Signing Off

Mastercard’s decision to remove the  signature requirement comes as authentication  measures improve in the payments industry.  But what comes next is still a huge question.

As unique as signatures are, their value as a way of authenticating a credit or debit card transaction has long passed, a realization many consumers have had for several years. Now, at least one card brand and its issuers are aligning their rules with that reality.

Mastercard Inc. announced in October it was disposing of its rule requiring merchants to get signatures for all transactions made with its credit and debit cards in the United States and Canada. The change goes into effect April 13, 2018, allowing issuers, merchants, and processors time to make adjustments, though merchants can adopt the change sooner, Mastercard says.

The new no-signature-required rule does not affect interchange, and applies only to point-of-sale transactions. The card brands each allowed card-present transactions without a signature when the total is below $50 in many instances.

As for why Mastercard is making the change, the explanation is multifold. Part of it has to do with consumer expectations. Most consumers say it would be easier to pay and that checkout lines would move faster if they didn’t have to sign for purchases, Mastercard says.

As it is, more than 80% of Mastercard in-store transactions in the United States and Canada do not need a cardholder signature, says Linda Kirkpatrick, Mastercard executive vice president of U.S. market development.

“We’re putting the power of the point of sale into the hands of the merchant to decide if they want to prompt or not,” Kirkpatrick says. “Now is the right time because from the digital-transformation perspective and payments perspective, we’re at an inflection point.”

When the modern credit card debuted decades ago, authentication was performed in an offline environment that made the signature very valuable.

But, “as telecommunications advanced, credit card approvals in the U.S. largely moved to an online environment and debit (both the PIN networks and signature from the card networks) was broadly introduced,” says Michael Moeser, director of payments at Pleasanton, Calif.-based Javelin Strategy & Research, in an email message.

“Now, with the introduction of EMV, coupled with ‘no-signature required under $50’ programs that pre-date U.S. EMV, there is significant market pressure to abandon signature,” adds Moeser.

Many merchants and merchant groups have decried the weaknesses of signature as an authentication measure and want PIN to accompany all chip card transactions, while others in financial services have a differing view, Moeser says.

One key change is the debut of EMV chip cards in the United States. Two years have passed since the U.S. EMV liability shift went into effect, and new payments products that are safe and secure are available, Kirkpatrick says.

“We want to recognize that consumers and merchants have evolved,” she says. “We want to make it easier for consumers and merchants to get in and out and on with their days.”

The change to no-signature-required does not alter Mastercard’s stance on securing its transactions, she says. “Mastercard has a long history of innovation and investments in all layers of security,” Kirkpatrick notes in a blog post. “Recently we introduced an Early Detection System to help financial institutions proactively and quickly pre-empt serious attacks. This new service provides issuers with a unique advanced alert for cards and accounts at a heightened risk of fraudulent use based on their exposure in security incidents or data breaches.”

Kirkpatrick says the rule change has been vetted with issuers, processors, and merchants. “Reaction has been neutral to positive,” she says. “From the issuer perspective, all are aligned around improving the experience at the point of sale.”

The idea, she says, is that an easier checkout experience leads to increased card use. “This is an area where all of our interests are aligned, merchants, issuers, and our network,” she says.

The world’s largest retailer, Wal-Mart Stores Inc., a long-time critic of signatures, has praised the decision. “Removing this step at the checkout will save time for our customers and decrease the expense associated with storing and presenting signatures back to the issuer, all while preserving security for customers,” a Wal-Mart spokesperson said in a statement. “We anticipate this will result in savings that can be used to continue to lower prices for our customers.”

Mark Horwedel, chief executive of the Merchant Advisory Group, also lauded the change. “The signature-optional requirement is a big opportunity for our merchant members to enjoy the effects of quicker checkout lines and returning customers who appreciate a frictionless payment experience,” Horwedel says in a statement.

The Minneapolis-based trade group says it has been working over the course of several years with its network partners to eliminate the signature requirement. “This step will improve the customer experience and eliminate inefficient, ineffective, and costly processes for the retail merchant community,” says Laura Townsend, MAG senior vice president of operations, in a statement.

“As commerce experiences continue to expand, new and improved digital authentication methods are available which bring better security innovations to the payments ecosystem,” her statement adds.

Others added their approval. “This is an important symbolic step putting signature into its rightful place in the trash heap of payments history,” says Steve Mott, principal at BetterBuyDesign, a Stamford, Conn.-based payments consultancy, in an email message. “Next step is for [Mastercard] to come out from Visa’s shadow and support PIN as the only current multifactor authenticated payment available today, under open standards.”

Mott’s comment raises a big question: What will the other card brands do?

“It is impossible to predict how Visa will react, but Mastercard’s new position has effectively forced all other card brands to react,” says Moeser. “If one card network brand does not require signature but others do, it could cause confusion among consumers and retailers when transactions take place. How Visa responds will be important since they are the largest debit and credit network.”

Moeser also suspects the Mastercard move could presage increased interest in chip-and-PIN, which is a common format for EMV elsewhere in the world but not in the U.S., where EMV has been introduced without a PIN requirement.

“I do expect increased market demand for chip-and-PIN among not just merchants, but advocacy groups and consumers, especially fraud victims,” Moeser says.

So far, Mastercard is the only card brand to make this change. None of the other brands have announced similar changes, though altering signature requirements is under study. “We’re currently evaluating No Signature as part of our continued goal to improve the checkout experience,” says Discover Financial Services in a message to Digital Transactions.

American Express Co. says it is “always looking at ways to enhance the checkout process, including reviewing our signature policy.” AmEx has a $50 no-signature U.S. threshold and a $100 limit in Canada, and doesn’t require signatures for digital-wallet transactions when a cardholder uses a fingerprint,

Meanwhile, Visa Inc. says 75% of “Visa card face-to-face transactions in North America do not require a signature.” The massive card-payments network says it supports “multiple technologies to bring speed, security, and consumer convenience to the authentication and authorization process.” Visa’s statement does not address whether Visa is reviewing its signature requirements.

Visa’s position may be influenced by the revenue it generates from so-called dual-message transactions, which are signature-based. Single-message transactions, in which authorization and settlement are part of the same transmission, use a PIN.

Neither Visa nor Mastercard makes available data about these types of payments. Visa has the larger debit card program in terms of volume. In its fourth quarter ended Sept. 30, Foster City, Calif.-based Visa’s U.S. debit purchase volume was $388 billion. In comparison, Mastercard for the same period had $160 billion in U.S. debit purchases. The average ticket for each is very close: $37.50 for Visa and $38.32 for Mastercard.

Almost all credit card transactions use signature authentication and run over the respective card brand’s rails. Debit transactions can use either PIN or signature and can use a variety of networks for processing.

Visa would not comment beyond its statement. But Mastercard’s Kirkpatrick said, “The flow of these transactions doesn’t change.” A merchant’s ability to prompt for PIN is unchanged, she says.

Still, there is an effort within the payments industry to dispel the notion that chip-and-signature has no place in the future of digital payments. In November, the Electronic Payments Coalition, a Washington, D.C.-based lobbying group that represents financial institutions and networks, released a report that it says supports the assertion that “there is no clear relationship between total card fraud and a country’s preference for using signatures or PINs.”

The EPC said it analyzed fraud data in chip-and-PIN and chip-and-signature countries. If chip-and-PIN cards were more effective at combatting fraud, the expectation is that chip-and-PIN-dominant markets would have lower normalized fraud levels than signature markets, the EPC argues.

“However, EPC’s analysis of Euromonitor data suggests that this is not the case,” the report says. Euromonitor is a London-based research firm. EPC defined normalized fraud as a share of the total value of debit and credit card transactions.

“Debating which [cardholder verification method] to use with smart cards, however, distracts from the work that must be done,” the EPC concludes. “Neither signatures nor PINs are effective against card-not-present fraud, and Euromonitor data show that there is no clear relationship between normalized card fraud and a country’s preferred CVM.”

Mastercard says fraud will be handled as it is now for transactions made with chip cards. “If there is fraud on the account, the fraud will shift to the entity with the least-secure environment,” Kirkpatrick says. “Those rules have been in place for two years.”

Yet, the advent of Mastercard’s signature-optional rule has some, such as debit network Shazam, concerned about what might be next.

“For us, this reconfirms the value of an authentication method like PIN,” says Patrick Dix, vice president of public relations at Shazam Inc., a financial-institution-owned debit network and provider of other payment services, including merchant processing.

Mastercard’s new rule indicates the falling away of signature as an authentication method, Dix says, adding Shazam’s concern is what technology will replace signatures, and who will own the technology. “As new methods of authentication come forward, the concern for us is they will be of a proprietary nature, and how will that affect the ability to use the best solutions in every transaction.”

As a debit network, Shazam has a vested interest in furthering transaction types that use its services. “Let’s say Shazam comes up with the best authentication measure and 100% of the market uses it,” Dix says. “That’s not necessarily great for the marketplace because we’re going to try to protect the technology rather than be a market where new and innovative solutions can rise to the top.”

The message, says Dix, is that, as the payments industry’s authentication practices evolve, the underlying technology should be open and available to all. “It shouldn’t be based on how big you are or how much of the marketplace you have,” he says.

Dix cites the growing use of biometrics—fingerprints and facial recognition, for example—as one instance of a cardholder verification method that emerged in the past few years. “There’s an example of a new CVM that has the potential to be the right fit for some people, but they don’t have the choice open to them,” he says.

Similarly, Kathy Herziger-Snider, senior vice president of product management at Co-Op Financial Services, views the Mastercard move as significant only as a way station to something more powerful. “We’re viewing it as the continued evolution to really support chip-and-PIN,” Herziger-Snider tells Digital Transactions.

The networks have had floor limits, which remove the signature requirement for most low-value transactions, in place for a while, she says. “It would appear this [rule change] would firm up the operating rules of the networks and move the United States more in line with the rest of the world,” she says.

Most large merchants prompt for PIN with debit purchases anyway, she says, and consumers with rewards cards opt out of that to sign for their transactions. Consumers used to earn rewards with debit card purchases, but most banks dropped these programs following the debit-pricing restrictions put in place by the Durbin Amendment to the 2010 Dodd-Frank Act.

All in all, Herziger-Snider doubts the Mastercard change will have much impact. Merchants likely won’t go out of their way to change the point-of-sale software on their payment terminals. Indeed, many merchants, especially the small and midsize ones, tend to have less awareness of high-level changes. Witness the challenge of persuading them to adopt EMV payment terminals.

The improved authentication data afforded by consumer use of mobile wallets and the attendant use of tokenization yields a much more secure authentication process, Herziger-Snider says. “A signature is not really that secure.” U.S. credit card transactions will continue to migrate to chip-and-PIN and tokens, she says, but the timing is unclear.

Among the other unknown aspects of the rule change is consumer reaction. “I personally believe most consumers will be pleasantly surprised that no signature is required on their Mastercard transactions (if the merchant complies),” says Javelin’s Moeser. “The less a consumer needs to do in order to complete a checkout, the more positive the experience.”

Shazam’s Dix agrees. “A lot of this is about getting people through the line faster,” he says. “If your priority is speed, you might be willing to give up a little bit of risk to get people through the line faster.”

Change, however, won’t come overnight. Kirkpatrick says there is some back-end work that must be done. Point-of-sale terminal software will have to be updated to eliminate the signature requirement for Mastercard products, if that is what the merchant chooses. “It’s not a difficult lift,” she says. “It’s a software change.”

Merchants will need to work with their payments providers, with larger merchants likely having a better understanding of the change than smaller ones, which typically lack information-technology and financial resources to the scale of their larger counterparts. As Kirkpatrick says, “The local grocer will not be intimate with network rule changes. They will rely on partners to code the POS terminal.”

The fragmentation of the U.S. merchant community might contribute to inconsistent consumer experiences involving the rule change. Mastercard estimates there are 10 million North American merchants. Educating merchants about the rule change will take work.

Kirkpatrick says Mastercard, as a business-to-business-to-consumer enterprise, will work through acquirers and processors to get the word out to merchants. The effort will mirror that of the EMV migration, which began in October 2015 when the liability shifts kicked in.

“In EMV, we relied heavily on the third party that sits between us and the merchant,” Kirkpatrick says. Visa estimated in June that 2.3 million U.S. merchant accept chip cards.

Consumers, too, as others have suggested, will have a role. They may tell merchants they don’t need to sign for a Mastercard transaction, which may aid merchants in realizing they didn’t have to ask for a signature. The Mastercard rule change isn’t tied to a merchant category code or transaction type, Kirkpatrick says.

The education process already is under way. It started with the bulletin Mastercard sent in October advising its network of the impending change. “There’s absolutely been a lot of questions that have come from all constituents,” Kirkpatrick says.

“Our next steps are to simply support our customers in this journey, educate the market on the benefits, and work with merchants, who really are going to receive the most benefit, and make sure the smaller entities see that and learn from these best practices,” she continues.

The change won’t be immediate. “Merchants may continue to ask for signatures for some time, likely in certain high-risk merchant categories that did not qualify for the no-signature programs or where the transaction values are very high,” says Moeser.

“In contrast, I would expect merchants that currently experience low levels of fraud and value quick customer checkouts, such as grocery stores, to largely abandon signature,” he says.