By John Stewart
Just 45 days to go until the Oct. 1 deadline for EMV in the United States, and among the issues over which merchants are still wrangling with banks is whether EMV chip cards should be universally issued with PINs—credit cards as well as debit.
Merchant groups have aggressively pushed PINs for EMV ever since the card networks got serious four years ago about the conversion from mag-stripe to the chip card standard. But most U.S. financial institutions that have issued EMV credit cards so far have overwhelmingly done so with the signature authentication so familiar from decades of card swiping.
In fact, issuers are so entrenched in signature-card issuance that some experts see signature-based EMV credit cards as a fait accompli. “This train has left the station whether it’ll be PIN or signature,” says Nick Holland, a senior analyst at Javelin Strategy & Research, Pleasanton, Calif., who follows EMV.
Holland and other expert observers spoke to Digital Transactions for a story in the upcoming September issue of the magazine on the PIN vs. signature controversy.
But the issue won’t die, even with a crucial deadline only a month-and-a-half away. By card-network rules, merchants that aren’t prepared to accept EMV chip cards by Oct. 1 will assume liability for any counterfeit fraud (some networks add lost-and-stolen fraud) losses—losses that are currently borne by the issuer. And the issuer will continue to bear those losses if the card involved isn’t EMV-compliant.
Merchant groups are adamant that PINs are surer barriers to fraud than signatures, which a number of retail executives over the years have dismissed as “worthless.” Their latest ammunition comes from a survey of 84 IT decision makers conducted in May and June by staffing company Randstad Technologies and released last month. “Two-thirds of IT decision makers, including C-suite executives, believe that chip and signature does not offer credit card holders sufficient security, and that chip and PIN should be required,” says a release from NACS, convenience-store trade group, citing results from the Randstad survey.
Merchants see far less return on investment in EMV readers that will end up accepting only signature-based credit cards. “Retailers are investing billions to implement new chip-enabled card readers in stores nationwide. They’re asking banks and credit unions to meet that commitment by issuing new chip cards with PINs,” says the Retail Industry Leaders Association in a recent press release.
To be sure, some financial institutions have gone with something they refer to as “chip and choice,” an approach by which they support online PIN authentication as well as signature. State Employees Credit Union, the second largest credit union in the country, issues all of its EMV credit cards with PINs and allows its cardholders to authenticate with either the PIN or a signature. So far, less than one-half of 1% of all of SECU’s credit card transactions have been PIN-authenticated.
So, with merchants adamant about PINs for EMV, why are banks and credit unions mostly issuing signature-based credit cards? The reasons are manifold, but fall into three broad categories: consumer experience, return on investment, and processor capability.
Experts cite consumer familiarity with signature-based credit cards—along with a dearth of consumer education about EMV—as a prime reason issuers are sticking with signature authentication. They don’t want to see their cards disfavored by consumers who aren’t accustomed to memorizing and entering a PIN. “If your card is suddenly harder to use, you lose top of wallet,” notes Rick Oglesby, senior analyst at Double Diamond Research, Centennial, Colo.
Besides that, the type of fraud issuers are most concerned with is counterfeit fraud, which chip cards are pretty effective at preventing. Lost-and-stolen fraud, which PIN would prevent, comes to a much smaller total. “Lost-and-stolen is the only thing PIN buys you [as an issuer]. It was a pretty easy business case for chip-and-signature,” says Julie Conroy, a senior analyst at Aite Group, Boston.
Finally, it turns out some processors that handle card transactions on behalf of issuers haven’t geared up for PINs on credit card transactions, these experts say. Issuers that are supporting online PINs with EMV credit cards, like SECU, are doing so with in-house systems. Or they've signed up with a processor that can handle credit card PINs. “A lot of the [third-party] issuer systems on the credit card side are really pretty stupid,” says Steve Mott, principal at Stamford, Conn.-based payments consultancy BetterBuyDesign.
Most markets around the world that have adopted EMV, such as Canada and United Kingdom, are using offline PIN authentication, but this relies on a more powerful, and hence more expensive, chip. That makes EMV credit cards a more costly proposition for issuers, which are also racing to beat the Oct. 1 deadline.