Planning for a post-PIN world
Back in the early days of the 21st Century, there was a huge burden of responsibility on the shoulders of every retail sales assistant or checkout clerk.
In those pre-chip days, when lost, stolen and counterfeit card fraud were the big security threats, the checkout clerk was the last line of defence.
If anything looked suspicious, they were expected to confront their customer – or leave their employer liable for fraudulent transactions.
The chip and PIN combination brought an end to this. The chip showed the card was genuine and the PIN that it wasn’t lost or stolen.
Fast forward to today, and counterfeit fraud has dropped significantly. As the potential to use the magnetic stripe on cards diminishes further, so too does the remaining fraud threat [1].
Meanwhile, it’s become clear that today’s criminals have little appetite for fraud based around lost or stolen cards. As contactless became commonplace, there was widespread concern that lost and stolen fraud losses could balloon. In fact, at 0.01%, contactless has one of the lowest fraud rates of any transaction type [2] – suggesting that today’s criminals find lost and stolen fraud too problematic and unwieldy to scale.
Meanwhile, for businesses, banks and the payments industry, there are other easier, surer ways to verify the customer’s identity. Much of the work is done in the background. With almost all transactions now going online, AI-powered fraud detection systems can spot suspicious spending or behavioural glitches with extreme accuracy. Then, when step-up verification is warranted, today’s consumers prefer biometrics – taking to fingerprint or face-scanning technology with unexpected enthusiasm.
Also, as consumers, many more protections are available to us. Today, for example, if our card goes astray, the immediate instinct is to block-and-lock its use via our mobile banking app. If we find it again, we can unblock it. If not, we can report its loss and get it reissued. And, all the while, we know we are protected by a zero-liability guarantee.
So, as an industry, we should probably ask ourselves three questions.
1. Is the PIN still necessary?
Today, from a risk as well as technological perspective, we have less of a need for customers to actively identify themselves. Where it is necessary, more elegant and effective solutions – like biometric, behavioural and contextual information – are available.
2. Is the PIN getting in the way?
First, there’s the impact on the customer experience.
The more accustomed consumers are to contactless transactions, the more of an intrusion PIN entry becomes. Also, consider the consequences when the PIN is forgotten and needs to be re-set – in some markets, the card itself has to be reissued and, everywhere, it creates friction.
Second, there’s the impact on innovation.
If we continue to regard PIN as fundamental to the way our business operates, we limit everyone to a point-of-sale configuration that accommodates the PIN. This, in turn, adds cost, creates complexity, and limits potential.
Consider, for example, the latest generation of tap-to-phone or SoftPOS solutions: software-only mobile applications which enable the acceptance of contactless payments using nothing more than a standard smartphone. These don’t and can’t support some prevalent PIN configurations (namely offline PIN where, for historical reasons, the PIN verification is handled between the acceptance device and the chip).
3. What could life beyond PIN look like?
By migrating away from PIN, we could reimagine the very nature of face-to-face payments.
We could continue the migration away from static data and its inherent security risks (for example, the way tokenisation replaces a static card number with a dynamic equivalent, unique to that merchant or channel, that can be changed over time). And, by relying more fully on contextual, behavioural, biometric, and AI-driven authentication solutions, we could make the payment experience ever simpler and more seamless.
We could also enable a fuller convergence of card present and card not present acceptance methodologies, rid ourselves of a distinction that is becoming an anachronism, and embrace an acceptance methodology that can be applied to all payments – irrespective of location, device, or channel.
So, what am I advocating here?
I am simply making the point that the trend is leading us away from PIN usage and this is something that, as an industry, we ought to embrace.
PIN can’t and shouldn’t be eliminated overnight. But we should start to envisage a life beyond PIN and, as an industry, start to plan for this eventuality. We should also avoid any significant investments that needlessly perpetuate the use of PIN.
We already benefit from universal standards, like EMV chip, 3DS, and tokenisation, that can be further evolved, provide a basis for next-generation solutions, and enable the industry to build on past investments.
Let’s remind ourselves of the PIN’s original function. It was only ever intended to guard against lost and stolen fraud and relieve the burden of responsibility on the checkout clerk. Today, that rationale is redundant – and we ought to be thinking about how we can make PIN redundant too.
[1] European Central Bank, Card Fraud Report, 2021: https://www.ecb.europa.eu/pub/cardfraud/html/ecb.cardfraudreport202110~cac4c418e8.en.html#:~:text=Over%20the%20five%2Dyear%20period%20from%202015%20to%202019%2C%20the,card%20fraud%20decreased%20by%2011.3%25.
[2] Visa, The opportunity for contactless in the UK, 2021: https://www.visa.co.uk/visa-everywhere/blog/bdp/2021/02/09/the-opportunity-for-1612892621595.html