CEO Outlook: My Perspective on the PIN Debate

JASON OXMAN

I want to talk about PIN. Which is odd, because normally ETA doesn’t really engage in the PIN discussion as it relates to payments. Why not? Because our job on the acquiring side of the payments industry is to support whatever form of cardholder verification method the issuing banks have enabled on behalf of their customers. Sometimes it’s signature, sometimes it’s PIN, and sometimes it’s nothing – no cardholder verification. Whichever method the consumer’s bank has enabled, we implement it. That’s it.

But the discussion of the EMV migration has been so completely, overwhelmingly, exhaustively been taken over by the discussion of chip and PIN versus chip and signature, I thought I’d share a few thoughts to help clarify the discussion. To be clear: PIN is not bad. In many cases, it is good. But it isn’t what the EMV migration is all about.

As you’re thinking through the PIN debate that some merchant and bank trade groups are exchanging barbs about, here are a few things to consider. First let’s define our terms. A PIN is a type of “cardholder verification method” or CVM. A CVM is a means of ensuring that you – the person handing your credit or debit card to the clerk in a store – are actually the owner of that card. CVMs prevent what is called “lost or stolen” card fraud. That’s fraud where a pickpocket takes a card out of your purse, or finds it on the ground, and goes to use it in a store before you have a chance to report the card missing. With a PIN as CVM, the thief can’t use your card because they don’t know your PIN (hopefully you haven’t written it on the back of your card – don’t do that).

Did you know that some 70% percent of electronic payments transactions at retailers have no CVM? That means no signature and no PIN. This is because payments companies have enabled, on behalf of our merchant customers, the “no CVM” solution for small ticket, low fraud risk transactions. Think of using your credit card in a fast food restaurant, or buying a pack of gum at a convenience store. The CVM isn’t necessary in those transactions because the fraud risk is low – criminals don’t use fraudulent credit cards to buy a pack of gum – and the benefits to consumers and merchants of moving quickly through the checkout line are large. This kind of “swipe and go” – or soon, “dip and go” for chip cards – is a good thing and no one really argues against it.

So what about PINs with EMV chip cards? Why not use them? Again, PIN isn’t bad – in some cases, it’s good – but it isn’t what the EMV migration is about. It’s helpful to think of chip cards and PINs separately, because they address two different types of fraud. Chip cards prevent counterfeit card fraud because criminals can’t create a counterfeit chip card. Counterfeit fraud is currently two-thirds of all card fraud in stores in the U.S. Does the chip card need a PIN to prevent counterfeiting? No – the chip itself prevents the counterfeiting, by generating a unique security code for each transaction.

So what is the PIN good for? As I mentioned above, the PIN prevents lost and stolen card fraud – where a pickpocket steals your card and goes to use it before you report the card stolen. The crook won’t know your PIN and won’t be able to use your card. Lost and stolen card fraud is currently about 9% of fraud in stores in the U.S. today. PINs are also good when travelling outside the U.S. – I’ve been looking into banks that offer chip and PIN cards so I can use them at unattended kiosks in Europe, for example.

So why not do both chips and PINs at the same time? As evidenced by the current state of EMV deployment, upgrading the 1.2 billion cards to chips, and 8 million merchant locations to chip readers, takes a lot of time, expense, and resources for banks and merchants alike. We’ve only just begun the process. Adding in a ubiquitous PIN infrastructure – given that two-thirds of U.S. merchants do not have PIN pads in their stores today – would be overwhelming. Just think of the nation’s one million restaurants – they don’t have PIN pads at all today. What would they do with a PIN mandate?

So it’s a question of priority. Chips address an overwhelmingly large amount of overall fraud, and PINs would address a much smaller amount. Chips are the priority today because they address the most fraud. Again, that’s not to say PIN is not a good idea – it is for many transactions, such as credit card cash advances at ATMs, or debit transactions with cash back. But we need to prioritize the area of the most criminal activity first – and that’s what the EMV migration does. Remember, two-thirds of in-store fraud is counterfeit card fraud, EMV cards (with or without PINs) stop that fraud, so that’s what we are doing first.

We also need to work to fight online fraud – which neither chips nor PINs address – through tokenization. And we need to fight data breaches – which PINs don’t address – through encryption. And we have innovative new CVMs coming online every day, from fingerprints to retinal scans to “pay by selfie – all of which will help further prevent lost and stolen fraud. We’re working on all of this together. Let’s not let the back and forth over PIN prevent us from remembering that criminals are the real enemy.