Chip-and-PIN technology for credit cards has been used in most of the developed world for over a decade. In Europe, Canada and Australia, chip-and-PIN is the standard. The United States, however, has lagged behind in this department, opting only to require PIN with debit cards (and even that is optional).
But with chip cards being issued in the U.S. ahead of the October EMV liability shift, banks and retailers could mandate the extra line of defense that PIN provides credit card users—if they want to. However, the new chip cards will most likely not use the PIN technology for authentication, instead opting for less secure signature authentication.
Some analysts have speculated that banks do not want to move to chip-and-PIN because they consider chip cards to be such a big change that they did not want to complicate matter by requiring a PIN as well. Others insist that the retailers are afraid of inconveniencing customers by requiring them to do too much at the point-of-sale.
The idea that a four-digit PIN code would mean too much of a change for Americans has led to some in Europe mocking Americans for not being able to remember something Europeans take for granted in their everyday life—a four digit PIN code when going shopping. Indeed, neither argument really holds up; requiring consumers to do more when making a purchase may be a bit of an inconvenience at first, but once they get used to it—provided all banks and retailers require the PIN—they’ll adapt.
So, is the real reason the card industry in the U.S. is settling for signature authentication really that the change would be too grand for Americans to handle, or is there another reason? Are retailers really that worried that a changed consumer experience would affect sales due to customers not wanting to pay using a PIN? It really wouldn’t matter as long as all retailers faced the same issue. If a PIN code was required for all purchases in all stores it shouldn’t matter. Right?
Could the real reason instead be found on the banks’ table? According to Brian Dodge, executive vice president of the Retail Industry Leaders Association (RILA), which represents many of America’s leading retailers, the investment cost for adopting PIN authentication technology is greater than signature authentication. “Quite simply, issuing banks are unwilling to update systems to include PIN authentication, because doing so would cost them money,” Dodge said. “Given that today merchants cover fraud costs, banks are just not financially incentivized to reduce fraud. Instead, they boast that their investment in analytics that identify fraud patterns suffices. Merchants disagree.”
Liz Garner, vice president of the Merchant Advisory Group (MAG), a retail trade association that focuses on payments, stressed that if taking fraud out of the system is truly the ultimate goal, then any extra layer of security must be implemented. “Those types of two-factor authentication mechanisms like PINs should absolutely be enabled on every financial product or device that’s out there,” she said in a recent interview at the AFP Annual Conference
However, Garner does not necessarily believe that merchants should be required to ask for a PIN with every single credit card purchase. “The risk profile on a $2 cup of coffee is different than the risk profile on a big screen TV,” she said. “But at the end of the day, I may decide that I want two-factor authentication on that cup of coffee, and if a password or a PIN isn't enabled on the product, then I have no ability to ask for it.”
So again, it comes down to the issuers. Regardless of whether retailers want to use the PIN or not—they should have the option to do so. “The people who are issuing chip cards really need to have a PIN affiliated with it,” Garner said. “That way merchants can ask for two-factor authentication when it's appropriate in the marketplace.”