Even though the U.S. has suffered a flood of retail data breaches, the payments industry has to take a global view of any security measures it adopts.
In doing so, businesses and card issuers will view chip-and-PIN and tokenization technologies as key needs in the future, said Nancy O'Malley, chief payments system integrity officer for MasterCard Inc.
The U.S. payments industry appears headed toward a mix of chip-and-signature and chip-and-PIN cards as the country moves to replace current magnetic-stripe technology. MasterCard supports the more secure chip-and-PIN process, while Visa favors chip-and-signature as an easier method for merchants to adopt and consumers to utilize.
"You have to look at the preferred global solution, and that is chip-and-PIN," O'Malley said during a discussion at the Chicago Payments Symposium today.
PIN is preferred in the long-term, said Reed Luhtanen, senior director of payments policy for Wal-Mart Stores Inc. "However, many issuers are not supporting PIN at this time," Luhtanen said.
Wal-Mart has no problem supporting PIN and feels consumers will adjust to typing a PIN over time, he added.
A broader view of payments security is needed because consumers travel around the world and expect their transactions and card data to be safe, O'Malley said. In addition, businesses using cards for payments want to expand into new regions and do it safely, she added.
While both signature and PIN will represent a security upgrade over mag stripe, it cannot be considered the "end all" for data security, O'Malley said. "The payments infrastructure needs tokenization, because we need more measures to keep data safe."
The need for devaluing data through tokenization, or replacing card data with a series of characters meant to be useless to criminals, has garnered more industry attention in the wake of several breaches.
The payments industry needs technology that devalues the card data because fraudsters are steadily developing new attack vectors, O'Malley said.
"Criminals are good innovators in malware design and implementation, and we could never keep pace because things are always changing," O'Malley added. "Solutions that devalue the data are absolutely the way to go."
The "persistent and ever-changing" threat to data security was clearly evident in feedback the Federal Reserve Financial Services unit received in interviews with payments industry stakeholders, said Barbara Pacheco, senior vice president of the Federal Reserve Bank of Kansas City.
The financial services unit conducted a payments security landscape study to help the Fed better understand the end-to-end security needed for payments, Pacheco said.
Ultimately, the payments industry has to "share fraud and threat information and make sure that security standards are being developed and adopted in a way to keep pace with the threat environment," Pacheco added.