How Security Can Actually Increase Vulnerability

Security increases friction. That’s not news. I’ve myself written many blog posts – click here, here and here – on this perennial tradeoff involved in payments.

However, I recently found a new security measure that actually creates new sources of vulnerability.

Ironic but true.

Since December 2013, India’s central bank, the RBI, has made it mandatory for all debit and credit card transactions at the point of sale to require a PIN. This is in addition to the signature, which has always been required for card-present transactions. So, while some other nations are still debating “PIN or Signature”, India has already enforced a “PIN and Signature” regime. But I digress.

In theory, a PIN makes card transactions more secure: it adds a “something you know” factor to the “something you have” of the card itself. When implemented properly – as Europe did with EMV over a decade ago – a PIN does reduce card fraud, arguably without a disproportionate increase in inconvenience.

However, when the same enhanced security measure is implemented in a half-baked manner, it not only reduces convenience but also increases vulnerability.

Let’s see how:

  • Most credit cards have 6-digit PINs, which are harder to remember than the standard 4-digit PIN used for debit / ATM cards. A PIN people can’t remember is a PIN they write down, typically on the card itself or on a slip kept next to it.
  • The PIN is visible to everyone nearby, since existing POS terminals don’t have a privacy hood, which makes shoulder surfing trivial. Instead of upgrading their POS terminals, banks are busy dishing out stupid advice like “Use your hand or body to shield your PIN”.
  • In multiplexes, pharmacies, restaurants and many other merchant establishments, customers can’t directly reach the POS machines, which are placed slightly out of reach behind the counter. As a result, they’re asked to speak their PINs out loud, so the secret is disclosed to the cashier and to everyone within earshot.


The “PIN + Signature” regime has caused greater friction and, at the same time, increased vulnerability. Hope things improve in future.

As an aside, the central bank apparently introduced this new security measure to give people more confidence in using their payment cards and thereby usher in a cashless society.

For more than one reason, it might have exactly the opposite effect.

  • When people received their PIN mailers along with their credit card welcome kits several years ago, they didn’t bother to note down the PIN, since it was only needed for cash withdrawals from ATMs with a credit card, a feature that very few people in India use because it attracts exorbitant fees and interest charges. As a result, most people don’t know their credit card PINs today, and few would take the trouble to contact their banks to get their PINs reissued.
  • Not all POS machines are equipped to accept a PIN for credit card transactions. As a result, many merchants, including two of my Mobile Network Operators, have stopped accepting credit cards.

Ergo, the RBI’s recent mandate has rendered many credit cards unusable at the POS, and it’s back to cash for many customers.

How’s that for “unintended consequence”?