In the previous blog post we introduced you to chip equipped card (EMV) and its consequences for shoppers. In this post we want to describe why there are different kinds of verification methods, as well as in what situation you will be using which one.
As with everything payment related, there is no definitive answer to this question. There are a lot of factors that influence the type of requested verification, or cardholder verification method (CVM) as they are officially named. And when an EMV card is used, there is virtually no way of predicting what CVM will be applied, as the chip is ultimately responsible for choosing one. In the following the most common CVMs are explained in more detail and then applied to credit and debit card payments.
Cardholder Verification Methods (CVM)
When it comes to authenticate the shopper against the merchant for a specific transaction, there are different methods available that are chosen by the payment terminal based on multiple factors, including transaction amount, merchant and card type as well as the chip configuration in case of an EMV transaction.
Back when payment cards weren’t equipped with an EMV chip and most payment terminals were only capable of doing offline transactions, card issuing banks introduced the signature as the primary type of authorization for a transaction. The merchant is supposed to check the signature on the back of the card with the signature provided by the shopper. Often the merchant also asks for an ID card in order to verify the ownership of the card.
There was also a time when a picture of the card owner was printed on the back of the card and used instead of a signature at the point of sale. The drawback of this type of verification is that no paper trail of the authorization is available afterwards, which is probably also one of the reasons why this type is no longer used.
A PIN was traditionally used to authorize cash withdrawals at ATMs, but is becoming a more and more common CVM at the point of sale. To accept PIN verifications, terminals must meet high security standards and undergo a certification process before they can be used at the point of sale. This ensures that the PIN is highly protected and cannot be extracted in plain by a malicious entity. Today there are two different PIN verification methods, online PIN and offline PIN. With an online PIN verification, the PIN is encrypted by the terminal and send to the card issuing bank with a request to verify its authenticity. The offline PIN verification is only available with EMV cards, as the PIN is checked internally by the chip.
It is also worth noting that based on the used CVM, the burden of proof that a transaction was actually authorized by the rightful card owner lies with different parties. With a signature the merchant is responsible to provide the appropriate proof (i.e. by producing the respective receipt with a signature) in case of a challenge by the card owner. In case of a PIN authorized transaction, the burden of proof lies with the shopper and it is generally impossible to challenge this transaction.
Paying with Credit or Debit Card
In determining which CVM will be used for a specific transaction at the point of sale, the type of card is the most decisive factor.
Transactions with a debit card represent the most straight forward cases, as they will use the PIN as verification method if the terminal offers this feature. In general the online PIN is used and while checking the PIN with the issuing bank, the account balance is also checked.
When paying with credit cards, a signature is commonly used as the preferred CVM for transactions at the point of sale. Only when withdrawing cash at an ATM, a PIN is requested. But there is a slow shift away from signatures in favor of PIN verifications, with the United Kingdom and Ireland being one of the countries now only issuing cards that require a PIN as CVM.
As a bonus, there are some situations in which the shopper is neither asked for a signature nor for a PIN. This is commonly the case for transactions with a low volume, falling below the so-called floor limit. This limit is a more or less arbitrary number that is set by the bank handling the terminal transactions and can vary between merchants.