The largest retail trade association says its members are ready to adopt more secure debit cards and credit cards to combat security breaches like those that most recently hit Target and Neiman Marcus over the holidays. But banks need to issue them.
The National Retail Federation said late Tuesday in a letter to Congress that it supported the widespread adoption of "PIN and chip" cards. These cards -- either debit or credit -- not only have the EMV-enabled microprocessor chip that better encrypts transaction and account data, but they also require personal identification numbers to complete a transaction. PINs add an extra layer of security on top of the EMV chip.
The NRF noted that Europe has largely adopted these cards and that the U.K. saw more than a 70-percent decline in card fraud after adopting chip-and-PIN cards. The group also noted that several large retailers already have installed PIN-enabled checkout terminals, "but the fact remains that retailers cannot do this alone," pointing its proverbial finger at banks for slowly issuing this type of card.
In fact, Target -- which fell victim to a sophisticated malware attack that exposed 40 million debit and credit cards -- piloted a program to accept chip cards from 2001 to 2004, but stopped it because use of the card had not gained critical mass in the U.S. market, according to a recent article in The Wall Street Journal.
In 2012, banks started to roll out chip card versions of their credit cards that targeted business travelers or globetrotters to make purchasing abroad easier. Train kiosks, tollbooths and unmanned gas stations in foreign countries often only accept chip cards as payment.
But the types of chip card given out by U.S. issuers so far are varied. Bank of America and several credit unions offer chip-and-PIN cards, while Citi and Wells Fargo offer the option of entering a PIN if a retailer supports it. Chase and U.S. Bank offer only chip cards with signatures, which are less secure if the cards are lost or stolen. It's easier to forge a person's signature than to guess a PIN.
Visa, MasterCard, American Express and Discover have not yet pushed for a certain type of chip card as they forcefully encourage retailers to transition to chip-enabled point-of-sale systems. The payment networks in 2011 and 2012 told retailers that they must be able to accept EMV chip cards by 2015 or take on fraud liability. (Gas stations have until 2017 to make the switch.)
Of course, chip-and-PIN cards wouldn't have prevented the entire breach that Target suffered during the holidays. In the breach, personal information, including names, addresses, emails and phone numbers of up to 70 million customers were compromised. This information was stored in Target's system and not picked up from card data.
That means retailers need to work on better computer security, too, while banks work on issuing more secure cards.
What do you think? Should we transition to chip-and-PIN, chip-and-sig or stick with what we've got?
Follow me on Twitter: @JannaHerron.