Chip-and-PIN adoption still slow

24.03.2016
Supposedly, credit card transactions in the U.S. were going to become considerably more secure by last Oct. 1 – the deadline for merchants and card-issuing banks to be ready to process so-called “chip-and-PIN” cards instead of the legacy “swipe-and-signature” kind.

Some of them are – estimates of the percentage of merchants now equipped with the new terminals range from 17 percent to 37 percent. But even the high estimate isn’t what most people would call “critical mass.”

And if the reality is closer to the low end, that means, as security blogger Brian Krebs put it in a post last month, “U.S. consumers currently can expect to find chip cards accepted in checkout lines at fewer than one in five brick-and-mortar merchants.”

And even those one-in-five transactions are likely not what was envisioned – many merchants, even if they “dip the chip,” are having the customer sign the receipt rather than validate it with a PIN.

That mystifies Sami Lane, chief technologist at CloudPassage, who said the decision by banks not to require the PIN, “must mean they think consumers are too dumb to do it.

“I think it was a tactical error,” he said. “What it means is if you lose your card, somebody else can still use it. There’s no extra protection.”

Lane, Krebs and others are also wondering why the overall transition to what is also known as the EMV (Europay, MasterCard and Visa) standard is so slow.

The deadline could not have come as a surprise. Visa announced the impending shift from “swipe-and-signature” cards in August 2011, more than four and a half years ago. The EMV Migration Forum was created by the Smart Card Alliance in July 2012.

It is not new, cutting-edge technology either. EMV, which makes it more difficult to steal credit card data at point-of-sale (POS) terminals, has been in use in Europe for more than a decade.

And while last October’s deadline for the shift to occur was not a legal mandate, it puts merchants at much higher risk of having to eat the cost of fraud. If a customer presents a chip-enabled card, but the retailer processes it as a swipe and signature, the merchant, not the issuing bank, is responsible for the cost of any resulting fraud.

Yet, even facing that risk, merchants are slow in adopting the not-so-new technology.

Why? There are a number of reasons. Krebs, in his post, pointed to a column by Allen Weinberg, co-founder of consulting firm Glenbrook Partners, who offered several.

Lane agreed with those reasons, and added another – the design of the terminals is, “terrible. It is not user friendly,” he said. “That’s a big part of the friction. If it was designed to be obvious, it would be much easier.”

Friction is not simply a matter of training customers either, he said. “The act of dipping and waiting is always inherently slower than the swipe.”

Others, while agreeing that the transition is slow, insist there is reason for optimism. Jeremy Gumbley, CTO and CSO at Creditcall, agrees that, “the payments industry dragged its feet” in preparing for EMV, in part because of “multiple false starts” that left some companies doubtful that the deadline would actually be enforced.

But he contends that while things “need to be better, we’ve come farther along than people want to give the U.S. EMV migration credit for – there has been tremendous traction.”

Gumbley said the goal for adoption by now was 33 percent, “and we’re at 37 percent and we can expect that number to continue to climb throughout the year.”

Jason Oxman, CEO of the Electronic Transactions Association (ETA), agreed that while the transition may be slow, it is steady. “Nearly 600 million chip cards are in U.S. consumers’ wallets already,” he said. “Almost 1 million merchants have already upgraded to chip readers. And this is without any mandate – legal or business – to upgrade.”

He added that a transition that is, “unprecedented in its complexity and scale” takes time. “The transition from analog to digital television in the U.S. started in 2009, and the last television stations didn’t switch to digital until 2015 – six years later. It took the mobile phone industry 13 years to reach 25 percent adoption,” he said.

Indeed, Jeremy King, international director of the PCI Security Standards Council, said the U.S. transition is vastly more complex than what faced the U.K., which had, “around 1.5 million merchants and needed to issue around 100 million cards (when EMV was launched). In the U.S. you have more than 28 million merchants and more than 400 million cards to issue.”

Added to that complexity, he said, is the reality that, “EMV is a global standard, and one critical factor is that every EMV card has to work correctly with every EMV terminal.”

When it comes to customers, Oxman said they will adjust quickly to the change, especially if they are made aware of the improved security it offers. He said an ETA survey found that only 13 percent of consumers said they would prefer the magnetic stripe cards even if they are less secure.

Gumbley called the “friction” problem, “a short-term inconvenience. As we’ve seen in other countries that adopted chip cards years ago, consumers will soon get over it.”

Eric Jackson, managing director, compliance services at Fidelis Cybersecurity, said customers would already be over it if they had not been given a choice. He said it was a major mistake for the payment card industry to allow the option of chip-and-signature along with chip-and-PIN.

While the terminal may take a few seconds longer to authenticate a card, “I think customers would tend to think it is quicker because they do not have to sign anything,” he said, adding that, “decades of consumer trust in ATMs and PINs would have aided the transition.

“The best way to reduce friction is to have 100% adoption and not offer the alternative,” he said. “If people do not have a choice, they accept or pay cash.”

To small merchants who continue to resist the change because of complexity and cost, Gumbley offers both a stick and a carrot. “Smaller retailers should view the process like filing your taxes,” he said. “You can delay the process, but you can’t avoid it. And the sooner you do, the sooner you reap the rewards.”

The problem is that many merchants don’t see improved security as that big a benefit – they think they are too small to be a target, so for them it amounts to all stick and no carrot. Lane noted that “retail margins are really thin, so it is really tough for them to absorb the cost of something like this.”

Beyond that, EMV does nothing to protect against fraud in online, or card-not-present (CNP), purchases.

But Andrew Komarov, chief intelligence officer at InfoArmor, said while he understands the frustration of small merchants, they are indeed targets, if they lag behind others in security.

“We see a real hunt on in areas with low integration level of EMV,” he said. “The bad actors exchange information about banks and institutions without it, and then target them.”

And advocates note that there are benefits that go beyond the chip card – Gumbley said one is that the new terminals can support point-to-point encryption (P2PE), which improves security for both the chip transactions and those that still use the mag strip.

Another is that the new, chip-enabled terminals can also process NFC (near field communication) payments – the kind offered through digital wallet services like Apple Pay and Android Pay.

While the percentage of consumers with NFC devices is still low, it is expected to grow since it is available for both Apple and Android devices. Lane said moving to that payment method would be more secure and much more convenient for users than chip-and-PIN.

“The pain (for consumers) of the transition would be removed,” he said. “From a security geek perspective, I would love that development.”

Jackson, for one, thinks the debate over EMV, swipe-and-signature and even NFC puts the focus in the wrong place.

“I think the industry and consumers would have been better off if more emphasis had been placed on advanced payment technologies such as tokenization and end-to-end encryption,” he said. “These technologies help protect the data in any type of transaction.”

(www.csoonline.com)

Taylor Armerding