by Bill Snyder

A key security takeaway from Walmart’s chip-and-PIN suit against Visa

May 12, 2016
Consumer ElectronicsPayment SystemsSecurity

Walmart this week accused Visa of not doing everything it can to reduce fraud. The legal action won't likely see resolution soon, but it spotlights an important payment security safeguard consumers can apply immediately.

Payment card users can’t make financial services giants such as Visa behave themselves. When it comes to debit card security, however, they can use all of the features built into new chip-and-PIN cards to protect sensitive data — even if card companies don’t enforce the safeguards, according to Dimitri Sirota, a long-time security professional who founded BigID, which develops security software for financial services companies.

Walmart on Tuesday filed suit against Visa and charged the payment card provider with making it too easy for consumers to avoid some of the security features built into chip-and-PIN cards. Walmart’s suit relates specifically to Visa debit cards and does not involve chip-and-PIN credit cards, which are making a much slower transition into the U.S. market.

emv chip and pin Shutterstock

A credit card with EMV (for Europay, MasterCard and Visa) chip security.

Credit and debit cards with embedded chips are becoming more common in the United States, and they’re slowly replacing the old-style cards with familiar magnetic stripes. Europe and Canada have used chip-and-PIN cards for years, and the cards are generally known to be more secure. In fact, the cards have reduced fraud in the United Kingdom by about 75 percent since they were first introduced, according to Sirota.

Despite the implication of the name, chip-and-PIN cards can be configured to work without PINs. Although the embedded chips make the cards more secure than those with magnetic stripes, they’re even more secure when used along with PINs.

Walmart suit has far-reaching implications for other retailers

That’s the crux of Walmart’s lawsuit. The company says Visa forces it to give customers who use Visa-branded debit cards a choice between verifying purchases with PINs, or with signatures. The signature option invites fraud, according to Walmart. And because Visa debit cards are common, many other retailers are also likely forced to let consumers choose to use lesser payment security measures, Sirota says.

“PIN verification is much more secure than signature verification,” according to the lawsuit, which was filed in a New York state court. “It also enables Walmart to route transactions across PIN debit networks rather than signature debit networks, which saves Walmart (and its customers) money.”

Visa has not yet provided a comment on Walmart’s charges, but Sirota says its motivation in offering a signature verification option is clear: the company doesn’t want to lose the associated fees. The two companies have also collided before for similar reasons, fighting over the size of fees for transaction verification.

The moral of this story? If you have a choice between using a PIN or signature to verify your identity when making a purchase, do yourself a favor and choose the former option. Sure, it’s yet another number to memorize, but the extra security will be more than worth the trouble if it helps you avoid a migraine associated with payment card fraud.