Payments: A Primer on Card Payment Security and the Target Precedent
The retirement of CEO Gregg Steinhafel, apparently related to the Target data breach last November, is shocking. While the proximate cause of the breach was weak security in the POS systems, the ultimate cause is Visa’s desire to preserve the status quo and, in particular, its favorable position in signature-authenticated transactions, particularly debit.
- WMT is seeking damages because of this, alleging in a March 24th complaint that: “Visa has long recognized that the magnetic stripe technology that its General Purpose Credit Card and Signature Debit Card networks utilize is inherently insecure and fraud-prone. Yet, Visa has shifted most of the costs of fraud losses to merchants in this country through the implementation of various compliance programs and liability rules”
The threat to Visa from PIN authentication is that it opens the door to competition from electronic funds transfer or EFT networks (particularly in debit given the dual-routing requirements that exist for PIN-, but not signature-, authenticated transactions) and to direct routing from merchant processor to issuer bank based on bank identification numbers. This direct BIN routing is facilitated by PIN authentication since the lower fraud costs (1.1 cents/$100 of spend globally vs. over 6 cents for signature) reduce dependence on network-level fraud risk management provided by V and MA.
- Indeed, in some countries, PIN authentication has supported the development of domestic payment networks, such as Interac in Canada and EFTPOS in Australia, where network fees are 2 cents/transaction or less vs. the 6 cents and 11 cents/transaction charged by V and MA for debit and credit respectively.
As a result, the US system has not evolved to chip-and-PIN technology (compliant with global Europay-MasterCard-Visa or EMV standards) now deployed in other mature card markets, and this is reflected in disproportionately high fraud: the US accounts for 47% of global fraud costs but only 24% of global card volumes. Recognizing this was unsustainable, Visa in August 2011 announced plans to accelerate EMV adoption in the US but initially advocated for a chip-and-signature standard (which protects against counterfeit fraud but not fraud on lost/stolen cards) rather than the overseas chip-and-PIN standard (which can protect against both since a lost or stolen card requiring PIN authentication is not useful without the PIN). Furthermore, with the goal of exerting more control over mobile transactions, Visa linked merchant incentives for adoption of EMV standards to deployment of Visa’s standards for contactless technology. WMT likened this to a Trojan horse.
In practice, there is such heightened scrutiny that Visa’s gaming of security initiatives in the US is not likely to succeed, and the Target implementation of EMV sets a precedent for other retailers. Target is implementing chip-and-PIN, not chip-and-signature (although chip cards will carry a mag-stripe and allow signature authentication so as to be usable at merchants that do not have chip readers), and is installing EMV-compliant readers for contact cards, not contactless cards. As a founding member of MCX, Target is reserving the contactless (i.e. mobile) channel for the MCX standard.