Fraud protection with PINless debit on the rise

Credit unions can expect an increasing number of PINless debit transactions coming their way, resulting in reduced interchange fee revenue and presenting some important challenges regarding member incentives.

PINless debit transactions at the POS have been around for a while, but only started to gain traction this year. PINless debit occurs when a retail purchase amount is under $50.00 (perhaps 70% of PIN debit transactions qualify). When a cardholder presents her debit card at checkout, even if she chooses “credit”, the merchant may elect to route the transaction over the PIN debit networks without the PIN being entered. Since merchants pay higher interchange rates for signature transactions than PIN transactions, the merchant views PINless debit as a lower cost option compared to traditional signature debit.

We can expect this practice to increase. As merchants complete their EMV conversions later this year, many will turn their attention to PINless. There are a number of ways that this will impact the credit union community.

In the absence of a PIN we can reasonably expect that PINless transactions are more susceptible to fraud. In recent months there have been several cases where credit unions reported a surge in counterfeit activity specifically targeting PINless transactions. Individual cards were used 8-15 times before the fraudulent activity was detected. The source of the data for creating the counterfeit cards was reported to be previously undisclosed merchant breaches.

How, then, can credit unions better protect themselves?

• A number of the credit unions impacted had not signed up for their processor’s fraud monitoring service. You should check with your EFT processor to ensure that fraud monitoring is turned on and that it is specifically looking at PINless activity.

• Some credit unions had originally signed up for their processor’s fraud monitoring service, but later added other networks. Many processors require specific implementations of the fraud service for each network. Check with your processor to make sure all of your networks are covered.

• Most processors’ fraud monitoring services allow credit unions to customize their velocity parameters by transaction type. Given the increased risk of approving a transaction without a PIN, credit unions should consider tweaking their velocity parameters to ensure that they are quickly notified when cards are repeatedly used at the same location without a PIN.

• Due to the costs involved, some credit unions are reluctant to reissue cards involved in a breach when there are no signs of fraudulent activity. Compromised card data is often stored for long periods before being sold and used by the fraudsters. Credit unions should consider reissuing cards as soon as they become aware of a compromise.

• EMV chip cards were specifically designed to eliminate the types of counterfeit transactions we are seeing with PINless. Credit unions should consider the protections provided by chip cards in their EMV migration plans. While focus has largely been on credit cards, a re-evaluation of plans for debit may be in order.

The credit unions we have worked with through this recent fraud outbreak in PINless have seen major reductions in fraud losses.

There are other implications as well. Many credit unions offer reward programs with their signature debit cards. They encourage members to select “credit” at the POS to maximize the credit union’s interchange income. Reward points are often the incentive, and some of the credit union’s interchange revenue is applied to the cost of the rewards program. But what happens when merchants exercise their Durbin rights and route the transaction as PINless debit?   Your member may have selected “credit”, but the transaction is routed as PINless debit and the cardholder does not receive her reward points. The result is not only a loss of interchange revenue for the credit union, but also member dissatisfaction when she no longer receives the expected reward points. Given these possibilities, credit unions may want to reexamine their rewards programs to see what still makes sense under the new paradigm. Further exacerbating the situation, many credit unions impose a PIN debit fee to encourage signature use. For credit union members, however, they not only lose their rewards points, but also now have to pay for transactions they previously received for free.

As merchants transition more transactions to PINless, credit unions will want to take steps to mitigate the increased risk, re-examine how the new transaction mix impacts their members’ cost of doing business with their credit union, and how it may affect credit union revenue streams.