There’s a groundswell of opinion in the US calling for the widespread adoption of 'Chip and PIN' to go alongside the move to EMV chip cards for credit and debit purchases. Last year the President signed an order mandating Chip and PIN for all federally-issued
payment cards and all federal acceptance points. This week the Consumer Policy Solutions pressure group called for Chip and PIN to be adopted for all US card purchases based on the increased protection against fraud that PIN offers.
In Europe and the rest of the world, ‘Chip and PIN’ exclusively means storing the PIN securely in the chip for it to be verified locally on the point-of-sale (POS) device, while in the US the term is being used more loosely to mean replacement of signature-based
purchases by entry of a PIN, as happens with many of the independent debit networks. The PIN is then securely sent with the transaction details to the issuing bank for verification.
As usual in the US market, the discussion is being shaped by opinion from many sides, some of which is driven by commercial and political interests, and some of which focuses purely on the technical hurdles. The unique and distinctive nature of the US cards
market is a big factor – there are thousands of small card issuers but the market is dominated by a handful of large processors. There are a couple of dozen independent debit networks that grew from being ATM operators (explaining their PIN legacy) to having
their cards accepted at POS, although ATM reciprocity – being able to use one network-brand card in an ATM operated by another network brand – is virtually non-existent. Those debit networks compete with internationally-branded debit that is still based on
signature, aligning with similarly-branded credit cards. Then there’s been Durbin and its impact on the move of debit to chip (but let’s not go there…), and unlike other card markets around the world, the US has no central organization that coordinates policy
and practice on card payments, making it very difficult to gauge industry opinion and to achieve consensus on industry matters.
In spite of all this, there are a number of points around this discussion that need to be made plain. First is that there’s no doubt that PIN at POS is a superior method of cardholder identification than signature, which in reality is hardly ever checked.
It’s also quicker and requires no merchant interaction with the card. Second, the argument that credit card users will not be able to remember a PIN because they don’t use a credit card at ATM has been disproved in many other countries who have made seamless
transitions to Chip and PIN – cardholders in general did not have to think twice about switching to PIN. Third is that pretty much all POS devices now have the ability to accept PIN, and the days of multiple devices on store counters are long gone. Fourth
is that all networks and all acquirer and issuer systems have the ability to send a PIN and to verify a PIN as part of authorization processing; whether it is switched on for all products is another question, but it’s not a show-stopper.
Another line of argument against the adoption PIN for all purchases has been that the superior quality of online authorization processing available from US networks makes PIN unnecessary. That is plainly untrue, since fraud still happens; the truth is that
a large proportion of lost and stolen card fraud is authorized by card issuers, and PIN would prevent that. Alongside that line of dissembling is the deliberate confusion of PIN at POS with offline processing, where a purchase can be authorized remotely without
contacting the card issuer. That may have a bearing on the adoption of Offline PIN (stored in the chip) for local verification, where other risk management features provided by EMV would also come into play, but has no bearing on the use of Online PIN that
is checked by the card issuer. Naturally networks will argue tooth and nail against any move towards offline transactions that may consequently see a reduction in network traffic (and therefore charges), but the attempt to confuse PIN with offline authorization
is plain unworthy.