The takeaway (across various news outlets and blogs) is that chip and PIN cards, long the standard in other countries, are finally coming to the United States, thanks to the card networks’ October 2015 liability shift.
But is this true? The short answer: Not necessarily … Maybe … It’s complicated.
Here’s the long answer:
We might go chip and signature, rather than chip and PIN
The liability shift, which goes into effect on Oct. 1, 2015, will hold whichever party (merchant or issuer) hasn’t upgraded to EMV chip technology responsible for the costs of fraud (fines, refunding customers, issuing new cards, etc.). In anticipation of this game of liability hot potato, Target has announced it’s going to shell out $100 million to upgrade its terminals to accept chip cards (and add chips to its own REDcards) by early 2015.
So we can all hail Oct. 1, 2015, as the day we start entering PINs for our credit card transactions, just like Canada and a slew of European and South American countries, right?
Perhaps not. There are two main types of authentication when it comes to EMV transactions:
- Chip and signature: The card comes with an EMV chip, and the cardholder signs the receipt to verify identity. This is the standard among the several U.S. issuers that have already started issuing EMV cards.
- Chip and PIN: The card comes with an EMV chip, and the cardholder must enter a PIN to verify identity. This is the standard in the countries that have already adopted EMV.
Here’s the deal: Chip and signature is enough to satisfy the terms of the liability shift. We confirmed this with a Visa spokesperson – and with Philippe Benitez, vice president of marketing with global digital security company Gemalto.
“A more accurate way to describe this transformation that’s happening with the liability shift is that it’s a transformation to EMV technology,” Benitez says.
The migration to EMV is more than a signature-versus-PIN issue, Benitez says. He describes EMV as a “toolbox” that enables both chip and PIN and chip and signature as authentication methods — and encompasses other types of EMV transactions, including contactless EMV (tap and pay) and mobile EMV (the technology behind mobile wallets). While the liability shift requires that merchants and issuers support all those things, whether a card gets a PIN is up to the issuer. And there’s nothing in the liability shift requirements that forces issuers to choose chip and PIN over chip and signature.
So, given that issuers have a choice between chip and signature and chip and PIN, which will consumers see more of as the liability shift goes into effect and their new cards arrive in the mail?
“I think we’re going to see a mix,” Benitez says. “Different issuers may decide to go with one or the other.”
For example, he points out, United Nations Federal Credit Union has already gone full chip and PIN because its cardholders tend to be frequent international travelers (and chip and PIN is often needed at the many unmanned payment terminals abroad at gas stations and transit stops). Other banks with a more mainstream portfolio might opt for chip and signature. For the time being, JPMorgan Chase has separated itself from the rest of the pack, announcing in February 2014 that it would start issuing true chip-and-PIN cards later in the year. Target also announced in May that it will go the chip-and-PIN route on its entire line of REDcards, beginning in 2015.
The idea that chip and PIN may not prevail right away across all issuers in the U.S. may be disappointing to many globe-trotting cardholders (including our forum users) who were fervently hoping the liability shift would push chip and PIN stateside. In addition to the convenience of having a PIN card for international travel, the idea of entering a PIN instead of supplying an easy-to-forge signature is more appealing to the security-minded.
So why wouldn’t all issuers go straight for the PIN right away? Benitez cites two possible reasons. Issuers may be trying to mimic the signing-for-a-purchase ritual that’s already the norm with credit cards. As debit cards adopt EMV, PINs will likely be involved because that’s the ritual that’s most commonly associated with them, Benitez predicts. Another reason is the different ways PIN and signature transactions are processed. A PIN transaction can be processed either online (the card data is sent to the issuer for authentication in real time) or offline (the PIN can authenticate the card without the information being sent to the issuer). Signature transactions require online communication with the issuer, and some issuers may be more comfortable keeping it that way when it comes to credit cards.
Chip and signature isn’t necessarily inferior to chip and PIN
While many are eager for chip and PIN, chip and signature cards are a big step up from magnetic stripe cards when it comes to security, Benitez says. Whether or not a PIN is involved, the EMV chip (and its ability to dynamically encode the card’s information with each transaction) drastically reduces a data thief’s ability to create counterfeit cards out of stolen information.
“Whether we’re talking about chip and signature or chip and PIN, dynamic data is being used, and it’s infinitely more secure than magnetic stripe because the data changes with every transaction,” Benitez says.
A PIN, however, adds an extra layer of authentication that proves the person using the card is its rightful owner – and helps prevent, say, a pickpocket from using your card.
The EMV liability shift is more focused on preventing large-scale catastrophic counterfeit fraud than on preventing smaller-scale fraud from physical theft. While counterfeit fraud still exists in countries that have adopted EMV (thieves will always find a way), losses have decreased dramatically. In the U.K., for example, counterfeit card fraud losses, after peaking a few more times along the way, have fallen from £148.5 million in 2002 (when the U.K. started rolling out EMV) to £36.1 million by 2011, according to Financial Fraud Action UK.
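The dynamic-data point above, as an added example that is not part of the original article: a simplified Python model in which HMAC-SHA256 stands in for the chip's real cryptogram algorithm, and the class names, field names and card values are constructed for illustration. It shows an issuer accepting a copied magnetic stripe value every time, while a captured chip transaction is rejected when it is presented again or when its cryptogram is reused with a new counter.

```python
import hashlib
import hmac
import os

def cryptogram(card_key: bytes, counter: int, amount_cents: int, nonce: bytes) -> bytes:
    """Per-transaction MAC; HMAC-SHA256 is a stand-in for the card's real algorithm."""
    msg = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    """The key stays inside the chip; only cryptograms leave it."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self._counter = pan, key, 0

    def pay(self, amount_cents: int, nonce: bytes) -> dict:
        self._counter += 1  # the transaction counter changes with every payment
        return {"pan": self.pan, "counter": self._counter, "amount": amount_cents,
                "nonce": nonce,  # random value supplied by the terminal
                "cryptogram": cryptogram(self._key, self._counter, amount_cents, nonce)}

class Issuer:
    def __init__(self):
        self._keys, self._last_counter, self._static = {}, {}, {}

    def issue(self, pan: str, static_code: str) -> ChipCard:
        self._keys[pan] = os.urandom(32)
        self._last_counter[pan] = 0
        self._static[pan] = static_code
        return ChipCard(pan, self._keys[pan])

    def authorize_stripe(self, pan: str, static_code: str) -> bool:
        # Magnetic stripe: the same static data is valid for every transaction.
        return hmac.compare_digest(self._static.get(pan, ""), static_code)

    def authorize_chip(self, tx: dict) -> bool:
        key = self._keys.get(tx["pan"])
        if key is None or tx["counter"] <= self._last_counter[tx["pan"]]:
            return False  # unknown card, or a counter value that was already used
        expected = cryptogram(key, tx["counter"], tx["amount"], tx["nonce"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False  # cryptogram does not match this counter, amount and nonce
        self._last_counter[tx["pan"]] = tx["counter"]
        return True

def demo() -> dict:
    issuer = Issuer()
    card = issuer.issue("4000000000000002", "123")  # constructed test values
    tx = card.pay(2599, os.urandom(4))
    results = {"genuine": issuer.authorize_chip(tx)}
    results["same_data_again"] = issuer.authorize_chip(dict(tx))
    reused = dict(tx, counter=tx["counter"] + 1, nonce=os.urandom(4))
    results["old_cryptogram_new_counter"] = issuer.authorize_chip(reused)
    results["copied_stripe_data"] = issuer.authorize_stripe("4000000000000002", "123")
    return results
```

The model covers only the counterfeit-resistance property discussed here; it says nothing about who is holding the card, which is what the signature or PIN step addresses.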
Chip and PIN is still possible in the U.S.
The thing to keep in mind, Benitez says, is that, while the liability shift doesn’t require chip and PIN, it does require the migration to EMV. And EMV is flexible, so issuers can begin assigning PINs down the line.
“Certain issuers will say, ‘I would like to have that added layer of authentication that PIN provides’ and therefore support chip and PIN for credit,” Benitez says.
The bottom line: While your first EMV card from your bank might not be chip and PIN, even after the liability shift in 2015, it’s not out of the question. And, although you might run into problems with unmanned terminals abroad in the meantime, your card will be much more secure than your old magnetic stripe one was.
Updated May 5, 2014