State Attorneys General Fire Shot Across the Bow at Major Payment Card Brands Over “Chip and PIN” Technology

by Ropes & Gray LLP

For well over a decade, U.S. regulators have been taking enforcement action against merchants and payment processors that, in the regulators’ view, failed to take “reasonable and appropriate” steps to secure payment card information in their possession from the risk of unauthorized access by third-party criminals. No significant public regulatory pressure, however, was brought to bear on a key feature of the U.S. payment card system that incentivized criminals to steal that payment card information in the first place: the major payment card brands’ failure to implement so-called “chip-and-PIN” technology that can substantially reduce criminals’ ability to fraudulently use stolen payment card data. 

This regulatory tolerance of the card brands’ inaction may be waning. On November 16, 2015, Attorneys General from eight states (the “Attorneys General”) sent a letter to leading payment card brands and banks that issue payment cards urging them to expedite the implementation of “chip-and-PIN” technology in the United States. Although the card brands and issuing banks have recently taken steps to promote the use of “chip-and-signature” cards, they did so only long after other developed countries had implemented chip technology. Moreover, the new “chip-and-signature” cards in the U.S., unlike the “chip-and-PIN” technology used abroad, are not designed to verify both the card and the individual using it. The Attorneys General argue that “there is no doubt” that chip-and-signature “is a less secure standard, since signatures can easily be forged or copied or even ignored at the point-of-sale.” 

As the Attorneys General note, “chip-and-PIN” has long been widely used for payment card transactions in Europe and other regions. According to EMVCo, 1.62 billion “chip-and-PIN” payment cards and 23.8 million terminals were in use globally by the close of 2012. See “Continued Marked Adoption of EMV Technology,” EMVCo Newsletter, May 2013, available here. Within the United States, however, moves to adopt this technology have occurred much more slowly.

“Chip-and-PIN” requires the presence of both (1) a security chip embedded in the payment card that uses cryptography to protect payment card data; and (2) a user-selected personal identification number (“PIN”) input by the user. “Chip-and-signature,” by contrast, requires only the chip (and an easily forged signature). While the security chip provides enhanced protection against the use of counterfeit payment cards, it does not protect against the criminal use of cards that have been physically lost or stolen, among other things.

Both “chip-and-PIN” and “chip-and-signature” transactions require chip-enabled point-of-sale (“POS”) terminals. The payment card brands have recently taken steps to encourage installation by merchants of POS terminals capable of accepting chip cards. Prior to October 1, 2015, card-present counterfeit fraud losses—losses caused by the use of a counterfeit payment card—were typically borne by the payment card issuer to the extent they were not reimbursed by a merchant that suffered a data breach or the bank that sponsored such merchant’s participation in the payment system (known as an “acquiring” or “sponsoring” bank). As of October 1, 2015, if a merchant has not implemented chip-enabled point-of-sale technology, its acquiring bank must bear any card-present counterfeit fraud losses associated with use of a chip card at that merchant. The acquiring bank, in turn, may seek to hold the merchant responsible for such fraudulent transactions through its agreement with the merchant.

Additionally, payment card brands have recently implemented rules to incentivize merchants to transition to dual-interface, chip-enabled payment terminals by providing safe harbors from some liability in the event the merchant experiences a data breach. “Dual-interface” refers to payment terminals that can process chips both with and without direct contact with the chip. Those safe harbors may be available if the merchant, among other things, processes more than 95 percent of its card-present transactions with fully functional and operating chip-enabled terminals within designated periods of time. See MasterCard Security Rules and Procedures: Merchant Edition (July 31, 2014), at ¶ 10.2.5.4(b); Visa Global Compromised Account Recovery Guide: Visa Supplemental Requirements (January 2015), at 3. Additional requirements must be met, including that the merchant not have suffered a breach within the prior year.

The Attorneys General’s letter recognizes these advancements, but cautions that they are too little and too late. The letter takes the position that, because “chip-and-PIN” is a known, more effective implementation of chip technology for the protection of payment card data, and its adoption has proven to be feasible on a wide scale outside the U.S., the Attorneys General may consider the failure to adopt that implementation here unreasonable. The Attorneys General stopped short of suggesting that chip-and-PIN should actually be enshrined into law, noting they were sensitive to the concern that such enshrinement could pose risks to future innovation and/or give rise to incompatible technical requirements in different jurisdictions. But their letter cautions that the Attorneys General “cannot accept” the failure to implement chip-and-PIN in their jurisdictions, and that the card brands “can move more quickly to implement” it. The letter also draws a causal connection between recent major payment card breaches in the U.S. and the card brands’ failure to implement chip-and-PIN. The letter notes that hackers have been “exploiting our continued reliance on outdated and less secure magnetic-stripe payment cards,” and that the “U.S. has consistently accounted for about half of the global loss from fraudulent transactions, despite that it is responsible for only a quarter of total card payments.” In short, the letter makes clear the Attorneys General’s view that card brands and issuers “share in the responsibility for protecting the personal and financial information of their customers.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ropes & Gray LLP | Attorney Advertising
