-
Everyone agrees that electronic transactions should be as safe as possible, but a PIN mandate will not prevent online or mobile fraud.
May 24 -
Walmart and Visa have had a long and volatile relationship, and the retailer's latest lawsuit against the global card brand gives voice to a struggle that many other companies are too small to fight.
May 11 -
Within the past 12 months, one large retailer after another has fallen victim to a massive data breach. But at least the pilfered data is getting harder for thieves to monetize.
September 9
A recent American Banker
The post by the Electronic Payments Coalition seemed aimed at making readers believe that Visa — currently embroiled in a
Myth: PIN doesn't prevent online or mobile fraud.
That is flatly untrue. There are in-market e-commerce PIN solutions that prevent fraud for e-commerce as effectively as traditional brick-and-mortar stores' PIN verifications. Acculynk, for instance, sells such technology that is used by companies like Sears, LendUp and American Airlines.
Myth: PINs were compromised in the Target and Home Depot data breaches.
In both of those breaches, the PINs weren't compromised. Yes, the criminals involved obtained encrypted PINs. But they were unable to decrypt them, which means that any card requiring PIN was not compromised and banks did not need to reissue the cards. A data breach, such as the ones suffered at
Myth: Consumers are harmed more when PINs are compromised.
The EPC's Molly Wilkinson
It's unclear how this could happen, but I assume Wilkinson means that fraudsters would use the card and stolen PIN to withdraw cash from an ATM.
Not only is it hard to imagine this scenario, but it conceals the real issue. A PIN still provides a strong layer of protection — both from criminals using cards to make purchases or to access bank accounts — that a signature does not. If a PIN is not required at the point of sale, the thieves can buy merchandise with only the card. Whether the money is fraudulently withdrawn as cash or used to purchase merchandise (which is easily liquidated), the customer's funds are gone. That's less likely if the point of sale, like bank-owned ATMs, is secured with PIN verification.
Even Visa knows PIN provides enhanced security. Throughout the rest of the world, Visa has touted the benefits of PIN. In Canada, Visa told consumers, "Because your Personal Identification Number (PIN) replaces your signature, the transaction is more secure." In the United Kingdom, Visa said in a submission to the Australian Competition Commission that "the decline in Lost/Stolen and NRI [Not Received as Issued] fraud ... is considered by Visa to be substantially, if not entirely, attributable to mandatory PIN@POS."
The company cannot have it both ways.
Myth: American consumers cannot remember multiple PINs.
Wilkinson argues that American consumers carry, on average, four cards and shouldn't be asked to remember different PINs for all of these cards. But this is obfuscation in the shroud of consumer convenience.
First, I believe the EPC is selling American consumers short. Most people have numerous passwords and access codes, which they manage effectively.
Further, it's probably not necessary for a consumer to have different PINs on all of their payment cards. Indeed, consumers only have two thumbs to use for biometric authentication, and it's far easier to change a PIN than to change one's thumbprint.
Finally, while the Merchant Advisory Group staunchly supports the implementation of PIN on all cards in the United States, this dispute between Walmart and Visa is limited to debit cards. It is rare for people to have more than one debit card.
Myth: The chip alone is sufficient to verify the cardholder.
Wilkinson makes the claim that "the technology preventing fraud is the actual chip." At best, that is half true.
The chip authenticates the card. In other words, the chip allows the merchant and the bank to know that the card being presented is the authentic card, not a counterfeit. The chip does not and cannot authenticate the cardholder. Only something that is not contained on the card — i.e. something only the cardholder knows, like a PIN — can authenticate the cardholder.
In fact, consumers are most affected by the types of fraud that PIN would address, but that are not addressed by the dynamic elements on the chip. Indeed,
The card networks won't hear any of this, though, because it's not in their financial interests.
Visa and its issuers are letting profits get in the way of common sense security solutions. Merchants can see it. Consumers will see it too.
Mark Horwedel is the chief executive of Merchant Advisory Group.