PIN vs. Signature Debit: Which Is More Secure?

Every time the Federal Reserve surveys the public, it finds that consumers consistently rank security as the most important characteristic of payment methods, Joanna Stavins from the Boston Fed reminds us in a new paper. Yet, just as consistently, when they analyze the actual consumer payment use patterns, the Fed’s researchers find that security is not as significant as other payment characteristics, such as cost, convenience and record keeping.

Trying to explain that puzzle away, the Stavins digs deep into the data and finds that security concerns create an obstacle to the adoption of some types of bank account-based payments, such as debit cards, online banking bill pay and bank account number payments, but once adopted, the security rating has no significant effect on the use of those payment instruments. However, the reverse is found to be the case with more established payment methods, such as cash, checks and credit cards: consumers’ perception of security has no influence on adoption, but it does affect the actual usage of these payment types.

But debit cards present a particularly interesting case, because debit transactions can be processed in two distinctly different ways. On the one hand we have signature-based debit, which uses the same infrastructure, which is used to process credit card payments. On the other, we have PIN-based debit, where transactions are processed via specialized debit networks. And it turns out that consumer attitudes toward the security of two debit types are markedly different and once again, the actual usage patterns do not always reflect the professed attitudes. Let’s take a closer look at what Stavins finds.

PIN vs. Signature: What’s the Difference?

When you swipe your debit card at the checkout, the point-of-sale (POS) terminal will usually ask you: “Debit or Credit?” I have no idea why this has become accepted, as you would have to be an industry insider, in order to understand its meaning. The more appropriate question, and one which would be immediately understood by everyone, would be: “PIN or Signature?” Either way, the question refers to the type of debit card authorization.

PIN Debit. PIN transactions are routed through what are known as electronic funds transfer (EFT) networks (for example Star, NYCE, Pulse, Interlink, etc.). EFT processing takes place when the customer chooses “debit” when prompted and then enters her PIN. The EFT network then authorizes the transaction and immediately deducts the transaction amount from the customer’s checking account, which is linked to the debit card used for payment. The merchant then receives the money within a few days. PIN debit transactions are often referred to as “online” transactions, because they require an electronic authorization.

Signature Debit. Signature-based debit transactions are authorized, cleared and settled through the same Visa or MasterCard networks used for processing credit card transactions. Signature debit processing is initiated when the customer selects “credit” when prompted by the POS terminal. She then signs a sales receipt (unless the merchant has waived the signature requirement for transactions under a certain amount or the card is not present) and the funds are deducted from her checking account, typically within a day of the processing date. The merchant submits the transaction with the rest of her card transactions, usually at the end of the day, and then receives the money, typically within a day or two of the settlement. Signature debit transactions are referred to as “offline” transactions, because a PIN debit network does not play a role in processing.

PIN vs. Signature Fraud

There is a big difference between the two debit authorization types when it comes to losses from fraud and theft. PIN debit is considered more secure because the cardholder authenticates her card with a PIN and, unless the PIN number is stolen, the transaction cannot be completed.

Signature debit transactions, in contrast, cannot be easily authenticated, especially because the signature requirement is typically waived for small-amount transactions, which is fully in compliance with industry standards, as all the big networks allow merchants to eliminate the signature requirement on purchases of less than $25 (for details, see here and here). Furthermore, signature debit processing is used in all e-commerce, mail and phone debit transactions (even though there is no possibility for actually signing anything), where fraud rates are higher.

And the data certainly confirm the higher level of security associated with PIN debit. In 2011, Stavins reminds us, PIN debit fraud losses were estimated at $0.004 per transaction, while signature debit fraud losses were about eight times as high — $0.031 per transaction. The ratio was much the same when the loss rate was calculated as a share of fraudulent transactions, in relation to the total number: signature POS fraud losses averaged 0.08 percent, while PIN fraud losses averaged 0.01 percent.

The author is quick to note that fraud losses borne by debit issuers and payment processors are not automatically transferred to the cardholders. In the U.S., at least, a cardholder is liable for no more than $50 per fraudulent PIN debit transaction if she reports it within a specified period of time. Furthermore, both Visa and MasterCard extend the same protection against unauthorized debit transactions as they do against fraudulent credit card transactions — zero liability for fraudulent transactions.

PIN vs. Signature: Perception of Security

In agreement with the evidence, consumers perceive PIN debit as more secure than signature debit: 63.8 percent of consumers consider PIN debit secure or very secure, compared with 51.4 percent for signature debit. However, over 41 percent consider no-PIN / no-signature debit transactions very risky, compared with 3.8 percent for signature debit and 5.3 percent for PIN debit, even though the no-PIN / no-signature transactions are processed the same way as signature debit transactions. Then there is the case of online debit transactions, which require neither a PIN nor a signature — these are rated more secure than the no-PIN / no-signature in-person transactions, with only 20 percent of consumers saying they are very risky.

But it turns out that consumers don’t always behave accordingly to their stated payment preferences. On the one hand, as you will see in the chart below, consumers who consider PIN debit “secure” or “very secure” are at least twice as likely to prefer PIN debit as those who consider PIN as “risky” or “very risky”. However, that is not the case with signature debit, where consumers who consider this type of debit processing to be “very secure” are nevertheless less likely to prefer signature debit than those who consider signature debit “secure” or “neither”.

PIN vs. Signature: How We Pay

Stavins then proceeds to compare the stated preferences for PIN vs. signature debit to the actual use of the two types of payment and finds that consumers’ behavior is consistent with their stated preferences. Those who prefer PIN debit use PIN debit more than twice as often as signature debit (71.2 percent versus 28.8) and those who prefer signature debit use it over three times as often as PIN (75.7 percent versus 24.3).

Then she compares the actual use of debit — total, PIN and no PIN — to consumers’ assessment of security of debit cards in general. Sure enough, consumers who view debit as “secure” or “very secure” use it more intensively than those who consider debit more risky and the pattern holds in the case of total debit, PIN and no-PIN debit.

Of course, as the author notes, consumers may not be aware that no-PIN debit transactions are processed the same way as signature debit and so may be more skeptical about the security of such payments. In fact, I think we can be reasonably certain that consumers do not know that the two are processed in an identical fashion.

The Takeaway

So, as you see, consumers don’t have a clear picture of the differences between the two debit types, which I guess could be expected. Yet, they nevertheless understand that PIN debit is more secure than signature-based debit and tend to use it more often, even though at times they do the opposite of what they say. In any case, industry regulations ensure that consumers are well protected from debit fraud.

Image credit: Wikimedia Commons.