Chip and PIN in the US – why all the confusion?
Bethan Cowper, Head of Global Marketing at Compass Plus
On a recent trip to the US, I was surprised to see how many merchants still don’t accept EMV-enabled cards. As a UK citizen, chip and PIN has been part of my life for well over a decade and the idea of signature and magstripe in today’s forward-thinking, innovative payment landscape seems rather antiquated. I think we can all agree that things have moved along since the 1960s especially as the magstripe has been identified as a main source for US data breaches.
According to the Smart Card Alliance, since the mainstream adoption of chip and PIN cards in the UK in 2004, retail fraud has fallen by 67 per cent. Whilst in Canada, the Canadian Bankers Association announced that debit card fraud losses have dropped 92 per cent from a high of $142 million in 2009 to $11.8 million in 2015. With case studies such as these, why has the United States been so seemingly reluctant to rollout EMV?
Back in 2011, Visa announced their plans to accelerate chip migration in the United States through retailer incentives, processing infrastructure acceptance requirements and a counterfeit card liability shift, swiftly followed by MasterCard’s announcement of their roadmap to enable next generation payments using EMV just under six months later. Over the last five years, EMV has gained both good and bad press in the US media, positives include increased security for card present transactions and the fact this card type is being actively backed by Obama, whilst the negatives generally fall around the substantial costs associated with new hardware and the idea that fraudsters will focus all their efforts on card-not-present environments.
At the time of the October 2015 deadline, whereby the liability for accepting non-EMV enabled cards shifted to merchants, a survey by The Strawhecker Group found that only 27 per cent of US merchants were EMV-ready, a figure not forecasted to reach 90 per cent until 2017. In fact, only 40 per cent of cardholders in the US had been issued EMV-compliant credit cards, with chip debit card issuance delayed due to issues with the networks.
Currently in the United States, the majority of banks are only issuing chip and signature cards, even though according to the Federal Reserve, adding a PIN makes a transaction up to 700 per cent more secure. Whether to issue chip and PIN or chip and signature cards is a choice allowed within the EMV specification and a large number of issuers feel that remembering a four digit PIN is too complicated for the average consumer and will only end in embarrassment and increased calls to customer services. In fact, despite encouragement from MasterCard, most issuers have chosen the signature option as they don’t want to be the first to be associated with the inconvenience of PIN. A little insulting to the American people perhaps, especially if the issuer were to offer the consumer the chance to choose their own PIN.
By introducing chip and signature, it is arguable that the consumer payment environment is instead made more complicated. At this current stage of rollout, it would be completely normal to find a chip and PIN credit card, a chip and signature debit card and a magnetic stripe card of some description in a consumer’s wallet. The consumer has no incentive other than their typical behaviour and card fees to use any one of these cards. If the bank hasn’t issued them a chip card and their credit card number is used fraudulently, the liability isn’t with the consumer. If the merchant wasn’t set up to accept their EMV card, once again this isn’t the consumer’s problem. Given the option of continuing typical payment behaviours or having to type a PIN, the consumer will go for the path of least resistance; not because they can’t remember four digits but because old habits are hard to break.
Today, it is estimated that 50 per cent of merchants have the hardware to accept EMV whilst only 20 per cent have turned it on. Wait-times for certification and testing can be up to six months and set-up tends to be a long customised process. Whilst high profile security breaches have made merchants more cautious about fraudulent activity, many say the risk of fraud is still less costly than that of upgrading their instore devices, especially with contactless and NFC terminals on the horizon. However, ultimately fraud will only increase as more merchants become EMV-compliant, leaving a smaller pool of resources to target.
Whilst arguments around the chip and choice options continue, consumers are suffering from a distinct lack of education on the choices available to them. Chip cards are touted as more secure by issuers, but no further explanation is provided and it has been left to the merchants at the POS to pick up the slack. In comparison, the rollout of EMV in the UK was by no means seamless, however, it was mandated. A date was set, everyone (issuers and merchants alike) was told to be ready for that date and there were countless campaigns across all media to educate the public. On the deadline everyone had a chip and PIN card, which was accepted everywhere.
The current chip ‘combos’ available in the United States has resulted in a non-unified experience which is making consumer use less likely to be habitual. Many predict that people will use chip and signature until this evolves to mobile payments. What they don’t mention is that the people that are uneasy about entering their PIN are unlikely to be early mobile payment adopters. For any payment behaviour to feel natural it needs to be consistent. Whilst implementation is staggered across all mediums with cardholders in chip and choice limbo and merchants in various stages of implementation consumers aren’t being given the opportunity they need to build secure payment habits.