There are lots of ongoing discussions around EMV payments in the US; PIN versus signature, contactless, mobile payments (firmly back on the table after the introduction of Apple Pay), tokenization, as well as transit payments, to name a few.
The one going on the longest has to be the back and forth between the payment systems
and US issuers on the card verification method (CVM) that should be used for consumers to authenticate EMV payments: personal identification number (PIN) or signature? – writes David Worthington – Principal Consultant Payment & Chip Technology.
Let’s take a look at some of the arguments:
Is PIN more expensive?
From a business perspective, there is a myth that deploying EMV payments with a PIN CVM is automatically more expensive. While software needs to be bought to manage the PIN, it’s not necessarily more expensive long-term. This has been seen in the other EMV regions as fraud is reduced significantly which has the knock-on effect of lowering reissuance and therefore costs.
Online and offline transactions?
Technologically, having a PIN CVM is most secure. But the debate really comes down to the issuer’s decision regarding ‘online’ (when the terminal dials out to connect to an acquirer to process a card transaction and request an authorization) and ‘offline’ transactions (when the terminal does not dial out for authorization).
With the added security that PIN brings, cardholders will be able to make a payment both online and offline, without issues. With signature as the CVM, there will be no issue making online transactions but offline transactions may cause problems. When the card profile is set up for offline transactions, a limit is set for the amount that can be spent without a CVM. As offline transactions tend to be at a kiosk where there is no cashier to check the signature, the payment has to be processed without a CVM and if it is more than the pre-set amount, it will be declined. Not great for the cardholder.
Plan for EMV mobile payments
Politically speaking, Visa is flying the flag for signature as a more short term solution as it might be possible to deploy EMV chip quicker. American Express, Discover and MasterCard, on the other hand, are pushing for PIN CVM to be the norm, stating that the US should build the platform that can be used further down the line with new technologies link mobile payments.
Using a CVM like a PIN, or with Apple Pay using fingerprints biometrics, will protect the US payments system. There is then the option to allow some card/mobile payments without a CVM (such as a low value contactless ‘tap and pay’ at a vending machine. Thinking about signature as a CVM more broadly, if the cashier does not check the signature then this is effectively a payment without any authentication anyway (worthless for security, yet costing US Merchants 100’s of millions of dollars to capture and store electronically or on paper), voiding security for the higher value/risk transactions too.
EMV payments business model
These are just a handful of points in a wide-ranging discussion. Overall, the market is hugely complex and every bank is coming to EMV payments from a slightly different situation. The end decision will come down to the business model. For issuers wanting a watertight solution with the highest levels of payment security that can be used online and offline with no trouble for the user, PIN is the way forward. For those happy with the increased fraud risk and the possibility of users’ cards being declined for offline, signature could be just fine.
For the more forward thinking institutions, thought also needs to be given to EMV for mobile NFC payments and particularly tokenization, where CVMs need to be managed in terms of different channels and tokens.
But that is a whole different discussion…