PINless Card Payments – Innovative Or Harebrained?

by

I’ve been asked many times to weigh in on the new PINless regime for credit and debit card payments in India. Most recently it was on Quora, where I was asked to answer the following question:

Why is it not required to enter a PIN to authenticate a credit or debit card in many countries?

For background, the newly launched NFC-based contactless credit cards and debit cards can be simply waved over an NFC POS terminal to complete a payment without entering a PIN (or signature, or any form of authentication whatever).

I call this “PINless card payment”, “PINless regime” or “PINless mode”. Mere possession of the payment card is enough to put through a payment at the point of sale, in the so-called TAP or CTLS mode. In payment industry speak, this is one factor authentication, not two factor authentication that Indians are used to for several years for making online payments.

PINless is in contrast with older magstripe and chip cards, where the card must make contact with the POS in the SWIPE or DIP mode respectively and Signature or PIN or Signature + PIN is required to complete the payment (which make it two factor authentication).

PINless card payments are faster and more convenient. But they’re also less secure. If you lose your contactless card, anyone who finds it can go on a shopping spree at your cost since they won’t be asked for a PIN. In other words, PINless regime leads to “finders keepers, losers weepers”.

Ergo the debate on whether PINless card payments is innovative or harebrained.

RBI has mandated PINless regime only for payments up to INR 2000 (~US$ 30).

Let me unpack this ceiling based on my use of contactless credit cards in the last three months or so.

  • Payments below INR 2K went through in TAP mode without PIN
  • Whenever I’ve tried TAP above INR 2K, the payments failed, with the POS terminal displaying the message that the transaction was not permitted according to RBI mandate. I had to use the DIP mode and enter the PIN to complete those payments. (There was no facility to enter the PIN in the TAP mode).
  • DIP mode asked for PIN even for payments below INR 2K.

It appears that there’s a strong link between PINless and TAP in India (though not everywhere, as we’ll see shortly).

I have no experience of using debit cards in PINless mode. Nor do I plan on acquiring any. More on that in a bit.

In the USA, you don’t enter PIN to authorize a credit card transaction at a POS. This is true for both new generation contactless cards in TAP mode and traditional contact cards in DIP or SWIPE modes.

It’s left to the merchant to verify the cardholder’s identity by asking them to sign the paper or digital chargeslip. Many merchants don’t bother.

Some merchants don’t even verify if the cardholder is physically present as long as they get a card to charge. I saw an instance of this when a coworker in our Miami office owed us a treat but couldn’t spare the time to take us out. She simply gave her credit card to us. We went to a nearby fast food restaurant and charged our meals to her credit card. The clerk didn’t ask us to sign the chargeslip, so we didn’t even have to engage in “sign-with-left-hand” kind of friendly forgery. See EMV Compliance – USA Versus Rest Of World for more details.

(Of course, PIN is required to withdraw cash with credit card at ATM but we’re only talking about instore POS payments in this post).

Under this regime, safety is heavily compromised – there’s no PIN, many merchants don’t bother to take signatures and some merchants don’t even verify whether the cardholder is physically present. In short, anybody can use anybody else’s card. In theory, the lack of security should cause huge amount of card fraud.

But, in practice, it doesn’t.

Payment card fraud is less than 0.1% of all card transactions. Of that, a vast majority is caused by large scale breaches of merchant databases rather than by individual cards being used fraudulently because they’re not secured by PIN or signature. While the effort should always be to root out fraud, however low the percentage, it’s safe to say that card fraud is a “less than a 1%” problem.

On the other hand, fearing 0.1% fraud, when you tell 100% of cardholders to enter a PIN, you inject friction into the payment process. Some people may not remember the PIN at the POS; others might enter it wrongly; the transaction time increases; and the queue at checkout becomes longer. So many extra moving parts are introduced, thus increasing the risk of failure of every payment, which means the merchant loses business. This is definitely a “more than a 1%” problem.

So there’s a prima facie case for letting credit card payments go through without a PIN.

As always, whenever you share a global best practice, someone will always pushback saying it’s not applicable to India.

This happened in this case as well. A few days later, somebody left the following comment on my answer:

People should understand that developed countries can also be wrong and shouldn’t blind think that everything over there is superior than non developed countries. Not having pin security is very risky, consider a situation in which i lost my wallet or card and is not aware of that, person who found my card can withdraw max limit allowed amount easily, there is nothing preventing him from doing that. I could have agreed with you in case 2 way auth, but pin security is bare minimum.

I rebutted this objection as follows:

The OP’s original question sought the logic behind some countries not requiring PIN for verifying a credit card transaction. That’s the logic I provided in my answer. At no stage did I propose that other countries should copy what USA does. In fact, on other occasions, I’ve appreciated things done differently by different countries without blindly copying what has been done in the developed countries.

That said, when it comes to PINless credit card payments, there’s a strong case to copy the US practice in India.

While PINless regime is risky in theory, the risk does not translate automatically into fraud. For that to happen, both of the following events need to happen after a cardholder loses their card and before they have it blocked:

  1. Someone else finds the wallet and the credit cards inside them, and
  2. Takes the risk of using the credit card fraudulently, knowing fully well they’re committing a crime and are being caught on a CCTV feed.

While anything is possible, the likelihood of these events happening together is slim.

For those who find that hard to accept in the Indian context, let me take the example of PayTM, India’s largest mobile wallet in India, with over 250M users.

How many times have you entered a password or PIN to make a PayTM payment at a point of sale? How often have you seen someone else doing that??

Yes, I thought so too.

From personal experience and anecdotal evidence, 99% of PayTM users never sign out of the app. As a result, they’re permanently logged in to the app and make payments without entering a password or PIN.

Which means that, as in the case of a contactless credit card, if a mobile phone with PayTM installed on it falls in the wrong hands, somebody can wipe out the entire wallet balance and also the bank balance in the bank account(s) linked to the debit cards on file. While that’s a theoretical possibility, it doesn’t seem to happen too often in actual practice – personally, I haven’t even heard of a single incident of this nature (knock on wood!).

PINless regime has provided a frictionless CX for PayTM, which, I believe, is the primary driver of PayTM’s popularity. See also Why Do People Obsess Over Security And Then Make Payments Without A Password?.

So it will for contactless credit cards.

Going by the above, I believe that the benefits of PINless credit card payment – greater convenience, faster checkout, and reduction in failed payments – far outweigh the risk caused by it.

Therefore, PINless is an innovation for contactless credit card payments.

Now let’s take contacless debit card payments.

At the high level, both credit card and debit card are digital payment methods, so many people think of them interchangeably. However, when it comes to evaluating the merits and demerits of PINless regime, they’d do well to distinguish debit card from credit card.

The key difference between credit card and debit card in this context is as follows: When a fraudster uses my credit card, they steal the bank’s money but when they use my debit card fraudulently, they steal my money.

If I lose my credit card and somebody is able to use it without my authorization – because they don’t need a PIN – I don’t lose any money. I get a bill from the credit card company. I can dispute the bill and, until I write a check, the money does not leave my bank account.

Whereas, in a similar situation with a debit card, the money leaves my bank account instantly. I’ll face an ordeal to retrieve it. And, mind you, I’ll have to suffer that ordeal without money in my bank account.

Accordingly, PINless debit card payment carries a huge risk.

Therefore, PINless is a harebrained idea for contactless debit card payments.

Some may argue that the risk of loss of money caused by stolen credit and debit cards is minimal because PINless payments are capped at INR 2K.

There are two problems with that argument.

One is that the 2K limit is per transaction, so you could lose way more money if the thief uses the card multiple times before you have it blocked.

Two, it’s not as though regulators can wave a magic wand and all POS machines will automatically start asking for PIN for payments above INR 2K. A lot of other things need to happen before the restriction is enforced in actual practice.

From what I know about the internals of payment card management systems, the 2K limit

  • can be enforced centrally by the card network aka Visa, MasterCard and RuPay in the case of credit card. This resonates with my aforementioned experience where all my attempts to complete credit card payments above INR 2K in the TAP / PINless mode were blocked by the POS machine.
  • needs to be programmed by each debit card issuer into its core banking software separately. Some banks will have the bandwidth to do so immediately. Others will not. Accordingly, some POS terminals will block PINless debit card transactions above INR 2K whereas others might let them go.

I see a parallel with the “no-surcharge rule” enforced by the government for making digital payments to government bodies at the peak of re/demonetization in India in 2016–7. Some government agencies like Pune Municipal Corporation implemented it immediately whereas others like Life Insurance Corporation and Mahrashtra State Electricity Board continued to levy surcharges for a long time (they still do, two years later).

Going by that experience, I won’t be surprised if some debit card issuers are not compliant with the PINless regime’s cap of INR 2K.

In those cases, a fraudster can wipe out your entire bank account if they lay their hands on your PINless debit card.

Overall, I think PINless regime is innovative for credit card but harebrained for debit card.

I only use credit cards for shopping. As highlighted here, that’s because they offer several benefits like float from deferred payment, rewards, greater fraud protection, better redressal against fraud, and credit history, etc.

Accordingly, I restrict the use of debit cards to withdrawing cash from ATMs.

But, just like my credit cards, I’ve always been keeping my debit cards inside my wallet.

But not any more. Stolen contactless debit cards could cause a huge havoc under the PINless regime.

As a result, I’ve removed all debit cards from my wallet and now take them out of home only when I’m going to visit an ATM.

UPDATE DATED 14 MARCH 2022:

The regulator has ignored the Quora Commenter’s take. Since I wrote the original post, it has actually increased the ceiling for PINless credit card and debit card payments from INR 2K to 5K. PINless debit card continues to be a thing ergo I continue to keep my contactless debit cards outside my wallet.