An issuer's decision to deploy EMV chip-and-signature credit cards in the U.S., rather than the chip-and-PIN model common in other countries, has as much to do with technology constraints as it does with Americans' reluctance to using a PIN.
Most U.S. issuers will offer chip-and-signature credit cards, according to a recent study from Aite Group, which predicts 70% of U.S. credit cards and 41% of U.S. debit cards will support EMV by the end of 2015.
Many issuers don't currently have the capability to handle online chip-and-PIN credit transactions at the point of sale, says Julie Conroy, senior analyst and fraud expert with Aite Group. In addition, some processors are not ready to handle online chip-and-PIN.
"One issuer in the U.S. said the only way their processor could do EMV credit card transactions was offline PIN, so that has an additional set of overhead associated with it," Conroy says. "So it was just a non-starter to consider PIN from their perspective."
Conroy wouldn't name the processor, but says, "this is a very big processor, so even if it is only that one, it's a big chunk of the market affected by that one not having the rails to handle chip-and-PIN online."
With an online PIN transaction, the merchant terminal has a direct connection to the issuing bank's servers for real-time PIN verification and transaction authorization. An offline PIN transaction lacks the direct connection and never sends a PIN over the network. Rather, the terminal accesses the PIN stored in the card's chip for authentication on behalf of the bank.
Online PIN payments are generally preferred because they are less expensive to establish than offline and settle transactions more quickly. Offline PIN payments call for issuers to consider how PIN information is maintained on the card and the host system.
Both chip-and-signature and chip-and-PIN EMV standards have proven to significantly deter counterfeit fraud because the chips create one-time codes for transactions. The use of a PIN adds to the security by making it harder to exploit legitimate cards that have been lost or stolen cards.
As such, the argument against online PIN always comes back to the business case, Conroy says.
"There is going to be some investment required to make this happen, and when lost and stolen fraud is only 13 percent of the total problem it is a drop in the bucket compared to what counterfeit fraud is," she says.
Since the major card brands revealed their October 2015 timeline for conversion to EMV chip-based cards, Visa has openly supported chip-and-signature as the easier and faster option. MasterCard favors chip-and-PIN for its security aspects.
Several merchant groups have been outspoken in their support of EMV chip-and-PIN, saying it is not worth the investment for migration to EMV smartcards if the U.S. doesn't go to the more secure chip-and-PIN method.
"It has been circulating for some time that basically the reason the big banks don't want to do PIN on credit is that they don't have the technical capabilities to do PIN online," says Mark Horwedel, CEO of the Merchant Advisory Group. "They are essentially masking this with the assertion that they are trying not to disrupt the habits of consumers at the point of sale."
In addition, U.S. consumers traveling abroad could become targets for fraud or theft because criminals will know their EMV cards likely are not chip-and-PIN, Horwedel says.
Payment processor First Data "is ready to accept chip-and-PIN credit card transactions and were ready to issue chip-and-PIN cards for our issuing clients," says Steve Mathison, vice president of payment acceptance at First Data.
But issuers and acquirers traditionally have not supported PINs for credit cards online at the point of sale because of the need for additional technology, Mathison says.
"It is up to each issuer to determine the most effective cardholder verification method to keep data secure," Mathison says. "EMV has the capability to drive both counterfeit and lost or stolen cards out of the ecosystem."
As such, Mathison understands why some are adamant that issuers deliver EMV chip-and-PIN for credit cards. "To address only one concern means spending significant time, effort and money and then solving only part of the problem," he says.
EMV debit payments won't have the same split approach, because debit cards "have historically made use of the online PIN in the mag-stripe world and will continue to do so in the EMV world," says Philippe Benitez, vice president of marketing for secure transactions at chip manufacturer Gemalto.
But adding PIN to credit card payments is far from impossible, Benitez adds. "These constraints are the same ones faced by other countries that migrated to EMV before us, and they have been solved successfully."
Still, introducing chip-and-PIN credit cards will require changes to the terminal, merchant and acquiring networks and issuing hosts, says Philip Andreae, Oberthur Technologies' field marketing director for payment in North America.
"These changes involve both software and hardware and require the introduction of unique cryptographic functions and secrets to encrypt and protect the PIN," Andreae says.
Supporting offline PIN transactions should not be a problem. "Most EMV-capable devices include the necessary key pad and there is no need to upgrade the network to support the end-to-end encryption of the PIN," Andreae says. However, if a consumer changes a PIN, the offline system requires devices that securely write and synchronize that value to the chip and issuer host, Andreae adds.
"The U.S. has unique challenges and somehow a solution has to be developed that can work for and be agreed upon by all 14,000 banks," Andreae says.