Chip-and-PIN Security Push To Pit Retailers Against BanksWhile the cost of breaches typically falls on the merchants, card issuers and banks would foot much of the bill for improving the security of the payment-card system
In the wake of widespread hacks of chain-store networks and the theft of credit- and debit-card data from point-of-sale (POS) systems, retailers are lobbying for better payment-card security -- an effort that has caused friction between the merchants and the financial institutions that issue cards.
On Monday, the Retail Industry Leaders Association (RILA) issued a pledge to strengthen the cybersecurity of its members by supporting federal legislation to require breach notification and information sharing, eliminate weak magnetic-stripe payment-card technology, and adopt the more secure chip-and-PIN architecture. The move to payment cards would require that retailers purchase or lease expensive chip-card readers, but the change will cost far more for the financial institutions that issue cards.
Yet without such changes, cybercriminals will continue to be able to defraud the U.S. financial and retail systems, says Brian Dodge, senior vice president of communications and state affairs for RILA.
"We know that criminals are getting better by the day at stealing information, whether it is from retailers or processors or even governments," he says. "So we need to be constantly working to stay ahead of that, and we need to collaborate to get the security of the payment system to keep pace with the criminals."
In late December, retail giant Target acknowledged that online thieves had breached its systems and installed malware on its POS terminals to steal credit- and debit-card data. The attackers collected financial details of approximately 40 million accounts, as well as other personal information on 70 million customers. The retail giant was not the only company hit; attackers have compromised a score of other retailers in the past year, including department store chain Nieman Marcus.
While Target and other retailers have taken the brunt of the criticism for the attacks, the industry has pointed the finger back at financial institutions. Last week, the National Retail Federation, which represents 12,000 retailers worldwide, weighed in on the issue as well, asking Congress to support additional legislation and advocating a change to chip-and-PIN technology.
In its statement, the NRF took solid aim at the financial institutions' history of reticence in adopting chip-and-PIN cards.
"For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN-and-chip card technology for customers in Europe and dozens of other markets," NRF CEO Matthew Shay said in a statement.
The American Bankers Association, which represents the vast majority of banks in the United States, pointed out in a heated statement that banks are the first line of defense for consumers, and frequently are not reimbursed for their costs caused by fraud.
"When a retailer like Target speaks of its customers having 'zero liability' from fraudulent transactions, it is because our nation's banks are providing that relief, not the retailer that suffered the breach," Frank Keating, president and CEO of the ABA, said in a statement sent to Congressional members (PDF). "It is often the case that banks must explain to their customers what has happened without the bank knowing where the breach has occurred."
The industry is slated to move to a chip-card standard by October 2015. Known as Europay-Mastercard-Visa (EMV), the standard will force retailers to support chip cards, but not require the use of PINs to secure the data on the cards. Offering the option to allow a simple signature for authorization does not protect the data on the card, says RILA's Dodge.
With the number of large breaches escalating, the U.S. payment card ecosystem may finally be ready to move to chip cards secured by PINs, says Avivah Litan, a security analyst with business-intelligence firm Gartner. Attempts to secure the various entities in the payment-card chain through the Payment Card Industry's Data Security Standard (PCI-DSS) have largely failed, she says.
"I think the banks are finally ready to go for it," Litan says. "While it's not a bad standard, PCI is just too prone to failure. We need to put the security where the data is, and that is what chip-and-PIN cards do."
There are at least three hearing on the retail breaches and the need for better cybersecurity in front of congressional committees next week. Both sides of the debate have called for "shared responsibility" moving forward, but whether that means they are willing to work toward speeding chip-and-PIN implementations remains to be seen.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio