If the Shazam electronic funds transfer network had its way, smart cards issued with EMV chips would require a single PIN that would both open the chip and route the transaction for settlement.
"That's still under discussion," notes Dan Kramer, Shazam's senior vice president of marketing and merchant operations. "There's still so many things that need to be worked out."
Indeed, the question — or concern — over how legacy PIN-debit environments stay relevant in an EMV-based card market is one of the reasons various debit networks formed a working group in the Secure Remote Payments Council in April. The group wants to ensure existing PIN-debit networks integrate smoothly with EMV as it rolls out in the U.S. over the next several years.
"The key here is to make sure that regardless of how the PIN is used, that there is one," Kramer says.
The working group is currently focused on education, and it continues to meet and call in players from all aspects of the payments chain to ensure each is familiar with how it will need to communicate and work together in an EMV environment, Paul Tomasofsky, the council's president, said in an interview.
The PIN process Shazam would prefer works a bit differently when a chip is involved. EMV technology allows cards to be read by terminals when they are offline, which is not how PIN-debit payments work in the U.S. today.
One problem could arise if a cardholder changes the card's PIN with an issuer but an offline terminal has no way of verifying the new PIN, Tomasofsky said in citing an example of an issue the group is discussing.
No specific timeline for producing standards and best practices has yet been announced, he says, though "it will be sooner rather than later."
Another issue of significant importance to the networks involves large merchants, including American Airlines, that have signed deals with Acculynk Inc. and others that offer similar products that support the acceptance of PIN-debit transactions online to reduce fraud and to secure better acceptance rates.
PIN-debit acceptance online is relatively new, but it would work well in an EMV environment, where card-not-present fraud is relatively high, Kramer says.
EMV is a "chip product, but you can't stick a card in the computer, and a majority of fraud is still online," he says. "Why not have a product in the chip world that can do PIN transactions both at the point of sale and online?"
Kramer sees fraud reduction as a key benefit to PIN use online, noting the fraud on PIN-based transactions at Shazam represents about 0.8% of sales, whereas some online signature-debit transactions the network supports have fraud rates that range from 4% to 8%.
Debit card issuers may have been able to accommodate such losses for signature-debit before the Durbin amendment to Dodd-Frank lowered interchange revenue, but the rate cap has led them to shift their emphasis to PIN-debit and to downplay signature debit as fraud becomes a cost issue with tighter issuer margins.
"In my mind, signature-based transactions have become antiquated," Kramer says. "It's going the way of the dodo."
But the future of traditional PINs for authentication also may be in jeopardy.
Whereas EMV in most countries requires a PIN to open the chips in the cards for security purposes, Visa and MasterCard have indicated they would allow signature-based authorizations with EMV cards, presumably so they may continue to support their legacy systems. Over the longer term, Visa would like to cease reliance on signatures and PINs as primary methods of authenticating most point-of-sale card transactions.
Pressure from merchants might force changes as well.
"The cost of payments to retailers has gotten to the point they will start to dictate the payment environment in terms of acceptance in their stores," Kramer says. "We're already hearing grumbling (from merchants) about … not getting enough benefits to support EMV."
The Durbin rule also required issuers to support more than one brand's debit networks on their cards, giving merchants the ability to route transactions through their preferred network. That practice likely will continue in an EMV environment, notes Judith McGuire, Pulse's executive vice president of product management. Pulse is Discover Financial Services' electronic funds transfer network.
Pulse expects EMV cards will have to comply with Durbin, McGuire says. "Some things will stay consistent, and merchant choice will be one of them," she says.
Mobile offerings are adding even more pressure on banks to come up with products and services that meet merchants' acceptance demands. Already, several of the top merchants are working to develop their own mobile-payment system.
And even the Electronic Transactions Association, which represents merchant acquirers, has formed a committee with tech companies to give themselves a voice in mobile payments.
Besides merchants, many in the payments industry also remain unsure of the business case for EMV in the U.S., where virtually all transactions are authorized online and fraud rates remain relatively low, especially for PIN-debit transactions.
However, many fraud experts say it's just a matter of time before fraud starts to rise as crooks seek ways to defeat the relatively low security of magnetic stripe cards.
"A lot of fraud will migrate to the U.S., but issuers and merchants have built pretty good authentication systems," McGuire says. "So [EMV] is getting a lot of momentum and focus, but it's still a bit unclear what the business case is."
Though Pulse has yet to state its position on which method of EMV authentication it will support, "we continue to see the value of PIN authentication, and we don't see that going away in an EMV world," she says.
Pulse is examining various card-verification methods, whether it's an online PIN, offline PIN or signature, McGuire says. "It's fair to say there are certainly transactions where the value of the PIN authentication is significant, and we intend to continue to leverage that value," she says.
As the council works to address EMV issues, its hope is that the industry comes together in understanding that the goal is to ensure a secure payment environment based on a system of relationships that has worked well over the years, Tomasofsky says.
As such, the council's work could become complicated if an organization or company tries to disrupt the process with a different set of standards to meet its own specific needs, he says.
"It shouldn't be used as a competitive weapon," Tomasofsky says. "There's other ways to compete."