Merchant and Consumer Groups Seek Senate Support To Forgo EMV Chip and Signature As Breach Concerns Rise
By Jeffrey Green (@epaymentsguy)
There’s no shortage of ‘answers’ in trying to put a stop to hackers set on throwing chaos into the way consumers transact at the point of sale, or online for that matter. Yesterday, the Banking, Housing and Urban Affairs subcommittee on national security and international trade and finance got its chance to hear some of them.
During the hearing, William Noonan, deputy special agent in charge, U.S. Secret Service, noted the advances in computer technology and greater access to personally identifiable information online, which have created a virtual marketplace for transnational cyber criminals to share stolen information and criminal methodologies. “As a result, the Secret Service has observed a marked increase in the quality, quantity, and complexity of cyber crimes targeting private industry and critical infrastructure,” he said in the text of his prepared testimony. “These crimes include network intrusions, hacking attacks, malicious software, and account takeovers leading to significant data breaches affecting every sector of the world economy.”
The recently reported data breaches of Target and Neiman Marcus represent only the most recent, well-publicized examples of this decade-long trend of major data breaches perpetrated by cyber criminals intent on targeting the nation’s retailers and financial payment systems, Noonan added. “The increasing level of collaboration among cyber-criminals allows them to compartmentalize their operations, greatly increasing the sophistication of their criminal endeavors and allowing for development of expert specialization,” he said. “These specialties raise both the complexity of investigating these cases, as well as the level of potential harm to companies and individuals.”
So how should the industry react to prevent further breaches? The opinions offered in testimony at the hearing varied widely, though both consumer and merchant groups would like the card networks to give up requiring only signatures for smart card purchases at the point of sale.
Edward Mierzwinski, consumer program director at the U.S. Public Interest Research Group, called for a myriad of changes, citing his belief that the greater risk from the recent breaches is less related to identity theft than it is to fraud on existing accounts. And he said it’s time for players on both sides of the transaction to focus more on protecting consumers than on managing their own risk.
“Up until now, both banks and merchants have looked at fraud and identity theft as a modest cost of doing business and have not protected the payment system well enough,” he said. “They have failed to look seriously at harms to their customers from fraud and identity theft – including not just monetary losses and the hassles of restoring their good names, but also the emotional harm that they must face as they wonder whether future credit applications will be rejected due to the fraudulent accounts.”
As a first step, Mierzwinski said, Congress should institute the same fraud cap, $50, on debit/ATM cards that exists on credit cards, or eliminate the $50 cap entirely, since it is never imposed because of the zero-liability policies issuers have voluntarily imposed. Congress also should provide debit and prepaid card customers with the stronger billing-dispute rights and rights to dispute payment for products that do not arrive or do not work as promised, just as many credit card users enjoy, he said.
Mierzwinski also called on Congress to endorse a specific technology, such as EMV smart cards, and, if it does, require the use of PINs when initiating smart card transactions. “The current pending U.S. rollout of chip cards will allow use of the less-secure chip-and-signature cards rather than the more-secure chip-and-PIN cards,” he said. “Why not go to the higher-and-PIN authentication standard immediately and skip past chip and signature? As I understand the rollout schedule, there is still time to make this improvement.”
Also testifying was Mallory Duncan, senior vice president and general counsel at the National Retail Federation, who took shots at the Payment Card Industry data security standards, saying they have not addressed the obvious deficiencies in cards themselves and that the industry must move beyond the use of mag-stripe cards, a sentiment now shared by most payments industry players.
“Retailers have spent billions of dollars on card-security measures and upgrades to comply with PCI card security requirements, but it hasn’t made them immune to data breaches and fraud,” he said. “The card networks have made those decisions for merchants, and the increases in fraud demonstrate that their decisions have not been as effective as they should have been.”
Duncan shared Mierzwinski’s view that the card networks should forgo chip and signature and go straight to chip and PIN. “To do otherwise would mean that merchants would spend billions to install new card readers without they or their customers obtaining PINs’ fraud-reducing benefits. We would essentially be spending billions to combine a 1990’s technology (chips) with a 1960’s relic (signature) in the face of 21st century threats,” he said.
The hearing began with testimony about the state of enforcement of data-security laws from representatives from the U.S. Secret Service and the FBI.