Stax - A global strategy consulting firm

Using Signatures with Chip Cards Is the Wrong Move

Banks give a lot of reasons for providing chip cards that work with signatures, rather than four-digit PIN codes, but none of them are convincing.

As pressure mounts on card issuers to offer chip-and-PIN cards, why are so many banks clinging to signatures?

Last week, nine attorneys general sent a letter to the big card issuers (including Discover Financial Services, Bank of America, Capital One, Citigroup, American Express and JPMorgan Chase), Visa and MasterCard, demanding they support the use of PINs. The letter is surprisingly illogical given the source — it mainly talks about the dangers of hacking, data breaches and identity theft, none of which would be affected by switching from chip and signature to chip and PIN. But the overarching point — that card issuers ought to do their utmost to secure card payments and that chip and PIN is more secure than chip and signature — is right.

Requiring PINs on every transaction would make it much harder for fraudsters to use lost and stolen chip cards; they would have to know or guess the PIN for the payment to go through.

Large retailers are also pushing banks to support PINs. Retailers can get a lower interchange rate on PIN transactions, and they perceive them to be more secure. (However, some retailers balk at the idea of requiring PINs for credit cards, especially during the busy holiday season when lines are already long.)

U.S. banks that don't offer four-digit PIN codes make "a big, big, big mistake," said Mehmet Sezgin, head of global payment systems at BBVA. "Chip and PIN is making the contactless experience for cardholders easier, faster and better."

Banks give a number of reasons for going with chip and signature rather than chip and PIN on their new cards (which are called EMV cards, after the Europay MasterCard Visa standard). About 30% of U.S. banks don't have the software and hardware to accommodate PINs with credit transactions, according to Steve Mott, CEO of BetterBuyDesign, a consulting company based in Stamford, Conn. They would have to make multimillion-dollar upgrades to their card systems, and many feel that since they already invest heavily in fraud detection software, they don't need to spend on this. Some say they want to make the migration to EMV as smooth as possible, and asking consumers to create a PIN for their credit cards would confuse them and slow things down.

Sezgin dismisses such excuses.

"Everybody uses a PIN for their debit card. It's not like you're introducing a whole new thing," he said. "People in the U.S. for the last 40 years have been using PIN for ATMs." In many countries people can easily change their PINs at ATMs or through a call center.

Others defend the banks' position. "There's already significant confusion at the checkout counter," said Brett Conradt, director of the Boston-based consulting firm Stax. A recent Stax survey found that 36% of consumers don't know if they have a chip card or not. Roughly 45% of consumers find the process of dipping their cards confusing the first time, and say it adds 50 seconds to their checkout time. Only 37% of consumers who have used an EMV card felt that the sales associate or cashier was knowledgeable about the cards.

"That's just with moving from swiping to dipping," Conradt said. "If you factor in having to add a PIN to that, there could be more confusion there."

If the EMV rollout were cleaner, chip and PIN would make sense, he said. "The rollout has been somewhat of a mess, and the fact that it wasn't completely standardized caused a lot of confusion," he said. Requiring people to go to PIN at this point is a well intentioned but misdirected effort, in his view.

Banks point out that lost and stolen card fraud accounts for less than 15% of overall card fraud.

And no issuer wants to have the card that's hardest to use. "If I have three cards in my wallet and one of the cards requires a PIN, and at checkout I can't remember the PIN and I'm flustered, I might stick with a card that doesn't require a PIN," Conradt said. "Being the only issuer to require a PIN puts the issuer in a tough spot."

Mott points out that the benefits of the current chip-and-signature cards are slim. While magnetic stripes continue to be present on all chip cards and accepted by all chip terminals, there will be little savings from counterfeit fraud anytime soon. Online fraud, which EMV does not address, has already begun to grow.

"So the only near-term bang for buck in investing in and putting up with all the problems we're experiencing in implementation would be deployment with PIN — which effectively combats fraud from lost and stolen cards," he said.

In the ideal world, large card issuers would offer chip-and-PIN cards and educate cardholders on how to use them, thereby minimizing or eliminating the confusion. It's the right thing to do and would provide a perception that card issuers are doing everything they can to help protect cardholders and retailers.

We'd like to hear from you Contact Stax