Home Depot sues Visa, MasterCard over credit card security

Dive Brief:

A new federal lawsuit filed by home improvement retailer Home Depot alleges that credit card giants Visa and MasterCard are putting merchants at risk of cyberattack by employing security measures susceptible to fraud.
The suit, filed in the U.S. District Court in Atlanta, contends that Visa and MasterCard U.S. payment cards integrating EMV chip technology remain less secure than cards used in Europe and other regions because American payment processors still rely on customers' handwritten signatures for verification, rather than more secure Personal Identification Numbers, or PINs.
About 80 nations use cards with EMV chips, and most require a PIN rather than a signature, Home Depot said in the 138-page filing. "Requiring the user to enter a four-digit PIN [ensures] that the individual using the card is the card's owner," Home Depot explained. "Signatures can be copied or forged, and cashiers are not handwriting experts trained to identify forged signatures.”

Dive Insight:

Two years removed from a massive data breach that compromised more than 50 million customer credit and debit cards, Home Depot is going on the offensive to bolster security both in stores and on the web. Its suit against Visa and MasterCard argues that the absence of PIN requirements in the U.S. could lead to even greater fraud as shopper activity shifts to online transactions, where no physical card is presented.

Home Depot also alleges that Visa and MasterCard are conspiring to block adoption of more secure payment measures for financial gain. "For years, Visa and MasterCard have been more concerned with protecting their own inflated profits and their dominant market positions than with the security of payment cards used by American consumers and the health of the United States economy," Home Depot states in its lawsuit.

"Regardless of how the cardholder's identity is confirmed, the chip makes data much more secure, rendering it almost useless to create fraudulent cards or transactions,” a MasterCard spokesman said in a statement Wednesday, the Associated Press reports. Both MasterCard and Visa said they are still reviewing Home Depot’s claims, the report adds.

The Home Depot suit follows a month after Wal-Mart filed a similar suit against Visa that argues the retailer should be able to require customers to verify purchases with PINs rather than signatures when they pay using EMV-enabled debit cards. Wal-Mart alleges that Visa is requiring signatures because the payments provider earns five cents more per transaction when a signature is used.

"I'm not surprised to see these types of lawsuits. Merchants are incredibly frustrated because they're spending a ton of money and still not getting the safest, best solution,” Matt Schulz, senior industry analyst at CreditCards.com, said in an email to Retail Dive. "The truth is that chip and signature is a half-step, security-wise. It's less secure than chip and PIN simply because it's a whole lot easier to fake someone's signature than it is to know their PIN.”

This week Apple expanded its Apple Pay checkout technology to mobile and desktop websites, which could ultimately render moot many questions about physical card security. Apple Pay replaces PINs and signatures with Apple’s TouchID fingerprint sensor technology, promising improved security for merchants and consumers alike. "Just look for the Apple Pay button at checkout on many of your favorite shopping sites and complete your purchase with Touch ID on your iPhone or by using your Apple Watch," Apple explained in a press release. "Strong encryption protects all communication between your devices and Apple Pay servers."