As the deadline for implementation of EMV nears closer, and chip cards are starting to hit customer mailboxes, questions surrounding the conversion are growing louder. The most controversial being why the U.S. has chosen to implement chip and signature over chip and PIN (like most other countries that have made the switch). There has been a ton of speculation over the decision, so we’re taking a step back to explain the differences, their impact, and what it really means to not be implementing PIN verification.What’s the Difference?
All chip cards - PIN and signature - are already world’s more secure than their magnetic stripe counterparts, due to a microprocessor chip that stores encoded cardholder information and security credentials. This chip creates a dynamic transaction code each time it is used, which prevents hackers from cloning the cards, since the information stolen is basically rendered useless outside of that particular transaction.
Magnetic stripe data, as we explained in our post on how hackers steal card information, is static and can easily be skimmed and cloned onto another card to use for in-store purchases. Unfortunately, because full EMV adoption is expected to take several years, all chip cards will continue to be printed with magnetic stripes, to accommodate purchases at non-compliant merchants. This means there will still be the potential for that information to be stolen and cloned for the next several years, while merchants upgrade their POS systems.
The PIN and signature argument comes into play during the cardholder verification step. Cardholder PINs are encrypted and verified by the issuer before the transaction is allowed to take place, adding a second layer of security to chip cards. Signature verification is exactly what it sounds like - the customer signs the receipt and then a staff person at the merchant compares that signature to the one on the back of the card (much like what happens today with existing credit card purchases).
PIN is certainly most secure option of the three, but chip and signature is still widely acknowledged to be better than the current magnetic stripe card.
Lost and Stolen vs Counterfeit Fraud
The U.S. has seen sizable increases in the amount of counterfeit card fraud over the last several years, which, as we explained above, chip and signature can almost singlehandedly stop. That said, there is still a lot of discussion around why the U.S. is choosing to implement the signature, rather than PIN. Some believe that issuers are afraid of “back-of-wallet” behavior from consumers who aren’t familiar with using PINs, and others claim that the implementation cost is too high. What we do know is that the PIN is really most uniquely valuable in an environment where the original card has been lost or stolen, since it would then provide an extra layer of protection by preventing someone else from transacting on it. Lost and stolen fraud in the U.S. has decreased where counterfeit has increased, so there’s a reasonable argument over whether PINs are worth the extra effort to implement.
In addition, though lost and stolen fraud has decreased overall since chip and PIN implementation in the UK, the last couple of years have seen steady increases as hackers have adopted their methods to gain access to the coveted PIN data.
CP vs CNP Fraud
Another point to consider in the signature vs PIN argument is how each addresses card present vs card not present fraud, compared with the expected shift in transaction volume from each channel.
As we mentioned above, chip and signature takes care of a large percentage of counterfeit card fraud, which would fall under the card present category. Adding a PIN would still only be applicable in chasing down additional card present fraud - specifically from lost or stolen cards.
What’s unfortunate about chip card implementation altogether though, is that it hasn’t done much at all to stop card not present fraud - the type that occurs via ecommerce transactions. In every country that has adopted EMV, card not present fraud has increased substantially. In the UK specifically, card not present fraud increased for four straight years after EMV was implemented, and is still at higher levels than it was pre-EMV.
But what’s most important in the U.S.’s case is that card not present transactions are expected to grow at an annual rate of 15 percent, reaching more than 27 billion transactions in 2018. By comparison, card present transactions are expected to grow around 4 percent.
So, the question has to be asked - if the PIN is more or less useless in the fight against the fastest growing sector of payment transactions, and fastest growing fraud sector, is it worth implementing at all?
With less than three months to go until the liability shift, it’s important for all parties to get up to speed on the transition and what changes it will bring. To learn more about EMV adoption and what we can expect here in the U.S., download our whitepaper below: