Signature or PIN? Credit or Debit? The answers… January 22, 2012Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Tags: Chris Mark, credit or debit, durban amendment, mark consulting group, PCI DSS, PIN
For some background, I am a payment card security professional. I have worked at both MasterCard and with Visa, as well as the other card brands. I have noticed that almost without exception when visiting merchants and using my debit card, I am prompted for my PIN without giving me an option (usually) to allow it to be run as debit. Interestingly enough, I was at a merchant just today and it prompted me for my PIN. I tried to decline to get it to go over to a credit transaction and the woman behind the counter informed me with absolute authority that PIN was safer and I should use my PIN. Is this true? Well, it depends on where you live and your perspective. At this point our friends from the UK (and some other countries) can quit reading. When discussing EMV, or what is known in the UK as Chip and PIN, what I am about to say does not apply. For brevity, I will not discuss chip and PIN in this post. Back to my story….
In the US we have credit networks and we have financial networks (EFT, ACH, etc.) When issued a debit card your card will (usually) have a major card brand logo (Visa, MasterCard, etc.) on the front which means when run as a credit transaction it runs over the card brand networks (BankNet, VisaNet, etc.) and a variety of other network logos on the back. (PLUS, STAR, Interlink, etc.). When using your debit card you have the option of running the transaction in an ‘online mode’ which means you input a PIN and it runs over the financial networks (usually…don’t ask) or you can cancel and run your debit as a ‘credit transaction’ in which it runs over the credit card networks and you are usually authenticated by your signature. In an online debit transaction the money comes from your account immediately and you can get cash back. In a credit scenario the transaction is treated like a credit card and you cannot get money back and it usually takes 2 days for the transaction to clear. So why do merchants like debit transactions? Easy answer. First, they get their money quicker over the debit networks. Second, and as importantly, debit transactions are (usually) less expensive to the merchant than credit transactions. A debit transaction is limited to only 12 cents per transaction under the new Durban Amendment while a credit transaction can reach as high as 5%. So a $100 transaction costs the merchant 12 cents under an online debit while the same transaction could cost as much as $5 under a credit. Why the difference? This is the key to this post. Lets first re-ask the question: “Is a debit transaction safer than a signature credit transaction?”
The transaction is more safe for the merchant, the bank, and the processor. The use of the PIN for authentication means that the system has a high degree of confidence that the transaction is legitimate and that you, the cardholder, are in possession of your card. (if authentication is new, please read the post Security 101: authentication) With a signature transaction it is possible your neighbor stole your card or that someone stole the data and counterfeited the card. The PIN is NOT present on the card therefore the system knows that if you use a PIN with a debit card it is highly likely that it is you making the transaction. The transaction is indeed safer for the merchant, the bank, and the processor. Now what about the user? The simple answer is “No, it is not as safe as a credit transaction.” Why? Read on…
Under federal law there is a $50 limit on cardholder liability for a credit transaction run over a card brand network. All of the major card brands (Visa, MasterCard, Amex, Discover, JCB) have implemented “zero liability” clauses into their contracts. This means that if someone steals your card and they charge something, you simply write an affidavit, confirm it was not you and presto…no money is taken out! Remember, it is only over the card brand networks. Going back to the first paragraph. An online debit transaction (PIN based) runs over the financial networks. Read the fine print of your debit card or bank rules. In many instances you have unlimited liability for PIN transactions. Why? Simple…PINS are considered SOOOO secure that they belief is that if someone is using a PIN it must be the person that owns the card. If a fraudulent transaction occurs with your PIN, first the money comes out immediately and second it is very difficult to prove it was NOT you…because the PIN was used.
PINs are very useful and inexpensive for banks, merchants, and processors. For cardholders they expose you to quite a bit of risk. If someone steals your PIN (the only real way for that to happen is for you to use it) then they can conduct and online transaction and you have a heck of a time getting the debit reversed. One note on this…if you have a fraudulent transaction on your debit card and it is a signature based transaction, under Regulation E (RegE) the bank must put your money back into your account within a certain period of time until they determine the validity of the transaction. It is complex but call your bank, reference Reg E, ask for an affidavit to fill out and they will put the money back in provisionally.
Here is a rule of thumb. If you are using your debit card and you are prompted for the PIN at a store simply hit ‘cancel’ and it will not cancel the transaction it will then fall back to ask you for a signature, or some other authentication. This means the transaction is running over a credit network and you have a safer transaction for you.