sends the instructions to the bank that issued the card,” explained Scott Talbott, senior vice president of government affairs at the Electronic Transactions Association. Though the chip provides added security, many argue that consumer data is still at too great a risk.

“We’ve realized that the chip alone is not enough for security,” said Camille Fischer, policy adviser for the White House Economic Council.

Berlyn agreed, saying that the most common second authentication feature, signatures, is “often widely ignored or easily forged.” She also noted that the White House Buy Secure initiative, which began in 2014, required chip and PIN authentication for all government transactions, giving credence to the notion that chip and PIN together provide essential authority.

“I think initiatives like the White House initiative are a great means to help educate consumers on the benefits of chip and PIN, so major kudos to the White House for the things they are doing to drive the market in the right direction,” agreed Liz Garner, vice president of the Merchant Advisory Group. She also cited a study that found fraud accounted for only 1.3 cents of every $100 on PIN-based debit cards.

Even with this consensus, obstacles stand in the way of employing PIN authentication on chip-enabled cards. The first problem is that banks lack the initiative to place PIN requirements on their cards, because they have already met liability requirements through their chip-enabled cards.

“It’s because the banks have shifted the liability to merchants,” Pociask said.

It is a liability that the merchants are already ill-equipped to bear. Talbott explained that about 9 million retailers need upgrades to their transaction systems to include chip readers. Retailers must go through a testing and certification phase that ensures the security of their processing systems before they can be allowed to use chip readers.

“Everything that stands between the merchants and the payment network has to be certified,” Talbott said. But there is a huge delay in that certification process.

“There are several small businesses, who testified last October, who said they were having challenges. And they’re still not certified,” Garner said. “That’s a huge problem when you look at the liability that went into effect.”

Another problem for chip-enabled cards and PIN requirements is increased online transactions.

“The technology exists to securely use PIN online,” Berlyn said. “It’s just not widely used.”

Many of the panelists concluded that, given the need for PIN technology on chip-enabled credit cards, it was up to the banks and card providers to make the change happen.

“For us to have the choice, distributors need to provide a PIN,” said Garner.

Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.