Of Snake Oil, PINs and Breaches


Jason Kratovil is Vice President of Government Affairs for Payments at the Financial Services Roundtable

What would happen if there was a decades-old drug that was only effective for a very small number of patients, had potential bad side effects and was rapidly being eclipsed by more effective drugs, yet a vocal minority continued to push this drug as the cure-all, and wanted to require everyone to take it?

In all likelihood, no one would take this snake oil sales pitch seriously.

Yet, that’s exactly what’s happening in the echo chamber of Washington as a few merchant trade associations are working feverishly to convince policymakers that “Chip and PIN” is the panacea for preventing merchant data breaches and data security issues writ large. It’s a bunch of Gish Gallop: Just because they say it, doesn’t make it true.



Let’s weave together some non-fiction:

Card technology alone does not prevent merchant data breaches.

When a criminal robs a convenience store and runs off with all the cash from the register, do people blame the cash for allowing itself to be stolen? No. So you have to wonder about the logic that blames payment cards for retailers’ data breaches. It’s a remarkable logical fallacy.

In many of the recent high-profile data breaches, hackers gained access to point-of-sale terminals through compromised network security credentials (often at a merchant’s third-party vendor) and porous internal merchant systems that allowed the malware to work its way from entry points (like vendor payment portals) all the way to the checkout counter. From there, stolen data finds its way to the less virtuous parts of the Web, where the hackers attempt to sell the stolen payment card data. For the criminals who buy this information, it takes minimal investment to be able to create new, physical counterfeit cards which can be used to commit fraud. So it’s not surprising that…

…Counterfeit card fraud, which chips help prevent, accounts for many times more fraud than fraud from lost or stolen cards, which is the only thing PINs could address.

Think of fraud as a pie. According to data from Visa, the biggest slice — at about half of all fraud — is fraud resulting from online or other “card not present” situations. The next largest slice is from counterfeit card fraud at 33 percent. Having a chip on a card will dramatically reduce this number, as it is nearly impossible to duplicate a chip card. Fraud from lost or stolen cards accounts for just nine percent of fraud, and here’s something you may not know, which is …

…In almost every single case of lost or stolen fraud, merchants have zero financial liability.

MasterCard and Visa’s operating rules make this quite clear: the issuer is on the hook in almost every possible case of fraud resulting from a lost or stolen card. This is true whether there’s a chip on the card or not. Of course…

…Consumers have zero liability for any of these types of fraud.

Everyone knows this. Heck, even breached merchants tell affected customers to contact their bank because their bank will make them whole. Having that trusted relationship with consumers is something the financial industry is proud of, and is a motivating force behind much of the R&D our industry is doing to bring the next generation of dynamic authentication technologies to scale, which reminds me…

…PINs are static, and static data elements are not anyone’s vision of the future of security.

Retailer trade groups always fail to note a potentially unpleasant side effect of PIN usage: if compromised in a breach, PINs could give hackers direct access to funds in consumers’ checking accounts. After all, PINs are subject to compromise through criminal PIN skimming and other tactics.

[Cue tangent] Have you ever noticed that no matter how massive the merchant data breach, the initial media flurry lasts a relatively short period of time, diminishing to a trickle of “Worst Breaches of the Year” retrospectives?

I believe this happens because financial institutions are masters at catching and stopping fraud before consumers even see it, or in cases when fraud does hit a consumer’s account, making it painless to dispute the fraudulent charge and have it removed. With minimal to no consumer pain or frustration, the events don’t have long legs.

But imagine millions of Americans waking up to find their checking account balances drained because their PINs were exposed in a mass data compromise. That’s the nightmare scenario and it’s one of the reasons why payments innovators are abandoning static data elements, like passwords and PINs, and moving toward biometrics and other innovative ways to authenticate payments. [End tangent]

So what’s to be learned?

– In the same way you don’t treat an illness with expired or unsuitable drugs, you don’t solve modern data security challenges by applying or mandating yesterday’s technology, and you certainly don’t fix a problem by obfuscating the real cause.

– To fully address fraud and disincentivize hackers, payment card data needs to be rendered useless through technologies like EMV and tokenization. Static PINs flowing through point-of-sale systems create a target-rich environment for criminals, which is not helpful to anyone’s efforts to deter them.

– Using a PIN to authenticate a transaction only helps prevent fraud in the case of a lost or stolen card – which accounts for just nine percent of credit card fraud. And the great news is that neither retailers nor consumers feel that financial pain – only the institution that issued the compromised card.
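The distinction the three points above turn on, static data versus per-transaction dynamic data, is easy to see in code. The following is an added illustration, not code from the original post or from any card network: a toy issuer host that accepts a static PIN check and an EMV-style cryptogram check, then shows what happens when data captured at a compromised point of sale is replayed. The message layout, the HMAC-based cryptogram, the per-card key and the counter rule are simplifying assumptions; real EMV cryptograms also bind a terminal-supplied unpredictable number and use different key derivation.

```python
import hashlib
import hmac
import secrets

# Added example (not from the original post): why captured static data (a PIN)
# can be replayed for fraud while a per-transaction cryptogram cannot.
# The cryptogram construction below is a simplified assumption, not real EMV.


def make_cryptogram(key, pan, atc, amount_cents):
    """Per-transaction MAC over PAN, transaction counter and amount (toy layout)."""
    msg = f"{pan}|{atc}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class IssuerHost:
    """Simplified issuer authorization host (assumed design)."""

    def __init__(self):
        self.static_pins = {}   # PAN -> static PIN
        self.card_keys = {}     # PAN -> per-card MAC key
        self.last_atc = {}      # PAN -> highest Application Transaction Counter accepted

    def enroll(self, pan, pin):
        self.static_pins[pan] = pin
        self.card_keys[pan] = secrets.token_bytes(16)
        self.last_atc[pan] = 0
        return self.card_keys[pan]

    def authorize_static(self, pan, pin, amount_cents):
        # A static secret is the same on every transaction: whoever captured
        # (pan, pin) once can present it again for any amount.
        return hmac.compare_digest(self.static_pins.get(pan, ""), pin)

    def authorize_dynamic(self, pan, atc, amount_cents, cryptogram):
        key = self.card_keys.get(pan)
        if key is None:
            return False
        expected = make_cryptogram(key, pan, atc, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return False            # forged or altered transaction data
        if atc <= self.last_atc[pan]:
            return False            # counter must strictly increase: replay rejected
        self.last_atc[pan] = atc
        return True


class ChipCard:
    """The card-side secret never leaves the chip; only cryptograms do."""

    def __init__(self, pan, key):
        self.pan = pan
        self.key = key
        self.atc = 0

    def sign_transaction(self, amount_cents):
        self.atc += 1
        return self.atc, make_cryptogram(self.key, self.pan, self.atc, amount_cents)


def run_demo():
    issuer = IssuerHost()
    pan = "4111111111111111"        # constructed test PAN, not a real account
    card = ChipCard(pan, issuer.enroll(pan, "1234"))

    # Legitimate $25.99 purchase at a point of sale that malware is also watching.
    captured_pin = "1234"
    atc, cryptogram = card.sign_transaction(2599)
    results = {
        "legit_static": issuer.authorize_static(pan, captured_pin, 2599),
        "legit_dynamic": issuer.authorize_dynamic(pan, atc, 2599, cryptogram),
    }

    # Later, the captured data is presented again from a counterfeit card.
    results["replay_static"] = issuer.authorize_static(pan, captured_pin, 49900)
    results["replay_dynamic_same_txn"] = issuer.authorize_dynamic(pan, atc, 2599, cryptogram)
    results["replay_dynamic_new_amount"] = issuer.authorize_dynamic(pan, atc + 1, 49900, cryptogram)
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'APPROVED' if accepted else 'DECLINED'}")
```

Running it shows the static PIN replay approved for a new, larger amount, while both dynamic replays are declined: the first because the counter has already been consumed, the second because the cryptogram does not verify for the altered counter and amount. That is the concrete sense in which EMV renders captured data useless while a static PIN in the same data stream stays valuable.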

So while it’s nice of retailer trades to be so apparently concerned about the liability the financial industry has for lost or stolen card fraud in their advocacy for PINs, our members are content to keep innovating and looking forward, bringing to market the next generations of security measures to keep their customers safe.


Tags: , , , , , , , ,