The US payments industry should reconsider the value of PCI compliance guidance in the light of increasingly sophisticated skimming attacks and instead consider mitigating risk by moving to chip and PIN, according to a Federal Reserve Bank of Atlanta staffer.
In a post on the Atlanta Fed's Portals and Rails blog, Cindy Merritt, assistant director of the retail payments risk forum, calls into question the value of Payment Card Industry (PCI) data security council guidelines in a mag-stripe country.
Merritt says the number of card data breaches in the States continues to rise, highlighting the recent problems at retailer Michaels, where around 90 of its PIN pads around the country have been tampered with, leaving customer card details at risk.
Although the PCI council has developed guidelines for retailers like Michaels to protect card readers against skimming, these are often necessary precisely because cards are mag-stripe instead of the more secure chip-and-PIN technology used in other countries.
Says Merritt: "As schemes become increasingly sophisticated, however, these guidelines will likely be less and less effective - a possibility that should give the industry pause to reconsider the value of PCI compliance guidance in light of risk mitigation alternatives, such as a migration to chip-and-pin card technology."
She acknowledges that a US migration to EMV would be difficult and expensive because of the large number of card networks, issuers and merchants involved. However, with so many countries, including most of Europe and Canada, making the switch, crooks are expected to concentrate on the US, pushing up skimming-related losses.
Merritt's concerns echo those of her colleague Richard Oliver, who last year also used the Portals and Rails blog to warn that the US is being left isolated by its reliance on mag-stripe cards while the rest of the world moves to the more secure chip.
Momentum does appear to be building for chip and PIN migration, with retailers, led by giant Wal-Mart, calling for its introduction and the US Department of Defense considering adding EMV-compliant pre-paid payment capabilities to its ID card for military personnel and staff.