Mastercard’s signature drop eases user experience, but hikes security pressure
Merchants will no longer need to require a signature for any credit or debit transactions in the U.S. and Canada next year, a move that underscores the fast-changing environment for card security.
Merchants for years have complained about the porousness of signatures as a customer verification method and Mastercard finally acknowledged the reality in a Thursday blog post announcing the signature requirement will end after April of 2018.
Mastercard said more than 80% of its in-store transactions already occur with no signature, under its Quick Payment Service rules that went into effect in 2012—currently mirrored by other card networks—requiring no signature for supermarket and discount store transactions up to $50 and all other transactions up to $25.
Visa, Discover and American Express have so far remained mum on Mastercard’s move, but observers expect the other card networks will eventually follow suit.
The heat will now be on card networks to reassure consumers of card security through other methods, during the ongoing barrage of data breaches that could undermine consumers’ confidence in cards, observers day.
For merchants, the move should help streamline checkouts and improve consumer convenience, but their biggest benefit will be relief from the previous requirement to physically store a copy of the signature, analysts say.
“Large merchants have said that storing receipt signatures was ridiculously expensive for something that added absolutely no value to payment security,” said Julie Conroy, research director at Aite Group.
Participating merchants also will need to reprogram terminals that currently prompt for signatures, experts said.
The Merchant Advisory Group (MAG) applauded Mastercard’s move, noting that signatures long ago lost effectiveness as an authentication method because they were so easy to spoof and virtually impossible to verify, while better methods of authentication were available, including PIN and emerging digital solutions including tokenization and biometrics.
“Chip technology is an improvement to validate a payment credential but without a PIN, the consumer in possession of the payment card is not authenticated and signature still offers no proof the customer is legitimate,” said Laura Townsend, MAG’s chief operating officer.
MAG continues to advocate for PINs to provide additional layers of security for lost and stolen cards, along with multi-factor authentication, when warranted, for higher-risk transactions, Townsend said.
Dispensing with signatures is long overdue, analysts agreed, and card networks are now fast-tracking development of new card-security methods: Adding layers to card authentication processes for in-store and online transactions, including enabling consumers to block their own cards when they’re at risk; creating programs enabling merchants to more easily store and manage tokens instead of card numbers, and developing a range of specialized digital and biometric platforms to escalate verification on risky transactions with multiple factors.
“Signature is not a great cardholder verification method to begin with, because cashiers don’t always check the receipt against the card, undermining the original purpose which was to prove an imposter was using the card in case it was lost or stolen,” said Zil Bareisis, a senior analyst with Celent.
Mastercard said there is no change in liability for merchants; the existing chargeback rules implemented with the EMV migration still apply.
The option to eliminate signature verification only applies to the U.S. and Canada; Mastercard said other regions are still evaluating a change in rules.