RETAILERS APPLAUD STATE AGS PUSH FOR BANKS TO ISSUE CHIP AND PIN CARDS

Arlington , VA - 11/16/2015

​​​The Retail Industry Leaders Association (RILA) issued the following statement after nine state attorneys general sent a letter to the CEOs of America's largest banks and card networks urging the adoption of chip and PIN technology in the United States. In the letter, state AGs rebut a number of misleading arguments and excuses that banks and card networks have made in recent months regarding their unwillingness to implement Chip and PIN.

Brian Dodge, RILA's executive vice president for communications & strategic initiatives, echoed the arguments made by the nation's leading consumer protection advocates and urged all law enforcement officials concerned with fighting card fraud to join the chorus of elected officials and policymakers demanding that America's credit card issuers implement Chip and PIN.

"The two-factor authentication offered by Chip and PIN is the gold standard in nearly every other industrialized nation in the world. There simply is no honest explanation for banks to refuse to provide American's with the same credit card security offered in Canada and Europe.

"Chip and PIN is the best available technology for widespread use today, and it's time for banks and card networks to meet the investment being made by retailers to install new payment terminals with credit cards that are proven to prevent all forms of fraud."

The letter from state AGs comes on the heels of comments made by FBI director James Comey and Federal Reserve Board Governor Jerome Powell in support of moving beyond signatures to secure American card payments.
FBI Director James Comey: "The experts at the FBI would say that PIN and chip is more secure than [chip] and signature." [Source]

Federal Reserve Board Governor Jerome Powell: "The deployment of EMV chip cards in the United States represents an important step forward. But we should not stop there," he said. "New approaches to authentication increasingly offer greater assurance and protection. Given the current technologies that we have at our disposal, we should assess the continued use of signatures as a means of authenticating card transactions." [Source]

RILA is the trade association of the world's largest and most innovative retail companies. RILA members include more than 200 retailers, product manufacturers, and service suppliers, which together account for more than $1.5 trillion in annual sales, millions of American jobs and more than 100,000 stores, manufacturing facilities and distribution centers domestically and abroad

By Kathryn Vasel

The shiny chip on your new credit card has definitely made it safer. But that doesn't mean you can let your guard down.

The FBI issued a warning Thursday that new chip-enabled cards are still vulnerable to fraud and that consumers need to be diligent when using their plastic.

"While [the new] cards offer enhanced security, the FBI is warning law enforcement, merchants, and the general public that these cards can still be targeted by fraudsters," the agency said in the release.

The microchip in the new cards issues a unique code for each swipe that helps authenticate a transaction. Old cards hold the payment data on the magnetic stripe on the back of cards, which is easy for fraudsters to steal and put on fake cards.

An October 1 deadline that shifted the responsibility of fraudulent charges between retailers and banks prompted the rollout of the upgraded cards.
While the new cards are safer, they didn't solve all theft exposures. The upgrade doesn't require a PIN to be entered at the point of sale, a process that is standard in many places in Europe and offers more security.

In its release, the FBI suggested using a PIN to verify transactions, but that's generally only possible when using a debit card. Plus, many debit card users haven't received a new card yet, because banks have tended to prioritize issuing upgraded credit cards over debit.

While some U.S. banks do require a PIN to be entered when using an upgraded credit card, most just require a signature, explained Philip Andreae, a vice president at digital security company Oberthur Technologies.

Read More

By Martha Coakley and Jon Hurst

Hardly a week goes by without a news report of a new cyberattack. As any consumer affected by fraud knows, the harm is real. The impact on businesses, government, and other targets is also real, and includes monetary harm and reputational damage that can devastate those so reliant on the trust of their customers.

Retailers recognize that their commitment to protect information must evolve and grow with the threat, and they have invested considerable resources to strengthen the barriers that protect information that passes through their systems. Retailers also recognize that cybercriminals are highly sophisticated, and that the tallest and thickest “walls” won’t always stand up to the volume of attacks. That’s why retailers believe that reducing the value of data behind their walls is equally important.

Cybercriminals, like most criminals, are money-driven. Sophisticated cyber thieves, often from overseas, relentlessly troll for valuable data they can sell to crime rings that use the stolen information to commit fraud. But there is a way to make the credit and debit card information less valuable or totally useless to potential thieves: It’s called Chip and PIN (personal ID number). It has been the standard around the world for nearly a decade, yet not embraced by banks and card networks in the United States.

Consumers are just now receiving credit and debit cards reissued with a microchip embedded in addition to the traditional magnetic stripe. The chip offers a higher level of security and is an important step in the right direction; but unlike cards issued in Canada, Europe, and the rest of the industrialized world, cards issued in the United States will not require a PIN. Cards delivered to our consumers will still rely on a signature, which allows for stolen-card use and forgeries.

The combination of an encrypted chip and private PIN substantially reduces the value of data to cybercriminals. If a criminal cannot use a stolen card or create a counterfeit card, the value and reasons to steal the data in the first place disappear.

When Britain began using both chip and PIN technology, fraud losses at retailers fell 67 percent, and lost or stolen credit card fraud fell by 58 percent. When hacking European businesses became less profitable, cyber thieves simply refocused their efforts on an easier target, US credit card numbers. Today, the United States represents half of all card fraud even though only about a quarter of the world’s transactions occur here.

Retailers have invested an estimated $8.6 billion in new point-of-sale equipment to accept these new chip cards. The experience at point of sale will change slightly; chip cards are “dipped,” not swiped. Unfortunately, one thing will not change: The US will continue to have the weakest card security in the world.

Given the clear consumer benefits of Chip and PIN, why are banks hesitating to require both? They argue that consumers will forget their PIN numbers; but whether it’s using an ATM or cell phone, we are all quite capable of using a PIN to prevent access to sensitive information. The truth is that, for banks and card networks, the status quo is lucrative; they don’t want to change.

There is no one answer to defeat cyberattacks, but we must recognize that criminals follow money through the path of least resistance. Banks should ensure new US cards are equipped with the same security features afforded consumers in other countries. We can all help push forward this important and overdue reform by demanding our banks to stop the delay — and to drop the signature and mandate the PIN.

Former state attorney general Martha Coakley is counsel at Foley Hoag. Jon Hurst is president of the Retailers Association of Massachusetts.

Read More

By Brian Dodge

Many people may not be aware, but come October 1, everyone in the United States will be issued new credit and debit cards by their bank or credit union, equipped with a "chip," to replace their existing cards.

The new "chip" cards are different because they generate a unique transaction code every time the card is used and helps protect consumer data from hackers.

Combined with a PIN number, this new technology has proven extremely effective in reducing fraud in Canada and Europe. Victories against card fraud seem to follow chip-and-PIN cards around the world. Since the United Kingdom made the widespread transition in 2004, retail fraud has fallen by 67%. Closer to home, Canadian debit card users saw a 55% drop in fraud last year.

But so far, the United States remains the only member of the Group of 20 that relies primarily on outdated magnetic-stripe cards, which were created in the 1960s and have been identified as a source of most U.S. data breaches.

While still functional, magnetic-stripe cards don't offer the same protection as the new cards will. As retailers invest in new and more secure terminals at registers, so too must the card issuers step up in replacing the cards in people's wallet.

Retailers nationwide have spent billions to replace old "swipe" machines with new chip credit card readers. But having the new cards is not enough.

Banks are only issuing "chip and signature" cards in the United States, a less secure standard as signatures can easily be forged. It has been reported by the Federal Reserve that including a PIN makes a transaction up to 700% more secure. Yet to date, banks are not issuing these cards to American customers.

Banks and card networks have made conflicting statements as to why they are issuing more fraud-prone credit cards to their American customers.

Continue Reading Here

By Aimee Picchi

If you live in America and use plastic to make purchases, chances are you've been alerted to fraudulent activity on your account.

America is now the favorite haunt of credit-card fraudsters, with a report from Barclays finding that 47 percent of all global card fraud affects cards issued to U.S. residents, even though the U.S. only represents 24 percent of card volume, according to Quartz. Barclays didn't immediately return a request for comment.

While some might suspect Americans have a target painted on the back of their credit cards because they live in a rich country, there's actually a technical issue that's attracting criminals. The U.S. lags other countries in its rollout of cards that are designed to stymie fraud. Most American credit cards still rely on magnetic strips, which are easy to copy, while Europe and other regions have moved forward with chip-and-pin cards, also known as EMV cards, which stands for Europay, MasterCard and Visa.

EMV cards include embedded microchips that store customer data, which is considered more secure because retailers and card processors don't store the card data in their systems. With magnetic strip cards, the card number is released to the retailer, which is why so many American retailers -- from Target (TGT) to Staples (SPLS) -- have been hit by hackers in the last few years.

The statistics on EMV adoption show a startling bifurcation between the U.S. and many other developed countries. In Europe, about 84 percent of cards are now EMV enabled, according to trade group EMVCo. The adoption rate in the U.S.? A measly 7.3 percent.

The impact on fraud on countries that have adopted EMV cards is startling, according to data in the Barclays report cited by Quartz. The U.K., which began adopting the new type of cards over a decade ago, has seen a 70 percent reduction in counterfeit fraud since then, the report said.

Read More

By Martha Coakley

Recently, there has been a lot of discussion around the new Europay, Mastercard, and Visa (EMV) technology as the October liability shift looms away from magnetic stripe and signature cards takes place. Through all of the discussion, there have been a lot of misstatements made by financial institutions regarding “chip-and-PIN” technology.

As a former law enforcement official myself, I was disappointed to read deliberately misleading comments coming from a former Federal Bureau of Investigation (FBI) official in a recent op-ed where it was stated that “fraud reductions provided by PIN appear to be fleeting and ultimately illusory.”

There are many benefits to “chip-and-PIN” technology, but the most significant benefit is that this technology has shown its fraud-fighting prowess around the world and in nearly every G-20 nation.
The United States has lagged behind many countries in adopting this fraud-reducing technology. And while other nations have protected themselves and their citizens, cyber-crime has migrated to the United States due to the fact we employ technology from the 1960s in our card payment process.

Read More

By Bret Swanson

Protecting Americans from online threats is clearly taking a rightful place at the top of Congress’ priority list, evident in the celebration of “Cyber Week” through Friday and the pending introduction of long-anticipated cybersecurity legislation.

Each month, it seems, we learn of another large-scale data breach at a major retailer or financial house — among them Target, JPMorgan and Home Depot. On a smaller scale, most of us have probably received a call from our credit card company or bank reporting “suspicious activity.” Have you stopped to think about just how outdated the technology of the credit card is? In an era of bits and bytes, PayPal and bitcoin, why are we still using raised plastic numbers and scribbles of ink?

Laziness? Inertia? Who knows? But it doesn’t make sense, and if America doesn’t act to correct this glaring technological deficiency, we have only ourselves to blame.

If the House takes up this bill, it will show the U.S. government is serious about confronting the new landscape of cyberthreats. It is a vast and complex issue, reaching areas such as health records, government offices and the entire cyber universe. A General Accountability Office report, for example, found that in 2013 U.S. federal agencies suffered 25,556 incidents involving possible loss of personal information, up from 10,481 incidents in 2009. The hacks of Sony and Apple iPhoto late last year, meanwhile, have finally drawn attention to the destructiveness and ugliness of cyber vandalism.

Cyber reform will likely cover a whole range of these high-profile threats. That does not mean, however, that Congress shouldn’t address the mundane problems affecting real people every day. Payment card hacks, while less sensational, are relatively well understood and could be mostly (and quickly) solved with a simple technological tweak.

Last year, credit card hackers and thieves defrauded consumers and their financial institutions out of an estimated $11 billion. More than half of the losses were in the United States, in large part because of America’s use of the 1960s plastic-and-ink technology. Much of the world has since leapfrogged to a more advanced, yet simple, “chip-and-PIN” approach. The chip is a tiny microchip that is more secure than both raised plastic numbers and easily foiled magnetic strips. The PIN is a personal identification number, familiar to debit card users, and far more difficult to hack than an ink signature.

Read More

By Robin Sidel
Big U.S. banks are steering clear of an advanced security measure used in credit cards around the world, opting for a system that is more convenient for shoppers but may leave them vulnerable to fraud.

This year, firms ranging from J.P. Morgan Chase & Co. to Discover Financial Services Inc. are expected to roll out more than a half-billion new credit cards embedded with computer chips that create a unique code for each transaction, making counterfeiting much more difficult.

In a retreat for the industry, however, the new cards don’t use some technology that could prevent fraud if a card is lost or stolen.

Instead of requiring customers to put in a personal identification number, or PIN, the new cards need users to authenticate credit-card transactions the same way they often do now, with a signature. PINs are widely considered to be more secure than signatures, which can be easily copied.

The more advanced “chip-and-PIN” technology has been adopted in Europe, Australia and Canada. The U.S. is one of the few developed countries not to embrace it.

U.S. bank executives said they are choosing the signature version so customers won’t be burdened at the checkout line to remember a new four-digit code.

Chip-and-signature cards “are such a big shift that we didn’t want to make it more difficult than it already will be” by requiring a PIN, said Jon Krauss, senior manager for card payment strategy at Discover. The Riverwoods, Ill.-based card company will be issuing signature-based chip credit cards in 2015.

Chip-based cards must be inserted into the bottom of the cash-register terminal instead of swiped. Consumers have to leave the card in the terminal until they sign for the purchase.

J.P. Morgan Chase, the nation’s biggest card issuer, had initially planned to issue chip-and-PIN credit cards in 2014, but the bank put those plans on hold after testing them with consumers, according to a person familiar with the bank’s strategy. The bank has issued millions of chip-and-signature cards.

Other big banks opting for the chip-and-signature cards include Bank of America Corp. and Citigroup Inc.

The push for the new cards in the U.S. comes as financial institutions are reeling from a recent rash of costly data breaches at big merchants like Home Depot Inc., Staples Inc. and International Dairy Queen Inc. Industry observers said many of those attacks wouldn’t have happened if consumers used chip cards and merchants had technology in place to accept them.

Financial institutions are motivated to bolster security, as they are typically on the hook for unauthorized transactions. That will change in October when merchants who don’t have the upgraded technology to accommodate chip cards will be responsible for the cost of any fraud that occurs when one of the cards is used.

Consumers don’t usually bear the financial cost of fraud but are usually required to provide paperwork denying they made the purchase.

U.S. lenders are expected to issue more than 575 million chip cards by the end of 2015, according to an industry-group projection. That would be roughly half of the one billion cards in circulation in the U.S.

Most of the banks are issuing the new chip-based cards as old ones expire, although consumers can often request a chip card before that.

Other groups are pushing for cards with the added layer of security provided by PINs. Target Corp. , which was rocked by a data breach at the end of 2013, is one of the few merchants whose customers are getting store-branded credit and debit cards with the PIN technology.

In October, President Barack Obama issued an executive order to replace government-issued cards, such as those that contain Social Security benefits, with new ones featuring chip-and-PIN technology starting on Jan. 1.

Even without requiring PINs, the chip-based cards significantly reduce the chance that stolen card data can be used to make counterfeit cards, essentially making the data useless to thieves. Counterfeiting is the biggest risk of large-scale cyberattacks like the ones on Home Depot and Target.

U.S. credit-card-fraud losses totaled roughly $18 billion in 2013, according to Javelin Strategy & Research, a consulting firm that is a unit of Greenwich Associates. About a third of those losses are attributed to counterfeit cards, according to consulting firm Aite Group.

The PIN system is only a defense for point-of-sale purchases and doesn’t provide additional protection for online sales.

The decision whether to issue cards that require a PIN or a signature “is a very strong debate” in the industry,” said Martin Ferenczi, president of North American operations for Paris-based Oberthur Technologies, one of several card manufacturers that is being swamped with orders for chip cards.

Merchants are also scrambling to install new technology at the cash register to accept the cards, spending billions of dollars on upgrades. A payment-industry group estimates that roughly half of U.S. merchant terminals will be ready to accept the new chip cards by the end of 2015, representing 80% of U.S. purchases.

The new chip cards also contain the old-fashioned magnetic stripe to accommodate merchants who don’t have the new technology.

“There is a lot of concern that PINs would create customer-service issues for consumers and merchants if a consumer can’t complete a transaction because they have forgotten the PIN,” said Randy Vanderhoof, executive director of the Smart Card Alliance, an industry group representing banks and credit-card companies.

But Merrill Halpern, assistant vice president of card services at United Nations Federal Credit Union, said the potential inconvenience isn’t a good enough reason to choose signatures over PINs. The credit union, based in Long Island City, N.Y., is one of the few credit-card companies that issues chip-and-PIN cards.

“We should be doing the most we can to fight fraud, and the only way to send that message is to stand clearly behind chip-and-PIN,” he said. The credit union has 100,000 credit-card customers, with about 40% of them living in the U.S.

The decision to issue signature cards instead of PINs is creating more tension in the already-fractious relationship between credit-card issuers and merchants, who have long fought over fees and other issues.

“It is absolutely a concern, and we believe [the new cards] are a half-measure,” said Andrew Szente, vice president of government affairs at the Retail Industry Leaders Association, a Washington, D.C.-based trade group. Banks, on the other hand, said many merchants don’t have PIN pads to accommodate the technology.

By Sandy Kennedy

President Barack Obama has declared this week National Consumer Protection Week, and his proclamation comes not a moment too soon. Millions of Americans have already felt the effects of a data breach, and threats of fraud and identity theft exist for everyone, everywhere. Currently, the United States accounts for almost half of all card fraud worldwide due to outdated payment card technology that is putting us at unnecessary risk.

America’s retailers are working with Obama to lead the shift toward a more secure standard of payment for all Americans: “chip-and-PIN” card technology.

“Chip-and-PIN” cards are a staple in other countries. The United States remains one of the few Group of 20 members that still relies primarily on outdated magnetic-stripe cards and as a result fraud has migrated away from other countries and to the United States. Since the United Kingdom made the transition, retail fraud has fallen by 67 percent. Closer to home, Canadian debit card users saw a 55 percent drop in fraud last year.
Two essential security features help make “chip-and-PIN” cards safer. First, the magnetic stripe – found on most cards issued by U.S. financial institutions today – is replaced by an embedded chip. The chip provides a more secure method of storage for the cardholder’s personal data and randomizes transaction information each time a purchase is made.

The second step, entering a PIN or personal identification number for each purchase, is just as essential. Instead of a signature that a thief could potentially reproduce, PINs remain known to the cardholder alone, rendering the card virtually useless if stolen. In a study of PIN use with debit cards, the Federal Reserve noted that entering a PIN could make transactions safer by as much as a 700 percent margin.

Why is it so imperative to implement “chip-and-PIN” technology? Simply put, the current system is broken. Magnetic-stripe card technology dates back to the 1960s and has hardly changed at all since its introduction. Our reliance on these plastic anachronisms has real consequences: security analysts at Trend Micro have blamed magnetic stripe cards for exacerbating data breach damage in the United States.

Read More Here

DETROIT - Since the Target data breach affected millions in 2013, American consumers have become painfully aware of how security on their credit cards stacks up against the security in other countries. In Europe and Canada, the "Chip and PIN" system is credited with cutting fraud dramatically. Consumer advocates have been calling for the same security in the U.S., but that's not happening as quickly as some would like.

Watch the Video

Currently, retailers and banks are targeting an Oct. 1 deadline to get most credit cards chip-enabled. Many may have noticed the encrypted chips appearing on newer credit cards. The chips are more secure because they cannot be copied and they create a unique code each time they are used.

"I think everybody's on the same page (with) wanting to make transactions more secure," said Alan Bergstrom, senior vice president and chief marketing officer at Community Choice Credit Union in Farmington Hills.

Bergstrom said his company is going full-speed ahead with the switch to chip credit cards. He said he expects the changeover for credit cards should be done by the end of September.

The timing is critical, because starting in October there's a shift in liability for credit card fraud. Currently, financial institutions absorb the cost of bogus transactions. In October, that responsibility will fall to whichever institution hasn't upgraded security.

"If a retailer doesn't have the proper reader to process that chip transaction, then the liability will be on the retailer," Bergstrom said.

By Peter Fricke

Computer chips are starting to make credit cards more secure, but card issuers are resisting calls to implement the additional protection of a PIN, saying it would be a burden to consumers.

In response to the recent spate of data breaches at major U.S. retailers and banks, the House Commerce, Manufacturing, and Trade Subcommittee held a hearing on Tuesday to discuss “elements of sound data breach legislation,” including the question of whether to mandate the use of PINs with credit cards.

In his testimony, Brian Dodge of the Retail Industry Leaders Association said that, “One area of security that needs immediate attention is payment card technology,” because the “woefully outdated” magnetic stripe technology still used on many cards today “is the chief vulnerability in the payments ecosystem.”

Retailers, he asserted, “have long supported the adoption of stronger debit and credit card security protections … [and] continue to press banks and card networks to provide U.S. consumers with the same chip-and-PIN technology that has proven to dramatically reduce fraud when it has been deployed elsewhere around the world.”

Research by the Federal Reserve, Dodge pointed out, has found that “PIN’s on debit cards make them 700 percent more secure than transactions authorized by signature.”

According to the Wall Street Journal, “chip-and-PIN” technology is already standard in Europe, Australia and Canada, making the U.S. “one of the few developed countries not to embrace it.”

Jon Krauss, senior manager for card payment strategy at Discover, told WSJ that the implementation of chip technology is “such a big shift that we didn’t want to make it more difficult than it already will be” by requiring customers to remember a new four-digit PIN when making purchases.

J.P. Morgan Chase, the nation’s biggest card issuer, toyed with the idea of issuing chip-and-PIN cards in 2014, but “put those plans on hold after testing them with consumers,” a person familiar with the market test told WSJ.

Read More

By Sandy Kennedy and Matthew Shay

The new Congress will have its work cut out for it this year as the House and Senate establish legislative priorities and adjust to changing dynamics on various priorities for the American people. While significant legislative debates no doubt lie ahead, one especially timely issue presents a common problem that Democrats and Republicans should be able to work together to solve.

Last year, Americans seemed to be hit with data breaches one after the other. A December poll found that just under half of us have experienced some sort of breach. The theft of personal information from more than 80 million J.P. Morgan Chase account holders’ last summer, and the highly publicized attack on Sony has brought this issue to light for many on Capitol Hill and in middle America.

Because hackers have targeted both retail stores and financial institutions, it is important for both sectors to work together effectively to provide greater security for the entire electronic payment sphere. When customers make electronic purchases in a store, they are doing so with a card issued by a bank or credit union. Both the store and the card issuer have a responsibility to put their customers’ security first.
Last year, 19 different business groups came together to establish the Merchant-Financial Cyber Partnership. Over the course of nearly 50 meetings, some 250 individual executives met to hear from outside experts and chart a way forward toward stronger data protection measures. Their recommendations, recently submitted to the new Congress, include updating the federal criminal code to better reflect the changing nature of the online underworld responsible for devastating cyber-attacks, along with increasing government research and introducing “safe harbor” liability protections for threat information shared in good faith.

These are basic principles that not only the business community, but elected leaders on both sides of the aisle and in both houses of Congress should be able to embrace. One group, however, has removed itself from the collaborative process: credit unions.

While a number of banking industry groups – including the American Bankers Association (ABA) and the Independent Community Bankers of America (ICBA) – are contributing members of the Merchant-Financial Cyber Partnership, credit unions have taken no part in the group’s activities. Instead, they seem to prefer poisoning the process by lobbing inaccurate and misleading statements that are in no way constructive to the process of bolstering payment security.

Credit unions continue to spread the false claim that retailers make no contribution to the costs incurred by data breaches. In a recent op-ed in The Hill, B. Dan Berger, CEO of the National Association of Federal Credit Unions, says this responsibility is thrust solely upon credit unions “often at great expense, without help or compensation from the breached entity.” He need only look no further than the terms his card issuers have negotiated with major card companies for proof that this is not the case. Merchants do indeed contribute to breach cleanup costs by contractual agreement. A small financial institution that provides its customers with MasterCard cards will receive payment from merchants to help with replacing any compromised cards.

One step that could be taken almost immediately to usher in safer electronic payments is the widespread American introduction of “chip-and-PIN” payment cards, known the world over as a safer alternative to magnetic stripe cards. But credit unions insist on standing in the way of this innovation. They ignore facts surrounding the greater protections “chip-and-PIN” cards provide their own customers including the Federal Reserve stating PINs can make payments up to 700 percent safer.

Read More

"For even more security, you'll be asked to enter a Personal Identification Number (PIN) for most merchant transactions."

Check out this video from the Navy Federal Credit Union

By Julian Hattem

The federal government is following through with President Obama’s call for new secure payment cards.

This month, the General Services Administration (GSA) will begin issuing new charge cards equipped with a microchip and requiring users enter a PIN number instead of a signature, it said.

Cards with those technologies are considered to be more secure than credit and debit cards with magnetic strips, which are much more common in the U.S. President Obama last October signed an executive order to transition all government credit cards and cards with people’s federal benefits — such as Social Security payments — to use the technology, in an effort to avoid identity theft.

By making the switch, the government “is quickly and efficiently providing greater security and even more value to the payment products and services we offer our government agency customers,” GSA federal acquisition services Commissioner Tom Sharpe said in a statement.

The new chip-enabled cards issued by GSA this January will be used by more than 350 agencies, organizations and tribal governments for purchases, travel and other purposes. More than one million new cards are expected to be issued this year.

Retailer companies have long pushed for financial services companies to switch to the new chip technology in combination with a PIN number. The calls have only mounted amid recent high profile data breaches at JPMorgan Chase, Target and other businesses in recent months.

“It’s time U.S. banks and card issuers follow the lead of the federal government, put aside excuses and quit dragging their feet on credit card security,” Andrew Szente, the Retail Industry Leaders Association vice president for government affairs, said in a statement. The trade group counts Target, Walmart and Whole Foods among its members.

Retail companies are still rolling out machines that accept the new chip and PIN cards, though old machines will still work with the new cards. Starting in October, businesses that have not upgraded their systems to accept the chip cards may be held liable in the event of a breach.

Read More

By Lydia Wheeler

On the heels of President Obama’s call for stronger cybersecurity protections on Monday, Sen. Mark Warner, (D-Va.) called on regulators to force banks to issue chip-and-PIN debit and credit cards to better protect American consumers from data breaches.

“The President’s measure takes strong steps towards ensuring cards used by the federal government have enhanced security authentication measures,” he said in a letter to Janet Yellen, chair of the Federal Reserve System; Martin Gruenberg, chair of the Federal Deposit Insurance Corp.; Thomas Curry, comptroller of the currency; and Richard Cordray, director of the Consumer Financial Bureau on Monday.

“I have concerns, however, that as merchants spend billions of dollars this year to upgrade their infrastructure to accept chip-and-PIN enabled cards, there is an insufficient emphasis being placed by federal banking regulators on ensuring a meaningful improvement in consumer safety with the corresponding issuance of chip-and-PIN debit and credit cards in the private sector. “

He asked why the financial institutions these regulators oversee continue to issue chip-and-signature cards when better anti-fraud technology and authentication measures exist.

The Retail Industry Leaders Association RILA) applauded President Obama for focusing on cyber and data security. Among the legislation unveiled Monday was the Personal Data Notification and Protection Act, a bill that would require all corporations to notify consumers within a month if their personal information had been exposed in a data breach.

“Retailers have demonstrated a commitment to working with policymakers to enhance cybersecurity, carefully steward customer data and strengthen consumer trust,” RILA President Sandy Kennedy said in a statement.

“We encourage all policymakers to recognize the importance of prioritizing the collaboration and flexibility needed to promote retail innovation.”

By Cory Bennett

The retail and financial sector are at odds again over who foots the bill following a data breach.

Major retail associations on Thursday attacked the credit union industry for waging a dishonest public campaign about the losses credit unions incur as a result of data breaches.

The retailers pointed to some internal documents at a major credit union trade group that didn’t mention data breaches as a possible source of financial losses in 2014 and 2015.

“Perhaps because the authors know that merchants pay most of those costs,” the retailers said in an open letter.

The omission doesn't dovetail with financial institutions' public statements, they argued.

“Seriously?” replied Jim Nussle, CEO of the Credit Union National Association (CUNA). The retailers’ conclusions are “a perverse and misguided interpretation” of the group’s internal documents, he added.

As data breaches — and the resulting fallout costs — have skyrocketed in 2014, industry groups have taken sides over who is responsible when customer data gets exposed.

Banks and credit unions insist they should be compensated for the costs of reimbursing fraudulent charges and reissuing credit and debit cards. Retailers argue they too are victims, and run up huge bills in the wake of a breach.

The argument has spilled into the courts. Major U.S. banks are suing Target, which lost 40 million customers’ payment card data as a result of a cyberattack.

“Data breaches at merchant locations have cost credit unions at least $90 million this year,” Nussle said. “In the case of the Target breach ... credit unions have yet to see any reimbursements from that retailer as a result of the violation.”

Retailers disagree. Studies show that following a data breach, costs are “borne almost equally among retailers and card-issuing institutions,” they argued in their memo. Many merchants also have agreements with card networks requiring retailers to compensate card holders for a certain percentage of any fraudulent charges.

Such statements are merely attempts “to help merchants dodge responsibility for the losses they cause when they fail to secure consumer’s private data,” Nussle said. “The leaps made in the document are, to us, a curious threat to any perception of reality.”

And so the battle continues.

By Sandy Kennedy

When it comes to consumer data breaches, everyone would acknowledge that 2014 was a difficult year. Major institutions both financial and retail were targeted with malicious cyber-attacks, and more than 80 million J.P. Morgan Chase accountholders had their personal information exposed in a single hack. Unfortunately, it came as little surprise when a Wall Street Journal/NBC News poll released at the end of the year found that just under half of all Americans had received notice of a breach compromising their data.
In the face of these cyber-attacks, retailers are committed to fostering and enhancing customer trust. The Retail Industry Leaders Association (RILA) is working with Congress to provide assistance and ensure merchants have the partners and tools to fight a growing and sophisticated enemy and protect Americans.

The time is right for Congress to pass legislation that enacts a single, preemptive national data breach notification standard. So far, 47 individual states have such laws on the books to protect breach victims. While these state efforts are admirable, federal legislation would go a long way toward clearing up regulatory confusion for businesses and financial institutions that operate across state lines. At a hearing of the U.S. House Subcommittee on Commerce, Manufacturing and Trade recently, Brian Dodge of RILA told Members that a federal standard would provide “a clear set of expectations” for consumers across the country.
And in his State of the Union address, President Obama asked Congress for comprehensive legislation to fight the growing threat of cyber-crime. As this legislation continues to take shape, America’s retailers support bipartisan efforts to make streamlined breach notification standards a top priority for this Congress.

The President specifically called for greater integration of intelligence in the face of online enemies, comparing this fight to the War on Terror. As attacks from state actors, cybercriminals and hacktivists increasingly target American businesses and financial institutions with more sophistication than ever before, U.S. retailers have been working to bring our industry and partners in government closer together to facilitate just the sort of integration the President is pursuing.

That is exactly what the RILA had in mind when we set up the Retail Cyber Intelligence Sharing Center (R-CISC) last year. Working with more than 50 major American retailers, along with security experts and federal law enforcement agencies, we organized the first retail Information Sharing Analysis Center (ISAC). The R-CISC is the cybersecurity resource for the industry, providing a conduit for information and best practices available for merchants large and small.

Acquiring and analyzing cyber-threat information is only part of the battle, however. It is also imperative to protect consumer data at the point of transaction itself. Here, too, government and retailers are leading by example.
The President recently announced the federal government’s latest progress in the shift to “chip-and-PIN” cards as their new standard. This is welcome news, as these cards use an embedded microchip to store information as opposed to the outdated magnetic stripe. They also require a personal identification number (PIN) for extra verification, making purchases even more secure, as virtually every other G-20 nation issues “chip-and-PIN” cards and these cards have proven to substantially reduce fraud.

Read More

By Paula Rosenblum

Cybersecurity is on everyone’s mind.

According to a report from IBM, more than 61 million data records were stolen through cyberattacks in 2014. Despite high profile attacks on the financial services industry, iCloud accounts, and the recent Sony data hack, the retail and wholesale industries were the most frequent targets.

While theft of customer information through cyberattacks is an important issue, there’s no doubt that the theft of credit card data gathered in in-store Point of Sale (POS) transactions are most critical.

Shoppers shrug off many of those thefts, but others, like the Target attack in 2013 created real problems for retailers, banks and consumers alike. Shoppers went to check-out lanes during the 2013 holiday season only to discover they had newly imposed debit card spending limits because their cards were part of the breach.

To quote a Customer Service Notice on top-five bank Chase’s web site:

Customers whose Chase debit cards or Chase Liquid Cards are at risk from the Target breach will experience temporarily reduced limits on ATM cash withdrawals and purchases until we can replace their cards. To minimize inconvenience to our customers we raisedthose reduced limits today to $250 at ATMs and $1000 in purchases per day in the United States. We may continue to change these limits if we think it makes sense, so please check chase.com for updates.

The timing of imposing those limits, in mid-December 2013, was enough to put a serious damper on shoppers’ holiday seasons. Pundits and customers alike called for a change in the way credit cards are processed in the United States.

The change seems pretty straight-forward: a move to a global standard, called EMV (Europay, MasterCard and Visa), or more commonly “Chip-and-PIN.” As early as 2010, EMV had reduced in-store data theft and fraud in the UK by 69 percent, according to a paper written by Douglas King for the Federal Reserve Bank of Atlanta. That’s a significant number, certainly significant enough to warrant serious consideration by both banks and retailers in the US.

Read More

By Cory Bennett

The spat between retailers and banks over who foots the bill and bears the responsibility following a data breach is ramping up heading into 2015.

A group of retail trade groups on Monday fought back against what they call a misleading survey from the Independent Community Bankers of America (ICBA), which alleged banks are shelling out millions of dollars because retailers can’t secure their networks.

With little legal framework to govern retail data breaches, merchants and banks have spent 2014 bickering about who is at fault in the wake of an attack.

Retailers argue that they are victims of malicious attacks and are rapidly improving their security. They are calling on banks to quickly adopt the chip-enabled cards, a more secure technology than the current magnetic strip. Banks counter that they are moving toward chip technology, but that it’s ineffective because of poor security standards by retailers.

The ICBA survey, released Dec. 18, said community banks had to reissue nearly 7.5 million credit and debit cards at a cost of $90 million in the wake of the massive Home Depot data breach, which exposed 56 million customers’ information.

“We continue to advocate that the costs associated with data breaches be borne by the party that experiences the breach,” ICBA Chairman John Buhrmaster said at the time. “Communities and customers should not suffer for the faults of retailers.”

This statement, and survey in general, contained “inaccuracies and misrepresentations,” said the group of retailers, which included the Retail Industry Leaders Association, the National Retail Federation and the National Restaurant Association.

Read More

By Sandra Kennedy

The millions of Americans who use credit and debit cards have a lot to look forward to in 2015. America’s retailers are leading the way toward greater payment security and more protections for consumers. Together with our partners including government, we are working to stop cyber-criminals and protect the personal information of customers.

In less than a year’s time, retailers hope to have “chip-and-PIN” card readers up and running in stores from coast to coast. If financial institutions also migrate to this technology on the payment cards they issue, we will be able to work together to achieve widespread introduction of vastly more secure “chip-and-PIN” cards into the United States.

In leading the migration, retailers are helping guide the country into the 21st Century. When the average American swipes the magnetic stripe of their credit or debit card at a payment kiosk, they may not know that they are using technology that banks have barely changed since the 1960s.

Cybercriminals, however, are only too aware of this fact. A recent report by Trend Micro found that the United States had more point-of-sale technology breaches than anywhere else in the world and magnetic stripe cards were specifically identified as the likely cause.

“Chip-and-PIN,” on the other hand, uses a more secure embedded microchip to store customer information and an individual personal identification number, or PIN, for each cardholder. Use of a PIN adds another level of security, many times more secure than other methods such as the “chip-and-signature” cards the financial institutions are issuing to customers. A cybercriminal can easily forge your signature, but they would have a much more difficult time figuring out your PIN. Many consumers already use PINs with their debit cards and a Federal Reserve study of debit card transactions found that those made using PINs were up to 700 percent more secure.

Much of the world is already aware of the benefits of “chip-and-PIN.” The United States is the one of the last remaining nations in the G 20 where magnetic stripe cards are still the norm. “Chip-and-PIN” cards have been helping cut fraud in other countries for years now. In fact, when a U.S.-based retailer with stores in Canada faced a data breach earlier this year, customers at Canadian locations remained largely unaffected. Toronto-Dominion Bank suggested a significant reason for this was our northern neighbor’s pervasive use of “chip-and-PIN” cards.

The Fed has already estimated that the United States could see a drop in fraud by as much as 40 percent once “chip-and-PIN” is adopted on our shores. The federal government is even joining retailers as “early adopters” of this technology. Starting next year, “chip-and-PIN” will become the new standard for government payment programs and readers for the new cards will begin appearing in government offices.

Along with the government, many different sectors of the business community are coming together to ensure a smooth transition. The Merchant Financial Cyber Partnership, made up of 250 executives from the retail, banking, hospitality, restaurant and other industries, released a comprehensive plan earlier this month to help chart the way forward for more secure technology for our customers.

Read More