NFC smartphones: The answer to retail hack attacks?
Recent massive data breaches at Target and Neiman Marcus have reignited a campaign by retailers to get U.S. consumers to carry “PIN and chip” credit and debit cards to replace the decades-old magnetic stripe cards used by 90 percent of Americans.
Such PIN and chip cards would do what dozens of newer-model smartphones with NFC chips are already doing while using payment apps like Google Wallet and Isis. So why isn’t the focus on promoting near-field communication smartphones instead of PIN and chip cards?
The answer is complicated and political, primarily because there are questions over who is liable for a data breach—the retailers or the financial institutions and their associated card processing companies such as Visa and MasterCard. It is also expensive to install point-of-sale (POS) terminals in millions of retail locations and at ATMs that can read chips on the newer contactless cards, as well an NFC signal from a smartphone.
It also doesn’t help that Apple hasn’t included NFC chips in its popular iPhones. “Apple’s refusal to integrate NFC functionality is a blatant roadblock [to better security], there’s no other way to put it,” said Yankee Group analyst Jordan McKee in an email to Computerworld on Friday. “If Apple continues to resist NFC, it will hamper the success of any initiative that has placed bets on NFC, but I don’t picture Apple staying away from NFC forever.”
Retailers endorse alternative
Earlier this week, the National Retail Federation, representing 12,000 retailers, sent a letter to congressional leaders expressing the NRF’s support for PIN and chip payment-card security, noting that such technology allows PINs to be encrypted unlike a magnetic stripe card. In the U.K., the technology has reduced fraud by 70 percent, the letter states.
The letter also suggested that U.S. banks should lead the adoption of PIN and chip cards for U.S. consumers, although the letter doesn’t detail how that should occur.
”It’s unclear to us that the card network members will move to a PIN and chip world,” said Mallory Duncan, general counsel at the NRF, in a telephone interview. “We are hopeful that the banks do the right thing and issue PIN and chip cards.”
Duncan said the NRF would support use of NFC smartphones for payments as well as new payment cards. “We are open to any technology to make the entire payment system more secure,” Duncan said. “The minimum of that would be PIN and chip, but we are aware of such capabilities in new smartphones that allow levels of encryption that are much higher and that might be preferable.”
PIN and chip cards have long been synonymous with Europay MasterCard Visa (EMV) smartcards, which major card processors have promoted around the globe under an EMV standard. The standard requires merchants by October 1, 2015, to accept liability for any fraudulent transactions that occur at non-EMV sales terminals effective October 1, 2015. The rule essentially means merchants must begin installing new point-of-sale terminals, which can cost several hundred dollars apiece.
Duncan said “there are many different views” on the way security works with EMV, which has meant the NRF won’t take a position on the EMV standard “until there is more clarification.”
Yankee analyst McKee said some payment card issuers have already begun the EMV rollout process in the U.S., but he conceded that EMV is not the magic bullet against fraud.
”I don’t believe EMV would have prevented breaches like at Target and Neiman, but it certainly would have lessened the impact significantly,” McKee said. “NFC-based payments on smartphones align very closely with EMV and would serve similar benefits [to PIN and chip cards]. Without question, chip-based payments, whether through a physical EMV card or an NFC-enabled smartphone, are considerably more secure than magnetic stripe transactions.”
Financial institutions urge scrutiny
Banks and credit unions have made it clear that what happened at Target and Neiman Marcus could not have been avoided entirely had there been widespread use of EMV in the U.S.
”We shouldn’t get hung up on a particular payment channel, whether it’s a chip on a card or in a phone or software or using barcodes at Starbucks,” said Michele Johnson, director of legislative affairs at the Credit Union National Association (CUNA). She said that before EMV smart cards can take hold in the U.S., there will probably be a need for a hybrid card with both a chip and a magnetic strip, so consumers can buy things at stores where smartcard terminals are not installed.
Updating consumer payment security will be “a very massive undertaking,” Johnson added. “It’s important to know that EMV would not have made that big of a difference at Target because a physical PIN and chip card doesn’t address online fraud where a card is not present.”
Rather than focus on a particular payment technology, the CUNA believes “there should be some level of responsibility for companies like Target [when there’s fraud] and we want to see a credit security framework. We would like Congress to look at merchants and their responsibility,” Johnson said.
McKee said the October 2015 EMV deadline will push wider adoption of NFC smartphones and payment terminals, although it’s clear that Americans are still wedded to their old magnetic-stripe credit cards given what has so far been limited use of mobile payment service Google Wallet and Isis.
The pathway to better consumer credit security is unclear, politically charged and will probably involve Congress stepping in to act in some way. “There will never be a silver bullet to prevent fraud,” McKee said. “Building a system so secure that it eliminates all fraud would render it unusable.”