What’s The Difference Between Chip-And-PIN And Chip-And-Signature Cards?
The EMV liability shift is well underway and customers have started dipping those cards. At this point, most small business owners are probably wondering why the heck everybody is talking about chip-and-PIN cards when everybody seems to be using chip-and-signature. What’s the difference between chip-and-PIN and chip-and-signature cards? We’ve briefly mentioned this before, but if you want all the exciting details–how it works, what it means for you, etc.–we’ve got you covered right here.
Back Up a Minute.
Let’s go over how the whole magstripe/chip thing works again. Magstripes have secret numbers embedded in the little black box on your card. When you swipe it, the machine reads the numbers and sends them over the internet or phone lines to verify that the numbers are correct. Credit card companies have decided to update these cards because with magstripe, it’s easy for less-than-honest people to grab the secret information when the card is scanned or while the numbers are in transmission. Since magstripe numbers never change, fraudsters can wreak a lot of havoc with this information.
On the other hand, chip cards basically have a tiny embedded computer. When you dip the chip, it interacts with the terminal’s computer. First, the card sends a secret, encrypted, randomly generated message to the terminal, which the terminal interprets with a secret key; then the same thing happens in the other direction. This way the card and the terminal make sure that everything is authentic.
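An added illustration, not from the original article: a simplified Python model of why copied magstripe data keeps working while a captured chip response does not. It uses an HMAC over a fresh challenge and a counter as a stand-in and is not the EMV algorithm; the class names, key handling and sample values are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not real card data.
MAGSTRIPE_TRACK = "4000000000000002=2512101"
CARD_KEY = secrets.token_bytes(32)  # assumption: one secret known to chip and verifier


def verify_magstripe(track_data: str) -> bool:
    """Static data: the same string is accepted on every swipe."""
    return hmac.compare_digest(track_data, MAGSTRIPE_TRACK)


def _mac(key: bytes, challenge: bytes, amount_cents: int, counter: int) -> bytes:
    msg = challenge + amount_cents.to_bytes(8, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class ChipCard:
    """Toy chip: the key never leaves the card; only responses do."""
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def respond(self, challenge: bytes, amount_cents: int):
        self._counter += 1
        return self._counter, _mac(self._key, challenge, amount_cents, self._counter)


class Verifier:
    """Toy verifying side: fresh challenge per transaction, no counter reuse."""
    def __init__(self, key: bytes):
        self._key, self._last_counter = key, 0

    def verify(self, challenge: bytes, amount_cents: int, counter: int, tag: bytes) -> bool:
        expected = _mac(self._key, challenge, amount_cents, counter)
        if counter <= self._last_counter or not hmac.compare_digest(tag, expected):
            return False
        self._last_counter = counter
        return True


def replay_demo():
    card, verifier = ChipCard(CARD_KEY), Verifier(CARD_KEY)
    challenge = secrets.token_bytes(16)
    counter, tag = card.respond(challenge, 1999)
    genuine = verifier.verify(challenge, 1999, counter, tag)
    # The captured (counter, tag) pair is presented against a new challenge.
    replayed = verifier.verify(secrets.token_bytes(16), 1999, counter, tag)
    return genuine, replayed
```

The magstripe check accepts the same string indefinitely, while the chip response is bound to one challenge and one counter value, so reusing it fails.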
To verify that the person using the card isn’t a thief, the card user has to put in a PIN (which should match the PIN stored in the card or on the bank’s servers). Or, if the card is chip-and-signature, the person just has to sign their name and the cashier may or may not verify that it matches the one on the back of the card. It’s no wonder one expert said that chip-and-signature cards are the equivalent of “locking the front door and leaving the back one open.”
That Sounds Like a Problem.
Alright–that last sentiment is a bit too dramatic if you ask me, but it got your attention, right? Here’s the thing: chip cards make it incredibly difficult for fraudsters to make a fake card because everything is encrypted. The verification method (PINing or signing) determines how difficult it is for a thief to use a legitimate, but stolen, card. For a chip-and-PIN card, the thief has to know the PIN. For a chip-and-signature card, the thief just has to be halfway decent at forging a signature (if the cashier even checks at all). Since fake cards are a much bigger problem in the US than stolen cards, the weaker signature check really isn’t a big problem.
Why Don’t We Just Use Chip-and-PIN?
Short answer: it’s a work in progress. There are two big reasons we aren’t going straight to chip-and-PIN. The first reason is that the credit card companies don’t think consumers can handle that much change. Consumers are used to swiping and signing; now they need to get used to dipping and signing.
Before you go off on a tirade about how humans aren’t that stupid (I wanted to when I learned this), there’s proof: when card companies in Canada rolled out chip cards, those who sent out chip-and-PIN cards realized that people kept forgetting their PINs. You’d think this would be entirely the consumer’s problem, until you remember that most people have multiple cards, and the card that’s a huge pain is going to be the one that’s used the least. Bad deal for the card issuer.
The other reason is that ATMs aren’t chip-compatible yet (and they won’t be until October 2016 or 2017). Since magstripes are still an automatic fallback on ATMs, if a fraudster gets a hold of the magstripe data and PIN for a chipped card and uses the data at an ATM, they’re going to make off with a whole lot of money. Since the bank has to cover the lost money, it’s a bad deal for the bank.
How Does This Affect Me, the Business Owner?
Glad you asked! The good news is, you cannot be held liable if somebody uses a stolen chip-and-signature card with your fancy EMV terminal. Hooray!
The bad news is, you can be liable if somebody uses a stolen chip-and-PIN card at your terminal and you have to fall back to processing it as chip-and-signature. The reasoning is the same as it is for any other EMV-related change: if you had the right technology, theoretically the fraud wouldn’t have happened. Because most cards are going to be chip-and-signature at this point, I wouldn’t worry about this too much. But when the PIN cards start to get more prevalent (which I’m guessing will happen in a few years when ATMs catch up), you might want to think about upgrading your terminal to one that does PINs.
One More Thing…
There is a payment process on the rise that bypasses the card altogether, and that’s NFC (near field communication). To get all the juicy details about how it works, check out our articles here and here, but let’s go over the basics. Customers can connect their cards to virtual wallets like Apple Pay or Android Pay, or connect their bank account directly to applications like CurrentC.
The verification process works much like it does for chipped cards: the phone and terminal send encrypted messages back and forth over short-range electromagnetic waves to make sure that everything is legitimate. In the payment application, there will be a verification method like a PIN to ensure the user is correct. The whole thing is very secure, in theory. It’s also a few years down the road from being widely used.
We’re stuck with regular-old signatures for a while longer, but more secure options are just around the corner. Until then, verify those signatures!