Shift to chip-and-pin cards could ease retailers’ cyber risk worries

By Erin Ayers on June 20, 2014

Underpinning corporate worries about data breaches and consumer concerns about identity theft is the debate over who holds the blame for breaches at U.S. retailers – the stores or banks that continue to use magnetic card strip technology many consider outdated.

For consumers, the decision might already be made. According to a recent survey from the Brunswick Group, the public feels that retailers are more at fault for theft of customer data. Seventy-five percent of respondents said that retailers need to take “significant action” to protect the consumer information in their systems and that current efforts to prevent “infiltrations” are not enough.

“It is no longer acceptable for retailers to look to banks and issuers to protect customers; instead, the onus is on retailers to address the issue head on in their security systems,” Brandon Borrman, partner at Brunswick Group, stated. “What is clear is that the traditional approach to addressing the inevitable data breach no longer works. Consumers, press and regulators expect more transparency and clarity, and companies must be prepared.”

The National Retail Federation (NRF) said it has pressed for years for a shift to more secure credit and debit cards – cards that use a computer micro-chip and personal identification number (PIN) for transactions, rather than a magnetic strip and signature. Called either chip-and-PIN or EMV (after Europay, MasterCard and Visa, who spearheaded the effort), advocates say smart cards offer much lower risk of fraud. In the case of data breaches, criminals can’t simply steal smart card numbers and craft a counterfeit card. Smart cards might look similar to traditional magnetic strip cards, but chip-and-PIN cards are called “the most secure cards currently available.”

According to the NRF, the United States has been slow to pick up on this technology, making the country one of the last major nations to do so.

“Americans still use 1960s card technology – embossed numbers and the magnetic stripe – to combat 21st century cybercriminals. Criminals have a 50-year head start,” asserted the NRF. “When a criminal captures the information stored on a magnetic stripe card, it is easy for them to counterfeit and commit fraud. Thieves often use simple magnetic reader/writer machines—similar to what hotels use to create magnetic room key cards—to make counterfeit credit cards. In fact, thieves can use any card with a magnetic stripe to act as the cloned credit card—including a hotel room card, another credit card or sometimes even a driver’s license.”

The NRF has clashed with card issuers over the introduction of chip-and-PIN cards in the U.S.

“Even though such cards are widely used in Europe, the card industry has been slow to offer this technology in the United States. Instead, the card industry wants to issue cards that would have a chip but could be used with either a PIN or signature, defeating a key security provision, and wants the retail industry to bear the cost of replacing the millions of card readers currently in use,” stated the NRF in its official position on the issue.

Researchers at the University of Cambridge in the U.K. have sharply criticized the chip-and-PIN technology, demonstrating in a recent paper ways the EMV system could be hacked and credit card information stolen. Chip-and-PIN cards can be intercepted at point of purchase and cloned, according to the paper, called “Chip and Skim,” by Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov and Ross Anderson of Cambridge’s Computer Laboratory. This team has been studying vulnerabilities in this process for over four years, delving into cases where customers claimed fraud, but banks refused refunds, relying on the perceived security of chip-and-PIN.

“Since the introduction of EMV, the banks have operated a “liability shift” as they describe it, which means that when a transaction is disputed, then if a PIN was used the customer is held liable, while if no PIN was used the transaction is charged back to the merchant. Disputed transactions where the bank’s records show a PIN was used are seen by the banks not as frauds against the customer but as attempted frauds by the customer (or perhaps negligence by the customer),”

In the U.S., the change is coming. MasterCard and Visa have pinpointed October 2015 as the deadline for issuing smart cards to customers. Some retailers are making the shift sooner. Following its high-profile data breach in December, Target announced that it would shift its store “REDcards” to the chip-and-PIN technology. The company said in April that it would devote $100 million to the card modernization effort to improve safety.

The change may go far in abating consumer worries about data breaches, especially for retailers who seem to be primary targets for hackers. The Brunswick survey indicates that the retail industry faces the most risk in the fight against data breaches. Retail breaches present concerns for 94 percent of consumers surveyed, and well over half of them (61 percent) felt stores share as much responsibility for the theft as the criminals involved. However, far fewer consumers (34 percent) blame the banks that issue the credit and debit cards.

The NRF says that it has recommended retaining only approval codes for transactions and data required to resolve customer disputes. Banks would retain all the information that could be used for fraudulent purposes, retailers suggest.

That is not currently the case. The survey also revealed that consumers feel strongly that retailers should pay for any losses that result from the breach, not banks. And some consumers – 34 percent – make their dissatisfaction known by avoiding stores that have had data breach troubles.

Those actions combine with investor confidence to hit retailers where it hurts – their stock market value. The survey showed that 13 companies that recently went through a data breach showed a “sustained drop” in their average daily stock price. Research further showed that after six months, those companies’ value had failed to rebound.

“A data breach hits a company at the cash register, on Wall Street and at the heart of their relationship with the customer,” said Mark Seifert, partner at Brunswick Group. “If consumers don’t feel the retailer is doing enough to protect their data, they will protect themselves by shopping elsewhere.”


Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].