Understanding Payments and PINless Debit
It’s a cold, windy day. It’s Fargo. It’s Wednesday. I scurry into the store, using the collar of my jacket to cover the side of my face. Inside, I weave around the carts that are one by one taken out of the rows. There is only one thing I need, a pack of gum to refresh the taste of mid-morning coffee. I step up to the self-check-out register, grab a pack from the impulse-buy shelf, scan the barcode, and press the screen to check out.
At the register, I am prompted to insert my card. I take out my Community Bank debit card. Insert the chip into the card reader. The screen reads “Authorizing…” I wait. The card terminal beeps. I remove my card. The transaction is approved. The receipt prints and I crumple it up, stuff it into my jacket pocket.
Nothing in this scene seems out of the ordinary for most shoppers. However, this is an example of a PINless Debit Transaction. A PINless Debit Transaction is simple in nature. When I insert my debit card using the chip, I am NOT prompted to enter my PIN.
If I use the same example, except with a Wells Fargo, US Bank, Bank of America, etc. debit card, I am prompted to use my PIN for verification. This is significant, because without the PIN authentication, the chip becomes pointless.
The chip on cards was designed to be an encrypted and more secure way to improve transactions and reduce fraud. However, with a PINless Debit Transaction the most important part of using chip authentication, inserting a PIN, is bypassed. The transaction is approved whether or not the PIN is input.
Why does this happen?
It all depends on the financial institution’s Payment Network and the Network’s Operating Rules they abide by.
When a community financial institution signs a contract with a Network vendor, there is typically a clause in the contract which states that they will abide by the Network Operating Rules. Very similar to when you just click accept without reading anything on the Terms and Conditions when setting up your new iPhone.
For payment networks, the Network Operating Rules are around 200 pages of technical language that are monotonous and daunting to read for anyone, especially a financial institution executive. Executives want to run their organization, improve it, and achieve their goals. Their time would be better spent fulfilling their objectives than trying to read and understand a vendor’s operating rules.
It is in these Network Operating Rules where problems lie. PINless Debit Rules, as well as other clauses which are cause for concern, are hidden in these pages. Additionally, the Network Operating Rules state that the vendor can modify and change these rules at any time with minimal notice to the financial institution.
Payments refers to a transaction and how money is transferred from your bank/credit union account to the merchant selling you the products you purchase.
To the average consumer, a payment seems simple. I pay for products with my debit card that is tied to my bank account. The merchant gets my money in exchange for the goods and/or services. When I go into my online banking later in the day, I see money has been taken out of my account in the amount of my purchase. But what happens behind the scenes to get the money from the bank to the merchant is a bit more complex.
Once a transaction is approved, it is sent through a virtual network or gateway. At the network/gateway, the system determines how the transaction should be processed and then who or where the transaction should be processed through. From here the transaction is sent to the processing vendor, where the transaction is processed and sent into the bank’s system or “Core” where your account is stored.
What does this mean for my Financial Institution?
To dive a little deeper into the implications of these PINless Debit transactions, we need to explain the two types of transactions, pinned and signature.
A signature transaction is simply when the consumer uses their card and signs instead of using the chip and pin. For a Financial Institution, signature transactions yield a greater interchange rate per transaction than pinned, meaning they make more money per transaction that is signed for than a transaction where you put in a pin.
This is because there is more risk of a fraudulent transaction with signature than pin. It is far easier to use the mag strip of a counterfeit card and get away with it than to try to recreate and reconfigure a chip and pin to counterfeit a card.
What happens with a PINless Debit Transaction is that the transaction is treated as a pinned transaction, yielding less interchange for the financial institution, but no PIN is needed to complete the transaction. In essence, a PINless debit transaction allows each and every transaction through without security measures.
(Please note: this description is a simplification. The Copper River Group understands that there is more to a fraudulent transaction and PINless Transaction than what is depicted. For the purposes of general understanding and consequential impact, it can be said that PINless Debit Transactions are at a much higher risk of fraud. If a financial institution is taking more risk by not having the PIN authenticated, then it should be counted as a Signature Transaction.)
While it is understandable that financial institutions would be upset about the difference in interchange, there is one more major point to note about PINless Debit Transactions…
Going back to the Operating Rules, the rules state that if a pinned transaction is fraudulent then the financial institution is responsible. The financial institution has no chargeback rights, meaning they essentially take any fraud as a loss and can do nothing about it.
What does this mean for me, the Consumer?
The receipt prints and I crumple it up, stuff it into my jacket pocket. I stuff my debit card in my jacket with the receipt. I don’t notice that the card is peeking out of the pocket, as the crumpled paper fills the extra space. Scurrying out of the store, I brace for the wind as the doors slide open. Pulling up and adjusting my jacket, the card falls out of my pocket onto the floor. I walk out of the store, unsuspecting and unaware of anything wrong.
PINless Debit transactions typically have a threshold of only $50. They are designed for small “convenience” transactions. The average transaction value is $37.76 (according to the Federal Reserve Study published in 2018). However, two major networks recently changed their threshold to account for transactions up to $100. This now covers the majority of transactions overall.
Knowing this and understanding PINless debit transactions, any fraudster can pick up that card and begin buying. One $50 transaction here, one there, then at the next store and the next. Soon there is quite a bill racking up on my card. No PIN needed.
If I don’t check my account regularly, I may not notice the charges, and with them being so small I may not even realize my spending if I frequently buy things from various stores. Likely, I wouldn’t notice anything is wrong until I can’t find my card.
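An issuer does not have to wait for the cardholder to notice this pattern. The following is an added example, not part of the original article: a velocity check that flags a card when its approvals with no PIN, each at or under the PINless threshold, spread across several merchants in a short time. The record layout, the `NO_CVM` label, the two-hour window and the merchant count are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PINLESS_LIMIT = 50.00          # threshold named in the article; some networks use 100
WINDOW = timedelta(hours=2)    # assumed review window
MAX_MERCHANTS = 3              # assumed: distinct merchants tolerated per window

# Constructed sample approvals: (card, ISO time, merchant, amount, verification)
SAMPLE = [
    ("card-A", "2019-03-06T10:02", "grocery-1", 1.89, "NO_CVM"),   # the pack of gum
    ("card-A", "2019-03-06T10:40", "fuel-7", 48.00, "NO_CVM"),     # card now lost
    ("card-A", "2019-03-06T10:55", "liquor-2", 49.50, "NO_CVM"),
    ("card-A", "2019-03-06T11:10", "electronics-4", 45.00, "NO_CVM"),
    ("card-A", "2019-03-06T11:30", "grocery-9", 50.00, "NO_CVM"),
    ("card-B", "2019-03-06T09:00", "coffee-1", 4.50, "NO_CVM"),
    ("card-B", "2019-03-06T12:30", "grocery-1", 37.76, "NO_CVM"),
    ("card-B", "2019-03-06T18:00", "fuel-7", 30.00, "PIN"),
    ("card-C", "2019-03-06T10:00", "grocery-1", 20.00, "PIN"),
    ("card-C", "2019-03-06T10:10", "fuel-7", 25.00, "PIN"),
    ("card-C", "2019-03-06T10:20", "liquor-2", 30.00, "PIN"),
    ("card-C", "2019-03-06T10:30", "electronics-4", 35.00, "PIN"),
]


def flag_pinless_velocity(auths, limit=PINLESS_LIMIT, window=WINDOW,
                          max_merchants=MAX_MERCHANTS):
    """Return {card: time of first alert} for cards whose no-PIN approvals at or
    under `limit` reach more than `max_merchants` distinct merchants in `window`."""
    recent = defaultdict(deque)    # card -> (time, merchant) pairs inside the window
    alerts = {}
    for card, ts, merchant, amount, cvm in sorted(auths, key=lambda a: a[1]):
        if cvm != "NO_CVM" or amount > limit:
            continue               # PIN-verified or over-threshold: not this pattern
        when = datetime.fromisoformat(ts)
        seen = recent[card]
        seen.append((when, merchant))
        while when - seen[0][0] > window:
            seen.popleft()         # drop approvals that fell out of the window
        if card not in alerts and len({m for _, m in seen}) > max_merchants:
            alerts[card] = ts
    return alerts


if __name__ == "__main__":
    for card, ts in flag_pinless_velocity(SAMPLE).items():
        print(f"{card}: review no-PIN spending as of {ts}")
```

On the sample, only card-A is flagged, at its fourth distinct merchant; card-C shops just as quickly but every approval carried a PIN.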
Now, this will create quite a headache. I’ll have to work with my bank/credit union to get this sorted out and the fraud reversed. I’ll have to get a new card and wait for the Financial Institution to complete their review, which can take several weeks. Meaning, I will be out that money for a period of time, which can be very significant if running on a tight budget. But eventually everything will be resolved, and I will not be out any money… right?
For debit cards, the Electronic Fund Transfer Act states that your liability is as follows:
| If you report: | Your maximum loss: |
| --- | --- |
| Before any unauthorized charges are made | $0 |
| Within 2 business days after you learn about the loss or theft | $50 |
| More than 2 business days after you learn about the loss or theft, but less than 60 calendar days after your statement is sent to you | $500 |
| More than 60 calendar days after your statement is sent to you | All the money taken from your ATM/Debit Card account, and possibly more; for example, money in accounts linked to your debit account |
Now, many Financial Institutions have implemented friendly tactics to keep their customers and members happy. The fraud may be forgiven, but at the cost of the financial institution. (Keep in mind, there would be no fraud on the card if the PIN was necessary to complete the transaction.) This puts the financial institution in a very tough place. They are now caught between making their community happy and making up for fraud.
A PINless Debit Transaction is simple in nature. When I insert my debit card using the chip, I am NOT prompted to enter my PIN. The chip on cards was designed to be an encrypted and more secure way to improve transactions and reduce fraud. However, with a PINless Debit Transaction the most important part of using chip authentication, inserting a PIN, is bypassed. The transaction is approved whether or not the PIN is input.
This can lead to increased fraud, and a PINless Debit Transaction puts all the liability onto the Financial Institution, all while earning less interchange for that “Pinned” transaction.
The community financial institutions are being caught between vendors competing for their share of the market and the consumer, and they are paying for it.