PINs, Signatures and Countering Fraud

Trotting through the shiny new airport terminal in Brussels recently, I was surprised to be asked to verify my credit card purchases in the duty-free shop with a PIN instead of a signature.

The last time this happened was when I used my Visa debit card in the U.S. late last year, so I was surprised to see the use of PINs in place of signatures in Europe - and on credit cards too.

In the U.S., many outlets are switching users over to PIN-verified debit card purchases, so that the transaction is carried over ATM networks such as Plus, Cirrus and others, instead of the normal Visa/MasterCard network. Because of this, the merchant typically pays 15 cents for PIN-based transactions - around a quarter of what they pay for debit card transactions routed through their Visa/MasterCard transaction processor. The situation in the U.S. has become so competitive that Visa and MasterCard are now offering incentives on a growing number of debit cards to persuade cardholders to use their signature to verify a transaction. If you use a PIN with your debit card, it seems, you don't get the bonus points or cash rebate.

Some U.S. banks are even resorting to charging fees if you use a PIN to verify a transaction at a retailer - in a study carried out earlier this year in New York state, for example, 57 per cent of banks were found to impose such fees, which range up to $1.50 per transaction.

While all of this is hardly surprising, it doesn't help any on the anti-fraud front, since PINs are infinitely more secure than signatures. This is because PINs - even those where the cardholder chooses their own number - are mainly stored on the financial institution's central computer system, and are generated using highly complex algorithms.

When European cardholders choose their own PIN, the difference between the chosen PIN and the original one - known as the PIN offset - is normally stored on the magnetic stripe of the card. U.S. cards tend to have a narrower magnetic stripe and cannot record PIN offsets, so when a U.S. cardholder chooses a PIN, the offset is mainly stored on the institution's servers. These security measures mean that PINs are generally more secure than signatures, as a fraudster can falsify a signature, but not a PIN.
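The offset arithmetic described above, as an added example that is not from the original column. It assumes the IBM 3624-style convention (digit-wise subtraction modulo 10) and uses HMAC-SHA256 as a stand-in for the issuer's DES-based PIN generation; the key, account numbers and PINs are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample key; a real issuer key never leaves an HSM.
ISSUER_KEY = b"constructed-demo-key"
DECIMALIZATION = "0123456789012345"  # maps hex digits 0-f to decimal digits


def natural_pin(account_number: str, length: int = 4) -> str:
    """Derive the issuer-generated ("original") PIN from the account number.

    Assumption: HMAC-SHA256 stands in for the DES encryption that an
    IBM 3624-style system performs under its PIN generation key.
    """
    digest = hmac.new(ISSUER_KEY, account_number.encode(), hashlib.sha256).hexdigest()
    return "".join(DECIMALIZATION[int(h, 16)] for h in digest[:length])


def pin_offset(chosen_pin: str, original_pin: str) -> str:
    """Digit-wise (chosen - original) mod 10: the value kept on the stripe."""
    if not (chosen_pin.isdigit() and original_pin.isdigit()):
        raise ValueError("PINs must contain digits only")
    if len(chosen_pin) != len(original_pin):
        raise ValueError("PINs must have the same length")
    return "".join(
        str((int(c) - int(o)) % 10) for c, o in zip(chosen_pin, original_pin)
    )


def verify_pin(account_number: str, offset: str, entered_pin: str) -> bool:
    """Issuer-side check: re-derive the original PIN, add the offset, compare."""
    if not (offset.isdigit() and entered_pin.isdigit()):
        return False
    if len(entered_pin) != len(offset):
        return False
    original = natural_pin(account_number, len(offset))
    expected = "".join(
        str((int(o) + int(d)) % 10) for o, d in zip(original, offset)
    )
    return hmac.compare_digest(expected, entered_pin)
```

The offset alone does not reveal the chosen PIN: without the issuer key the original PIN cannot be re-derived, so every candidate PIN is consistent with a given offset.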

The U.S. trend towards PINs, despite card issuers trying to steer cardholders back to signature verification, is therefore good news on the anti-fraud front. In Europe, the long-term aim is to do away with signatures for Visa/MasterCard transactions, whether debit or credit cards are used.

Back in Brussels' duty-free, meanwhile, and being the sad technical journalist that I am, I deliberately tapped in the wrong PIN on my credit card purchase of around 150 euros - that's 800 cigarettes and a bottle of single malt, in case you were wondering.

The transaction was approved.

I had a chat with the checkout supervisor and discovered that the airport's transaction processing network can only achieve 100 per cent PIN verification on Belgian cards. On non-Belgian cards, the PIN verification is a bit hit and miss and, if a PIN cannot be verified, provided the transaction is under the floor limit for the merchant concerned, it is still approved. As my experience showed, the floor limit in duty-free shops is somewhat higher than a normal sales outlet, presumably because of the relatively high value of transactions being processed.

Obviously, the duty-free shop also swipes the customer's boarding card, so if a fraudulent transaction were processed, then they would have some tracking mechanism - unless the passenger were traveling on a false passport, of course.

Normally I'd have written off my Brussels airport experience, but, back in the summer, on a ferry between Britain and Ireland, I saw a really scruffy Irish guy presenting a Platinum Visa card issued by a U.K. card issuer. Not that I have anything against the Irish, believe me - it could have been the same situation with a Brit presenting an Irish card for payment. The Irish chap was trying to buy - wait for it - six bottles of whisky and four packs of cigarettes.

The sales assistant told him the most he could buy was £80 worth of goods, so he put two bottles back and the transaction went through. The £80 floor limit, he explained, was necessary, as the ferry company has no means of checking there are funds available on a card account - in the middle of the Irish Sea, there were no payment authorization systems that could be used.

Later on I saw the same guy buying another six bottles of whisky and, since the whisky was not cheaper on board than back in the U.K., it was obviously a potential fraud in progress. I pointed out the situation to the security officer who, quite frankly, couldn't care less, although I doubt the ferry company would take such a light-hearted attitude when the transaction was charged back after being discovered to be fraudulent.
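The approval behaviour seen at the Brussels checkout and on the ferry, set beside a stricter offline policy, as an added example that is not from the original column. The function and class names, the PIN status values and the per-card cumulative cap are assumptions made for illustration, and the amounts in any call are constructed.

```python
from collections import defaultdict
from enum import Enum


class Pin(Enum):
    VERIFIED = "verified"
    WRONG = "wrong"
    UNVERIFIABLE = "unverifiable"  # terminal cannot check this issuer's PINs


def lenient_decision(amount, floor_limit, pin):
    """Behaviour as described in the column: at or below the floor limit,
    a PIN that cannot be checked does not block the sale."""
    if pin is Pin.WRONG:
        return "decline"
    if amount <= floor_limit:
        return "approve"
    return "refer-online"


class StrictOfflinePolicy:
    """Hypothetical hardened policy: an unverifiable PIN never approves on
    its own, and offline spend is capped per card, not per transaction."""

    def __init__(self, floor_limit, cumulative_cap):
        self.floor_limit = floor_limit
        self.cumulative_cap = cumulative_cap
        self.offline_total = defaultdict(int)  # card id -> approved offline spend

    def decide(self, card_id, amount, pin, online_available):
        if pin is Pin.WRONG:
            return "decline"
        if online_available:
            return "refer-online"  # let the issuer check PIN and funds
        if pin is Pin.UNVERIFIABLE:
            return "decline"  # fail closed when nobody can check the PIN
        spent = self.offline_total[card_id]
        if amount > self.floor_limit or spent + amount > self.cumulative_cap:
            return "decline"  # catches repeat purchases under the floor limit
        self.offline_total[card_id] = spent + amount
        return "approve"
```

With a constructed floor limit of 200, `lenient_decision(150, 200, Pin.UNVERIFIABLE)` approves; under `StrictOfflinePolicy(80, 80)` a second 80 purchase on the same card while offline is declined.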

The bottom line to these two traveler's vignettes is that, if yours truly is aware of the shortcomings of card purchasing systems, you can bet your bottom dollar that professional fraudsters are as well. It's against this backdrop that I recently learned of a trial just about to start in Northampton, a mid-sized city in the British Midlands, that will use chip-enabled credit and debit cards, requiring cardholders to use PINs in place of signatures. If the trial is a success, the banks say it could be extended across the whole of the U.K. by 2005. This is good news for the banks, as they have seen credit card fraud rise by around 30 per cent in the last five years.

The British Retail Consortium, however, has criticized the banks for failing to bear their share of the estimated £1.1 billion cost of the Northampton PIN-based verification system. The Association for Payment Clearing Services (APACS), which coordinates the card companies' fight against fraud, has appointed PricewaterhouseCoopers to run the trial, but PwC says that it is down to the stores to negotiate the cost of the new transaction processing kit needed with their processor.

This doesn't exactly inspire confidence, does it?

Back to my Brussels airport experience. I learned from the supervisor that cardholders who don't have a PIN - or claim not to have a PIN - can fall back on the signature-based verification system. The same situation is likely to occur in the Northampton smartcard trial - if someone says they haven't got a PIN for their credit or debit card, the retailer isn't going to turn the business away. Visa and MasterCard, along with American Express, have committed to upgrading their credit and charge cards to be smartcard-enabled by the middle part of this decade, but this only applies to card issuers in most of Europe.

The situation in the U.S., as well as in other areas of the world, remains patchy. The card companies are not talking about solid smartcard introductory target dates for these areas and it's not difficult to see why. Buying some goods in the Slovak Republic earlier this year, where credit card usage has exploded from almost zero in the last decade, I noticed that many merchants are using paper-based vouchers (i.e. offline) for their card transactions. The reason for using paper vouchers, they say, is that the cost of processing the transactions is lower than using online systems, even though the potential for chargebacks in the case of fraudulent transactions is higher.

Or is it?

Twenty years ago, before the arrival of electronic terminals at the checkout, European and U.S. retailers simply phoned up for authorization if they encountered a high value transaction or were simply worried about a customer's credit-worthiness. These days, whether a transaction is electronic or manual, Visa/MasterCard still reserve the right to charge back a transaction for several weeks after the transaction is processed.

The bottom line is that the scales are stacked firmly in favor of the banks and against the retailers when it comes to moving to better anti-fraud systems for card transactions. And if fraud continues to rise as a result of the financial institutions' intransigence in shouldering a fair share of the cost of smartcard-based security systems, you probably won't be surprised to learn who ends up paying for the cost of fraud.

It's the customers of the banks - i.e. you and me.

Steve Gold is news editor for SC Magazine (
