Not so, says Stephanie Ericksen, vice president of risk products at Visa, Inc. "We don't see a need for it, [as chip and PIN] will have a shorter shelf life," she said, noting that the company is moving to new technologies and innovation that look beyond EMV.
In short, it's a case of two high-ranking executives from two major organizations in the U.S. voicing two very different perspectives about the October fraud liability shift rules. Which begs the question of who is correct – either, neither or both?
Is a signature equal to a PIN when it comes to chip cards?
Revisiting European roots, context and lessons
EMV in its chip-and-PIN incarnation was designed for effective use in a predominantly offline card ecosystem (e.g., the U.K. at that time), enabling issuers to delegate authorisation authority to the chip without requiring an online authorisation from the issuer’s host system. In 2002, following years of growth in various fraud types, the U.K. card industry formally began its migration to the EMV chip coupled with PIN — seen then as the most effective approach.
The U.K. chip and PIN programme was ultimately regarded as an industry success, and it certainly achieved one of its objectives: reducing counterfeit and lost-and-stolen fraud numbers significantly. However, the U.K. migration was not without harsh lessons learned at the time and since:
- A credible industry business case was extremely difficult to develop due to varying approaches to risk appetite and management across the industry. Ultimately, the view was that there was enough of a case to move forward instead of doing nothing.
- Consideration of the downside of a protocol shift is a necessity. Mitigating certain fraud types (e.g., skimming/counterfeit) might incent criminals to focus on other fraud types (e.g., card not present or "CNP"). The solution might lead to a greater problem.
- A card scheme liability-shift mechanism (like the one beginning in October 2015 in the U.S.) is critical to drive appropriate and timely actions across the industry.
- ATMs — primary card-skimming enablers — should have been (or should be) one of the first channels to convert.
- Up-front agreement to prevent fallback to magnetic stripes is critical to drive desired behaviours, even though this is an extremely difficult proposition for merchants and consumers.
Approaching the POS precipice in the U.S.
Given these and other learnings from Europe, is chip and PIN a must in the U.S.? There are many factors to consider, not least of which is cost — financial, operational, customer, social and cultural.
Let's deal with cost first. It is widely established (e.g., in Europe and Australia) that implementing EMV chip is one of the most effective methods of reducing skimming/counterfeit fraud. The addition of the PIN element generally mitigates losses from lost/stolen card fraud.
The chart below provides perspective on the 2014 card fraud loss landscape in the U.S.
Counterfeit and CNP fraud predominate, though lost/stolen fraud is not insignificant. Bearing in mind that the U.S. is almost entirely an online authorisation ecosystem and chip and PIN was designed for a predominantly offline ecosystem, does it make sense to invest significantly to support offline PIN?
From a purely financial cost perspective, it makes sense to focus limited resources on the areas of greatest exposure and impact. So based on current experience and predictable outcomes, it appears that chip and signature would be the most balanced, cost-effective, immediate solution for skimming and counterfeit fraud.
This would also be a significant step toward rendering card data obtained from data breaches useless in geographies where EMV chip is the only acceptable form of face-to-face card payment. The caveat, however, is that as long as a magstripe exists on today’s payment cards, there is still a risk that this data can be used to commit fraud in online environments (though it must be noted that EMV in and of itself does not reduce CNP fraud risk).
"Too little, too late" for chip & PIN?
Another inquiry is whether the payments ecosystem has changed such that chip and PIN is no longer viable. Clearly, technology has changed dramatically since the early days of EMV. There are numerous fraud solutions that did not exist at the time that PIN-versus-signature decisions were being made outside the U.S., and their existence today significantly influences considerations that underpin such decisions.
An oft-cited justification for ignoring PIN is the argument that a large portion of the American population is unlikely to remember and use PINs. Experience does not support that argument — Americans have been successfully using PIN-based debit products for years.
Perhaps a less obvious but potentially important consideration is how chip and signature cards will be treated outside the U.S. — after all, chip-and-signature cards presented where chip-and-PIN cards are expected will cause friction.
So, is there a clear winner in this debate?
The position of Walmart’s Mike Cook that was referenced in the introduction of this article is both valid and unsurprising. A check-out staffer carrying the burden of signature authentication, for example, is unrealistic, and PIN helps to address this issue. And the company has already made the investment in a PIN-based strategy — something a number of competitors are not keen to do.
Bolstering the contrary position of Visa and other association stakeholders, there are other innovations being driven into the market in this space. While it will take considerable time for these to gain ubiquity, it makes sense to balance limited resources (i.e., industry investment) across these innovations with investment in today's tools for fraud and risk management — like EMV.
So perhaps both positions are somewhat correct and neither is completely correct.
Signature has long been a very poor form of authentication. But given the state of the U.S. market, implementing PIN where there are more advanced and effective methods of authentication makes less sense today than historically.