Retailers and Credit Card PINs

by Raymond Pucci

As EMV slowly transitions, more consumers are receiving their chip cards, which ultimately will require setting up personal identification numbers (PINs) as a fraud prevention tool. This will not be fraud-proof, of course, as online purchases involve card-not-present (CNP) situations, which are a fraudster’s dream scenario. Meanwhile, the banking industry believes that retailers have been given a pass by federal watchdog agencies compared to the hoops bankers have to jump through to comply with a myriad of consumer protection and security regulations.

With credit card and identity theft prevention taking center stage earlier this month, it’s a natural time to ask: Just what does it take to protect consumers when they pay for goods and services? Hackers are growing bolder and increasingly sophisticated, making the need for continued vigilance and action by all of us more important than ever before.

Electronic payments are safer than cash – it is much easier to get a card replaced than recover cash from a lost wallet – and the consumer benefits have grown over the years. From extended warranties to transaction dispute rights, electronic payment options like major credit/debit cards and mobile wallets provide an extra feeling of security.

So why aren’t many US chip credit cards being issued with PINs? Some retail trades have floated creative theories, but the real reason is rather practical – times have changed. When chip and PIN was deployed abroad years ago, most fraud came from genuine cards stolen from wallets and purses, not huge Internet data breaches that lead to counterfeit cards. The reverse is now true.

Today the scam goes like this: Hackers find a retailer with weak security, break in from thousands of miles away and download consumer account data (including PINs, where available). Trying to trip up the rare pickpocket with a four-digit PIN is not the solution to marauding international crime rings that often find retailer systems virtually unlocked.

But what about online transactions? Besides the ‘neural networks’ that scan transactions for fraud, financial institutions are implementing “tokenization” technologies, which substitute a one-time code in place of one’s credit card account number, and point-to-point encryption, which renders data unreadable on its journey through the payments network.

It appears that the stage is being set for the battle of the Washington K Street lobbyists between the retail and banking industries. Proposed legislation such as the Data Security Act of 2015 remains in committee in Congress, but it is highly unlikely that any significant bills will be seriously debated, let alone passed, during this election year. Both industries have deep pockets, and each side has strong allies on Capitol Hill, so the expectation is for this lobbying marathon to continue well into 2017 and beyond.

Overview by Raymond Pucci, Associate Director, Research Services at Mercator Advisory Group
