Chip and signature is a joke!
“The fact that we didn’t go to PIN is such a joke,” says Mike Cook, Walmart’s assistant treasurer and a senior vice president, in reference to the USA’s current migration to EMV where chip and PIN or chip and signature are equally acceptable. “Signature is worthless as a form of authentication,” continues Cook, with Walmart preferring a Chip and PIN mandated approach similar to the UK and most of Europe. Not so says Visa Inc. vice president of risk products Stephanie Ericksen, “we don’t see a need for it; [chip and PIN] will have a shorter shelf life. We’re moving to new technologies and innovation.”
So who is correct, Visa or Walmart?
To answer this question it is most instructive to very briefly revisit the origins of EMV.
EMV in its ‘chip and PIN’ incarnation was ultimately designed for effective use in a predominantly offline card authorisation ecosystem (e.g. the UK at that time), thereby enabling issuers to delegate significant ‘authorisation authority’ to the chip without requiring an online authorisation from the issuer’s host system. Interestingly, the UK and most other European geographies are currently in the final stages of moving to a fully online ecosystem.
Back in 2002, following a number of years of unacceptable growth rates in various fraud types, the UK card industry formally began its migration to EMV chip and PIN. Significantly elevated levels of counterfeit fraud was one of the primary drivers of this decision and EMV chip, coupled with PIN as the cardholder verification method (CVM), was seen as the most effective approach given the predominantly offline nature of the UK authorisation ecosystem and the technology and commercial landscape at the time.
A centrally managed, UK-wide migration programme not only addressed the technical considerations and decisions, but arguably more importantly, the challenges that were likely to be faced by the various sets of stakeholders (e.g. industry, merchants, consumers, etc.). These challenges included the significant societal and cultural move away from signatures as the prevalent form of cardholder verification at the point of sale to the ‘high-tech’ PIN alternative already found in ATM transactions (although not chip-based PIN at that time).
The UK chip and PIN programme was ultimately regarded as an industry success and it certainly achieved one of its objectives: reduce counterfeit and lost and stolen fraud numbers significantly. However, this was not without some fairly harsh lessons being learned at the time and since then, for example:
- A credible industry business case was extremely difficult to develop due to varying approaches to risk appetite and management across the industry. Ultimately the view was that there was enough of a case to continue and that it was the right thing for the industry to do at the time (coupled with the ‘do nothing’ option being utterly unpalatable for all).
- Carefully consider the consequences – by effectively mitigating against certain fraud types (e.g. skimming/counterfeit), are you incentivising criminals to supercharge their efforts and focus on other fraud types (e.g. cardholder not present – CNP)? And will these subsequent fraudulent activities lead to a greater problem (e.g. increased CNP fraud) than the one you are solving with chip and PIN?
- A card scheme liability shift mechanism (effective from October 2015 for POS transactions in the US) is critical to drive appropriate and timely actions across the card payments value chain and industry as a whole. The general EMV liability shift rule-of-thumb is that those stakeholders that implement and enable the highest level of EMV capability/technology within their environments will enjoy the lowest risk of fraud loss (e.g. if a merchant implements a fully EMV capable terminal, that merchant will benefit from the liability shift if a magstripe card is presented).
- ATMs should have been one of the first channels to convert. ATMs were a primary card skimming enabler (and still suffer today notwithstanding various mitigating measures and technologies that have been developed over the years).
- Upfront agreement to the phasing out/cessation of CAM (chip) fall-back to magstripe and CVM fall-back is critical to drive desired behaviours and ensure that, for example, cardholders don’t continually ‘forget’ their PINs and therefore continue to rely on signatures. This is of course an extremely difficult and fraught journey for stakeholders to embark upon, especially merchants and consumers, but it has proven time and time again to be the appropriate course of action to support achievement of desired outcomes for EMV migrations.
Surely then, being mindful of these and other learnings, EMV chip and PIN is a must in the US? As ever, it’s not as straightforward as that. There are many factors to consider, not least of which is the cost – financial, operational, customer, social and cultural – of this decision. And apart from cost, are the reasons for deciding for chip and PIN historically still the same today?
Let’s deal with cost first. It is widely established (e.g. UK, Australia, Europe) that implementing EMV chip (typically CDA) is one of the most effective mitigants to skimming/counterfeit fraud. The addition of the PIN element generally mitigates against fraud types such as lost/stolen fraud.
The diagram below provides a perspective on the 2014 card fraud loss landscape in the US. Clearly the predominant fraud types are counterfeit ($3.0bn pa) and cardholder not present ($2.9bn pa), with lost and stolen fraud a not insignificant $0.8bn pa.
Bearing in mind that the US is almost entirely an online authorisation ecosystem and EMV chip and PIN was designed for a predominantly offline ecosystem – does it make sense to invest significantly in infrastructure to support offline PIN?
From purely a financial cost perspective, given significant current economic pressure from all quarters to reduce and manage costs, surely it makes sense to prioritise and focus limited resources on the areas of greatest exposure and impact? In the case of the US, this appears to be counterfeit and CNP fraud losses with lost/stolen appearing as the third priority. Therefore, based on current experience and relatively predictable outcomes, it appears most likely that chip and signature would be the most balanced, cost-effective immediate solution to the skimming/counterfeit fraud issue.
Furthermore, in a world where high-profile data breaches are too common for comfort, this would be a significant step towards rendering card data obtained from these breaches useless in geographies where EMV chip is the only acceptable form of face-to-face card payment type. The caveat however, is that as long as a magstripe exists on today’s payment cards, there is still a risk that, without the application of additional mitigating measures by value chain stakeholders, this data can still potentially be used to commit fraud in online environments (as can EMV cards without additional risk management controls in the online environment – EMV in and of itself does not reduce/remove CNP fraud risk).
One of the next questions is whether the payments ecosystem has changed to the extent that chip and PIN is no longer valid. Clearly the ecosystem has changed dramatically in many respects since the early days of EMV, not least of which is the phenomenal pace of technology advancement in the fraud and risk management space. Much has been written about a multi-layered approach to fraud management (this article will not seek to replicate that discussion) – at this time, EMV should be one component of that multi-layered approach. There are numerous other components such as advanced KYC, real-time behavioural analytics and transaction scoring (with the new breed of self-learning Bayesian modelling beginning to threaten the incumbent neural network based solutions), geographically aware location-based solutions, etc. Many of these solutions did not exist at the time that EMV PIN versus signature decisions were being made in the non-US EMV migrations – needless to say, their existence today significantly influences the considerations that underpin such decisions.
A further, oft-cited justification for ‘ignoring’ PIN is the argument that a large proportion of the general American population is likely to be unable to remember and use their PINs as required. This article cannot support that argument – Americans have been successfully using PIN-based debit card products for many years. For consumers, the EMV PIN experience is identical.
Perhaps a less obvious, but potentially important consideration is how chip and signature cards will be treated outside of the US. Most non-US implementations of EMV have been chip and PIN. US chip and signature cards being presented for payment in geographies that expect chip and PIN are likely to cause significant confusion and friction at the POS.
It is therefore valid to argue that, given the nature of the face-to-face payments ecosystem today and, in the absence of anything else (e.g. removing payment card data from the ecosystem entirely), perhaps chip and PIN is relatively the most appropriate solution. However, when implemented in a predominantly online authorisation ecosystem and in conjunction with a multi-layered fraud and risk management approach, compromising with chip and signature is unlikely to pose the same level of risk it may have done in the past. To Visa’s point, there are other innovations being driven into the market in this space and, while it will take some considerable time for some of these to gain the global ubiquity that is essential to their success, it probably makes sense to balance limited resources, i.e. industry investment, across these innovations in parallel with investment in today’s toolbox for fraud and risk management – of which EMV is definitely a part.
The Walmart position is both valid and unsurprising for a number of reasons – for example, having your till-based check-out staff carrying the burden of authentication, i.e. deciding whether a signature matches the version on the back of the payment card, is entirely unrealistic and has been proven to fail as an effective risk management measure time and again (e.g. there are many examples of ‘Mickey Mouse’ signatures being successfully used in face-to-face transactions…). PIN helps to address this issue, although effective online authorisation screening (e.g. context-aware, dynamic authentication) can be an even more powerful tool in both the face-to-face and online transaction ecosystems. Walmart is also in the position of having already made the investment in a PIN-based strategy – something a number of their competitors are not keen to do.
So, back to our original question, is Visa or Walmart correct. Both actually. There can be no doubt that signature has long been a very poor form of authentication, however, given the US context, implementing PIN where there are more advanced and effective methods of authentication available probably makes less sense today than historically. Value chain stakeholders with potentially significant exposure to fraud risk must consider investing in a sophisticated, multi-layered approach to fraud and risk management. With or without PIN, EMV is not and was never designed to be a standalone silver bullet solution to all payment fraud.