When shoppers forget their card's Pin number more than three times, the card should get temporarily blocked by the bank to avoid fraud, but increasingly this security feature is being overridden for certain transactions, according to Telegraph Money.
It has learned of situations where, if the wrong four-digit number is entered over three times, payments are still being allowed with a signature.
While this may sound convenient, it’s a security loophole that fraudsters may exploit.
Generally, if a Pin is entered incorrectly three times your card will be blocked.
But banks appear to have relaxed these rules slightly.
Now instead of aborting the transaction and freezing the card, some are allowing transactions to go through by getting the retailer to obtain a signature.
But a signature is easy to fake and so open to fraud.
Telegraph Money heard from a Barclays customer who entered the wrong Pin three times, but was allowed to sign for a transaction worth £40 at a Sainsbury’s store.
Worryingly, retailers seem to have forgotten the protocol for swipe-and-sign transactions, with some reportedly not even checking the back of the card to verify that the signatures match.
The trend seems to coincide with the rise of contactless payments, which has led to more and more people forgetting their Pins as they are used less frequently.
When do banks let this happen?
There are various situations in which banks and building societies will allow you to transact without a Pin.
Generally, the chip on your card needs to be set up to request a signature payment when a Pin has been incorrectly entered multiple times.
But the retailer’s card machine also needs to allow payments without a Pin, which will depend on the settings.
However, the payment still has to get authorisation from the bank. So it’s unlikely large payments will go through and you won’t be able to withdraw cash without your Pin.
The Barclays customer was able to put through a transaction worth £40 for groceries, but Barclays told the Telegraph a high-value item like an iPhone would not have been processed.
A Barclays spokesman said: "Our systems closely monitor transaction behaviour where a signature authorisation is requested, to identify and prevent fraud."
Your rights if a fraudster cheats Pin security
Many high street banks we contacted confirmed there are situations when a transaction can take place without a Pin.
While this makes our lives more convenient, it’s a worrying loophole in the security we would expect to protect us from fraudulent transactions.
We’ve already seen a rise in contactless card fraud where a criminal with a stolen contactless card is able to make payments up to £30 without a Pin, long after it has been cancelled.
What’s worrying is this new Pin security loophole theoretically allows fraudsters to spend more than the £30 contactless limit.
However, if a fraudster manages to use your card without a Pin, your bank will usually take liability for the transaction.
John Marsden, a fraud expert at credit checking agency Equifax, said: “By removing the Pin requirement, the bank takes responsibility for all non-PIN transactions. I suspect banks take the decision to allow this based on the conditions of each transaction, and in an effort to ensure the cardholder can continue with their financial transactions.”