MasterCard Pushing EMV PIN. Visa? Not So Much

Written by Evan Schuman
February 2nd, 2012

MasterCard’s Monday (Jan. 30) rollout of its roadmap for EMV in the U.S. set it on the opposite side of payment security from Visa, with MasterCard pushing for EMV with PIN and Visa arguing that PIN isn’t necessary. MasterCard is backing up its preference with some serious fraud-dollar forgiveness. Oddly enough, the much-smaller MasterCard has trumped—or, more precisely, nullified—Visa’s position, at least as far as retailers are concerned.

Given that greater-than-99-percent of Visa retailers in the U.S. also accept MasterCard, chains must go along with whichever brand has the more strict requirements. Typically, that’s been Visa, but not this time. On EMV-related PCI relaxations, however, the two brands opted to adopt identical policies.

The calendar part of the timetables are pretty similar, too, with both brands insisting that acquirers be able to handle EMV transactions by April 2013. It’s the post-fraud promises where the two diverge. Visa’s position can best be described as PIN optional, where the brand argues that PIN won’t be needed in the U.S. and that implementing it might serve to slow down consumer acceptance by layering on another behavior change.

Put another way, Visa is arguing that the current EMV chip is so much more secure than magstripe cards today that the small additional level of security delivered by a PIN doesn’t make that much of a difference. And if that small difference causes a slowdown in the card’s acceptance, it may not make ultimate sense for retailers.

MasterCard this week made it explicit that it considers PIN to be the more secure approach and that it will back up that position with dollars. (Clearly, Chip-and-PIN is more secure than chip-and-nothing-else. But I digress.) MasterCard describes a liability hierarchy, with issuers and retailers on sort of a payment seesaw.

If the issuers are considered to be using the less secure approach—which MasterCard defines as anything other than PIN—then they have to absorb the costs of post-fraud cards being reissued, in addition to the direct costs of the crimes. If issuers and retailers are using the same approach, the costs still stay with the issuer. But if the retailer is using the less-secure approach, then it has to pay the fraud bills.

For the record, both brands have the same core position, which is that they are not requiring any retailer to do anything. But they can certainly telegraph their preferences and use money to persuade. “Merchants are free to adopt any technology that they want,” such as adopting EMV or choosing to stay with magstripe, said Colin McGrath, the MasterCard VP for U.S. market development. “We’re not going to dictate a particular cardholder verification approach.”

That said, here comes the carrot and the stick. “If the retailer opts to go for PIN and the issuer is only pushing signature,” McGrath said, “if fraud were to occur, the issuer would be responsible for that fraud.”

Both brands are using the same entry benchmark, that 75 percent of a chain’s payment transactions must be processed through an EMV terminal that supports both contactless and contact. The E-Commerce and mobile implications are unclear. Such transactions today are typically limited to the card number, an expiration date and a CVV, with no practical way to access the chip data. The only way to do that would be with an EMV reader attachment for a desktop/laptop/mobile device, which is certainly not the typical arrangement for most U.S. E-Commerce and M-Commerce transactions today.

Therefore, if a chain has enough online transactions, it might not be possible to process 75 percent of transactions through an EMV reader. Presumably, the intent is to encourage 75 percent of in-store transactions being processed through such EMV-friendly terminals.

If the retailer is pushing 75 percent of its transactions through an acceptable EMV terminal, MasterCard is promising to cut cost recovery in half by October 2013. Two years later (October 2015), MasterCard will make the reductions 100 percent.

Why not make it 100 percent as soon as the retailer hits the percentage of transactions?


2 Comments | Read MasterCard Pushing EMV PIN. Visa? Not So Much

  1. James L. Says:

    When our company switched from AmEx to MC for business travel expenses, I thought we finally had the opportunity for chip/PIN & signature cards to facilitate the travel in Europe. “They’re not available in the US yet”, I was told by the bank representative who conducted the training on the new related expense reporting website. It was interesting to see that the chip card with mag stripe was available to my colleages in Canada.

    I thought the idea with chip & signature was to allow its use in both US & EU markets. One card – dual authorization methods.

  2. Dan Says:

    I want Chip & PIN. With Chip & Signature, sure it has a an EMV chip, but then a fraudster could just steal my card, run it through the chip reader and then sign my name. The PIN adds an extra layer of security as only I (should) know it. At the very least, I would like to see a dual method wherein if the US insists on using Chip & Signature, our cards would work as Chip & PIN in countries where that is the norm. I am just sick of this back and forth. America needs to get off its high horse and comply with the world payment standards. Visa says Chip & Signature, MasterCard wants Chip & PIN and then Amex is mysteriously quiet. All of this talk….the government, banks, acquiring banks and card networks need to work together to make it affordable and easy to fast track EMV.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.