[ELI5] Why can we just skip the PIN when using our cards?

You know when it gets to the PIN screen, sometimes it’ll say, “Press cancel/enter to continue” and you can just… bypass the PIN. Doesn’t that just defeat the purpose of the PIN?

17 Answers

Anonymous 0 Comments

Not every issuing bank and card processor requires it: it’s an optional cardholder verification method.

The merchant may be offered a lower card processing rate by verifying it, but it’s not necessary to submit a transaction.

Anonymous 0 Comments

Tap payments are quite secure – if the card is physically present it’s almost always held by the right person.

There are usually spending limits on those too – like you can tap for up to $100 or $200 maybe (depends on your card, bank, and maybe local laws) but bigger items require the PIN.

If your card is stolen and you report it, you won’t be liable for purchases the thief made on it.

Anonymous 0 Comments

In the US, there are typically two different types of networks a transaction can go through, a debit type, and a credit type. Most (but definitely not all) debit cards can also be processed as a credit transaction. There are specific rules and regulations around each type of transaction, especially related to chargebacks/fraud. Once a debit transaction is complete, it can be incredibly difficult to dispute after the fact, while there are 60 days to dispute a fraudulent credit transaction. This means the processing fees for credit transactions are more expensive than for debit, and nearly always come out of the seller’s pocket, hence some retailers only accepting debit transactions.

Your average larger retailer uses a Point of Sale device that can handle both types of transactions, and generally saves money (both in processing fees and chargebacks) by hoping you will choose debit. This is also (usually) the only method you can request cash back, since the transfer is treated, essentially, like an ATM transaction. When you “skip the PIN”, your transaction is processed as a credit card. If your account doesn’t have that feature (like some payday debit cards and high risk accounts), it will be rejected.

Anonymous 0 Comments

I never see this. It either asks for the pin or directly takes the money. (Though we have bus tills here which serve both as validator and ticket selling… so it might be good for accidental NFC)

For me, “sometimes” is after 10 uses or when spending more money at once (in that case, the amount of uses resets).

Anonymous 0 Comments

There are 3 main methods of payment with a debit card.

1. Swipe
2. Chip
3. Tap

Each has their advantages and disadvantages when it comes to being a merchant. TL;DR is that the credit card company (Visa, Mastercard, AMEX, etc) is willing to accept more and more liability as you move from swipe, to chip, to tap.

A fraudulent transaction performed by a swipe payment via a cloned card means the merchant is stuck with the lost inventory and is forced to refund the transaction. A chip payment method is significantly harder to clone compared to swipe and, as such, the credit card company will accept more liability. A merchant may not have to refund a fraudulent transaction if it is performed via chip, though they still may suffer a reputation hit with the CC company.

And finally with tap, it is the most “secure”. It is set up in a way where you basically cannot clone the card within the lifetime of the universe unless you are stupidly lucky. With this, the CC company accepts practically all of the liability. The only way you can “tap” is with the physical card, and the card is only supposed to be with the cardholder and people the cardholder authorized by giving it to them.

Now with the PIN, you provide an additional level of verification on top of the various payment methods. When you provide your PIN number, you're verifying to the card that you are authorized to use it and that the card holder is personally running the transaction. The PIN number isn't required because you are the only person who should ever know the PIN. There are situations where you don't want people to have the PIN.

You don't want to hand your card to the waiter, give them the PIN number, and have no idea what that card is doing during that 10-15 minute period. By running the card as credit, the liability gets shifted back to the merchant. If they ran an extra charge on your card to steal money, you want to be able to dispute it and show you did not personally authorize the transaction.

The reason you're allowed to skip the PIN and run it as credit in most places is that they are willing to accept the increase in liability in exchange for having to turn down fewer customers. As a merchant, you are more than allowed to set your own restrictions to shed off that liability. You can require the customer have matching ID with their credit card, use tap to pay, and run it as a PIN transaction if you would rather not deal with the headache.

Anonymous 0 Comments

There are several reasons, but a large part of it is because American retailers and banks don’t want to make people actually remember and use their PIN, because that might cut into their profits either by people not being able to use their card because they forgot their PIN, or because they might have to buy POS gear that handles it.

In European and other countries, all in person card transactions are strictly Chip+PIN. Go to a restaurant? Server comes out with a POS device where you stick your card in and enter your PIN.

The U.S. is ever so slowly inching that way, but it will be many years before we fully convert. And by that time, there will be a newer, more secure system in place probably, hah.

Anonymous 0 Comments

I know from the FI side we like it when you bypass the PIN and run it through as a credit transaction, it is more lucrative.

Anonymous 0 Comments

Only in the USA. In Canada if the card has a chip you have to enter the PIN. You cannot hit cancel/enter to bypass it. You cannot swipe a chip card as it will say Insert card on the terminal.

However if the chip is damaged you can still insert it 3 – 4 times and then the terminal will say Swipe Card.

4 ways of doing a card transaction at most places: Chip and PIN, swipe the mag stripe and enter PIN, manually enter the card number and CVV, and manually enter card number without CVV. For the first two, the merchant is not liable for lost/stolen cards used. For the last two, the banks may reverse the transaction if disputed and the merchant has to provide more backup to get the money.

Anonymous 0 Comments

In terms of information security, single-factor authentication just needs one of the 5:

1. Something you KNOW, eg password
2. Something you HAVE, eg Smart Card
3. Something you ARE, eg biometrics
4. Something you DO, eg the way you sign the name
5. SomeWHERE you are, ie GPS

With Bank Smartcard (ie with chip – Smart Card), it satisfies “Something you have”.

That being said, most of us know that is not secure. So you got 2FA/MFA – MultiFACTOR – instead of just using one, you use multiple factors. In Banking, that means inserting Smart Card and then entering your PIN. In terms of Google Accounts, the Authenticator is considered something you HAVE, and then throw in password, and that’s your 2FA.

Throw in Geofencing and you got even more secure.

Anonymous 0 Comments

This only happens in the US.

Does not happen in other countries. Swipe is nonexistent here.