Visa's Plan to Drop PINs Leaves Some Concerned About Security

Visa Inc.'s attempt to phase out the old, static PIN in favor of dynamic authentication is facing resistance – in particular because many are not convinced that the PIN is past its prime.

Visa is laying the groundwork for U.S. issuers and merchants to upgrade to the EMV Integrated Circuit Card Specifications used in other countries. But in a departure from nearly every other global market that has switched to EMV cards, which are commonly called chip-and-PIN for their most prominent security feature, Visa's plan excludes PINs.

Visa recently outlined a series of incentives and deadlines to urge U.S. merchants to accept chip-card payments. The other card networks have not signaled plans to follow Visa's lead, although they eventually did when Visa set similar deadlines in most other countries.

The San Francisco card network's chances of success "will depend on whether Visa has the market power to effect this widespread market change to chip transactions in the U.S., despite the fact that many players, from issuers to terminal manufacturers, have made a big investment in PIN-debit technology," says Mike Kutsch, a manager with the consulting firm Carlisle & Gallagher in Charlotte, N.C.

Visa has set Oct. 1, 2015 as the date when liability will shift from issuers to merchant acquirers if fraud occurs in a transaction that could have been prevented with a chip-enabled payment terminal.

Discover Financial Services, which owns the Pulse PIN-debit network, may not be eager to see PINs disappear or support a liability shift on chip cards.

"Discover has its own PIN-debit network, so it may not follow … Visa," Beth Robertson, director of payments research at Javelin Strategy & Research, says.

Discover, of River Woods, Ill., declined to comment on Visa's initiatives for this story.

EMV chips combat card counterfeiting by sending a dynamic code with each transaction. If that code is stolen, it cannot be used again to authorize a second transaction.

PINs, if stolen, can be reused easily. One such example is Michaels Stores Inc., which in May announced the discovery of a major debit PIN-pad breach affecting 90 payment terminals across 20 states where fraudsters stole debit card account numbers and PINs, which they used to get cash through ATMs from at least 100 customers' bank accounts.

While PINs were not effective at stopping counterfeit fraud in that incident, they serve a key role in helping to prevent first-party fraud, which occurs when a customer disputes a transaction, says Dave Lott, senior vice president with Speer & Associates of Atlanta.

"Most merchants prefer PIN-based debit transactions over signatures because it is very effective in minimizing charge-backs at the point of sale, and even issuers are likely to want to stick with PINs as a way of preventing fraud on lost debit cards," he says.

Dynamic authentication also does not block fraud on individual lost or stolen cards, says Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC.

"The challenge to eliminating PINs on chip cards, and why PINs are still useful, is the fact that if someone takes your wallet and gets your signature-only chip card, a criminal can use that card until the cardholder notices it's gone and calls it in," McNelley says.

There are "a variety of reasons" that merchants may insist on keeping PINs, Lott says. "PINs are widely viewed by merchants, issuers and consumers as important security factors and clearly PINs are still essential to card security everywhere else, including in Mexico and Canada, which quite recently adopted chip-and-PIN cards."

But Visa executives say the signature- and PIN-based authentication methods have largely outlived their usefulness in point of sale payment security. For several years, Visa has encouraged a "no signature required" process on debit and credit card transactions under $25.

"Over time, we want to use our smart network to help facilitate [authentication] at the point of sale or in e-commerce transactions so we're not creating any additional friction, burden or risk by providing an identifiable variable," says Eduardo Perez, head of Visa's global payments risk group.

"The online platform allows us to use our network with strong alerts, in real time if customers request it, to monitor and prevent fraud," Perez says.

Chip-and-PIN systems were created to authorize transactions more securely without a connection to the payments network, but for years "virtually all" U.S. point of sale card-network transactions are authorized online, he says.

Around the world "more [chip-and-PIN card] markets that were offline are moving online," which will eventually eliminate the need for PINs, Perez says.

The transition away from PINs may not be jarring for merchants and consumers because only 25% of U.S. merchant locations are equipped with PIN-debit terminals, Visa says. This undercuts the perception that PIN-based terminals are ubiquitous.

Lott disagrees, putting the estimate of U.S. merchants with PIN-based terminals at "about 30%." But even that figure "is a bit misleading," he says, because by some measures 70% to 80% of all U.S. debit transactions flow through large merchants that tend to be equipped with PIN-debit transactions.

Many retailers may resist the transition away from PINs because they recently invested in tamper-resistant PIN-pad payment terminals. Making that technology obsolete in less than five years may spark resistance, Lott says.

Merchants are certainly in support of a movement away from reliance on magnetic stripe and signature authentication, and "are hopeful that Visa's progressive announcement will begin a concerted move in that direction for the United States," Dodd Roberts, president of the Merchant Advisory Group, which counts the nation's largest merchants among its members, said in an emailed statement. "However, we feel that the use of PIN, as in the rest of the world, completes the security of EMV chip technology," Roberts said.

PIN-based debit networks likely will not be eager to eliminate PINs.

"We think that securing cardholder information with a PIN, whether it's on chip or magnetic-stripe cards, is the most secure method of authenticating a transaction, period," says Dan Kramer, senior vice president of marketing and merchant services for Shazam, an electronic funds transfer network based in Johnston, Iowa.

"There are networks that strongly advocate PIN verification at the terminal. As long as they continue to advocate PINs...[they] will be around for a long time," says Guy Berg, a consultant with Datacard Group, a division of global card manufacturer Datacard Corp.

For reprint and licensing requests for this article, click here.
Consumer banking
MORE FROM AMERICAN BANKER