BankThink

The EMV PIN Is Mightier than the Signature

One of the longest discussions regarding the U.S. EMV migration is the choice of chip and PIN or chip and signature as the card verification method (CVM).

On balance, Chip and PIN provides more security, and does not necessarily cost more.

From a business perspective, there is a myth that deploying EMV payments with a PIN CVM is automatically more expensive. While software needs to be bought to manage the PIN, it’s not necessarily more expensive in the long term. Other EMV regions have seen fraud fall significantly, which has the knock-on effect of lowering reissuance and therefore costs.

Technologically, having a PIN CVM is most secure. But the debate really comes down to the issuer’s decision regarding ‘online’ (when the terminal dials out to connect to an acquirer to process a card transaction and request an authorization) and ‘offline’ transactions (when the terminal does not dial out for authorization).

With the added security that PIN brings, cardholders will be able to make a payment both online and offline, without issues. With signature as the CVM, there will be no issue making online transactions but offline transactions may cause problems. When the card profile is set up for offline transactions, a limit is set for the amount that can be spent without a CVM. As offline transactions tend to be at a kiosk where there is no cashier to check the signature, the payment has to be processed without a CVM and if it is more than the pre-set amount, it will be declined. Not great for the cardholder.
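The kiosk outcome described above comes from the card's CVM List, the ordered rules in the card profile that a terminal walks to choose a CVM. The Python below is an added example, not part of the original article: the two card profiles, the 50.00 limit, the terminal capability sets and the function names are constructed for illustration. It models only four condition codes, ignores the currency check, and treats an exhausted list as a decline, as the article describes.

```python
import struct

# CVM codes: low 6 bits of the first byte of each 2-byte rule.
CVM_NAMES = {0x01: "offline plaintext PIN", 0x02: "online PIN",
             0x04: "offline enciphered PIN", 0x1E: "signature", 0x1F: "no CVM"}
# Condition codes (second byte). Other codes are not modelled here.
ALWAYS, IF_SUPPORTED, UNDER_X, OVER_X = 0x00, 0x03, 0x06, 0x07

def parse_cvm_list(raw):
    """Return (amount X, amount Y, [(cvm code, try-next flag, condition)])."""
    if len(raw) < 10 or (len(raw) - 8) % 2:
        raise ValueError("malformed CVM List")
    x, y = struct.unpack(">II", raw[:8])
    rules = [(raw[i] & 0x3F, bool(raw[i] & 0x40), raw[i + 1])
             for i in range(8, len(raw), 2)]
    return x, y, rules

def select_cvm(raw, amount, terminal_cvms):
    """Walk the rules in card order; 'declined' if none can be performed."""
    x, _y, rules = parse_cvm_list(raw)
    for code, try_next, cond in rules:
        applies = (cond in (ALWAYS, IF_SUPPORTED)
                   or (cond == UNDER_X and amount < x)
                   or (cond == OVER_X and amount > x))
        if not applies:
            continue
        if code in terminal_cvms:
            return CVM_NAMES.get(code, "unknown")
        if cond != IF_SUPPORTED and not try_next:
            break  # rule applied, CVM unavailable, card forbids fallback
    return "declined"

# Constructed card profiles, X = 50.00 in minor units (assumed values).
# Signature card: signature if supported, else no CVM under X.
SIGNATURE_CARD = struct.pack(">II", 5000, 0) + bytes([0x5E, 0x03, 0x1F, 0x06])
# PIN card: offline PIN if supported, then signature, then no CVM under X.
PIN_CARD = struct.pack(">II", 5000, 0) + bytes([0x44, 0x03, 0x5E, 0x03, 0x1F, 0x06])
KIOSK = {0x04, 0x1F}           # unattended: PIN pad, nobody to check a signature
ATTENDED = {0x04, 0x1E, 0x1F}  # cashier present

if __name__ == "__main__":
    for name, card in (("signature", SIGNATURE_CARD), ("PIN", PIN_CARD)):
        for amount in (2000, 8000):
            print(name, amount, select_cvm(card, amount, KIOSK))
```

On a real terminal a failed CVM is recorded in the transaction results and the issuer and terminal action codes decide between decline and going online; the single "declined" result here collapses that step.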

Visa is flying the flag for signature as a shorter-term solution, as it might make it possible to deploy EMV chip more quickly. American Express, Discover and MasterCard, on the other hand, are pushing for PIN CVM to be the norm, stating that the U.S. should build the platform that can be used further down the line with new technologies like mobile payments.

Using a CVM like a PIN, or fingerprint biometrics as with Apple Pay, will protect the U.S. payments system. There is also the option to allow some card/mobile payments without a CVM, such as a low-value contactless ‘tap and pay’ at a vending machine. Thinking about signature as a CVM more broadly, if the cashier does not check the signature then this is effectively a payment without any authentication anyway (worthless for security, yet costing U.S. merchants hundreds of millions of dollars to capture and store electronically or on paper).

Overall, the market is hugely complex and every bank is coming to EMV payments from a slightly different situation. The end decision will come down to the business model. For issuers wanting a watertight solution with the highest levels of payment security that can be used online and offline with no trouble for the user, PIN is the way forward. For those happy with the increased fraud risk and the possibility of users’ cards being declined for offline transactions, signature could be just fine.

For the more forward-thinking institutions, thought also needs to be given to EMV for mobile NFC payments and particularly tokenization, where CVMs need to be managed across different channels and tokens.

But that is a whole different discussion.

David Worthington is principal consultant for payment and chip technology for Bell ID.
