Many moons after the U.S. payment industry adopted a largely chip-and-signature approach to EMV instead of the chip-and-PIN security that’s standard elsewhere, rising merchant chargebacks are leading some to question the wisdom of PIN-free payments.
The sentiment spread this month when many merchants reported an unprecedented surge in chargebacks appearing on their books several months after the Oct. 1, 2015 liability shift for counterfeit card fraud.
The National Retail Federation warns that the chargeback increase signals U.S. merchants are being exposed to new risks because of the country’s unique approach to EMV.
“The lack of a PIN requirement on most EMV cards in the U.S. is creating major problems in verifying the authenticity of the cardholder making a transaction, because a signature alone is not secure,” said Mallory Duncan, senior vice president and general counsel for the National Retail Federation.
To protect against further losses, some retailers that are not yet EMV-ready recently implemented temporary precautions against gift card sale fraud by requiring consumers to use a PIN with their debit card or pay with cash.
Sen. Dick Durbin, D-Ill., last week weighed in with a letter sent to EMVCo, owned by Visa, MasterCard and American Express, asking for specific data about what percentage of EMV cards worldwide are enabled for PIN authentication for every transaction, versus the percentage in the U.S.
Noting that several of EMVCo’s members have “advocated against” the chip-and-PIN approach in the U.S., Durbin asked whether EMVCo thinks the signature-only policy should also be extended elsewhere, including in Europe and Asia, where PINs are required on most credit and debit transactions.
The letter was prompted by Sen. Durbin’s longstanding advocacy for a chip-and-PIN approach in the U.S., a spokesperson for Durbin said. “Lawmakers and the public have no idea what EMVCo is or does, so this letter is trying to get some info,” she added.
Beginning last October, companies that aren’t equipped to process cards via higher-security EMV chips—now present within about 70% of U.S. credit and debit cards—are on the hook for chargebacks from suspected in-store counterfeit transactions, a cost banks previously absorbed.
Fewer than 30% of all merchants have upgraded in-store payment terminals to accept EMV, though several large, national merchants have done so, including Walmart, Target, Best Buy, Kroger and Nordstrom.
Because of the time needed to process disputed transactions, it’s taken several months for the full financial effect of the new arrangement to take shape for merchants. The result: Many merchants that have not completed their EMV upgrades are suddenly seeing an “explosion” of chargebacks, said Mark Horwedel, CEO of the Merchant Advisory Group.
Those retailers fear they may be getting hit not just by the cost of counterfeit card fraud, but by the cost of bogus transactions on lost and stolen cards, as well as “friendly fraud” by cardholders taking advantage of the confusion around the EMV transition, Horwedel said.
Navy Federal Credit Union is one of the few large financial institutions with broad experience supporting both a chip-and-signature and chip-and-PIN approach to its EMV cards, and so far enabling a PIN for credit cards is not causing its customers any problems, said Matt Freeman, the credit union's manager of credit card products. Vienna, Va.-based Navy Federal is the nation’s largest credit union, with a heavy proportion of customers in the U.S. military.
Because many of Navy Federal’s customers live or travel overseas frequently, the credit union needed to make PINs available for all EMV cards. One reason is that some transactions, such as purchasing train tickets at a kiosk overseas, may not allow signature authentication.
“After some experimentation, we found the best solution is to let consumers choose their own four-digit PIN for their EMV cards, by going to our site online or calling us or visiting a branch,” Freeman said. “We’re getting higher approval rates when our customers use the chip-and-PIN approach overseas than when they swipe the cards there.”
Since Navy Federal introduced EMV cards, its counterfeit card fraud rate has declined, as have overall chargebacks, Freeman said.
Walmart and Target are among major retailers that have long advocated for requiring all transactions to use PINs to protect merchants from a broader array of card fraud types.
“[EMV card fraud] risks could be mitigated by adding a second factor of authentication (e.g., PIN) to the payments ecosystem to help protect both the person-present and remote payment transactions,” Kara Kazazean, Walmart’s director of credit and debit acceptance, told PaymentsSource as part of the 2016 Most Influential Women in Payments feature.
Kristy Cook, Target’s group manager for bankcard strategic projects and also a Most Influential Women in Payments honoree, told PaymentsSource her company’s experience has demonstrated that using a PIN for card transactions reduces fraud and chargebacks.
Target’s RED card is set up to handle transactions with either a PIN or a signature, making it easier for Target to observe the difference each security method provides. “Disputes and chargebacks are almost nonexistent with PIN transactions versus signature transactions,” she said.
The logic for taking the unusual approach of bypassing a PIN requirement when EMV was introduced to the U.S. was based on the size and complexity of the U.S. market, plus the fact that counterfeit card transactions account for the majority of card fraud, and EMV chips would block most of that activity.
U.S. payment networks support a “chip and choice” approach to EMV, enabling issuers to let a signature suffice as authentication for credit and many debit card transactions.
The rise of contactless and mobile payment systems like Apple Pay, Samsung Pay and Android Pay, which deploy EMV technology but do not require a PIN for every transaction, has fueled the movement away from PINs.
There was also a concern that adding a PIN requirement to credit cards, which typically require only a signature in the U.S., would deter consumers from using those cards. Plus, fraudsters have already found ways to steal PINs from U.S. debit cards, such as by setting up hidden cameras at ATMs.
The National Retail Federation’s Duncan scoffs at the notion that PINs are inherently risky or confusing for consumers.
“We keep hearing that the static nature of a PIN is highly risky, and we should hold on with a signature-only approach until biometric solutions arrive, but we think PINs are the safest, most efficient and cost-effective of all payment authentication methods available right now,” Duncan said.
Quite a few other U.S.-issued EMV cards have an optional PIN, said Randy Vanderhoof, director of the U.S. EMV Migration Forum. In fact, many recently issued EMV corporate charge cards require a PIN, he said.
“Most corporate credit cards that require a PIN can also be configured to work if a PIN option isn’t available,” Vanderhoof said.
Not everyone agrees that expanding a PIN requirement for all U.S. EMV cards is a panacea for retailers’ various woes.
“The EMV signature approach eliminates counterfeit fraud, which is the lion’s share of it all,” said Eric Grover, a payments analyst with Intrepid Ventures. “The piece of fraud that’s associated with lost and stolen cards isn’t so large that requiring PINs across the board would affect fraud number by more than a basis point or two.”