For Credit Card Security, U.S. Banks Need to Rethink PINs


James D. Ratley, CFE
ACFE President and CEO

Verifying a credit card purchase with a signature is less burdensome to a consumer than having to remember a four-digit personal identification number (PIN). Unfortunately, it is also considerably less secure. According to a recent CFO article, the Association for Finance Professionals found in its 2015 Payments Fraud and Control Survey that 61 percent of respondents believe chip and PIN will be the most effective authentication method for mitigating fraud, while only 7 percent saw chip and signature as most effective.

In the coming weeks and months, several major U.S. banks will roll out new credit cards with embedded computer chips for added security. Rather than combining this technology with a PIN, as implemented in countries in Europe, Latin America, the Asia-Pacific region and elsewhere, they have decided (for now) to use the more familiar and traditional verification method of a signature as a matter of convenience for customers.

U.S. credit cardholders must ask themselves which is more of a burden: completing their purchase using a PIN; or dealing with the fallout from a compromised account, stolen identity or damaged credit history? Most people would agree that the latter are frustrating and potentially life-changing burdens that far outweigh convenience.

Chip and PIN security measures combine to substantially decrease the risk of fraud. The technology is not new – European banks introduced it in 2002, and experts predicted then that it would become the global standard. Chip-and-signature authentication, by comparison, comes up short. Signatures can be copied or forged and do not offer the same level of security as a unique PIN known to the legitimate card holder.

Merchant groups agree. In a December 29th letter to the president and CEO of the Independent Community Bankers of America (ICBA), leaders of seven prominent U.S. merchant groups stated that “ignoring PIN technology leaves us all more vulnerable.” The letter goes on to explain: “’Chip-and-PIN’ has already shown success throughout the world and could reduce fraud losses in the U.S. by as much as 40 percent, according to the Federal Reserve Bank of Kansas City. The added security provided when each customer is given a unique personal identification number or PIN has already been shown to make debit card transactions 700 percent safer. Alternatives such as ‘chip-and-signature’ do not provide this level of security. Furthermore, PINs would also make ‘card-not-present’ transactions safer by adding another layer of authentication.”

The message to J.P. Morgan Chase, Discover, Bank of America Corp., Citigroup Inc. and other large banks is clear: consumer protection is paramount. After the massive data breaches involving Target Corp., Home Depot and other large retailers, Americans are looking for reassurance that their personal and financial information is secure. According to a Unysis Security Index, “the top three threats most worrisome in the United States in 2012 were identity theft, bankcard fraud and national security as it relates to terrorism.” More than half of Americans surveyed were seriously concerned about someone obtaining and using their credit or debit card information.

It is true that in today’s digital age, most individuals must remember a host of passwords and codes for various accounts and online activities, including existing PINs for any debit cards they might use. Having another PIN to remember certainly places a burden on the credit card holder. But it is not an undue burden when considering the added level of protection.

For its part, Target announced in the wake of its data breach that beginning early this year, all Target-branded credit cards and debit cards will include chip and PIN technology. If customers at nearly 1,800 Target stores across the U.S. can become accustomed to using a PIN to complete their credit card purchase, fellow Americans can follow suit. In fact, consumers will likely embrace the two-factor security as they have in Europe, knowing it is providing an increased level of protection from credit card fraud.

Certified Fraud Examiners (CFEs), the experts who investigate financial crimes around the globe, know the importance of preventing the next fraud before it occurs. In all frauds, including those involving credit cards, recovering the proceeds of the crime is often difficult or impossible. Whether it be the bank, merchant or customer, someone always loses. When a method such as PIN promises to decrease the incidence of fraud, it should be implemented.

Credit card fraud is a harrowing experience for the victim. Just ask those who spend months or years dealing with investigators, their bank, credit reporting agencies and others just to repair their credit history. The technology is here to better protect consumers from having to take such a journey. The sooner we collectively join our neighbors in other parts of the world in providing both chip and PIN technology, the better.