Are PINs always needed for paying with card?
I'm a little concerned because I just paid to get access to Spotify Premium and it only asked for my card number and 2 other details that were on the card. Nothing like a PIN. Also I noticed that at an airport the ticket machine just asked you to put the card in and it never needed a PIN, yet a transaction was made. How is this possible? Surely then anyone who could steal my card can pay for things like this because all the details they need are on the card?
Spotify said it would do something with 1p to authorise it, but I don't see how that confirms that it's me using the card?
There generally isn't much in the way of real identity verification, at least in the US and online. The protection you get is that with most credit cards you can report your card stolen (within some amount of time) and the fraudulent charges dropped.
The merchant is the one that usually ends up paying for it if it gets charged back so it's usually in the merchant's best interest to do verification. However the cost of doing so (inconvenience to the customer, or if it's an impulse buy, giving them more time to change their mind, etc) is often greater than the occasional fraudulent charge so they usually don't do too much about it unless they're in a business where it's a frequent problem.
Chip and PIN cards are popular in Europe; however, in the US we don't have them. Visa/MC and Amex can issue chip and PIN cards but no merchants or machines are set up here to take them. Only certain countries in Europe use them, and since you could possibly have a US visitor or a non-chip and PIN person using your machine or eating at your restaurant, they usually allow you to sign or just omit the PIN if the card doesn't have a chip.
It is definitely less secure, but the entire credit card industry in the US is running right now without it, so I don't think the major credit card companies care too much (they just pass the fraud on to the merchants anyway).
Like email and spam, fighting credit card fraud is a cat and mouse game, with technology and processes constantly being developed to reduce fraud. The CVV on the back of the card is just one more layer of security.
Requiring the CVV generally requires you to physically have access to the card. CVV should not be stored by any merchant. This frustrates card skimming fraud as the CVV is not present in the track data and fraud caused by database compromises.
You should never use your PIN online. MC/VISA both have implementations of 3D-Secure (SecureCode for MC and Verified by VISA) which require a password / code to confirm card ownership. This depends on both the Issuer and the Merchant implementing the standard.
Regarding not needing a PIN at the airport, some low value transactions no longer need PINs, depending on the Issuer and Scheme (VISA/MC). MasterCard PayPass or VISA PayWave enable low value contactless transactions without a PIN. In Australia, the maximum value for a contactless transaction is 0 AUD. At some merchants (McDonalds for example) a PIN is not required for meals purchased with VISA (at least, for the cheeseburger I bought there as a test). This makes sense - if you don't need a PIN for a contactless purchase, why do you need it for a chip based purchase?
So - why allow PIN free transactions? On average customers report stolen credit cards / wallet very quickly and the losses are correspondingly small. As card issuers are always online, cards can be cancelled very quickly after being reported lost / stolen.
Finally, by performing transactions for just a few cents or pennies, the merchant (Spotify) can likely validate you are the owner of the card as you'd need access to your online bank to confirm the transactions. PayPal does this with bank accounts to confirm ownership. (Unless I've misunderstood your statement).
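The small-charge check described in the answer above, as an added example that is not part of the original post or any merchant's real code: the merchant charges a random 1-99p amount and the user proves access to the card's statement by reporting it back. The class name, the card token, the three-attempt limit and the seven-day window are assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3          # assumed limit: a 1-in-99 guess must not be retryable forever
TTL_SECONDS = 7 * 86400   # assumed validity window for the challenge

@dataclass
class Challenge:
    amount_pence: int      # secret: visible only on the cardholder's statement
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    verified: bool = False

class MicroChargeVerifier:
    """Hypothetical merchant-side helper; not taken from any payment SDK."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._challenges = {}  # card token -> Challenge (never the raw card number)

    def start(self, card_token):
        """Pick a random 1-99p amount; the caller submits it to the processor."""
        amount = secrets.randbelow(99) + 1
        self._challenges[card_token] = Challenge(amount, self._clock() + TTL_SECONDS)
        return amount

    def confirm(self, card_token, claimed_pence):
        """Return 'verified', 'wrong', 'locked', 'expired' or 'unknown'."""
        ch = self._challenges.get(card_token)
        if ch is None:
            return "unknown"
        if ch.verified:
            return "verified"
        if self._clock() > ch.expires_at:
            return "expired"
        if ch.attempts_left <= 0:
            return "locked"
        ch.attempts_left -= 1
        # Constant-time comparison of the claimed and charged amounts
        if hmac.compare_digest(str(claimed_pence), str(ch.amount_pence)):
            ch.verified = True
            return "verified"
        return "wrong" if ch.attempts_left else "locked"
```

Without the attempt limit and expiry, someone holding only the details printed on the card could simply try all 99 amounts.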
As far as I'm aware, PINs are only used for in-person transactions, not 'remote' (over the Internet or phone).
Security in the merchant services system is mainly handled in two ways:
1) Before transactions are done, the business itself must go through an application process similar (but not identical) to getting a loan. Some high risk businesses must pay higher fees due to the increased likelihood of customer complaints.
2) When a customer disputes a transaction, that's a mark against the business. Get too many of these disputes, and your privilege of accepting credit cards will be revoked, meaning you won't be able to again.
It's in the merchant's best interest to verify the customer's identity, because disputes cost them money directly. It's in the servicer's best interest to verify the business's integrity, because fraud drives up the cost for everyone else.
As a whole, it's quite a reactionary system, yet in practice it works remarkably well.
For the first part of your question, refer to the related question:
Why do some online stores not ask for the 3-digit code on the back of my credit card?
The other case, airport ticket machines, requires the physical presence of the card. The assumption is that if you had the card before and after the transaction, it was you who used it for the transaction. As the amounts are small, it's really easy for anyone [merchant, banks] to write this off. The only way to misuse it would be if you lost the card and someone used it. Also, these ticket machines would have a built-in feature whereby you cannot buy more than "X" tickets for the day, ensuring the max loss on a stolen card is limited to a small amount.