The news that a large retailer has filed a lawsuit against one of the card networks over whether newly issued chip cards should use Personal Identification Numbers (PINs) as a secondary means of authentication at checkout is a new development in a debate that has been well covered by contributors in the media. Despite all the attention, I can’t help thinking that the focus on PINs verges on an unhelpful distraction.
It would be far better if all involved put their energies toward fighting the primary payment fraud threat to U.S. consumers: the ability of hackers to steal and exploit millions of card numbers at a time from vulnerable retailer systems. In any case, PIN authentication is an old technology that is very near its sell-by date.
To deal with this second point first, much has been made of the fact that when Europe moved to chip cards fifteen years ago, PIN was the standard form of secondary authentication, a hangover from ATM cards. By today’s technological standards, however, PIN is famously unsafe. Vast numbers of cardholders write their PIN down, or choose numbers that are easy to guess or work out (a date of birth and 1234 are apparently favorites).
This is creating such problems that in the UK, where chip cards have been standard for more than a decade, new banking rules mean that financial institutions may not have to reimburse cardholders whose PIN is written down and stolen.
Addressing this weakness involves moving authentication from “what the cardholder knows” to “who the cardholder actually is”, with biometrics offering the best option for the very near future. There are plenty of examples of biometrics already in use in payments, including Apple Pay, MasterCard’s “Selfie Pay”, and USAA’s biometrically secured mobile app, which passed a million users late last year. All of these take the burden of inventing and remembering a PIN off the consumer and suggest that biometric authentication at checkout is very close. This raises the question of why anyone would want to tie consumers to vulnerable PIN authentication when better technology is around the corner.
Understanding how chip cards fit into the pan-industry Payments Security Taskforce (PST) “roadmap” strategy to secure consumer data wherever it is vulnerable is critical to appreciating the great strides that are being made. Chip cards’ role is to reduce counterfeit fraud at the point of sale. The PST strategy allocates the task of preventing the type of devastating retailer data breaches seen at Target, Staples and others in recent years to two technologies complementary to chip cards: one protects so-called card-not-present transactions (such as those made online), the other protects data in transit at the point of sale. The focus of both of these technologies, “Tokenization” and “Point-to-Point Encryption” (P2PE), is on devaluing cardholder data, so that should a criminal get hold of it, it is worthless.
Tokenization replaces the payment account numbers stored in a merchant’s system with “tokens” that only have meaning for the merchant and its payment processor, so they are useless if stolen. Tokenization also matters because it delivers more security to contactless and in-app payments by including a dynamic component with each transaction that cannot be duplicated. It is this technology that secures Apple Pay, Samsung Pay and other new smartphone-based payment platforms.
Point-to-Point Encryption (P2PE) rounds out the trio of critical technologies. P2PE protects data in transit at the checkout, often from within the card reader itself, by encrypting it from the moment a card is swiped or dipped until the transaction is complete. This means that if hackers were to intercept it using point-of-sale malware, the data yield would be worthless.
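To make the “devalued data” idea concrete, here is an added example (my own constructed code, not from the article, the PST, or any vendor’s product) of the two mechanisms just described: the card reader encrypts the PAN under a key only the processor holds (AES-GCM stands in for the DUKPT-based schemes real P2PE uses), the processor swaps the decrypted PAN for a random token that only its own vault can map back, and a scraper-style check of the kind POS malware performs confirms that neither the blob the POS forwards nor the token the merchant stores contains anything PAN-shaped. The key, PAN and function names are assumptions for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"regexp"
)

// panPattern is what memory-scraping POS malware hunts for: 13-19 digits in a row.
var panPattern = regexp.MustCompile(`[0-9]{13,19}`)
// ExposesPAN reports whether a buffer (scraped POS memory, a dumped merchant
// database row) contains anything that looks like a raw card number.
func ExposesPAN(buf []byte) bool { return panPattern.Match(buf) }
// mustGCM builds AES-GCM from a 16/24/32-byte key; a wrong length is a setup bug.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// EncryptAtReader models the P2PE step: the reader encrypts the PAN under a key
// only the processor holds; the POS software sees and forwards only this blob.
func EncryptAtReader(pan string, processorKey []byte) []byte {
	gcm := mustGCM(processorKey)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	return gcm.Seal(nonce, nonce, []byte(pan), nil) // nonce||ciphertext||tag
}
// Tokenize is the processor side: decrypt (a tampered blob fails the GCM tag
// check), vault the PAN (token -> PAN) and return a random token to the merchant.
func Tokenize(blob, processorKey []byte, vault map[string]string) (string, error) {
	gcm := mustGCM(processorKey)
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("blob too short")
	}
	pan, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	raw := make([]byte, 16)
	rand.Read(raw)
	token := "tok_" + base64.RawURLEncoding.EncodeToString(raw)
	vault[token] = string(pan)
	return token, nil
}
```

A breach of the merchant side in this model yields only the blob and the token; the vault and the key live with the processor, which is the point of the PST split between what chip cards, tokenization and P2PE each protect.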
The majority of the high-profile data breaches of the last few years involved criminal use of point-of-sale malware. It is one of the ironies of the catastrophic Home Depot data breach that, according to an article in the Wall Street Journal, the malware involved would have been defeated if the P2PE systems already installed at the point of sale had been switched on at the time.
It is my hope that, as the dust settles around chip card implementation, chip technology will be seen in its proper context: as a single element of the tripartite PST strategy. Increased adoption of chip cards (with or without PIN), widespread use of tokenization, and rapid deployment of validated P2PE are together the best way to protect consumers and give the very best chance of establishing a lasting upper hand over the criminals. It is critical that this takes place and that merchants, the payments industry, policymakers and government do not allow themselves to be sidetracked.
Ruston Miles serves as Chief Innovation Officer at Bluefin Payments Technologies and speaks all over North America on payment trends and technologies. Ruston is a PCI Professional (PCIP), Certified Payment Professional (CPP), and a Certified Internet Business Strategist (CIBS).