To PIN or Not to PIN?

A PIN is a Personal Identification Number: the number that can verify a customer’s identity during a transaction. Most consumers and merchants believe that a PIN should be the de facto method for validating a cardholder’s identity. Whether a PIN will be the most widely used verification method in the future is not so clear. As the payments industry continues to evolve, this hot-button issue will continue to generate heated debates between consumers, merchants, and the credit networks over the safety and validity of PIN as a verification method. Should PIN be the primary form of verification for a customer?

The History of PIN in the US

For those of us who grew up in the United States, when we hear “PIN”, we automatically think of the 4-digit (in most cases) code that we use with our debit cards at an ATM or when prompted at a retail location to authorize a purchase. In the latter scenario, the consumer has typically had the option to press the cancel key or red “X” on the PIN Pad to avoid entering his or her PIN. The implementation of EMV chip technology has disrupted this option of consumer choice regarding the use of PIN. As the rest of the world implemented EMV beginning in the 90s, the “normal” implementation was Chip + PIN. The chip authenticated that the card was valid, and the PIN verified the customer’s identity; thus, the PIN was a key part of transaction completion.
The US charted a different path for its implementation of EMV, taking the approach of “Chip + Choice.” US financial institutions can issue new chip cards with a preferred Cardholder Verification Method (CVM) of either PIN or Signature.
Though many in the industry wondered why issuers would choose Signature over PIN, there are a number of possible reasons:

  • There is a stance that signature is just as strong as PIN to verify a customer.
  • A signature can always be remembered; customers cannot necessarily remember different PINs for different cards in their wallet, especially with the ability to have a PIN associated with a credit card.
  • Verification of PIN in real time would require issuers to invest in significant infrastructure upgrades.
  • Issuers do not want to incur the financial loss of interchange for transactions routing over PIN Debit rails instead of credit rails.

While half of these reasons contain some validity, another more legitimate argument is that the large majority of card present fraud committed is counterfeit, which chip technology is designed to protect against. If a fraudster has a physical stolen card, they are likely to attempt a transaction in a Card Not Present environment, as there is more opportunity and greater ease to make a fraudulent purchase without PIN or Signature verification. Additionally, we do know that Card Not Present fraud has increased as the US has implemented the acceptance of chip technology. Does this mean that the payments industry should refrain from promoting the use of PIN for card present purchases?

The Future of PIN

While the purpose of this article is not to argue whether or not the US should have mandated PIN acceptance with the implementation of EMV, I think it is important to understand industry trends when speculating whether PIN will be the verification method of the future. There are new use cases gaining attention around “PIN on Glass” transactions, where a customer can enter a PIN on a touchscreen. While the security of this use case continues to spark debate, PIN in this instance provides one more potential method to verify a customer.
Another change in the payments industry was the announcement by Mastercard that, beginning in April 2018, it will be optional for merchants to obtain a signature as a CVM for any purchase. The logic behind this decision is that other technology controls are in place, and the removal of signature capture will speed up the checkout process. While this is true, the speed of checkout can be addressed by using No CVM (e.g. no PIN or Signature) for small-ticket transactions. The other payment brands have not made official announcements about whether they will follow suit and remove the requirement for merchants to obtain a signature, but the removal of this requirement by Mastercard adds merit to the argument that Signature is not doing much to curb fraudulent transactions, and that it is not a strong enough verification method.
New verification methods, such as biometrics (including fingerprints and facial recognition via devices such as the iPhone X), provide other avenues to verify customers for purchases made with payment wallets in smartphones. While these contactless transactions still make up a small percentage of overall purchases, this percentage will inevitably continue to increase. (This is the year of Mobile, right?)
PIN has been a proven method to verify customers for years, and Signature appears to be on its way out. In the next few years, issuers will be issuing the 2nd wave of EMV chip cards. As the payments ecosystem improves with innovations such as faster payments and blockchain technology, it remains to be seen if PIN will emerge as the preferred method of verification. Guess we’ll all be waiting on PINs and needles to see!
For further discussion, contact Clint at [email protected].