The fight between Visa and Walmart over authenticating chip cards could have a negative outcome for everyone involved, regardless of which side wins.
In the melee between the two major players, strong authentication has been put on the backburner in favor of the respective economics of implementing EMV. While Visa and other payments providers say signature authentication for chip cards speeds up processing time over PINs, Walmart – in addition to backing PIN’s security features – has to pay Visa an extra 5 cents per transaction if it lets customers sign for debit transactions instead of requiring the PIN. Retailers like Walmart, which in general have the luxury to choose between any two unaffiliated networks as mandated by Durbin amendment, will be constrained to use Visa for signature transactions.
This operating model casts serious questions over the viability of long term success of the chip card technology as it suggests that payment companies and merchants are focused on the financial metrics at the cost of giving up security controls.
On which authentication approach provides better security, Walmart wins the argument. Visa’s decision to allow debit card customers to use a less secure signature verification system does not make sense from an information security standpoint and it defeats the very purpose for which this technology was rolled out in the first place.
Walmart was one of the few big U.S. retailers to immediately adopt the EMV technology when it became available, and spent millions on massive upgrades of its point-of-sale terminals. Early adoption by any retailer delighted Visa and MasterCard along with the major card-issuing banks. But with Walmart’s lawsuit earlier this month against Visa over the latter’s allowing signatures for chip cards, the honeymoon was short-lived.
Many of the large banks embraced the chip and PIN technology from the beginning as they are some of the biggest targets of cyber-attacks. Even some mid-size banks like First Niagara were early adopters too. First Niagara was among issuers that went to the extent of using chip and PIN for their credit as well as debit cards.
Typing in the PIN does add extra time to a transaction – eight to 12 seconds, according to JDA software group’s survey – and that obviously impacts customer satisfaction. But would we let customers drive a car without wearing seat belts because belts hinder driver comfort?
If Visa’s concern about PIN is processing efficiency, it could be looking at more alternative measures to improve technology and operating effectiveness that do not compromise security. Visa and Walmart have each been trying to reduce processing time through software upgrades, but apparently those efforts have not been enough for the two giants to sort out their issues.
Of course, at the end of the day, the true test of the effectiveness of EMV adoption in the U.S. will not be at store terminals but in how new card technologies affect incidents of online – or card-not-present – fraud. One only hopes that online retailers, issuers and card networks are serious about ramping up security for online purchases. In every country that has switched to EMV cards – and the U.S. is the last developed country to do so – online fraud has jumped, says online fraud expert Brian Krebs. "Fraud doesn't go away, it just goes somewhere else, and that somewhere else is always online," he says.
Banks need to consider two-form authentication such as sending customers a one-time passcode via email or text message to authenticate online transactions with the new chip card. And card networks and retailers need to mend fences over their contractual obligations with the common goals of strengthening card security, increasing EMV adoption among smaller retailers and educating customers about the benefits of chip cards.
Senthil Selvaraj is a former operational risk executive with Bank of America.