PIN adds level of security in payment transactions



by Terry Dooley, SHAZAM

When authenticating transactions, choosing between one authentication method or another isn’t a good strategy. A better approach is to leverage layered authentication, allowing the PIN to serve as the strongest option because the issuer is authenticating the consumer’s identity.

There’s a clear trend emerging in the payments industry regarding payment authentication. It’s moving from authenticating the consumer to authenticating the transaction or device initiating the transaction. The effects and ramifications aren’t yet known. At the same time, with countless new entrants into the payments landscape, consumers are using — and loading personal information into — more and more applications to access their accounts. Storing credentials in a third-party app to query other financial institution accounts, investment accounts or reward accounts carries inherent risk, and may have some unintended consequences. One of these occurs when an app is compromised but still has access to the consumer’s financial institution or investment credentials and is used to do nefarious things.

This situation reignites the old debate: Can you have a strong, seamless authentication process that doesn’t require consumer action, but instead just magically works? This is the trend in payments. In many cases the transaction is being authenticated by the device, not the consumer. One example is the elimination of the consumer’s signature for chip-on-chip transactions. PINless chip-on-chip transactions, which generally occur under a certain dollar amount, also operate this way.

Biometrics — fingerprints, facial recognition, etc. — are used to authenticate a consumer to a device. But that biometric data itself isn’t sent to the issuer to verify the consumer; the transaction is authenticated based on the device authentication. A personal identification number is, and continues to be, the only payment authentication method in which the consumer is authenticated by the financial institution.

Plus, while both PIN and biometrics are technically controlled by the consumer, one can be changed, and the other can’t. As a consumer, I can have hundreds of different PIN combinations and change them any time I want, but I can’t change the biometrics of my ten fingers and toes, and my two eyes.

Like biometrics, many other methods use device-level or transaction-level authentication, such as QR codes, text messages, email addresses and phone numbers. All these options are various representations of a token, just as the consumer’s credit or debit card number is a token to reach a consumer’s debit, prepaid or other account.

Should the PIN be required on every transaction? Well, it would allow for the least amount of fraud, but it’s not a practical approach for many channels. Yet the PIN, because of its strength and because the consumer can change it, can serve as a highly effective secondary authentication method when stronger authentication beyond the device or transaction authentication is needed.

I don’t believe choosing between one authentication or the other is a good strategy. A better approach is to leverage layered authentication, and the PIN can serve as one of the strongest and most trusted methods because the consumer is being authenticated, not a device.

About the author

Terry Dooley leads SHAZAM’s business and product development, application development, IT infrastructure, corporate and IT security, vendor integration, and security consultation teams.


SHAZAM is a national member-owned debit network, processor and core provider delivering choice and flexibility to community financial institutions throughout the U.S. since 1976. SHAZAM is a single-source provider of the following services: debit card, core, fraud, marketing, merchant and more. Learn more at, and follow @SHAZAMNetwork.
