Will the U.S. EMV Migration Be Secure Enough?

In the wake of the nearly 800 breaches that marked the year 2014, it is no surprise that the U.S. is moving full speed ahead toward converting all cards from the traditional magnetic stripe to the more secure EMV.  In 2015 over a half-billion new credit cards embedded with computer chips that create a unique code for each transaction will be hitting the U.S. market.

However, unlike consumers in Europe or Australia (where EMV has been the norm for at least a decade, not longer,) U.S. card-holders will likely be using chip-embedded cards that require a signature at the end, as opposed to ones that require the entry of a PIN.

U.S. bank executives said they are choosing the signature version so customers won’t be burdened at the checkout line to remember a new four-digit code.

J.P. Morgan Chase, the nation’s biggest card issuer, had initially planned to issue Chip and PIN credit cards.  However, after testing them with consumers, Chip and PIN was back-burnered in favor of the Chip and Sig protocol Chase ended up going with.  Chase is joined on that path by Bank of America and Citigroup.

Financial institutions are motivated to bolster security, as they are typically on the hook for unauthorized transactions. That will change in October, when merchants who don’t have the upgraded technology to accommodate chip cards will be responsible for the cost of any fraud that occurs when one of the cards is used.

Over 575 million chip cards are expected to be in consumer hands  by the end of 2015, according to an industry-group projection.

The decision whether to issue cards that require a PIN or a signature “is a very strong debate in the industry,” said Martin Ferenczi, president of North American operations for Paris-based Oberthur Technologies, a chip card manufacturer.  Target, the breached retailer that kicked off the festival of POS hacks that was 2014, is using Chip and PIN, as are U.S. benefit cards issued by the federal government.

“There is a lot of concern that PINs would create customer-service issues for consumers and merchants if a consumer can’t complete a transaction because they have forgotten the PIN,” said Randy Vanderhoof, executive director of the Smart Card Alliance, an industry group representing banks and credit-card companies.

But Merrill Halpern, assistant vice president of card services at United Nations Federal Credit Union, disagrees.

“We should be doing the most we can to fight fraud, and the only way to send that message is to stand clearly behind Chip and PIN,” he said. The credit union has 100,000 credit-card customers, with about 40 percent of them living in the U.S.