Bonneville Bancorp is taking an unusually drastic — and seemingly counterintuitive — approach to fighting fraud. To make sure its customers use their PIN codes, shoring up security for debit purchases, it is prohibiting signature debit payments in some states.
Though PIN codes provide an additional layer of security, signature debit transactions generally earn issuers more money, and observers say it is unheard of for a bank to consider its fraud losses severe enough to switch off that revenue stream.
According to a notice on Bonneville's website warning of "high amounts of fraudulent card activity in California, Florida and Georgia," customers in those states must use their PIN codes for any debit transactions. "No signature transactions will be allowed," the notice asserts.
"All I can think of is that the fraud was so high that the lost interchange revenue is worth it compared to the cost of issuing new accounts," said Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc. "It's a statement admitting PIN is more secure, so it contradicts all the marketing messages" from most other banks.
In most cases, "banks are sending out new communications that are reinforcing the policy that you should always use your signature," Litan said. Bonneville's approach is "very unusual," she said.
Ryan Nielsen, a vice president at Bonneville, said that the $34 million-asset bank, which has one branch in Provo, Utah, is going to keep signature transactions switched off in the three states for the foreseeable future, and that this approach was suggested by its processor, First Data Corp.
"We had several fraud activities in those states in a short amount of time," Nielsen said, and although Bonneville is evaluating other methods of addressing that fraud, it does not know when it will change its approach.
Nielsen said he believes other banks have shut off signature transactions in response to fraud, but did not know which. First Data said its executives were not available to comment.
Litan said that Bonneville's message is so striking because banks have gone out of their way to encourage signature debit use over PIN debit. These pitches usually play up the convenience or offer a reward, but JPMorgan Chase & Co. has gone even further in presenting signature as the safer approach because it does not require consumers to risk exposing their PIN code by using it. This message was featured prominently on mailings JPMorgan Chase customers received in April.
JPMorgan Chase defended this by stressing that it wanted to reassure customers about the security of debit cards, but Litan said there is no confusion about which is the more secure method.
"From a pure technical security standpoint, PIN is much more secure," she said. "There's no two ways about it."
Bonneville is likely seeing fraud from criminal rings based in the states where it has barred signature transactions, Litan said. In recent weeks, many news reports spotlighted Florida as the setting for large amounts of card fraud.
Litan said Bonneville's pinpoint focus on specific states indicates that the stripe data of its customers' cards has been stolen with a skimming device to copy the stripe's data, then written onto physical cards that are used by fraudsters in those states.
"The cards can be skimmed anywhere, but that's where they're being used," she said.
Aaron McPherson, a research manager for payments at the Framingham, Mass., research firm IDC Financial Insights, said that Bonneville's response is so striking because it is so public — it is the most prominent notice on the company's website.