Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

« Call Center Phone Fraud: Are You Really Who You Say You Are? | Main | The Mythical End State of Security »

February 10, 2014

Chip-and-PIN, or Chip-and-Choice?

If the comments that legislators and industry representatives made at the recent congressional hearings on data breaches were any indication, any card issuer advocating or adopting a chip-and-signature approach to EMV smartcard implementation would appear to be incautious. Unquestionably, chip-and-PIN is more secure than chip-and-signature because it represents two forms of authentication—something you have (the card) and something you know (the PIN). However, chip-and-signature could be a reasonable first step in that it would generate less friction for the consumer, merchant, and card issuer. Let me explain why.

Most consumers don't know their credit card PINs
Although most people know their debit card PINs—you need one to use an ATM—few U.S. consumers know their credit card PINs. Various studies place consumers' knowledge of their credit card PINs in the 5 to 10 percent range. It would therefore be an educational as well as logistical effort to get consumers to begin using their credit card PINs if the industry moved to a chip-and-PIN-only environment.

Merchants would incur a big expense for the equipment
Only about 25 percent of the 8 million POS terminals operating in the United States are equipped with a PIN pad, according to data provided to the Federal Reserve. Before Regulation II, merchants had a financial incentive to encourage PIN-based debit transactions because the interchange rate was lower than for credit card transactions. However, Reg II eliminated this differential. (This despite the fact that PIN debit transactions have less than one-third of the fraud loss rate of signature debit transactions, according to the 2013 Fed Payments Study Summary.) Although a representative of the National Retail Federation endorsed a chip-and-PIN-only strategy at a congressional hearing, it's difficult to know if merchants will want to make the additional investment required to equip, program, and maintain their POS systems to support PIN transactions. Most merchants have not yet taken this step, so what has changed?

Customer experience would change
A PIN-based transaction, with its single-message authorization and settlement process, creates problems for certain merchants—like car rental and lodging companies—that must run preauthorization transactions before the final amount of the transaction is determined. The separate authorization and settlement process provided by the dual-message format of a signature-based transaction is more conducive to the business needs of these merchant segments. Are fine dining restaurants going to install the even more expensive mobile payment terminals so customers can pay at the table as they currently do? Or will they require the customer to go to a checkout and pay there? These merchants especially will have to consider the impact on their customer experience.

Backup method needed
With debit cards now, a signature authentication can be a backup method of acceptance. But in a chip-and-PIN environment, how high will the rate of incomplete transactions be when cardholders can't remember their PINs and they have no other method of payment?

As with any change, there are a number of positives and negatives to be considered. To avoid unintended consequences, we at Portals and Rails believe that issuers, merchants, and consumer groups should carefully evaluate all the issues to determine the best way to migrate to EMV payment cards. What do you think—chip-and-PIN only or chip-and-choice?

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 10, 2014 in chip-and-pin, data security, debit cards, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73d743754970d

Listed below are links to blogs that reference Chip-and-PIN, or Chip-and-Choice?:

Comments

All issuers should support a well communicated and simple PIN change process (IVR, ATM or inbranch for example) for EMV cards. If cards are activated through an IVR; PIN selection could be added to the process. Cards can also be issued with unassigned PINs (the PIN is not sent to the cardholder) where the cardholder is forced to select a PIN; this process may encourage cardholders to proactively select a PIN they can remember. Re-issued cards can support PIN continuity (same PIN as previous card).

Support for PIN as the only permitted CVM will be more successful if ALL the card associations follow this practice. If one or more of them allow for signature CVM then cardholders may select the signature card and not bother to learn/select a PIN for the PINned card. This in turn leads to an uneven playing field and all chip cards may eventually revert to signature cards which would certainly be a step backwards.

As long as fallback to magstripe is supported, any cardholder that forgets their PIN can usually have the terminal revert to mag stripe (at least in Canada) by inserting the card backwards (you may have to do this three times). The terminal will attempt to read the chip (but can't because there is plastic where a chip should be) then ask for a mag stripe read while ignoring the service code (chip on board) info.

Posted by: M Ryan | February 11, 2014 at 12:49 PM

Your points are all valid, but I'd like to comment.

You are correct that most consumers don't know their credit card PINs and this would be a learning experience. Some POS application developers are putting in "PIN Bypass" functionality for this reason, although I believe that defeats the purpose of allowing the issuer to prefer PIN.

Merchants will incure some expense for migrating to EMV, but most EMV Card Readers are built into PIN pads, so with or without PIN, the expense is the same.

PIN based Credit transactions will continue to be dual message. PIN Debit transaction sre single message because they are "full financial" transactions that don't require a separate message.

EMV works perfectly fine with Hotels in the rest of the world, with incremental transactions after the original with PIN.

Yes, in Canada and Europe it is common for the customer to pay at the table with a wireless terminal. This supports the philosophy of "not handing your card to a stranger" that was promoted in those countries to support the implementation of EMV.

Yes, there will be a period of adjustment, perhaps painful - but not really much different than when PIN Debit at the POS was first introduced, just a larger scale.

Unfortunately, the more secure a process is, the less convenient it is. The U.S. has chosen convenience in the past, and we are seeing the repercussions of that approach.

Posted by: Allen Friedman | February 10, 2014 at 02:13 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in