jump to navigation

Holiday Shopping Safety! Debit or Credit? PIN or Pen? Check or Cash? November 18, 2020

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , ,

With the holidays around the corner, it is a hot time for criminals to steal from us all!  CyberCriminals are specifically after your money and cards.  There is ongoing confusion about whether cards are better than checks are better than cash.  While we all have our own opinions, I think the argument is pretty clear that payment cards are the most secure options for consumers.  Read below!

For some background, I am a payment card security professional.  I have worked at both MasterCard and with Visa, as well as the other card brands. I now work at a major telco overseeing the payment security program. 2020 marks the 15th consecutive year someone has stolen my card at least once (17 times in 15 years) BUT…I wasn’t worried…read below to find out why!

First off, I rarely carry or use my debit card.  I use my Amex (just my own preference) almost exclusively. If I could pay my mortgage on my Amex I would! (Amex is technically a charge card…not a credit card so if you pay off every month, there is no interest).  I never have more than $20 in cash and I have not had a check book in years. Too high risk! If I need to write a check, I initiate an e-check from my bank.

First, if you prefer cash, great!  If someone steals your wallet or purse and steals your cash.  You will never see that money again.  End of story.  Some people prefer checks.  If someone steals your checkbook and writes themselves a $1,500 check, you “may” be able to dispute the charge but the money is taken from your account first.  Check fraud accounted for $7 billion in 2019! More importantly, every time you had someone a check you are handing them enough information to commit more fraud against you.

In 2014 I moved from Park City, UT to Houston, TX. I checked my bank and noticed a $1,500 check in my name had been written to “Mitt Romney” (no kidding) for a “laptop”.  Cleary fraud but the bank honored the check.  I was only able to get my money back because the user had used “Romney” and I had not written a check on that account in years.  Where did they get my check? When I moved I had apparently either thrown the book in the garbage or it was found in my old house. I do not use checks!

I use cards and NEVER with a PIN (unless I have no choice…very rare).

platinum11chip_fr_h_1987You may notice that almost without exception when visiting merchants and using your debit card, you are prompted for your PIN without giving an option (usually) to allow it to be run as “credit” transaction.  Interestingly enough, I was at a merchant recently and it prompted me for my PIN when I “dipped” (chip card) my card.  I tried to decline to get it to go over to a credit transaction and the woman behind the counter informed me with absolute authority that PIN was safer and I should use my PIN.  Is this statement accurate?

Well, it depends on where you live and your perspective.  In the US we have credit networks and we have financial networks (EFT, ACH, etc.)  When issued a debit card your card will (usually) have a major card brand logo (Visa, MasterCard, etc.) on the front which means when run as an ‘offline’ or credit transaction it runs over the card brand networks (BankNet, VisaNet, etc.) and a variety of other network logos on the back. (PLUS, STAR, Interlink, etc.) which means that when run as an ‘online’ or PIN debit transaction it runs (usually) over the financial networks.

When using your debit card you have the option of running the transaction in an ‘online mode’ which means you input a PIN and it runs over the financial networks (thanks to Durbin you now have an option of card brand or financial networks) or you can cancel and run your debit as a ‘credit transaction’ in which it runs over the credit card networks and you are usually authenticated by your signature. In some cases a signature is not even required.  With chip cards it is more common to not require any signature.

In an online debit transaction (meaning a PIN is used..not related to Internet) the money comes from your account immediately and you can get cash back if you like. This is only possible because it runs over the financial networks.  In an offline transaction the debit transaction is treated like a credit card and you cannot get money back and it usually takes 2 days for the transaction to clear.

So why do merchants like debit transactions?  Easy answer.

First, they get their money quicker over the debit networks.  Second, and as importantly, debit transactions are (usually) less expensive to the merchant than credit transactions.  A debit transaction is normally only about 15 cents per transaction under the new Durbin Amendment while a credit transaction can reach as high as 5%.  So a $100 transaction costs the merchant 12 cents under an online debit while the same transaction could cost as much as $5 under a credit.  Why the difference?  This is the key to this post.  Lets first re-ask the question: “Is a PIN debit transaction safer than a signature credit transaction?”

The transaction is certainly safer for the merchant, the bank, and the processor. The use of the PIN for authentication means that the system has a very high degree of confidence that the transaction is legitimate and that you, the cardholder, are in possession of your card. (if authentication is new, please read the post Security 101: authentication) With a signature transaction it is possible your neighbor, some stranger, a wayward relative, or some criminal stole your card or that someone stole the data or purchased it from the Dark Web and counterfeited the card.  The PIN is NOT present on the card therefore the system knows that if you use a PIN with a debit card it is highly likely that it is you making the transaction.  The transaction is indeed safer for the merchant, the bank, and the processor. Now what about the user?

The simple answer is “No, it is not as safe as a credit transaction.”  Why?

Under the Fair Credit Billing Act there is a $50 limit on cardholder liability for a credit transaction run over a card brand network. (the ACT provides a number of other protections, as well) In spite of this, all of the major card brands (Visa, MasterCard, Amex, Discover, JCB) have implemented “zero liability” clauses into their contracts. This means that if someone steals your card and they charge something you call your bank directly, confirm it was not you and presto…the charges are reversed!  There may be an investigation but it is highly unlikely that it will not be reversed if it was fraud.

Remember, it is only over the card brand networks (VisaNet, BankNet etc.)  An online debit transaction (PIN based) usually runs over the financial (EFT) networks.  Read the fine print of your debit card or bank rules.  In many instances you have unlimited liability for PIN transactions over financial networks.  Why? Simple…PINS are considered SOOOO secure that they belief is that if someone is using a PIN it must be the person that owns the card who used the PIN.  If a fraudulent transaction occurs with your PIN, first the money comes out immediately and second it is very difficult to prove it was NOT you…because the PIN was used.  It can take up to 10 weeks to get the money returned in the event it is proven to be a fraudulent transaction!

PINs are very useful and inexpensive for banks, merchants, and processors. For cardholders they expose you to quite a bit of risk.  If someone steals your PIN (the only real way for that to happen is for you to use it!) then they can conduct a PIN based transaction and you have a heck of a time getting the debit reversed.   One note on this…if you have a fraudulent transaction on your debit card and it is a signature based transaction, under Regulation E (RegE) the bank must put your money back into your account within a certain period of time until they determine the validity of the transaction.  It is complex but call your bank, reference Reg E, ask for an affidavit to fill out and they will put the money back in provisionally.

Here is a rule of thumb.  If you are using your debit card and you are prompted for the PIN at a store simply hit ‘cancel’ or ‘enter’ and it will not cancel the transaction it will then fall back to ask you for a signature, or some other authentication. If you still prefer to use a PIN it will usually prompt you for either a “US Debit (or some other) or Visa Debit (or MC etc.)”  Always choose the ‘card brand’ to ensure your transaction runs over their networks. This means the transaction is running over a credit network and you have a safer transaction for you.

During these holidays have a happy and safe shopping time and hopefully this article has helped!!


1. What to do if your card was compromised and used… | Global Security, Privacy, & Risk Management - April 2, 2012

[…] transaction (debit, for example) there are other considerations.  You can read more on this post. “Signature or PIN? Credit or Debit?…the answers”  If the Global Payments breach was limited to track 1 or track 2 data as reports indicate, then […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: