Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
January 23, 2012
PIN authentication versus signature authentication
In the United States, surveys from several organizations help us determine approximate total fraud losses by different payment instruments. For example, the American Bankers Association's 2011 Deposit Account Fraud Survey Report estimates that 2010 industry fraud losses totaled $893 million for checks and $955 million for debit cards. The Nilson Report puts 2010 payment card fraud losses at $3.56 billion. And a 2011 PaymentsSource report estimates that bank card issuers experienced fraud losses of $1.16 billion in 2010.
Some of these industry surveys actually fail to illustrate the complete risk landscape—we must also consider trends in the underlying usage of various payment mechanisms. To better assess risks to financial institutions from various payment types, it is useful to compare fraud losses on a per-unit basis. By doing this for credit card, signature debit, and PIN debit transactions, the effectiveness of PIN authentication in preventing payment card fraud becomes clear (see the chart).
Credit card loss rates are the largest among payment cards and growing
According to PaymentsSource's bank card profitability studies, financial institutions' credit card-related fraud losses grew each year between 2006 and 2008, rising from $1 billion to $1.11 billion. After an aberration in 2009, when credit card fraud losses fell by 14 percent, fraud losses grew again in 2010, by 22 percent. The Nilson Report data showed a similar trend in both the number and dollar value of credit card transactions during this time period.
The Nilson Report data provide the basis for determining per-unit credit card loss estimates for financial institutions. On a per-transaction basis, annual credit card-related fraud losses reached their highest level in 2010, at 7.5 cents per transaction. This figure represents an almost 9 percent increase from the 2006 figure, which was 6.9 cents. Credit card fraud losses on a dollar-volume basis increased by nearly 27 percent during this same time period, from 6.7 basis points (or 0.067 percent) in 2006 to 8.5 basis points in 2010.
Debit card fraud loss rates vary by authentication method
Likewise, financial institutions have seen debit card fraud losses rise steadily since 2004. According to the PULSE Debit Issuer Study, fraud losses from purchase transactions (excluding losses from ATM fraud) were about $201 million in 2004. Looking at PULSE study data in conjunction with data from The Nilson Report shows that debit card fraud losses from point-of-sale transactions peaked at $880 million in 2010.
However, a large disparity exists between debit card fraud based on the authentication method employed. For example, signature debit transactions accounted for an estimated $804 million—91 percent—of the total debit card fraud in 2010.
The increase in fraud losses should come as no surprise given the rapid growth in debit card transactions over the past six years. According to The Nilson Report, debit transactions grew by more than 122 percent, or 14.3 percent on an annualized basis, between 2004 and 2010. Data from PULSE studies show that in 2010, financial institutions experienced a 2.7-cent fraud loss for every signature debit transaction, and a 0.5-cent loss for every PIN debit transaction. This translates to 7.5 basis points for signature transactions and 1.3 basis points for PIN transactions on a per-dollar volume basis. These figures are up from the 2006 numbers of 1.9 cents (or 4.8 basis points) and 0.3 cents (or 0.8 basis points), respectively.
Comparing signature and PIN transactions
Based on per-unit fraud losses of credit and debit cards, financial institutions have significantly more exposure to fraud losses from card payments with signature authentication than from those with PIN authentication. Yet PIN authentication is not accepted for credit transactions, and it accounted for only 32 percent of debit card purchase transactions in 2010. Although the fraud rates for both signature and PIN transactions have increased over time, signature transactions still exhibit significantly higher loss rates, especially when comparing the transactions on a per-dollar volume basis. The large disparity in per-transaction fraud losses between credit card and signature debit transactions stems from credit card transactions having an average ticket size of nearly 2.5 times that of signature debit transactions. Ultimately, PIN debit offers an additional and superior layer of authentication not offered on credit and signature debit transactions.
Admittedly, the limited number of merchants in the face-to-face environment who have the capability to accept PIN-based transactions, combined with the lack of PIN-based acceptance in the card-not-present environment, limits the use of PIN transactions. But given the ongoing displacement of cash and checks by payment cards and other forms of electronic payments, the continued adoption of PIN debit transactions and the potential introduction of PIN authentication for credit card transactions could go a long way toward reducing growing payment card fraud. However, given recent EMV-related statements that Visa and the Merchant Advisory Group have issued, it remains unclear whether or not PIN authentication will become the standard in the United States.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed