USA is one country where you don’t need to enter PIN to verify a credit card transaction at a POS (PIN is required to withdraw cash with credit card at ATM).
In theory, safety is compromised by the apparent lack of security. But, in practice, the fraud triggered by the lack of security comprises less than 1% of transactions. In fact, most of the fraud within that <1% is caused by large scale hacking into merchant systems that yield info on millions of credit cards. Compared to that, fraud committed by non-entry of PIN is extremely low and is therefore a “less than 1%” problem.
OTOH, fearing 1% fraud, if you tell all 100% of cardholders to enter a PIN, you inject friction into the payment process. Some people may not remember the PIN at the POS; others might enter it wrongly; the transaction time increases. So many extra moving parts are introduced for 100% of transactions, thus increasing the risk of failure of payment, which means the merchant loses business. This is definitely a “more than 1%” problem.
UPDATE DATED 26 MAY 2019:
I received the following email alert from Quora about a comment left on my original answer:
In case it’s difficult to read the text in the above screengrab, let me copy-paste the comment from the email:
QUOTE
People should understand that developed countries can also be wrong and shouldn’t blindly think that everything over there is superior to non-developed countries. Not having PIN security is very risky. Consider a situation in which I lost my wallet or card and am not aware of that: the person who found my card can withdraw the max limit allowed amount easily; there is nothing preventing him from doing that. I could have agreed with you in the case of 2-way auth, but PIN security is the bare minimum. Your argument is like I should stop locking my house because there is a chance I might lose the key and it also consumes time in locking and unlocking.
ENDQUOTE
I clicked the View Comment button on the email but I couldn’t see the comment on Quora website. For whatever reason, it has been deleted.
The commenter has raised some important points. They merit a response. Even though the comment has been deleted, I’m going ahead with a response. (To protect the commenter’s privacy, I’ve redacted their name in the above screengrab.)
The way I understood the OP’s original question, it sought the logic behind some countries not requiring PIN for verifying a credit card transaction. That’s the logic I provided in my answer. At no stage did I propose that other countries should copy what USA does. In fact, on other occasions, I’ve appreciated things done differently by different countries without blindly copying what has been done in the developed countries, like in the following tweet.
Bugs and all, @NPCI_BHIM app is a miracle in s/w dev. Similar apps in developed nations have taken months to develop & cost millions.
— Ketharaman Swaminathan (@s_ketharaman) January 6, 2017
My original answer does state that PINless regime is risky in theory. What the commenter has missed is that, for the risk to become real, the following events need to happen in tandem: (1) Cardholder loses wallet, (2) Somebody else finds the wallet and the credit cards inside it, and (3) This somebody has nothing else to do other than use the credit card fraudulently to buy something at a store, knowing that they’re committing a crime and are possibly being recorded on a CCTV feed.
In actual practice, the likelihood of all those events happening together is slim, so the risk posed by PINless regime is worth it in the case of a credit card (considering that PINless transaction provides a frictionless CX and likely enhances the conversion and hence makes the sale happen, as explained in my original answer).
If anyone has a problem believing that, let’s take PayTM, the largest mobile payment app in India, with 200M+ customers. How many times have you seen someone going to the app’s logon screen and entering a userid and password to open the app, just before making an instore payment?
Yes, I thought so too.
From personal experience and anecdotal evidence, 99% of PayTM users are permanently logged in because they never sign out of their PayTM app, and make payments without entering a password or PIN, as I highlighted in the following tweet:
Hypocritical of @Paytm to complain that WhatsApp Payments doesn't have a login. Its own Sign Out link is buried so deeply that 99% of PayTM users I know are permanently logged into the app and never enter password / PIN to make an individual payment. https://t.co/hBaOIqVk4h
— Ketharaman Swaminathan (@s_ketharaman) February 19, 2018
As in the case of credit card, it could be argued that, if a mobile phone with PayTM falls into the wrong hands, somebody can wipe out the entire wallet balance and their bank balance via linked debit cards. While that argument is correct in theory, it does not seem to happen very often in actual practice. PINless regime has been providing a frictionless CX for PayTM for a long time.
The commenter’s analogy with house / lock is self-defeating. Credit card is first factor of authentication in payments. Key is first factor of authentication in house. PIN is second factor. No house key I know has a PIN. If commenter is okay with no two factor authentication, by their own logic, they should be okay with no PIN for house and no PIN for credit card payment.
The original question pertains to credit card. My answer so far pertained to credit card.
Let me move on to debit card.
Even though the original question does not reference debit card, I want to take this opportunity to bring it up since many people often talk about credit card and debit card in the same breath, and that could be dangerous in the specific context of PINless regime.
At the high level, both credit card and debit card are digital payment methods, so it’s okay to think of them interchangeably. However, when it comes to PINless regime, they should not be mixed up.
If I lose my credit card and somebody is able to use it fraudulently because they don’t need any PIN, I don’t lose any money. I get a bill from the credit card company, I can dispute the bill and, until I write a check, the money does not leave my bank account.
Whereas, in a similar situation with a debit card, the money leaves my bank account instantly. I’ll face an ordeal to retrieve it. And, mind you, I’ll have to suffer that ordeal without money in my bank account. So PINless regime poses too big a risk with debit card (unlike credit card).
In every PINless regime I know, there’s an upper limit on the value of transaction that can be put through without PIN e.g. $50 in USA, INR 2K in India. However, with due respect to regulators, it’s not that they can wave a magic wand and see this limit implemented in a jiffy by all debit card issuers.
From what I know about the innards of debit card management software, the upper limit needs to be programmed by each debit card issuer into their respective debit card management software. Some issuers will have the bandwidth to do so quickly. Some other issuers may need extra time.
Old news. LIC & MSEB still levy surcharge on credit card payments. Talk is cheap. It's time for action! pic.twitter.com/8CQDOAowaY
— Ketharaman Swaminathan (@s_ketharaman) September 8, 2016
And, going by what happened to the diktat on zero-surcharge on online payments issued at the peak of re/demonetization in India in 2016–7, I won’t be shocked if some debit card issuers have still not set the PINless transaction value ceiling. In those cases, I can’t rule out the possibility that the entire bank account will get wiped out.
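The failure mode described above, an issuer that has not yet programmed the PINless ceiling, shown as an added example (not code from the original answer or from any issuer's software). IssuerConfig, PosRequest and both functions are hypothetical names; the INR 2,000 ceiling is the figure quoted earlier, and balance checks are left out.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class IssuerConfig:
    """Hypothetical per-issuer setting; None models a ceiling never programmed."""
    name: str
    pinless_ceiling: Optional[Decimal]


@dataclass(frozen=True)
class PosRequest:
    """Constructed POS authorization request for a debit card."""
    amount: Decimal
    pin_verified: bool


def authorize_fail_open(cfg: IssuerConfig, req: PosRequest) -> str:
    """Weak form: a missing ceiling is treated as 'no limit'."""
    if req.pin_verified:
        return "APPROVE"
    if cfg.pinless_ceiling is None or req.amount <= cfg.pinless_ceiling:
        return "APPROVE"
    return "PIN_REQUIRED"


def authorize_fail_closed(cfg: IssuerConfig, req: PosRequest) -> str:
    """Corrected form: a missing ceiling means every PINless request needs a PIN."""
    if req.pin_verified:
        return "APPROVE"
    if cfg.pinless_ceiling is not None and req.amount <= cfg.pinless_ceiling:
        return "APPROVE"
    return "PIN_REQUIRED"


# Constructed sample data: one issuer with the ceiling set, one without.
CONFIGURED = IssuerConfig("issuer-a", Decimal("2000"))
UNCONFIGURED = IssuerConfig("issuer-b", None)
LARGE_NO_PIN = PosRequest(Decimal("50000"), pin_verified=False)
SMALL_NO_PIN = PosRequest(Decimal("1500"), pin_verified=False)

if __name__ == "__main__":
    for cfg in (CONFIGURED, UNCONFIGURED):
        for req in (SMALL_NO_PIN, LARGE_NO_PIN):
            print(cfg.name, req.amount,
                  authorize_fail_open(cfg, req), authorize_fail_closed(cfg, req))
```

With the ceiling set, both versions behave the same; they differ only for the issuer that never configured it, which is the case the paragraph above worries about.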
Therefore, I’m okay with PINless regime for credit card, but not for debit card. Historically, I’ve only ever used my debit card to withdraw cash from ATM - I only use credit card at point of sale. Now, after the PINless regime for card payments has come into effect, I’ve taken out all my debit cards from my wallet and have left them at home. I now take them out of home only when I need to visit an ATM to withdraw cash.