This is page 2 of:
Visa’s Chip-And-No-PIN Plans For The U.S. Making Some Nervous
Walt Conway, a QSA with 403Labs and the StorefrontBacktalk PCI Columnist, said he expects PINs to be available in the U.S. for quite some time, for a couple of very different reasons.
“Whether merchants require PINs at the POS or not may be up to them, but I expect issuers will include PINs with their chip cards for two reasons. First, some merchants may still want to go with Chip-and-PIN at the POS either for their own risk management purposes or because another card brand requires it,” Conway said. “Second, the cardholder will need a PIN if they travel to Canada or Europe where Chip-and-PIN is the norm.”
Speaking of those other card brands, Conway wonders if that will force yet more delays. “Although the majority of payment cards in the U.S. market are Visa branded, they are not the only brand. I wonder if retailers will wait for MasterCard and Amex to announce their chip card plans before replacing their retail POS devices?”
Visa is trying to use pricing pressure to push for faster EMV retail adoption, but those efforts are not getting widespread retail IT applause.
The fundamental issue with a PIN-optional approach in the U.S. is retailers having strong faith in the security of the chip alone. With a steady flow of anecdotes raising questions about EMV security, that’s not going to be an especially easy sell.
Beyond consumer resistance, retail resistance, the lack of clear direction from other card brands and inconsistent usage in other countries is the obstacle of store associate training.
PIN-less chip cards may speed things up slightly at checkout, but the big problem is the same point of failure that strangled the success of contactless cards: the cashier who only knows magstripe.
During the time that magstripe cards are being phased out, the countertop POS device will have to support a magstripe swipe slot (because magstripe isn’t dead yet), a PIN pad (because PIN debit cards will still be around), a contactless/NFC touchpoint (for smartphones and contactless cards) and a contact EMV slot. That’s four types of cards (or phones), each with three types of authentication (none, signature and PIN).
And who’s the on-the-spot tech support for customers trying to figure out how to use their cards? The cashier—and we already know how that will work out. If something doesn’t work, or reacts unexpectedly, or just seems unfamiliar, traditional magstripe will be the automatic fallback.
True, more sophisticated POS devices will be able to prompt customers and cashiers on how to use their cards. For example, an EMV-chipped card will have information in the magstripe that it’s chipped, so a POS device could tell the customer to insert the card in the contact EMV slot. Again, we already know how that conversation will go:
Customer: “It’s telling me to put the card in the slot. What do I do now?”
Cashier: “Never mind, there are people in line. I’ll just override it.”
Unless chains make it a point to retrain cashiers out of that habit, we’ll have magstripe forever.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
