PIN adds level of security in payment transactions

posted by Terry Dooley on Tuesday, January 15, 2019 in SHAZAM Blog

There’s a clear trend emerging in the payments industry regarding payment authentication. It’s moving from authenticating the consumer to authenticating the transaction or device initiating the transaction. The effects and ramifications aren’t yet known; and, combined with countless new entrants into the payments landscape, consumers are using — and loading personal information into — more and more applications to access their accounts. Storing credentials in a third-party app to query other financial institution accounts, investment accounts or reward accounts carries inherent risk, and may have some unintended consequences. One of which occurs when an app is compromised but still has access to the consumer’s financial institution or investment credentials and is used to do nefarious things.

This situation reignites the old debate: Can you have a strong, seamless authentication process that doesn’t require consumer action, but instead just magically works? This is the trend in payments. In many cases the transaction is being authenticated by the device, not the consumer. One example is the elimination of the consumer’s signature for chip-on-chip transactions. PINless chip-on-chip transactions, which generally occur under a certain dollar amount, also operate this way.

The implementation of biometrics — fingerprints, facial recognition, etc. — are used to authenticate a consumer to a device. But that biometric data itself isn’t sent to the issuer to verify the consumer; the transaction is authenticated based on the device authentication. A personal identification number is, and continues to be, the only payment authentication method in which the consumer is authenticated by the financial institution.

Plus, while both PIN and biometrics are technically controlled by the consumer, one can be changed, and the other can’t. As a consumer, I can have hundreds of different PIN combinations and change them any time I want, but I can’t change the biometrics of my ten fingers and toes, and my two eyes.

Like biometrics, many other methods use device-level or transaction-level authentication, such as QR codes, text messages, email addresses and phone numbers. All these options are various representations of a token, just as the consumer’s credit or debit card number is a token to reach a consumers’s debit, prepaid or other account.

Should the PIN be required on every transaction? Well, it would allow for the least amount of fraud, but it’s not a practical approach for many channels. Yet, the PIN, because of its strength as well as its dynamic nature in its ability to be changed by the consumer, can serve as a highly effective secondary authentication method when the need for stronger authentication beyond the device or transaction authentication is needed.

I don’t believe choosing between one authentication or the other is a good strategy. A better approach is to leverage layered authentication and the PIN can serve as one of the strongest and most trusted methods because the consumer is being authenticated, not a device.

SHAZAM, Inc. and ITS, Inc. provide this blog for general informational purposes only. Our blog may be shared by a direct link wherein the content remains as originally presented and has not been altered. SHAZAM, Inc. and ITS, Inc. assume no responsibility for errors or omissions in the contents on the blog. By using this blog, reader agrees that the information published does not constitute nor is a substitute for legal advice which should only be sought from a qualified, licensed attorney. 


comments powered by Disqus