The NRF says retailers want to transition to pin and chip payment cards to prevent breaches, but say they're dependent upon banks to issue the cards to customers. Banks say retailers are simply trying to shift the blame.
Photo credit: (Image courtesy stock.xchng/LotusHead)
With recent high-profile data breaches that have occurred at retailers such as Target and Neiman Marcus, the National Retail Federation on Tuesday held a briefing with members of the media to advocate for the adoption of pin and chip payment card technology within the retail and banking sectors.
“We’re here today because the question of data security and cyber theft in retail has become a very important debate in Washington,” said David French, senior vice president of government relations for the NRF. “We think that one of the most important elements of this debate is understanding how card technology is working or not working to protect the integrity of account numbers and… how easy it is for folks to take that information and monetize it and turn it into something criminals can use.”
Unlike the traditional swipe and sign method that most people are accustomed to when paying for merchandise with their credit card in a brick-and-mortar store, pin and chip technology utilizes payment cards with embedded chips inside that are inserted into a reader that also requires the customer to type in a unique pin for the purchase to be validated. This would in effect create two-factor authentication for retail transactions.
“The difference in those two transactions… is that number one, the chip validates that this was a real card, not a counterfeit card,” Tom Litchford, vice president of retail technologies for the NRF, said in a technology demonstration of a pin and chip card reader. “And, number two, by asking me to put a PIN in, it is making sure I’m authorized to use that card, so there are two levels of validation with this technology.”
According to Mallory Duncan, senior vice president and general counsel of the NRF, a large technology migration is going to have to take place for these new, more secure types of payment systems to become more commonplace in stores.
“It’s going to be a very expensive transition. The cost of the card is four or five times as high with a pin and chip than it is with traditional magstripe signature cards. So, that’s a lot of money on the part of financial services industry,” Duncan said. “On the part of the retail industry… every one of the (payment) terminals has to be replaced and depending on whether you’re counting just retailers or doctors’ offices and other places that are thought of as retail, it’s going to be between nine to 15 million (pieces of point-of-sale) equipment that have to be replaced. That’s equipment alone that averages over $1,000 per unit. You add in the software, training and everything else that goes into it, based on the studies we saw in Great Britain when they migrated to it, you’re probably talking $20 billion or $30 billion to swap out equipment. Collectively, we’re talking $30 billion or $35 billion to make the change.”
However, Duncan said that this transition is going have to start with banks issuing their customers these more secure smart cards or else it’s a moot point.
“Retailers would like to see this change, but we have to have our partners in the financial services industry issue the cards,” Duncan added. “No one wants to spend tens of billions of dollars to not see pin and chip cards out there or spend that kind of money on chip and signature. Then you’ve only got half a solution and it would be a shame to spend that much money on half a solution. If (banks) want their customers to feel safe and secure, they’re going to issue these cards we believe.”
For their part, however, many in the banking industry feel that retailers are shirking their responsibility to protect consumer data and believe that card security is only part of the issue. In response to the NRF's media briefing, the American Bankers Association, Consumer Bankers Association, the Independent Community Bankers of America, and the National Association of Federal Credit Unions, issued a joint statement on Tuesday:
“Once again, the NRF is more interested in pointing fingers than accepting responsibility for their role in protecting consumer data. That’s a distraction. Plain and simple, the Target breach – and the others recently in the news – had little to do with card technology and everything to do with failed computer security at major retailers.
“Chip-based technology should be part of the discussion, but it’s not the whole solution. Banks and retailers already have a plan in place to adopt its use – in addition to our own industry’s stringent federal data security requirements. Other technologies are emerging to address online and mobile payments fraud, such as tokenization, which is being spearheaded by financial institutions card networks and financial institutions card networks in their effort to protect consumers.
"Protecting consumer data is a shared responsibility, and merchants must have the same tough data security standards as financial institutions to thwart hackers."
French insists, however, that the retail industry is not trying to shift the blame.
“We’re trying to make sure there is a clear understanding about why the breaches occur,” explained French. “Breaches occur because the cards can be easily counterfeited and used fraudulently because the card technology is insecure. If the card technology was secure, then the breaches wouldn’t be nearly as numerous.”
However, even if banks and retailer across the U.S. were to adopt pin and chip card technology tomorrow, Duncan said it would still take a significant amount of time for the transition to take place.
“Obviously, when you’ve got billion of cards out there that have to be reissued and millions of terminals that have to be replaced, it’s not going to happen overnight,” said Duncan. “There’s going to be a huge expense involved, it’s going to take some time. In England when they did this, it took them a number of years to achieve (full adoption). I would be surprised if it didn’t take essentially the same amount of time here. The goal is to get started right away, so that we migrate to this technology… as quickly as possible.”