"If we can envision a world where magstripe doesn't exist, Chip-and-PIN would virtually eliminate all counterfeit, lost and stolen fraud as well as almost 99 percent of PCI costs," said Mike Cook, Wal-Mart's VP and assistant treasurer. "So you no longer have to have your database encrypted. You no longer need to have the secure lines. You're no longer storing data that could be used by somebody else. The PCI costs become significant cost savings."
Panelists agreed that dynamic data is the key, suggesting that static data authentication (SDA) is inherently inferior to today's dynamic data authentication (DDA) chips.
"We should stop wasting money propping up and trying to secure the existing fraud-prone magstripe and signature system that exists in the U.S. today and move to two-factor authentication," Cook said, stressing what he did not want one of those factors to be. "I don't think there's anyone in this room who would believe that signature is an appropriate form of authentication. We haven't hired a handwriting expert at Wal-Mart in years."
Target's Marc Black, the chain's guest data security director, was asked what it would take before Target would start purchasing EMV-friendly POS units. "Part of that investment decision will be how terminal manufacturers incorporate smartcard readers in their products. We need a firm roadmap, so we can guide our investment. This is not the only new payment technology out there," he said, referring to near field communication (NFC), among others.
Wal-Mart's Cook added that retailers should also refrain from trying to cheap-out on the chip costs too much. "The PIN must be encrypted between the device and the card itself. That means we'll need slightly more costly chips to accept that encryption," he said. "We'll also need offline PIN authentication, so that whenever it is sent up for authorization—through our host, out to the acquirer—the validation of the PIN takes place at the point of sale, not that we have to transmit that PIN and expose it anywhere along the line, even if it is encrypted. Also, two-factor authentication."