Chip & PIN tackles credit card fraud

The introduction of Chip and PIN is now spreading across Europe. Dutch retailers have been using a bank card PIN system for several years and in 2005 British retailers introduced this technology for credit card payment security. This has resulted in a drop in credit card fraud practices, but also challenged retailers in terms of meeting credit card compliancy, a quick and smooth rollout of the system and minimising investment costs.
Elsevier Food International, Vol. 11, Number 1, February 2008
 
For consumers in the UK it is hard to believe that just a couple of years ago only a signature was required when paying for groceries by credit card. Payment transactions are now authorised by entering a personal identification number, a secret numeric password known as a PIN. The introduction has had a great effect on combating credit card fraud in British retail. Fraud was cut by £150 million in the first two years. Now Chip and PIN is gradually being rolled out completely across Europe. France is one of the frontrunners, but in Italy only one per cent of cash machines has been upgraded for Chip and PIN processing. Europe as a whole is years behind in the adoption of this payment security system. APACS, the UK Payments Association, is lobbying in Europe to get the rest of the continent Chip and PIN enabled. As there are neither common standards in Europe nor a common platform, pan-European retailers, according to APACS, cannot develop a single Chip and PIN strategy. Therefore a country-by-country approach is needed. However, the good news is that many lessons can be learned from the Chip and PIN introduction in the British Isles.
 
Costs  The costs of introducing a Europay-MasterCard-Visa (EMV) Chip and PIN programme are impressive, as British retailers experienced. Grocers face technical changes in terms of upgrading or premature investments in card reader devices. They also have to get their electronic payment network and security set-up ready for the change and have to train their retail staff. Meeting compliancy is one thing. Once installed and validated, systems have to be updated according to the latest security requirements and standards. Being up-to-date will keep financial departments busy and raise demand for consultants that deliver expertise. So costs will not end with implementation alone. Some of these costs are not even technology related. For instance, customers need to be informed about the introduction of Chip and PIN. In a case study conducted in the UK on the High Street, it turned out that most consumers have taken the transition smoothly.
Acceptance was very high. Once the technology was rolled out, UK consumers became used to it and increasingly demanded to shop in this secured way. However, the case study also showed that a small number of customers, for multiple reasons, are unable to use Chip and PIN. One problem is that people cannot remember the code. Supermarkets have to put an effort into reaching this group and find a solution, especially during the transition phase.

Benefits  But Chip and PIN not only adds costs. Its smart technology also offers new possibilities and benefits to retailers. Most important and a major advantage is that chip cards provide increased security against counterfeit card fraud. With Chip and PIN, skimming the magnetic stripe and consequently cloning the card is a thing of the past, as is abuse of stolen cards, unless criminals know the PIN code. Of course this is primarily in the shopper’s interest but the retailer also benefits. A validated Europay-MasterCard-Visa (EMV)-chip and PIN transaction guarantees payment from the bank to the retailer that offers a more secure paying environment.

Those who fail to comply receive no money and will have to pay for the fraud themselves.
Chip and PIN can also increase efficiency at checkouts. Credit card handling time is reduced, which saves time at the POS. After entering the PIN, the authorisation process is computerised. The print is stubbed on the receipt and the transaction is completed with significant savings on the till roll as a result. The magnetic stripe and signature process in contrast is still partly paperwork and encompasses more steps. For instance, printing two receipts for retailer and client, handing over a pen to the customer to write the signature, followed by a visual check of the signature. Moreover, signed copies have to be stored for many years. By using Chip and PIN this is no longer necessary.
Entering the PIN and processing the card in validated equipment is vital to unique identification but the card’s embedded microchips have more sales potential. They may support future additional services such as loyalty schemes and electronic purse or commerce. These are new opportunities for retailers. Chip and PIN will also extend the possibilities of self-scanning and payment (see side bar about Tesco). Combating anonymous card fraud is already a reality in British supermarkets.
 
P.C.I. Compliancy  Retailers that introduce Chip and PIN have to meet Payment Card Industry (PCI) Data Security Standards. The PCI was created by major credit card companies to safeguard customer information. Visa, MasterCard, American Express, and other credit card associations mandate that merchants and service providers meet certain minimum standards of security when they store, process and transmit cardholder data. Complying with these standards means that merchants, payment processors and service providers must ensure their systems are secure.
 

The PCI Security Standards Council, an open global forum for account data protection, has developed a Standard Self-Assessment Questionnaire intended to assist, for instance, retailers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). This provides merchants and service providers with a single source of information. Recently, a list has been placed on www.pcisecuritystandards.org of PCI compliant PIN Entry Devices (PED)-equipment that can be used immediately by retailers. According to Bob Russo, general manager of the PCI Security Standards Council, this “will ease the burden on merchants” when meeting global credit card security standards.
According to Deloitte & Touche, compliance with the PCI’s Data Security Standard (DSS) does not have to be a difficult process. By taking a proactive approach, food retailers can better manage their validation effort, which saves money in the long run. A first important step therefore is to be aware of the weakest links in the company’s data systems. This enables retailers to better protect both company and customer data from potential security breaches.
Among the most common weaknesses that can hamper the payment card industry’s security efforts are insufficient security testing, poor configuration of operating system security and failure to encrypt or manage sensitive stored data (see box on page 67).

Easy?  Giesecke & Devrient GmbH, a specialist in payment (security) processing, is positive about the introduction of Chip and PIN across Europe. First of all, Chip and PIN procedures are already well known in many European countries such as France and Germany. Moreover, in many cases the equipment is ready for this challenge. The procedure requires card readers to be able to read the chip and enter the PIN. Modern payment terminals usually feature these functionalities. Hence, retailers who already made such investments do not need to refit their equipment. Paying technology is changing fast anyway. In addition to Chip and PIN, many retailers are currently considering investments into the acceptance of contactless payments at the point of sale, for example with mobile phones. Giesecke & Devrient does point out the different situation regarding card readers which are integrated in multifunctional cash terminals. These are typically used by giant store chains. In this case retailers should contact their banks in order to learn more about adapting these systems to the Chip and PIN procedure.

Plan, act  Changing to Chip and PIN is not (yet) compulsory. However, European retailers that take their time risk finding themselves in a logjam of retailers awaiting accreditation. In the UK, it turned out that lagging behind may result in more serious delay. During this time a retailer is left with the liability for card fraud and is an easy target for fraudsters. Retailers that are about to introduce Chip and PIN must realise that the migration process is complex. It is therefore better to start now than tomorrow. In the UK, major retailers piloted the paying technology in 2004, well before the implementation in 2005. A good plan may reduce efforts and costs to roll out the system. In this respect it is good to realise that experiences in the UK showed that it is not uncommon for implementation and accreditation procedures to take six months to finish.
Retailers with a high percentage of online sales need to be alert. They may become increasingly vulnerable to fraudulent credit card transactions in the future. As Chip and PIN progressively reduces fraud in retail stores, fraudsters will seek new hunting grounds. Buying over the Internet is one of these.


 

 

 
Published 30-10-2008 (09:58) by Ying Yuang
