The PIN Is Mightier Than the Pen
US merchants have until this October to convert their payment terminals to those capable of EMV (or chip) transactions. This move has been long awaited by banks and payments companies worldwide as it is hoped that it will – among other things – put an end to the US being the primary offender related to fraud from cloned or stolen cards.
The much anticipated liability shift will be a game-changer, particularly for merchants, who will be liable for any card-present fraud committed in their store if they do not have EMV capable card acceptance technology.
The payments industry has been awash with predictions about what this will mean for card-present fraud (it will drop), card-not-present fraud (it will rise) and how American consumers will adapt to this new way of performing transaction.
Given the significant effort involved with consumer re-education, the transition won’t be easy. The current indicators suggest that most card issuers will still be allowing cardholder signature as the cardholder verification method (CVM) for the foreseeable future, or the so-called ‘Chip & Choose’ compromise.
Recent research by Forrester suggests that even though the EMV liability shift is almost upon the US, it won’t be until 2020 that the majority of US card transactions are in EMV format. Indeed, the same report suggests that adoption of EMV could actually be slowed down by ‘new technologies’, and that by 2025, mobile and contactless payments will exceed chip payments in volume.
A study performed by Aite estimates that between 2015 and 2018 lost or stolen card fraud will cost the industry $1bn. It can be argued that a large portion of this fraud can be attributed to the failure to adopt a more robust authentication factor as the CVM, like the PIN for example.
The magnetic stripe (mag stripe) currently used to hold information on US cards is based on technology invented during the Second World War and has changed little since it was first used on payment cards in the late 60s. Mag stripe data is notoriously easy to steal and to clone, and was the main driving force behind the introduction and enforcement of the Payment Card Industry Data Security Standard (PCI DSS) in 2004.
The introduction of the chip into US cards will render them much more difficult to clone, having a significant impact on counterfeit card crime, even as a stand-alone technology. In fact, in the same research by Aite, it is estimated that counterfeit card fraud in the U.S. will fall $1.8 billion (-51 percent) to $1.77 billion between 2015 and 2018 due to EMV chips. That is significant.
However, card-present fraud is not limited to counterfeit cards, as it includes lost or stolen cards too. So, while the US is still using the pen instead of the PIN as the CVM, there is little to stop the fraudulent use of lost or stolen cards. Due to the limitations of the chip & choice implementation, the door is still wide open to fraud; signatures can be forged, and shop assistants can neglect to check for accuracy or ask for accompanying ID. The PIN on the other hand, is adding an entire second factor of authentication and can be used to secure, physical, mobile and e-commerce transactions alike.
If the US is serious about fighting card fraud, it needs to adopt 2-factor authentication for card present transaction. No other form of authentication is as widely accepted and easy to use as the PIN.