An issuers decision to deploy EMV chip-and-signature credit cards in the U.S., instead of the chip-and-PIN model common in other countries, has as much to do with technology constraints as it does with Americans reluctance to using a PIN.
A recent Aite Group study of EMV progress in the U.S. as the country moves toward its October 2015 liability shift timeline for chip-based technology confirmed that most banks and issuers in the U.S. will issue chip-and-signature credit cards.
Banks fear having their credit cards go to back-of-wallet if a consumer has to enter a PIN for the first time on those transactions. In addition, its difficult for many to justify the business case for chip-and-PIN because they dont have the capability to handle online chip-and-PIN credit card transactions at the point of sale, says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group. Whats more, some processors arent ready to handle online chip-and-PIN.
One issuer in the U.S. said the only way their processor could do EMV credit card transactions was offline PIN, so that has an additional set of overhead associated with it, Conroy says. So it was just a non-starter to consider PIN from their perspective.
While Conroy couldnt reveal the processor in the Aite study, she says that this is a very big processor, so even if it is only that one, its a big chunk of the market affected by that one not having the rails to handle chip-and-PIN online.
With an online PIN transaction, the PIN is not stored in the card and the merchant terminal has a direct connection to the issuing banks servers for real-time PIN verification and transaction authorization. An offline PIN transaction lacks the direct connection and never sends a PIN over the network. Instead, the terminal accesses the PIN stored in the cards chip for authentication on behalf of the bank.
PIN online is generally preferred because its less expensive to establish than offline and settles transactions more quickly. Offline PIN calls for issuers to consider how PIN information is maintained on the card and the host system.
Chip-and-signature and chip-and-PIN EMV standards both deter counterfeiting because the chips create one-time codes for transactions. However, PIN would also deter fraud through lost or stolen cards.
As such, the argument against online PIN always comes back to the business case, Conroy says.
There is going to be some investment required to make this happen, and when lost and stolen fraud is only 13% of the total problem and you extend [compare] that to the issuer [technology] problem, it is drop in the bucket compared to what counterfeit fraud is, she says.
Since the major card brands revealed their October 2015 timeline for conversion from mag-stripe cards to EMV chip-based cards, Visa has openly supported chip-and-signature as easier and faster for merchants without disrupting consumer habits. Meanwhile, MasterCard has embraced chip-and-PIN for the stronger security aspects.
Several merchant groups have been vigilant in their support of EMV chip-and-PIN, saying it is not worth the investment to switch to EMV smartcards if the U.S. doesnt go to the more secure chip-and-PIN method.
It has been circulating for some time that basically the reason the big banks dont want to do PIN on credit is that they dont have the technical capabilities to do PIN online, says Mark Horwedel, CEO of the Merchant Advisory Group. They are essentially masking this with the assertion that they are trying not to disrupt the habits of consumers at the point of sale.
In addition, U.S. consumers traveling abroad could become targets of fraud or theft of their cards because criminals will know their EMV cards likely are not chip-and-PIN, Horwedel says.
First Data is ready to accept chip-and-PIN credit card transactions, and were ready to issue chip-and-PIN cards for our issuing clients, says Steve Mathison, the processors vice president of payment acceptance at First Data.
But issuers and acquirers have not supported PINs because of the need for additional PIN management and key functions similar to PINs for debit transactions, Mathison says.
It is up to each issuer to determine the most effective cardholder verification method to keep data secure, Mathison says.
As such, Mathison understands why some are adamant that issuers deliver EMV chip-and-PIN for credit cards. To address only one concern means spending significant time, effort and money and then solving only part of the problem, he says.
EMV debit chip-and-PIN online wont encounter the same debate because debit cards have historically made use of the online PIN in the mag-stripe world and will continue to do so in the EMV world, says Philippe Benitez, vice president of marketing for secure transactions at chip maker Gemalto.
Generally, online PIN was not supported in the mag-stripe credit card world, Benitez says. Therefore, processors would need to upgrade their systems to support online PIN for credit, regardless of whether the card is mag or chip.
But the U.S. isnt facing an impossible technological task. These constraints are the same ones faced by other countries that migrated to EMV before us, and they have been solved successfully, Benitez notes.
Still, chip-and-PIN will require changes to terminals, merchant and acquiring networks and issuing hosts, says Philip Andreae, Oberthur Technologies field marketing director for payment, North America.
These changes involve both software and hardware and require the introduction of unique cryptographic functions and secrets to encrypt and protect the PIN, Andreae says.
Supporting offline PIN transactions should not pose a problem. Most EMV-capable devices include the necessary key pad, and there is no need to upgrade the network to support the end-to-end encryption of the PIN, Andreae says. However, if a consumer changes a PIN, the offline system requires devices that securely write and synchronize that value to the chip and issuer host.
The U.S. has unique challenges and somehow a solution has to be developed that can work for and be agreed upon by all 14,000 banks, Andreae says.
Plus, merchants will benefit from the dynamic data used for chip-based cards, whether they include signature or PIN verification, Gemaltos Benitez says.
Its infinitely more secure than magnetic stripe because the data changes with every transaction, Benitez says.
But consumer habit is a legitimate concern for issuers, Benitez says. So much so that the U.S. will have to consider tap-and-go contactless EMV cards so the consumer no longer has to place the card in a reader.
But terminals prepared for EMV card acceptance will also have NFC, making the transition to contactless seamless.