VARs: Must The EMV Solutions You Are Providing Accept PINs?

By Christine Kern, contributing writer

As U.S. consumers began using EMV cards this fall, many retailers began to push for the use of personal identification numbers (PINs) along with the new chip credit cards to create an additional layer of security to protected financial information.

Business Solutions Magazine reported that the National Retail Federation (NRF) submitted a statement to Congress arguing that chip-and-signature cards do not provide enough security to protect cardholder data, and pressuring small businesses to install EMV transactions readers was unwise. Lance James, chief scientist with cyber intelligence firm Flashpoint, told Reuters, “The PIN is definitely a must. It’s one extra step that provides true two-factor authentication.”

Most banks issuing chip cards have argued that PINs are not necessary; however, VISA continues to contend that “It’s the chip, not the PIN” that is essential for card security.

This month nine attorneys general sided with concerned retailers. Together, they sent a joint letter to the nation’s top credit card companies and banks urging for the use of PINs rather than signatures with the new chip-based credit cards. The letter was signed by the attorneys general of Connecticut, Illinois, Maine, Massachusetts, New York, Rhode Island, Vermont, Washington state, and the District of Columbia and was addressed to chief executives at Visa, MasterCard, American Express, Discover, Bank of America, Capital One Finance Group, Citigroup, and J.P. Morgan Chase.

“This is further proof that top law enforcement officials and security experts agree that continued reliance on an illegible scrawl isn’t good enough to protect American consumers when the technology of a secret, secure PIN is readily available,” said NRF senior VP and general counsel Mallory Duncan. “Banks and credit card companies should heed the advice being given them and immediately implement chip-and-PIN. That’s the standard used around the world and U.S. consumers deserve nothing less.”

“The chip-and-PIN approach is considered by many to be the gold standard currently for payment card security,” the letter asserted. “Countries that have implemented chip-and-PIN cards have seen significant reductions in fraudulent transactions.”

“There can be no doubt that this is a less secure standard since signatures can easily be forged or copied or even ignored,” the letter continued. “Unlike signatures, PIN numbers can be changed easily and as frequently as needed by the consumer. Absent this additional protection, your customers and our citizens will be more vulnerable to damaging data breaches. This is something we cannot accept.”

The NRF has led the charge arguing that PIN-and-chip cards should replace signatures, and last month the Federal Bureau of Investigations issued a warning urging the use of the safer PIN technology.