PINDROP BLOG

Senator Asks FTC to Examine Issues With Chip Card Rollout

A Senator from Illinois is asking the Federal Trade Commission to look into problems and delays in the process for certifying chip-card payment software systems and whether the group of six global payment networks that controls the process is causing those delays intentionally for financial reasons.

Sen. Dick Durbin (D-Ill.) sent a letter to Edith Ramirez, chair of the FTC, asking the commission to look at these problems, while at the same time sending a rather harsh letter to director of operations at EMVCo, the group that controls standards for chip-based card systems. In that document, Durbin expresses many concerns about the way the organization is set up and how it handles certification for chip-card payment systems. EMVCo comprises six large payment networks, including American Express, Visa, and MasterCard, and sets standards for secure payment transactions on various networks.

Durbin said in his letter to the group that problems with the rollout of chip-card payments in the United States, such as very low adoption of chip-and-PIN for verification, were predictable and avoidable.

“For example,many merchants that have purchased EMV card reader technology have been unable to use it because of backlogs in the EMV software certification process. Also, many consumers have been discouraged from using EMV cards because of the long amount of time the transactions take at the retail counter,” Durbin’s letter says.

“These were predictable problems but it appears that these problems either were not recognized or or were not viewed as a problem by EMVCo and its controlling networks.”

“Customers are forced to continue using fraud-prone magnetic stripe technology.”

The rollout of chip-based cards in the U.S. is not yet a year old, but, as Durbin says in his letter, “has caused chaos”. Attackers have used the transition to ramp up fraud operations in other areas, and many retailers have not been able to implement the PIN portion of chip-and-PIN for various reasons, to they’re still having consumers sign receipts for verification. That’s a much less secure option than using a PIN, and it has led to conflicts between retailers and payment networks. Walmart sued Visa last week over the issue, claiming that Visa refuses to allow PIN verification because signature-based transactions automatically go through Visa’s network, generating transactions fees for the company.

EMVCo controls the process for certifying chip-card software systems, and in his letter to Ramirez of the FTC, Durbin says small-and-medium businesses are taking a financial hit as a result of delays in that certification process.

“For example, I recently heard from a grocery chain with stores in Illinois and several other states that has spent an estimated $385,000 purchasing 770 upgraded card readers at a price of $500 each, but that has been unable to use the equipment due to repeated delays in obtaining certification.  As a result, customers are forced to continue using fraud-prone magnetic stripe technology for their card transactions while the chip readers remain idle,” Durbin’s letter says.

“The certification process can last for months, yet some of the technical requirements were not even made available until shortly before the October 2015 shift to EMV technology.  Payment processors and other providers have been slow to conduct certifications for small- and medium-sized merchants; so far only a fraction of merchants who have sought certifications have been able to obtain them, and the merchants who have been stuck in the certification queue are at increased risk of being victimized by fraud because of their inability to use their chip readers.”

Durbin asked the FTC for information on whether the commission has investigated several issues around EMV, including the certification process, how many merchants haven’t been able to get certified because of delays, and the roles that various groups play in the certification process, including EMVCo, card networks, financial institutions, and payment processors.

“I am concerned that problems and delays in the certification process are imposing costly burdens on small- and medium-sized businesses and leaving consumers’ card transactions vulnerable to fraud.  I urge the FTC to examine how flaws and delays in the certification process can be addressed so that businesses and consumers can be better protected from these harms,” Durbin said in his letter to Ramirez.

Durbin asked that the FTC respond to his questions within in 30 days.

Webinar: Call Center Fraud Vectors & Fraudsters Analyzed