Visa's Chip-And-No-PIN Plans For The U.S. Making Some Nervous

With Visa's clarification on January 13 that its U.S. EMV deployments will include Chip-and-no-PIN, retailers are trying to decide if this is a good thing or a bad thing. On the good side, the move should certainly make it easier for consumers to use EMV cards and have it feel almost exactly like using magstripe cards. On the bad side, this forces retailers to immediately trust the chip technology perhaps a bit more than they want to.

William Titus, the Loss Prevention VP at Sears, wasn't overjoyed at the prospect of deploying Chip-sans-PIN, whether it's on the card directly or embedded into a consumer's mobile device.

"When I think about secondary validation, that gives me more of a warm fuzzy even though we have people saying that I have a more sophisticated chip and that my smart device has got some protection sitting in it," Titus said. "I'm really very comfortable and, quite honestly, Europe and everybody else is using Chip-and-PIN. It's just another step in providing more secure data."

Actually, although Chip-and-PIN is popular in Europe, PIN-less in Europe certainly exists. PIN-mandating countries in Europe include Belgium, Estonia, France, Finland, France, Ireland, Netherlands, Norway, Poland, Slovakia, Sweden and the UK. Euro countries that are not mandating PIN include Spain, Portugal, Italy, Turkey, Germany and Russia.

In Asia, Japan mandates PIN, China does not mandate PIN and Malaysia doesn't mandate PIN but it's slated to start mandating it after 2015. Much of the rest of Asia is mostly signature. New Zealand, India and Australia are all in the PIN optional camps.

In North America, the U.S. is surrounded with a split decision. Northern POS in Canada mandate PIN and Southern POS in Mexico are PIN optional.

In the Visa statement, Visa's head of authentication product integration, Stephanie Ericksen, said the technology that the U.S. will be deploying makes the PINs unnecessary.

"That's because, in the U.S., we can rely on online processing where transactions are transmitted in real time to the issuer for approval. With that in place, there's no need for the offline authentication that was the genesis of Chip-and-PIN," she said, adding: "As a late adopter of EMV, there's a great upside for the industry in the U.S., because we can avoid much of the cost and complexity involved in deploying older generation chip cards, while still reaping all of the benefits of reduced counterfeit fraud."

As a practical matter, though, getting consumers to embrace EMV—unlike, say, how U.S. consumers never even remotely warmed to contactless payment—is all about minimizing any required behavioral changes. And if the transaction can be accelerated at the same time, all the better.

Visa stresses that this can all happen gradually.

"Visa will continue to support a range of cardholder verification methods (CVMs) with EMV chip, including signature, online PIN and no-signature for low-value, low-risk transactions," Ericksen said. "In the longer term, we expect the industry will reduce or even eliminate its use of static verification methods, such as signature and PIN in favor of new and dynamic forms of cardholder verification."Walt Conway, a QSA with 403Labs and the StorefrontBacktalk PCI Columnist, said he expects PINs to be available in the U.S. for quite some time, for a couple of very different reasons.

"Whether merchants require PINs at the POS or not may be up to them, but I expect issuers will include PINs with their chip cards for two reasons. First, some merchants may still want to go with Chip-and-PIN at the POS either for their own risk management purposes or because another card brand requires it," Conway said. "Second, the cardholder will need a PIN if they travel to Canada or Europe where Chip-and-PIN is the norm."

Speaking of those other card brands, Conway wonders if that will force yet more delays. "Although the majority of payment cards in the U.S. market are Visa branded, they are not the only brand. I wonder if retailers will wait for MasterCard and Amex to announce their chip card plans before replacing their retail POS devices?"

Visa is trying to use pricing pressure to push for faster EMV retail adoption, but those efforts are not getting widespread retail IT applause.

The fundamental issue with a PIN-optional approach in the U.S. is retailers having strong faith in the security of the chip alone. With a steady flow of anecdotes raising questions about EMV security, that's not going to be an especially easy sell.

Beyond consumer resistance, retail resistance, the lack of clear direction from other card brands and inconsistent usage in other countries is the obstacle of store associate training.

PIN-less chip cards may speed things up slightly at checkout, but the big problem is the same point of failure that strangled the success of contactless cards: the cashier who only knows magstripe.

During the time that magstripe cards are being phased out, the countertop POS device will have to support a magstripe swipe slot (because magstripe isn't dead yet), a PIN pad (because PIN debit cards will still be around), a contactless/NFC touchpoint (for smartphones and contactless cards) and a contact EMV slot. That's four types of cards (or phones), each with three types of authentication (none, signature and PIN).

And who's the on-the-spot tech support for customers trying to figure out how to use their cards? The cashier—and we already know how that will work out. If something doesn't work, or reacts unexpectedly, or just seems unfamiliar, traditional magstripe will be the automatic fallback.

True, more sophisticated POS devices will be able to prompt customers and cashiers on how to use their cards. For example, an EMV-chipped card will have information in the magstripe that it's chipped, so a POS device could tell the customer to insert the card in the contact EMV slot. Again, we already know how that conversation will go:
Customer: "It's telling me to put the card in the slot. What do I do now?"
Cashier: "Never mind, there are people in line. I'll just override it."

Unless chains make it a point to retrain cashiers out of that habit, we'll have magstripe forever.