Visa Inc.'s attempt to phase out the old, static PIN in favor of dynamic authentication is facing resistance – in particular because many are not convinced that the PIN is past its prime.
Visa is laying the groundwork for U.S. issuers and merchants to upgrade to the EMV Integrated Circuit Card Specifications used in other countries. But in a departure from nearly every other global market that has switched to EMV cards, which are commonly called chip-and-PIN for their most prominent security feature, Visa's plan excludes PINs.
Visa recently outlined a series of incentives and deadlines to urge U.S. merchants to accept chip-card payments. The other card networks have not signaled plans to follow Visa's lead, although they eventually did when Visa set similar deadlines in most other countries.
The San Francisco card network's chances of success "will depend on whether Visa has the market power to effect this widespread market change to chip transactions in the U.S., despite the fact that many players, from issuers to terminal manufacturers, have made a big investment in PIN-debit technology," says Mike Kutsch, a manager with the consulting firm Carlisle & Gallagher in Charlotte, N.C.
Visa has set Oct. 1, 2015 as the date when liability will shift from issuers to merchant acquirers if fraud occurs in a transaction that could have been prevented with a chip-enabled payment terminal.
Discover Financial Services, which owns the Pulse PIN-debit network, may not be eager to see PINs disappear or support a liability shift on chip cards.
"Discover has its own PIN-debit network, so it may not follow … Visa," Beth Robertson, director of payments research at Javelin Strategy & Research, says.
Discover, of River Woods, Ill., declined to comment on Visa's initiatives for this story.
EMV chips combat card counterfeiting by sending a dynamic code with each transaction. If that code is stolen, it cannot be used again to authorize a second transaction.
PINs, if stolen, can be reused easily. One such example is Michaels Stores Inc., which in May announced the discovery of a major debit PIN-pad breach affecting 90 payment terminals across 20 states where fraudsters stole debit card account numbers and PINs, which they used to get cash through ATMs from at least 100 customers' bank accounts.
While PINs were not effective at stopping counterfeit fraud in that incident, they serve a key role in helping to prevent first-party fraud, which occurs when a customer disputes a transaction, says Dave Lott, senior vice president with Speer & Associates of Atlanta.
"Most merchants prefer PIN-based debit transactions over signatures because it is very effective in minimizing charge-backs at the point of sale, and even issuers are likely to want to stick with PINs as a way of preventing fraud on lost debit cards," he says.
Dynamic authentication also does not block fraud on individual lost or stolen cards, says Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC.
"The challenge to eliminating PINs on chip cards, and why PINs are still useful, is the fact that if someone takes your wallet and gets your signature-only chip card, a criminal can use that card until the cardholder notices it's gone and calls it in," McNelley says.
There are "a variety of reasons" that merchants may insist on keeping PINs, Lott says. "PINs are widely viewed by merchants, issuers and consumers as important security factors and clearly PINs are still essential to card security everywhere else, including in Mexico and Canada, which quite recently adopted chip-and-PIN cards."
Be the first to comment on this post using the section below.