Federal workers will soon have access to enhanced credit card and data security made possible through an executive order signed by President Obama last October. But American consumers remain unlikely to receive these enhanced security benefits as a four-sided market of banks, card companies, merchants, and consumers disagree over what steps should be taken. A hearing Tuesday on Capitol Hill examined the need for legislation on data security, but credit card security, which affects over 75% of Americans, received scant attention in the hearing.
As previously reported by InsideSources, much of the world – including underdeveloped nations – use a two pronged security measure of computer chips and PINs. The chips prevent fraud by generating a unique code for each transaction. Meanwhile, the PIN is a four-digit personal code just as most Americans must use when taking money out of the ATM. According to the Federal Reserve, the use of PINs instead of signatures make transactions 700 percent more secure.
Consumer groups and some merchants have pushed to adopt chip and PIN. But according to a Wall Street Journal report, the executives at the big banks say a four-digit code is too much for consumers to remember. The banks will move forward with replacing magnetic strips with chips, but not opt for the PIN.
The claim from the banks may seem odd considering the same banks require PINs at ATMs, and consumers do not struggle with those. The difference, argue consumer and retail advocates, is that banks face more liability for the assets kept in their bank accounts but pass off liability on credit card transactions to consumers and retailers. Advocates say that the same protections afforded to government employees through Obama’s executive order should also be felt by the vast majority of Americans not working for the government.
Some in Congress are beginning to take note. Senator Mark Warner (D-VA) sent a letter to federal banking regulators calling for chip and PIN technology – not just chip and signature.
On Tuesday, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael C. Burgess (R-TX), held a hearing titled, “What are the Elements of Sound Data Breach Legislation?” Burgess stated his subcommittee was aiming to move toward “agreement not only between the two sides of the aisle, but also between stakeholders with divergent interests.” The hearing reached beyond credit card security, but a representative of the retail industry made clear in testimony that chip and PIN should be top of mind.
“One area of security that needs immediate attention is payment card technology,” said Brian Dodge, Executive Vice President of the Retail Industry Leaders Association (RILA). “RILA members have long supported the adoption of stronger debit and credit card security protections. The woefully outdated magnetic stripe technology used on cards today is the chief vulnerability in the payments ecosystem. This 1960s era technology allows cyber criminals to create counterfeit cards and commit fraud with ease. Retailers continue to press banks and card networks to provide US consumers with the same chip and PIN technology that has proven to dramatically reduce fraud when it has been deployed elsewhere around the world.”
In conversations with InsideSources, some in the financial industry have noted that new technologies can further improve security and they’re hesitant to implement PINs in the short term. They say layering technologies like biometric validation and tokenized data are the direction the industry is headed.
Additionally, Congressman Gus Bilirakis (R-FL) asked in the hearing about another concern—online purchases: “My understanding is that a potential weakness [of chip and PIN] exists for online transactions because the payment card is not actually present. Doesn’t that mean that this technology and every other technology can be made obsolete by criminals that quickly adapt to new technologies?”
Dodge noted an immediate effect from chip and PIN of devaluing the data that businesses hold should criminals seek to obtain it from point of sale. As to the online threat and new technology, “Chip and PIN is the best technology that is available today, and we are years behind the rest of the world in catching up to it,” said Dodge. “When chip and PIN was introduced in Europe, we saw fraud flow in two directions: online in Europe and to the United States, because it became the lowest common denominator. As for long term solutions, we believe chip and PIN serves a near-term need, and we need to evolve to the next generation.”
Tuesday’s hearing featured only these brief mentions of chip and PIN as part of the data security discussion. It remains to be seen if calls for chip and PIN technology from Sen. Warner and others will make it into legislation. Much of the discussion thus far has focused on notifying consumers in the event of a breach, as well as preventing foreign hacks, such as the attack on Sony.
Consumer advocates say this is not enough. And some voices in the financial industry agree. Merrill Halpern, assistant vice president of card services at United Nations Federal Credit Union, told the Wall Street Journal: “We should be doing the most we can to fight fraud, and the only way to send that message is to stand clearly behind chip-and-PIN.”
Steve Pociask, president of the American Consumer Institute and an outspoken supporter of chip and PIN technology, believes President Obama’s executive order for government credit cards was a step in the right direction and now Congress must push the banks to follow suit for all consumers. “Unfortunately, the President can only do so much.” To make meaningful progress, he argues, “policymakers must have an honest dialogue about current roadblocks to chip and PIN technology. I hope policymakers will begin calling out big banks who claim that Americans are not smart enough to remember a four-digit PIN when making a credit card purchase. We take out cash from the ATM, shop online, and pay our bills using passwords and PIN codes we can recite from memory. Surely banks have a better excuse as to why they won’t upgrade the outdated security system in place?”
On the other side of the Capitol from Tuesday’s hearing, Senator John Thune (R-SD) told reporters a Senate Commerce subcommittee would be holding a hearing on data breaches soon. That hearing may help make clear whether Congress is on a course to include enhanced consumer credit card security in upcoming legislation.