Chip-and-PIN, or Chip-and-Choice? EMV Liability Shift For PIN Transactions

With US EMV adoption well under way in the US, merchants are in the next phase of decision making for their EMV environment, for those terminals and solutions that support it. Should I force chip and pin when the issuer supports it, or should I allow chip and choice? It’s a tough decision and the answer is not the same for everyone.

Point-of-Sale (POS) systems vary in both implementation and capability. For example, a salesperson for a popular POS solution I spoke to told me they don’t support chip and pin. He actually said, “Since debit card processing costs are the same either way now with regulated debit, pin doesn’t really matter any more anyway.” Not true.

Consider the implications for a specialty retail environment with higher average value transactions, such as building supply, automotive parts, and electronics.

RETAIL: HIGH VALUE
FORCED CHIP & PIN CHIP & CHOICE
PROS Maximize profit potential 3 ways: highest security supported to shift counterfeit fraud to issuer; Even with regulated debit, there’s some financial differential for sending transactions via debit network, though vastly decreased. Finally, not all debit is regulated, and costs do vary. Less friction at the point of sale, faster checkout.
CONS While consumers know their debit pins, studies estimate consumers’ knowledge of credit card PINs at 5-10%. What is financial impact if customer cannot recall pin, fallback to signature is not allowed, and customer has no other payment method? Potential losses based on US EMV liability shift rules which require the highest level of security to shift back to issuer; may vary by brand for counterfeit, lost and stolen cards.

As with everything EMV, there are many moving parts to certifications for chip card acceptance. In order to have a choice, the merchants ecosystem from terminal to payment gateway, if applicable, acquirer, etc must all support it, which may be a tall order.

IMPORTANT: This article highlights a few items and does not cover all brand, business type, transaction type, card type, nor reasons for determining liability. Refer to various card brand core manuals or your acquirer for more specific details about EMV and card acceptance rules.

RESOURCES & ARTICLES AROUND THE WEB

To avoid issues with broken outside links over time, please copy the URL’s below into your browser.

https://www.mastercard.us/en-us/about-mastercard/what-we-do/rules.html

Chip & PIN vs. Chip & Signature

Best article for thoroughness. October 2014 http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/

Chip-and-PIN, or Chip-and-Choice?

Worth a look. February 10, 2014, By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed. http://takeonpayments.frbatlanta.org/2014/02/chip-and-pin-or-chip-and-choice.html

Chip & Choice Keeping Security Flexible

From Visa web site today, great illustration on impact of choices in different market segments. https://www.visa.com/chip/clients-partners/issuers/credit-card-chip-technology/chip-and-pin-choices.jsp

Chip-and-PIN vs. ‘chip-and-sig’

Good global overview and stats By Janna Herron · Bankrate.com, August 28, 2013
 http://www.bankrate.com/financing/credit-cards/chip-and-pin-vs-chip-and-sig/#ixzz4ALnE5Ps9
“What’s the difference? What separates the two is how each is authenticated at the register. Chip-and-PIN cards require a personal identification number to be entered to complete a purchase, much like how many debit card transactions are carried out now with magnetic stripe cards.” Read more: http://www.bankrate.com/financing/credit-cards/chip-and-pin-vs-chip-and-sig/#ixzz4ALnUjB9D

Visa Core Rules AND OTHER CARD BRAND RULES

Merchant Alerts & Rules Links

 

 

EMV chip and pin liability shift hidden merchant risk

EMV terminal and EMV technology selection can impact merchant liability depending on chip and pin capabilities and management of them. Use this information to ask key questions before selecting an EMV solution.

Liability shift for stolen cards for MasterCard, American Express, and Discover

  • If the card is chip & sign, and the terminal is EMV only, the card issuer is liable
  • If the card is chip & pin, and the terminal is EMV only, the merchant is liable
  • If the card is chip & pin, and the terminal is EMV with pin, the issuer is liable

What if the terminal supports EMV & pin, but the customer does chip & sign? The merchant is liable.  Acquirers generally support chip and pin bypass to chip and signature. The only way to effectively manage liability is to steer customers to the action protecting the merchant.

emv fraud liabilityTerminals may be able to be programmed to disable pin bypass; First Data ships terminals with PIN bypass disabled.

  • Integrated payment gateways and and standalone virtual terminals can also drive terminals; because the terminals have no programming, the payment technology must have the capability to dynamically determine the best way to process, and prompt the consumer to the actions allowed. This is a tall order for most gateways, as they do not have that type of dynamic capability, and or, the gateway may not have the needed EMV certification. CenPOS disables the consumers ability to select signature over pin at the POS.

The entire EMV transaction process is certified. If an EMV certified terminal, including integrated or non-integrated payment gateway with terminal, doesn’t support the option to require chip and pin when the card issuer supports it, merchants need to weigh the associated financial risks.