Trade Group CEO Argues that Without PINs, EMV Won't Cut Fraud

Mark Horwedel, CEO of the Merchant Advisory Group, which represents 85 of the largest U.S. merchants, says retailers are committed to enhancing point-of-sale security as part of their EMV rollouts.

But unless U.S. card issuers deploy EMV-compliant chip cards that require PINs for transaction authentication, little progress will be made in fighting card fraud, he argues.

"The banks and the card networks, to a certain extent, have done their best to make the public think these [recent retailer] breaches are all about the merchant community," Horwedel says during this interview with Information Security Media Group. "But the card itself is highly susceptible to fraud, and that's really up to the banks to address."

While banks and credit unions are issuing EMV-compliant chip cards, many are making the mistake of rolling out those chip cards solely for signature-based transactions, not transactions that require PINs, Horwedel says.

"Without a PIN requirement, there is really nothing to stop lost and stolen card fraud," Horwedel says. "In all other parts of the world where they have EMV, they have either started out with PIN or have migrated to PIN."

In the U.S., many banking systems are not equipped to process credit transactions with a PIN, he says. So rather than making investments to enhance their systems to accommodate the use of PINs, banking institutions are keeping it simple at the expense of security, Horwedel contends.

"Visa and MasterCard in other parts of the world are huge advocates of using the PIN," he says. "But here [in the U.S.], the banks' argument is that customers are not accustomed to using PINs on all transactions at the merchant point of sale."

PINs Confuse Consumers?

Banking institutions argue that requiring the entry of a PIN for a credit transaction will confuse consumers, Horwedel says. "But I think the reality is that most banking systems can't handle both chip and PIN."

In a Dec. 29 letter, sent by a handful of U.S. merchant groups to the Independent Community Bankers of America, MAG and others outline merchants' commitment to advancing and enhancing payments security, Horwedel says.

Horwedel acknowledges that it's unlikely that banking institutions and merchants will come to agreement in 2015 about how EMV cards should be deployed.

In the wake of big-box merchant breaches, including Target and Home Depot, retailers and banking institutions have been at odds about who's to blame for counterfeit card fraud and why POS breaches occur.

Still, in spite of their differing opinions, merchants and card issuers are moving forward with EMV, which will be more prevalent by the end of this year, he predicts.

"The public awareness and concern over this should drive everyone to reach some better consensus about what we can do," Horwedel says. "But with just signature and not PINs, we aren't going to make a lot of progress."

During this interview, Horwedel also discusses:

Why specifications for tokenization in payments need to be established by an independent standards body, not the card brands;

How merchants pay for card fraud; and

Why enhanced cooperation and information sharing between merchants and banking institutions is going to take a long time to develop.

Horwedel has more than 30 years of experience in the payments industry. Before joining the Merchant Advisory Group, he served in a variety of roles, including CEO of Money Network, a PIN debit network, and director of payments at Walmart. Horwedel's accomplishments include pioneering shared ATM services, introducing PIN debit at the point of sale and successfully lobbying for the Durbin amendment to the Dodd-Frank Wall Street Reform Act.