Visa: It’s the chip, not the PIN

As chip-based EMV cards become the payment norm for retailers, Visa continues to assert that PINs and even signatures are unnecessary security measures in a rapidly evolving payments landscape.



In a conference call, Visa executives explained why the company is taking the view that not only is PIN verification not a major concern, but neither is obtaining the customer’s signature.



“More than 60% of U.S. payment card transactions do not use any signature or PIN, and we expect that trend to continue,” said Stephanie Ericksen, VP of risk products for Visa.



This figure includes transactions of up to $25 in most retail categories and up to $50 in some everyday categories, such as grocery.



Ericksen cited supporting figures from other countries that use a chip and PIN authentication standard, rather than the chip-and-signature standard that will be mainly used in the U.S. For example, in Australia and Canada, contactless card payments of up to $100 do not require a PIN. The U.K. also recently increased the no-PIN limit on contactless card payments to 30 pounds, or about $40.



Mark Nelsen, senior VP of risk products and business intelligence at Visa, said biometrics are also reducing the need for PIN or signature verification of chip card transactions. [pb]



“Biometrics add incremental security,” said Nelsen. “It’s more convenient way to verify you are the genuine cardholder.”



Other methods retailers are using to prevent card fraud include tokenization, or the replacement of consumer financial data with encrypted digital “tokens” that provide no useful information if hacked. Nelsen said card issuers are now offering additional security measures such as transactional alerts, which send the cardholder a real-time SMS text message if there is any suspicious activity. He said this reduces card fraud by 40%.



Also, Visa is now offering mobile geolocation services which can verify that consumer location matches the location of a physical merchant. For online transactions, geolocation can match the location of a device being used for purchase to the location of a consumer.



“Security is being enabled more and more easily by mobile devices,” said Nelsen.

Looking at the likely adoption timeline EMV will follow in the U.S., Ericksen said in other countries, it took two to three years after the initial liability deadline to have 60%-70% of card transaction volume comply with the EMV standard. Within four to five years, that figure reached 90%.



“It takes time for encryption to be built out on the card side and the enablement side,” said Ericksen. “That’s why we initially announced the 2015 deadline in 2011, to streamline adoption and ensure clarity of the requirements.” [pb]



POS TERMINALS: Ericksen estimated that 30%-40% of POS terminals on the market are equipped with EMV-compliant hardware, meaning they may still need a hardware upgrade and software installation. Thanks to the availability of devices like an EMV-compliant $49 Square reader and desktop POS terminals that cost $100-$200 each, she said the hardware implementation cost in the U.S. is “negligible” compared to the cost in previous EMV rollouts.



Visa estimates it has issued 151.8 million chip cards in the U.S. to date, with about 90 million credit cards and 60 million debit or other form of payment card. This already makes the U.S. Visa’s largest EMV market. About 21% of all Visa payment cards in the U.S., and 33% of Visa credit cards, are now chip-enabled. Fifty-seven percent of all U.S. consumers are estimated to have at least one chip card (including all issuers).



Not that many merchant locations can actually accept chip-based payments. Ericksen estimated 314,000 of the estimated six million to eight million total merchant locations in the U.S. currently have EMV-compliant payment processing capability.



“It depends on the type of merchant,” said Ericksen. “Merchants like delis and dry cleaners don’t get a lot of payment fraud. Visa finds that the majority of EMV-compliant merchants process the majority of our payment volume. It’s the major retailers.”



In one good sign for retailers who have yet to comply with EMV mandate Ericksen said there will not likely be any sudden rush of fraud chargebacks as a result of the liability shift.



“Only cards with chips will be eligible for fraud chargebacks,” explained Ericksen. “The cardholder has to report card fraud, which is investigated by the issuer. If they determine fraud, they may send a chargeback. They may not bother sending a chargeback for small instances of fraud totaling $25 or less. In Canada, the first couple of years after EMV compliance there was an increase in chargebacks, then they declined.”