PINDROP BLOG

Walmart Sues Visa Over Chip-and-PIN Security

In what may be a sign of things to come, Walmart, the world’s largest retailer, has filed a lawsuit against Visa USA over the payment card brand’s refusal to allow consumers to use PINs, rather than signatures, to verify their identities during transactions with chip cards.

The suit, filed this week in New York State Supreme Court, is very much a creation of the current climate in security and payment fraud. The chip-and-PIN protocol for payment cards has been in place in Europe–where it’s known as EMV–for several years, but only was rolled out in the United States in 2015. That transition is still ongoing, though many large retailers have completed the installation of payment terminals capable of accepting chip-enabled cards. Walmart is one of those chains, and the company says it wants to be able to have customers input PINs instead of sign receipts in addition to inserting the chip-enabled card into the terminal.

“Visa, however, believes that Walmart should be required to use the more fraud-prone mechanism of signature verification for certain debit card transactions, which in the case of a Visa-branded debit card would route debit card transactions across Visa’s debit network rather than competitor networks of Walmart’s choosing,” the suit says.

Chip-and-PIN cards are designed to help reduce fraud at the point of sale by using a chip embedded in the card to verify the card and then a PIN to authenticate the user. However, some of the retailers that have deployed the technology are not requiring PINs and are having customers still sign receipts instead. Walmart says in its suit that this practice negates the security advantages of the protocol and blames Visa for not allowing the company to require PINs.

“PIN verification is significantly more secure and less prone to fraud than signature verification.”

“PIN verification is significantly more secure and less prone to fraud than signature verification. Signatures can be forged or copied, and cashiers may forget to check the signature on a receipt or POS terminal to make sure it matches the signature on the back of the card,” the suite says.

But, deciding to use PINs rather than signatures for verification isn’t as simple as sending a memo to all of the company’s stores. There are two separate kinds of networks used to route debit card transactions: PIN transaction networks and signature transaction networks. The networks used for PIN transactions are mainly private and not affiliated with card brands such as Visa and MasterCard, though each of those brands owns a PIN network. Signature transactions, however, are sent over the specific brand’s network. And those networks, of course, have fees associated with them.

In its suit, Walmart cites data from the Federal Reserve Board from 2009 that shows that fees for signature transactions were $0.56 per transaction, while PIN transaction fees were $0.23 each. Walmart says that “the choice of signature as an authentication method operates as a de facto choice of network for routing purposes”, which also determines where the transaction fee goes.

“Visa has acknowledged in many other countries that chip-and-pin offer greater security,” Walmart spokesman Randy Hargrove said in a statement to Bloomberg. “Visa nevertheless has demanded that we allow fraud-prone signature verification for debit transactions in our U.S. stores because Visa stands to make more money processing those transactions.”