Bluefin Chief Innovation Officer, Ruston Miles, writes in today’s Morning Consult Op-Ed on credit card authentication and payment security.
The news that a large retailer has filed a lawsuit against one of the card networks over whether newly issued chip cards should use Personal Identification Numbers (PIN) as a secondary means of authentication at checkout is a new development in a debate that has been well covered by contributors in the media. Despite all the attention, I can’t help thinking that the focus on PIN numbers verges on an unhelpful distraction.
It would be far better if all involved put their energies toward fighting the primary payment fraud threat to U.S. consumers – the ability of hackers to steal and exploit millions of card numbers at a time from vulnerable retailer systems. In any case, PIN authentication is an old technology that is very near its sell-by date.
To deal with this second point first, much has been made of the fact that when Europe moved to chip cards fifteen years ago, PIN was the standard form of secondary authentication – a hangover from ATM cards. By today’s technological standards, however, PIN is famously unsafe. Vast numbers of cardholders write their PIN down, or choose numbers that are easy to guess or work out (a date of birth and 1234 are apparently favorites).
This is creating such problems that in the UK, where chip cards have been standard for more than a decade, new banking rules mean that financial institutions may not have to reimburse cardholders whose PIN is written down and stolen.
Addressing this weakness involves moving authentication from “what the cardholder knows” to “who the cardholder actually is”, with biometrics offering the best option for the very near future. There are plenty of examples of biometrics already in use in payments, including Apple Pay, MasterCard’s “Selfie Pay”, and USAA’s biometrically secured mobile app, which, late last year, passed a million users. All of these relieve the consumer of the burden of inventing and remembering a PIN, and suggest that biometric authentication at checkout is very close. This raises the question: why would anyone want to tie consumers to vulnerable PIN authentication when better technology is around the corner?
Read the full Op-Ed.