NRF Warns Against EMV Verification Flaws

While the expanding adoption of EMV cards in the U.S. has helped to largely eliminate card-present counterfeit fraud at the physical point of sale, some merchants believe that more can be done. In this month’s Digital identity Tracker, Stephanie Martz, senior vice president and general counsel for the National Retail Federation, talks with PYMNTS about why merchants believe that PIN verification for EMV cards is essential to further reduce fraud at the physical point of sale.

The shift from magnetic stripe to EMV chip cards marked one of the 21st century’s most widespread payment developments. Chip cards have been heralded for their improved functionality and security, but they have still failed to address critical authentication problems, leaving retailers to bear the brunt of these vulnerabilities.

“There has not generally been as reliable a system of authentication in the U.S. as there is in the rest of the world,” said Stephanie Martz, senior vice president and general counsel of the National Retail Federation (NRF), the world’s largest retail trade association.

EMV Cards’ Checkered Reputation In The US

EMV cards store payment data within integrated circuit chips rather than magnetic stripes. The name “EMV” originally stood for Europay, Mastercard and Visa, the three credit card companies that developed the system, but the standard is now managed by the EMVCo consortium.

The first EMV card was developed in 1994, but the technology did not begin circulating worldwide until the new millennium. Recent findings have shown that 76.7 percent of credit card transactions are now conducted via EMV cards, though such transactions are not evenly distributed. Europe was the first region to adopt EMV technology, and sees a transaction rate of more than 99 percent. Africa, the Middle East and most of North America are close behind, and almost 68 percent of Asia’s transactions leverage the technology. The U.S. comes in dead last, however, as only 59.2 percent of card-present transactions within the nation were conducted via EMV card between July 2018 and June 2019.

It may seem strange that the U.S. — which boasts the world’s most advanced technology companies — lags so far behind in EMV card usage, but Martz attributed the nation’s chilly reception to a perceived lack of speed.

“When chip cards first came in, they were a little slow, even for in-person transactions,” she explained. “People would get frustrated having to stand there waiting for more than the customary two seconds for the transaction to go through.”

EMV cards were, nevertheless, lauded for their improved security, as it was much harder for miscreants to falsify microchips than spoof magnetic stripe data. Mastercard found a 54 percent decrease in counterfeit fraud between April 2015 and April 2016, for example, while Visa saw a 58 percent year-over-year decline in counterfeit fraud in March 2017.

“[While] the rate of fraud for in-person transactions has certainly decreased with chip cards in terms of counterfeit cards, when it comes to lost or stolen cards, [fraud] is definitely still an issue,” Martz said.

EMV Cards Face Verification Hurdles

Martz said a lack of proper identity authentication measures contributes to the method’s weakness against the use of lost or stolen cards. EMV cards in Europe leverage chip-and-PIN measures to secure transactions, requiring customers to verify their identities as though they were withdrawing cash at ATMs. Meanwhile, signatures are the most favored authentication measure in the U.S., though this method has largely fallen by the wayside.

“Now, signature has kind of gone the way of the dodo bird for a large percentage of transactions,” she said. “And, frankly, signature was never really the most reliable way to authenticate transactions, as anyone who has been to a cash register and signed a receipt can tell you.”

This means that while EMV cards are more secure against counterfeiting than magnetic stripe cards, they are still utterly defenseless against the use of stolen or lost cards. Martz explained that the solution is to enforce the same PIN standards in both the U.S. and Europe.

“The fact that retailers are not able to require a PIN to authenticate transactions, and, moreover, that the card networks have not rolled out a form of multi-factor authentication, has been problematic,” she explained.

Who Watches The Verification Watchmen?

What is stopping the U.S. from adopting PIN-based identity verification? The biggest obstacle is that the major card networks are setting the standards for how payment networks operate, Martz said. Their interests lie not with protecting their users from identity fraud, but in developing anticompetitive standards to drive the use of their products.

The NRF has argued that security standards should instead be set by a neutral third party, which would ensure transparent standards and operations. The association stated that all credit card identity verification stakeholders should have equal say in the development of security standards that protect both consumers and retailers.

“We feel like if — in addition to the networks — [there were] banks, retailers and [FinTech firms] at the table, that would go a long way toward figuring out what kind of fraud we’re looking at, and what kind of authentication are customers willing to use that works,” Martz explained. “And then, we can all agree that any payment network that is deployed in the U.S. needs to support the following kind of technology for authentication.”

A collaborative panel that could bring together all identity verification players is just an idea for now, but it may become a necessity as verification fraud continues to plague EMV card users and retailers.