PIN is no panacea

Over the past few months all payments stakeholders have taken a major step forward in payments security. Millions of Americans have received chip cards and thousands of retailers have taken steps to turn on chip readers, making those cards virtually impossible to counterfeit. Instead of a applauding this step forward, a small number of retailer trade associations have instead focused their efforts on mandating the use of PINs to authenticate transactions.

This single-minded campaign has generated bemusement among security experts who recognize that PINs would not stop merchant breaches, like those at Target, Home Depot or Michael’s and that PIN fraud has increased threefold between 2004 and 2012. And now, it is increasingly clear that this campaign doesn’t even align with the positions and experiences of many of the retailers who belong to these trade associations.

{mosads}A few weeks ago Macy’s and JC Penney both confirmed that while they plan to install chip readers, they don’t plan to offer PIN transactions. This isn’t particularly surprising, since the Federal Reserve has previously reported that roughly 2/3 of merchants are not equipped to accept PIN transactions.

Two weeks ago, Target decided to stop the rollout of their chip and PIN cards because customers kept forgetting their required PINs at checkout.  As we approach the second anniversary of the Target breach and the start of  holiday shopping season,  no one should be advocating for policy proposals that will actually hinder the rollout of secure technologies, like chip cards.

So, if PIN doesn’t solve the problems that retailer trade associations claim AND their own members are either moving away from PIN or learning first hand why a mandate is a mistake, why are they pushing for it? The answer is clear: To distract Congress from a conversation about common sense data security standards, which retailers continue to oppose.

The best way to help protect against cybercrime is to secure our customers’ data. For over a decade, the Gramm-Leach-Bliley Act has required financial institutions to safeguard sensitive data and to explain their information-sharing practices to their customers. Yet, while the financial services industry has gone above and beyond these rules over the past two decades, retailers have actively opposed being held to these basic common sense data security standards.

Retail trade associations are fully aware of the value of common sense security standards, but they have decided that instead of participating in discussions about how to create standards that are effective and proportional, they would rather invest in a noisy campaign to “demand” an authentication method that even their members believe is outdated.

Payments fraud and cybersecurity are genuine threats that we face today. We hope that the retail trade associations drop this charade and instead come to the table for a real conversation about how we can put in place effective data security standards and implement technologies like encryption and tokenization that can better protect all of us from cyber criminals.

Fine is president and CEO of the Independent Community Bankers of America.