The electronic payments industry works tirelessly to ensure consumers’ private data and money are protected during each transaction. This includes improving current security measures and investing in innovative solutions on both sides of the payment equation.
PIN is old news in the security world, with other advanced and effective solutions already on the market. The banking industry originated PIN in 1967 for use at ATMs and is well acquainted with its strengths and weaknesses, including the serious consequences it has when compromised.
{mosads}While PIN has its uses, it is not relevant for many instances of fraud. Around half of total fraud in the U.S. occurs in online transactions and approximately one-third of fraud experienced by retail stores is due to counterfeit cards, both instances in which PIN does not protect.
On the other hand, where PIN is used, fraud is on the rise and has been for some time. A 2012 report by the Federal Reserve Bank of Atlanta found that PIN debit fraud rates have increased more than 333 percent since 2004. When a data hacker gets a hold of a PIN, it opens a backdoor for access to the consumers’ bank accounts at an ATM, which they will promptly drain.
A recent example of this breach occurred a few months ago in California and Colorado. Customers who used their debit cards and authenticated the purchase with a PIN at certain terminals in Safeway stores quickly saw their bank statements fall to $0. The thieves installed devices that captured and stored the customers’ PINs, which they then used at an ATM to drain the compromised debit card of cash.
Other unfortunate high-profile data breaches also demonstrate the simple fact that PIN is not a panacea and should be used in tandem with other security measures for preventing fraud. The major breaches experienced by Target and Home Depot could not have been prevented with customers using PIN.
Across the pond, as criminals have adjusted to the UK’s chip and PIN mandate, lost and stolen card fraud has been rising over the last few years resulting in a movement away from PIN in both Canada and Europe.
A major step forward has been the rollout of EMV or “chip” technology in debit and credit cards by the payments industry. Chip cards contain a microprocessor that protects information through encryption—a process that scrambles personal and financial data to make it virtually useless to criminals.
Retailers have also come out publicly in support of choice and innovation when it comes to payments security at checkout. According to an October 30, 2015 Reuters article, not all big box stores view PIN in the same light:
“Even though demands for PIN cards are being made by groups representing large retailers, some big merchants say they have no plans to offer PINs. “Our approach is chip and signature,” said Macy’s Inc spokesman Jim Sluzewski. JC Penney Co Inc. said it has no plans to introduce PINs and has yet to begin processing any chip transactions.
Just as one security solution cannot protect consumers, one sector of society cannot resolve all cyber threats. According to a Morning Consult poll, 90 percent of consumers agreed stores and retailers should be held to similar standards as banks and financial institutions to keep customer data secure.
Businesses, standard-setting bodies, policymakers and law enforcement must all work together to protect the financial and privacy interests of consumers.
We must also look to the future, not the past. Mandating the use of PIN does not prevent online or mobile fraud. Americans spent $263 billion online last year and that dollar number is expected to grow 57.4 percent by 2018 to reach $414 billion. PIN is just one security technology and a mandate would not address digital commerce security, which is critically needed in today’s increasingly mobile-oriented world.
In fact, in recognition of the evolving nature of payment card fraud threats and of the variety of tools that can be employed to address these threats, even the Federal Reserve does not mandate use of one specific technological approach to payment card security.
And it’s not just the regulators that understand why a mandate just won’t work. , 83 percent of those polled in the recent Morning Consult survey say they would prefer to have options when it comes to secure payment processing.
An all-out push for PIN delays development and implementation of other technologies that can be deployed in the changing threat landscape. In addition to chip cards, security experts are working on measures such as tokenization, biometrics and end-to-end encryption to protect purchases made with and without a card present. A combination of these measures presents a far more robust solution to modern cyber threats than a PIN mandate could ever hope to achieve.
Instead of stonewalling progress by a misinformed campaign to mandate old technology, the big box retailers need to get on board to help protect the people that visit their checkout counters. A good start would be supporting the national data security standards such as those outlined in the Data Security Act of 2015—and moving forward with innovative payment security solutions.
Molly Wilkinson is executive director of the Electronic Payments Coalition