Earlier this week, the American Banker covered Visa’s EMV chip announcement in a story titled “Visa’s Plan to Drop PINs Leaves Some Concerned About Security.” This headline is misleading as Visa will continue to support PIN authentication, so let me clarify.
Point-of-sale online PIN verification for debit transactions will continue to exist in the United States for some time. In fact, Visa expects that merchant and/or issuer preference for PIN-verified transactions may become more prevalent in the U.S. debit category given recent regulation. Moreover, we recently made announcements to our U.S. clients regarding 2012 enhancements to our core Visa-branded debit product to improve the performance of PIN-verified transactions.
While PIN does provide some fraud protection for lost and stolen cards and has proven to be an effective fraud deterrent in international markets where transactions are sometimes approved “offline,” PIN will forever remain a static data element. And we continue to believe that long-term static data elements, including PIN, can create an increased risk for fraud. An increase in ATM fraud could occur in cases in which the PIN is stolen along with cardholder account information. Long term, we will focus on risk-based and dynamic ways to verify the cardholder, such as one-time passcodes that are sent by text or email for high-risk transactions.
Additionally, the article stated that “In a departure from nearly every other global market that has switched to EMV cards, which are commonly called chip-and-PIN for their most prominent security feature, Visa’s plan excludes PINs.” As already noted, Visa supports online PIN as a cardholder verification method; however, it’s important to note that there are more EMV markets that have implemented chip and signature than chip and PIN.
Bottom line: Visa will continue to support online PIN as a cardholder verification method for debit transactions in the U.S., and at the same time encourages the move toward future adoption of dynamic cardholder verification methods.
Posted by: Eduardo Perez, Global Payment System Security on August 26, 2011 at 1:04 pm