Mallory Duncan, general counsel for the NRF, said computer chip cards will initially require customers to provide a signature, instead of a distinct PIN (personal identification number), which won't eliminate online and phone fraud with a stolen or lost chip card.
He also said the financial burden -- now in the tens of billions of dollars -- of making the transition to chip card technology unfairly rests mainly with retailers, not banks and credit card providers.
"We and our customers should not bear the burden for flaws in a 50-year-old [magnetic card] system," Duncan said in a conference call with reporters on Tuesday. The transition to chip cards and chip terminals has "been all stick and no carrot and [the technology] doesn't work... We would like it to work and we want a secure payment system." The NRF is the largest retail association in the world, with 18,000 members.
The conference call was timed with Thursday's deadline for thousands of U.S. retailers to have installed payment terminals that can read computer chips on chip cards. Meanwhile, banks are sending credit and debit chip cards to their customers to replace less-secure magnetic stripe cards.
Retailers who have not installed the new equipment by the Oct. 1 deadline will incur the financial liability for fraudulent uses of a stolen or lost card. Banks will incur the liability if the payment terminals have been updated, just as they do today with magnetic stripe cards. Consumers face no liability under the new system.
While fraud with magnetic stripe cards is widely recognized as a problem by U.S. merchants, those retailers are also unconvinced that chip cards with signatures for purchases will be as secure as using a chip card with a PIN.
Chip card technology "is not a panacea for fraud, as advertised by the [financial] industry," said Liz Garner, vice president of the Merchant Advisory Group, who joined Duncan on the call. The advisory group is made up of 94 retailers, including some of the nation's largest, such as BestBuy and Target.
Garner said the financial services industry is using a "half-baked approach" by not insisting on a PIN when using a chip card. "If I walk down the street and maybe lose a chip card, anyone can pick that up and still use it to create fraud [by phone] or potentially in online transactions, which really makes no sense," she said.
Noting that the U.S. is the last industrialized country to adopt chip technology, it should make sense to add PIN protection. "We have a chance, but are going halfway, which is really unfortunate," Garner said.
Even some large retailers in her advisory group are not fully ready for the Oct. 1 deadline, she said. Some others, however, have activated chip card readers, and a few have added a requirement that consumers add their own PINs to make purchases. Still others are investing in advanced technology such as tokenization and end-to-end encryption to their chip card systems for more rugged security.
Analysts have said that banks are not pushing chip and PIN technology because banks feel it will be too difficult for consumers to learn a four-digit PIN for credit purchases. But Duncan said consumers have used PINs with debit cards for years without difficulty.
Some banks and credit card officials have said they prefer to wait and see customer buying behaviors with chip and signature approaches. Banks will ultimately be responsible for deciding whether to move from chip and signature to chip and PIN, as has happened in Canada in recent years, analysts have said.
It would make more sense for banks to promote PIN security along with the embedded chip cards, since conversion to the chip technology requires merchants to invest in millions of new card readers, which can cost up to $600 apiece, retailers said.
Retailers also bear the burden of explaining how to use a chip card to consumers, so why not introduce PINs for credit cards at the same time, Duncan asked. It typically takes a few seconds for a chip card reader to read a credit card once it is inserted into the reader, which is different from sliding a magnetic stripe card into today's readers.
Industry experts estimate there are 12 million payment terminals in the U.S., and Duncan estimated just 40% are upgraded so far. With the cost of new terminals and related software updates, he said retailers are spending "tens of billions of dollars" to make the transition, mainly to the benefit of banks which are now paying for fraudulent uses of cards and want to reduce that cost.
Duncan also said the overall conversion to chip cards, with banks sending out new cards, along with new terminals and related duties, could cost companies $30 billion to $35 billion.
Garner also said a majority of the advisory group's members face a backlog in getting access to new chip card readers or to get the new readers certified by EMVCo and others. Certification is needed to ensure that payment terminals work with the new cards and various payment networks.
Without certification, chip card readers cannot be turned on, which means that those retailers would incur fraud liability, Duncan said.
The backlog in certifications runs into months, possibly six months or more, according to Avivah Litan, a Gartner analyst, who attended a conference Monday where IT managers for the food service industry were expressing concerns about the delays.
EMVCo is an alliance of MasterCard, Visa and Europay, the originators of chip cards that have been widely deployed around the world. Visa and MasterCard could not be reached for comment at deadline.
The NRF has posted its concerns about the chip card transition on its website, including in an article called "Worth the Expense"
In recent months, credit card officials have defended the use of the chip and signature approach on the grounds that it is designed to protect primarily against counterfeit fraud, where a hacker breaks into a merchant’s payment system and steals card data which is used to create fraudulent cards.
The use of a PIN, card officials have said, would only address fraud when a person loses or has a card stolen, which is not a large category of fraud in the U.S. Retailers would not be liable for that kind of fraud after Oct. 1. Today, only half of U.S. stores accept PINs, even with debit cards. Banks and credit card officials decided they didn’t want to force those stores to require PINs for credit cards and also force the stores to assume liabilty for lost or stolen cards.