In a recent op-ed, the National Retail Federation painted a pretty dire picture of the state of payments security.  What was shocking about the piece was that it didn’t represent any of the security developments of the last few years.  However, it did represent the dangerous perspective that merchants don’t have a role to play in implementing security technology.  The truth is, the electronic payments system is interdependent and while the financial services industry has spent billions of dollars developing new technologies, they can only be so effective if merchants refuse to adopt, or even acknowledge, those technologies.  As a result, I thought it would be helpful to describe some of the actual tools that exist today that can create a more secure payments system. 

The most visible change is the migration to EMV or chip cards, which you may have noticed on the front of your credit or debit card.  Chip cards bring more intelligent security to your credit and debit card by using a unique one-time code to authenticate card transactions. When in place, this technology makes it nearly impossible for a criminal to make fraudulent purchases in stores with a counterfeit card, thereby eliminating the largest portion of fraud in the United States.  However (and this will be a recurring theme) this only works if merchants activate the chip readers at the point of sale. Merchants’ own surveys show that almost 50 percent of merchants are choosing to not adopt the new technology. We applaud the merchants that do turn on their chip readers as they will not only protect consumers, they will also have minimalized their liability exposure if someone uses a lost, stolen or counterfeit card at their store. 

ADVERTISEMENT

EMV alone is far from a panacea.  Criminals are always looking for new ways to steal data and that’s why we didn’t stop there.  As we learned in the mega-breaches at Target and Home Depot, fraudsters are more interested in stealing massive databases of card information than individual cards and there are two technologies to help prevent that. 

The first is tokenization, which is not only in the market today but serves as the backbone of systems like Apple Pay and Android Pay.  Tokenization masks sensitive data with “tokens” that have no resemblance to the data they carry, which means that even if someone were to hack a retailers’ system they wouldn’t be able to access card information.  So why doesn’t everyone use tokenization?  This security function on many card readers are unfortunately switched off because they want to protect a proprietary product that still hasn’t come to market. 

The second way to protect data is point-to-point encryption, which is available from more than a dozen companies today.  Point-to-Point encryption cryptographically protects account data from the point where a merchant accepts the payment card to the secure point of decryption, thereby keeping criminals from accessing card data.  While the financial services industry can offer this, it’s up to merchants to implement it.

The third problem is basic security.  Laws like the Gramm–Leach–Bliley Act require financial services companies to maintain basic levels of security but merchants have repeatedly refused to accept these basic standards that would better protect customer data. 

Lastly, even if merchants fail to implement any of these safeguards, banks and card networks use network-based monitoring to evaluate hundreds of factors in every transaction, in milliseconds, and determine whether or not it is fraudulent. Merchants are increasingly relying on this monitoring so that they don’t have to require a PIN or a signature – approximately 50 percent of transactions work this way today – and can reduce the amount of time customers spend in line.  While NRF might want to argue that PIN is the only way to limit fraud, their members’ business decisions say otherwise. 

In the end, innovation is happening and it is enhancing the payment system millions of Americans use to complete purchases every day. The financial services industry is committed to driving this innovation forward, constantly looking for ways to keep customers’ information safe and secure. But, we can’t go it alone. We need merchant trade associations to stop trying to halt progress and instead work with us to help everyone – merchants, banks and networks to implement a new and better solution that will protect consumers and reduce data breaches.

Nussle is the president/CEO of the Credit Union National Association (CUNA).