At long last, the National Retail Federation has won the support of several U.S. attorneys general in its demand for chip and PIN security at the point of sale. But even this isn't enough.
The end goal is to get a wider public consensus on whether the long, expensive migration to EMV-chip cards was worth the effort without mandating that the cards be used with a PIN for all point-of-sale transactions.
"We are not seeking any legal, legislative or regulatory action," said Craig Shearman, vice president for government affairs public relations for the NRF. "We believe this is a war of public opinion, that the more consumers and public officials call for PIN, the more likely the banks are to do what they should have done in the first place and begin issuing PIN cards."
The card networks do not mandate the use of a PIN with EMV cards, although the networks' individual rules seem to guide their own issuers toward or away from the use of a PIN. EMV protects against card counterfeiting; the addition of a PIN protects against the use of a legitimate card that has been lost or stolen. The arguments against PIN use have to do with whether the cost and inconvenience of supporting PIN payments are outweighed by the added security in that scenario.
The PIN debate gained plenty of fire from the torrent of retailer data breaches, even though EMV would not have prevented the exposures at Target and other stores. But the headlines provided ammunition to merchants questioning both the need for EMV, if it couldn't really stop the major breaches, and the lack of PIN as part of the process.
That mindset is the most frustrating part of the PIN controversy, said Jason Oxman, CEO of the Electronic Transactions Association.
"It's unfortunate that this back and forth between some trade associations continues, and the volume and tone of the debate seems to be devolving," Oxman said. "It's unfortunate because it distracts from what has been a fairly unified approach to addressing counterfeit fraud through migration to EMV chips."
Because counterfeit fraud represents about two-thirds of overall fraud in stores, EMV was the most effective way to address that problem, Oxman said. "So the question now becomes whether we want to mandate PIN in the U.S. to address lost and stolen card fraud, which is about 8% of all fraud."
Given that most merchants don't have PIN pads and don't carry liability for stolen and lost card fraud anyway, such a mandate is more difficult to justify, Oxman added. "It's not a bad debate to have, it just doesn't belong as part of the EMV debate," he said.
Even as they argue, retailers and banks essentially want the same result. The last thing banks want is to stand in the way of stronger security, said James Chessen, chief economist at the American Bankers Association.
"We share the same desire [as retailers] to make sure customers are safe," Chessen said. "That's a shared interest, but there are obviously different ways to accomplish that."
The ABA fears a regulatory mandate for "a static technology, when the world is shifting very fast and new technology comes on line all of the time," Chessen added.
When the NRF or the Merchant Advisory Group or others call for PIN security, their complaints may simply be an ice-breaker to get the attention of lawmakers and regulators, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"This is the result of a very strong and very effective merchant lobby that wants to continue to keep the topic of the cost of processing credit card transactions in front of Congress," Conroy said.
The merchant groups are pushing for PIN in an effective manner, "putting sound bites together for an audience that doesn't really understand payments," Conroy added.
A perfect example unfolded at a Congressional small business committee hearing last month in which card brand executives spoke about the EMV migration and education process, but lawmakers steered the discussion to interchange pricing.
Another example is the FBI's recent public service announcement demanding that consumers use a PIN for all EMV card payments, despite the option not being provided by all issuers.
"Unfortunately, many of the statements were very misleading to the consumer, so we let the FBI know of our concern," the ABA's Chessen said. "The FBI listened, went back and revised it with a public service announcement that was much better informed."
For their part, the card brands and banks have generally been open to both signature and PIN authentication for EMV cards. The need for such flexibility is supported by the state of payment habits in the U.S.
"Since about half of store merchants choose not to support PIN today and more than 60% of transaction volume does not require a signature or PIN for very low risk, everyday transactions, we caution against technology mandates for payments," said Stephanie Ericksen, vice president of risk products for Visa Inc.
Visa is looking beyond signature and PIN to new technologies and capabilities, such as biometrics, geolocation and advanced analytics as secure ways to verify cardholders in the future, Ericksen added.
The merchant groups' concerns are not falling on deaf ears. They say their message is getting to the right people, with some in the industry indicating that the U.S. will see more movement to PIN authentication as the EMV migration enters its next phase.
If the U.S. seems out of place in its refusal to mandate PIN use, it's because it is adopting EMV in a much different environment from how the technology came to Europe, Oxman said. "In Europe, when chip cards were first introduced 10 years ago, PIN was necessary because the terminal that authorized the transaction was offline; it was not part of a network," he said.
In the U.S., all terminals have online authentication and the PIN is not necessary to make the EMV chip card operate, Oxman said.
But those involved in the EMV migration have acknowledged that the Oct. 1 deadline set by the card networks was a catalyst for improving security at the point of sale, even if a significant number of issuers and merchants were not ready in time. The penalty for missing the deadline was a shift in fraud liability.
Still, the NRF and other trade groups are quick to assert their misgivings about the entire EMV process as well.
"The biggest thing we are hearing from our member companies on EMV is that they have installed the chip card readers, software and related equipment but haven’t been able to put it into operation because EMVCo has not sent out personnel to certify it," Shearman said.
The NRF is hearing about "months-long backlogs for certification, especially among smaller retailers," Shearman added. "Retailers have done their part but the card industry has dropped the ball."
However, at the stores where EMV is fully up and running, the early results are positive, Aite's Conroy said.
"The early feedback we are getting is that the U.S. is experiencing far less fallback [to using mag-stripe], at about 3%," Aite's Conroy said. "In other countries, that number has been around 7%."