Tuesday, May 5, 2009

Debit Cards on the Rise - Why Security Should Care

A Wall Street Journal (WSJ) article the other day went in one ear and out the other for me, at first read. Then I was flipping channels in my hotel room and stopped on Dave Ramsey on Fox talking about it... and something struck me. That something is the fine point most folks don't understand about how a debit card differs from a credit card. When you use your debit card with your PIN you effectively make the transaction as if it were a cash transaction. This means the money leaves your account pseudo-immediately... and unlike a credit card there isn't that nice period for you to contest the charge.

Also - when you use your debit card with your PIN, that PIN has to be stored somewhere for batch processing (don't even get me started on why banking isn't real-time yet... see previous article).  Herein lies the problem and the issue I am seeing with this VISA-demonstrated trend.  Most people don't know to not use their debit card with their PIN... and to use it as a credit card.  There is a massive difference in how things get processed, yes - but the main difference is your precious PIN.

Consider the role compliance plays today, when a good chunk of people are still using their credit cards as forms of payment. Compliance is important because it causes you pain if you get your card information stolen and used... but ultimately it's not so bad because your money doesn't immediately disappear from, say, your bank account. If you start using your debit card plus PIN, and someone breaches a merchant you trusted with your information - your money disappears from your bank immediately. Are you ready for that? Sure, there is still the "Zero fraud liability" if you use VISA (for example) - but that's only if you use the card as a credit card.

There's a bigger picture when you zoom out from all the statistics and cost figures and trends of debit vs. credit. At the end of the day - if people start to use their card more as a debit card, compliance (most notably PCI Compliance) goes from critical to possibly catastrophic!

Please, if you don't already know this... use your debit card as a credit card... avoid inputting your PIN at all costs. Tell your friends, family and anyone you care for.


Nick Bell said...

In places like the UK (and Australia is about to go there), all Credit Cards now have 'chips' in them and you can no longer sign for a Credit Card Purchase. It is PIN only now. Thoughts?

Rafal Los said...

@Nick - that depends. The PIN you're inputting (in the UK (and Australia)) gives the card device access to the card itself as far as I understand it - not to your account. It all really depends on the readers I guess and how that's all implemented. But in the US the "PIN" is an account "password"... in the UK/Australia the PIN is giving the reader access to the chip on the card - so you'd have to have the card AND the PIN ... which is a much lower incidence of fraud.

MrSm1th said...

Right on! The big reason for the popularity of debit card use is that retailers are positioning it as the default as it costs them less.

A typical consumer assumes that they need to go ahead and enter their PIN when prompted for it by default at the terminal (supermarkets near me do this). Retailers have experienced substantial cost savings by "pushing" this on customers.

A small correction to your post. You said that, "when you use your debit card with your PIN, that PIN has to be stored somewhere for batch processing". Debit transactions are immediate and the PIN is only used to authenticate that transaction.

MrSm1th said...

I forgot to add this URL to tips on using your credit card more securely.

Using Your Card Safely