Chip and PIN or Chip and Signature?

We’ll break down the differences, and why it matters.

This is a big question for retail merchants these days. Many merchants find themselves asking, “Do I need to accept PIN-debit?” Historically, the answer to this question depended on many factors, primarily cost differences and time saved with PIN entry. However, with the advent of EMV technology and regulations, PIN entry is increasingly becoming the most secure form of in-person acceptance, and Dharma highly recommends purchasing PIN-enabled hardware so that when Chip+PIN technology becomes more widespread, you’re prepared.

What’s the difference between Chip+PIN and Chip+Signature?

In October 2015, new regulations went into place that required merchants to begin accepting new chip cards, or EMV cards. EMV cards come in two major variations – you guessed it – Chip and PIN and Chip and Signature. And, just like you’d expect, they have two different authentication methods for the point of sale, either a 4-digit PIN number entered by the consumer, or a signature taken on a printed receipt or tablet screen, offered by the retailer. Fundamentally, an issuing bank can decide to issue any card it likes with a PIN, or without. Chip+PIN is the “strongest” encryption method since it’s much harder to steal a PIN than fake a signature. Right now, most US issuing banks only issue Chip+Signature cards. But, as time moves on, they’ll all start migrating towards Chip+PIN.

So, as the merchant, you have two options:

  1. Accept Chip+PIN. This is the “safest” method, since you can take both Chip+PIN, and the standard, default Chip+Signature.
  2. Only accept Chip+Signature. You open yourself up to a little bit of liability. Chip+PIN cards are less-widely adopted as of yet. Should you accept a Chip+PIN enabled card, that customer could theoretically have been fraudulent, and you wouldn’t have stopped the fraud, since you only requested a signature. Therefore, you’d be liable for the chargeback in this instance.

Chip+PIN hardware

In order to accept Chip+PIN, merchants are required to have either a terminal with an internal, encrypted PINpad, or an external, customer-facing PINpad to allow for debit card PIN number entry. External PIN-pads carry an additional fee, as it’s another piece of hardware to purchase. Internal encryption of a terminal requires a physical encryption, meaning that Dharma has to sell you the terminal pre-encrypted. Otherwise, you will not be able to accept PIN debit. In addition, if you do opt to use your terminal’s internal PIN-pad, please note that you’ll be required to manually move your terminal so that you can allow your customer to input their PIN-number. As such, merchants with long lines would likely require an external PIN-pad.

Dharma sells many different Chip+PIN hardware options, and you can view them here. However, simply purchasing any Dharma terminal will ensure that your terminal is encrypted with the proper injection keys for future Chip+PIN acceptance. This means that when other terminals accept Chip+PIN in the future, Dharma merchants will be covered. Both the Verifone and First Data terminal line are Chip+PIN certified, as is the Clover POS line.

What is PIN Bypass, and why is it important to restaurants?

If you need to accept tips – as many restaurants do – the PIN Bypass is very important to you. When a card is setup as Chip+PIN, you can’t adjust the transaction for a tip later if you run it with a PIN number. This means that as the merchant, you’ll need to run this as Chip+Signature. But wait, you say! That means that I’ll incur liability, right? Not with PIN Bypass.

By using a terminal like the FD-150 that allows for PIN-Bypass, you can opt to “Bypass” the PIN request, and instead automatically request an exception from the issuing bank. In real time, automatically, the terminal will allow you to accept the transaction as Chip+Signature, while still ensuring that liability for fraud remains with the issuing bank. This is big – it means that no matter what, you’re always ensuring that liability for fraud remains where it should – with the issuing bank.