
EMV’s Signature Moment

While PINs are more secure, signatures are by far card issuers’ preferred authentication method for U.S. EMV credit cards. Why?

By the time you read this, the big EMV deadline will be anywhere from 15 to 30 days away. Yet, with so little time remaining, the effort to implement the chip card standard in the United States faces any number of hurdles, from certification headaches to lagging merchant terminal adoption.

And you can add one more item to the list: the PIN vs. signature controversy. It’s one of the oldest disputes in the brief history of American EMV, but merchants are still wrangling with banks over the question of whether chip cards should be universally issued with PINs—credit cards as well as debit.

Merchant groups have aggressively pushed PINs for EMV ever since the card networks got serious four years ago about the conversion from magnetic-stripe cards to the chip card standard. But most U.S. financial institutions that have issued EMV credit cards so far have overwhelmingly done so with the signature authentication so familiar from decades of card swiping.

In fact, issuers are so entrenched in signature-card issuance that some experts see signature-based EMV credit cards as a fait accompli. “This train has left the station whether it’ll be PIN or signature,” says Nick Holland, a senior analyst at Javelin Strategy & Research, Pleasanton, Calif., who follows EMV.

But the issue simply won’t die, even with a crucial deadline only weeks away.

By card-network rules, merchants that aren’t prepared to accept EMV chip cards by Oct. 1 will assume liability for any losses from counterfeit fraud (some networks add lost-and-stolen fraud)—losses that are currently borne by the issuer. The issuer will continue to bear those losses if the card involved isn’t EMV-compliant.

‘Worthless’ Signatures

Despite the deadline’s proximity, merchant groups aren’t giving up. They’re adamant that PINs are surer barriers to fraud than signatures, which a number of retail executives over the years have dismissed as “worthless.”

Their latest salvo came out in July in the form of a survey of 84 IT decision makers conducted in May and June by business-technology company Randstad Technologies. The study not only concluded PINs were superior to signatures, it all but called for an industry mandate that issuers adopt PINs. Nearly two-thirds of the respondents preferred PIN security for EMV.

“The majority (66 percent) believe chip and signature does not offer ample security and that PIN technologies should be required,” reads a Randstad summary of the survey results.

“If there’s anything surprising in these numbers, it’s that nearly six percent of respondents believe that mag-stripe technology offers sufficient security,” the summary continues. “That’s a perspective that’s been undercut on many occasions by costly security breaches to a number of prominent businesses.”

Merchants are also questioning why they’re spending so much time and money on EMV training and installations when their chip readers will end up accepting only signature-based credit cards.

“Retailers are investing billions to implement new chip-enabled card readers in stores nationwide. They’re asking banks and credit unions to meet that commitment by issuing new chip cards with PINs,” says the Arlington, Va.-based Retail Industry Leaders Association in a recent press release.

The retailer faction received further support this summer from no less a figure than a governor of the Federal Reserve Board.

“New approaches to authentication increasingly offer greater assurance and protection. Given the current technologies that we have at our disposal, we should assess the continued use of signatures as a means of authenticating card transactions,” said Fed governor Jerome H. Powell in a speech given late in June at a payments conference at the Kansas City Fed.

To be sure, some financial institutions have gone with something they refer to as “chip and choice,” an approach by which they support online PIN authentication as well as signature.

A prominent example is Raleigh, N.C.-based State Employees Credit Union, the second largest credit union in the country. SECU issues all of its EMV credit cards with PINs and allows its cardholders to authenticate with either the PIN or a signature, says Leanne Phelps, senior vice president for card services.

So far, though, less than one-half of 1% of all of SECU’s credit card transactions have been PIN-authenticated. And of the 120 million or so EMV cards U.S. financial institutions had issued by the start of the year, the great majority were credit cards requiring only a signature from the cardholder.

That number is expected to balloon to 600 million by the end of 2015, according to the EMV Migration Forum, an industry trade group. Most will still be credit cards, and no one’s betting that any appreciable number of them will require a PIN.

‘Pretty Stupid’

So, with merchants insisting on PINs for EMV, and with few doubting that PINs are more secure, why are banks and credit unions mostly issuing signature-based credit cards? The reasons are manifold, but fall into three broad categories: consumer experience, return on investment, and processor capability.

Experts cite consumer familiarity with signature-based credit cards—along with a dearth of consumer education about EMV—as a prime reason issuers are sticking with signature authentication.

They don’t want to see their cards disfavored by consumers who aren’t accustomed to memorizing and entering a PIN. Typically, if you forget your PIN, it’s hard to start all over and use a signature. “If your card is suddenly harder to use, you lose top of wallet,” notes Rick Oglesby, senior analyst at Double Diamond Research, Centennial, Colo.

So, “issuers are defaulting to the method they know always works,” says Louis Buccheri, an analyst at Auriemma Consulting Group, New York City.

Besides that, the type of fraud issuers are most concerned with is counterfeit fraud, which chip cards are pretty effective at preventing. Lost-and-stolen fraud, which PINs would prevent, comes to a much smaller total.

Indeed, of all card-fraud losses, 37% are attributable to counterfeit cards, compared to 14% for lost-and-stolen cards, according to a study of 18 of the 40 largest issuers conducted in 2014 by Aite Group, a Boston-based research firm.

That makes it harder for issuers to justify investments in credit card operations to handle PIN resets, among other back-office changes. “Lost-and-stolen is the only thing PIN buys you [as an issuer]. It was a pretty easy business case for chip-and-signature,” says Julie Conroy, a senior analyst at Aite.

Finally, issuers that are supporting online PINs with EMV credit cards, like SECU, are doing so with in-house systems. Or they’ve signed up with a processor that can handle credit card PINs.

But it turns out some processors that handle card transactions on behalf of issuers haven’t geared up for PINs on credit card transactions, say Conroy and other experts. “A lot of the [third-party] issuer systems on the credit card side are really pretty stupid,” says Steve Mott, principal at Stamford, Conn.-based payments consultancy BetterBuyDesign.

How Long?

Most markets around the world that have adopted EMV, such as Canada and the United Kingdom, are using offline PIN authentication. In this configuration, the card relies on its embedded chip to match the PIN entered at the terminal with the encrypted PIN in the chip. But this method relies on a more powerful, and hence more expensive, chip.

That’s another thing that makes EMV credit cards a more costly proposition for issuers. After all, they’re also racing to get cards out the door, and not just because of the liability shift. They know that the last mag-stripe issuer will be the one on which the fraudsters will focus all their considerable resources.

Still, no one is ruling out EMV credit card PINs forever. The superiority of PINs over signatures can’t be denied, after all, when cardholders catch on and start asking about the matter. It would just be nice to know how long that’s going to take.


Digital Transactions