To PIN, or NOT to PIN - That Is The Question

May 12, 2016 Eric Sampson

This month, Wal-Mart Stores Inc. sued Visa Inc. for the right to require customers to enter a PIN when using a chip-based debit card.  Currently, customers have the option to pass on entering a PIN and write a signature instead.  The problem with that, according to Wal-Mart, is that merchants like Wal-Mart must pay about an additional five cents per signature transaction.  The Wall Street Journal reports that as the most frequently used form of payment at Wal-Mart, debit card transactions account for 70% of the dollar value of card payments for the retail giant.

At the heart of the issue is not just that millions of dollars in chip-based debit card transaction fees are at stake for Wal-Mart and other retailers.  If Wal-Mart wins, the state of the industry could potentially change requiring PINs not only for all chip-based debit cards and but also for all chip-based cards, credit and debit.

Applicatoin Security Testing and Validatoin Webinar

Is using a PIN more secure?  Absolutely.  Is using a PIN more difficult than a signature?  Yes, because a PIN has to be remembered.  Consider for a moment how many cards, debit or credit, the average person holds.  Very frequently, it's more than three.  If entering a PIN becomes a requirement for chip-based card transactions, consumers may balk from making a purchase altogether if they can't remember the PIN.

In Europe, there is a difficult culture when it comes to chip-based debit cards.  PIN use is required, and signature approval is not an option.  Fraudulent payment card transactions are also significantly lower in Europe than in the United States where PIN is required for chip-based cards.  Arguably, Europe is the gold standard for low risk of fraudulent chip-based card transactions at brick and mortar stores.

Presently, there are some key liability differences for the consumer in the United States versus Europe.  In the United States, when a fraudulent transaction is reported, card agreements shift the burden of proving responsibility for fraudulent activity onto the card issuing bank.  Whereas in Europe, if the transaction involves a PIN, it's usually the cardholder's responsibility for the purchase if the cardholder did not properly notify the card issuer of a PIN compromise.

If the question is should Visa and other card brands require PIN use for chip-enabled card transactions, that depends on the card brands' risk acceptance posture.  In the long term, the writing is on the wall.  PIN is here to stay for chip-based card transactions.  What remains to be seen is what will happen next in the short term for Wal-Mart and the rest of the payment card industry.

About the Author

Eric Sampson

Eric Sampson is a Manager at Schellman. Eric began his professional career in 2005 while working as an IT auditor in Philadelphia. Eric executed several critical projects for clients in the areas of information security and Service Organization Controls (SOC) reporting projects. To date, Eric has provided services to clients in the healthcare, information technology, and financial services industries, among others.

More Content by Eric Sampson
Previous Article
5 Ways to Ensure Good Healthcare Security Hygiene
5 Ways to Ensure Good Healthcare Security Hygiene

Security is vital to the healthcare industry. Thirteen percent of CIOs, CTOs and CSOs reported being target...

Next Article
The FIVE Hurdles to HITRUST
The FIVE Hurdles to HITRUST

As larger players in the healthcare industry like Anthem, Humana, and UnitedHealth Group begin to embrace t...

×



Subscribe now
to receive content updates once a week

First Name
!
Success
Error - something went wrong!