For years, the U.S. has been divided on whether EMV-chip cards should be deployed as chip-and-PIN cards or the simpler chip-and-signature. After the Target data breach drew attention to the threat of data theft, the PIN debate seems to have lost its edge but it hasn't gone away.
Visa Inc. remains supportive of chip-and-signature for credit card transactions, whereas other card networks have been more outspoken of their support for chip-and-PIN. But either approach is better than sticking to the less secure magnetic stripe cards in wide use today.
"There isn't a one size fits all, and we don't see it as one vs. the other," says Carolyn Balfany, MasterCard's senior vice president and group head of U.S. product delivery.
Verifications will continue to be based on the risk case for each particular transaction, Balfany adds. As such, the industry can expect to see "a variety of strategies continue to be embraced across the market," she says.
JPMorgan Chase, the first major card issuer to adopt the chip-and-signature model for U.S. cards, announced on Feb. 25 that it would begin issuing chip-and-PIN cards this year. Whether Chase is a lone convert or the first of many signature advocates to switch sides remains to be seen.
From Visa's perspective, it would not be wise to move the industry forward for EMV adoption and "change the cardholder verification landscape at the same time," says Ellen Richey, Visa's chief enterprise risk officer and chief legal officer.
"That's why we are saying, let's get the EMV cards out there and not force a massive change upon consumers with credit cards by forcing them to use a PIN," Richey adds.
Ultimately, the industry has to focus attention on card-not-present fraud and embracing tokenization, rather than continuing to debate secondary authorization on a chip card, she says.
Some merchants support a complete transition in the U.S. to chip-and-PIN, demanding the added security of a PIN to justify the cost of upgrading their terminals to accept EMV-chip cards.
But some industry experts see Visa's stance as a practical approach for issuers and merchants to migrate quickly to EMV smartcards in the U.S. by the October 2015 deadline set by the card networks. After that date, most merchants who cannot accept EMV cards face an increase in fraud liability.
"The PIN is redundant because the true benefit of EMV is that the card cannot be counterfeited," says Al Pascual, senior analyst for Javelin Strategy & Research. "So, unless we go back to a world where pick-pocketing becomes the norm, it's not really an issue."
In conversations with issuers, most say they are going to issue chip-and-signature credit cards, says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
"Chip-and-signature makes a lot of sense because it addresses the majority of the fraud problem and eliminates worry about consumer attrition," Conroy adds.
PIN also adds to merchant costs and overhead, Conroy says. "Combine that with the attrition risk and the small percent of fraud problem it addresses beyond chip-and-signature" and more issuers see reason to support a signature-only approach, Conroy says.
Still, Conroy says it will be interesting to see if talk about PIN security in Congress in the wake of data breach hearings will change the views of issuers in the coming months.
Regardless of whether PIN or signature wins out, the biggest security issue remains the magnetic stripe, which would still be used on EMV cards to keep them compatible with older technology, says Mark Horwedel, CEO of the Merchant Advisory Group and a strong proponent of chip-and-PIN.
"Without a plan for the elimination of the magnetic stripe, merchants and consumers will continue to be exposed to the fraud-prone nature of that outdated technology even after EMV has been implemented," he says.
The card networks "don't want to force the issuers to move away from mag-stripe or signature, but they want the merchants to invest in systems that will support all issuer options, including those of international issuers who support offline PIN," Horwedel says. Such a scenario means merchants are saddled with new costs associated with fraud if they do not convert to EMV technology, while issuers can simply retain their existing costs if they choose not to change authorization methods, Horwedel says.
In the meantime, merchants need to do a better job of explaining to consumers why it is not in the public's best interests to sign for authorization at the point of sale, Horwedel adds.
Such a strategy may not be as easy as it sounds, Javelin's Pascual says.
"Merchants continue to push for PIN because it is extra security that resonates with consumers in the wake of recent breaches," Pascual says.
Consumers understand PIN, but they don't understand EMV, Pascual adds.
"If the merchant says PIN, it sounds like the merchants are really pushing for more security; if they say EMV or talk about chip-based cards, consumers in general just don't understand."