Slashdot Mirror


Target Moves To Chip and Pin Cards To Boost Security

jfruh (300774) writes "U.S. retailers must accept chip-and-pin charge cards by the end of 2015 or become liable for fraudulent purchases made with chip cards. Target, still smarting from its recent embarrassing security breach, is moving to get ahead of that trend. The company will be installing chip-and-pin terminals in all its stores, and will also be issuing chip-and-pin versions of its own branded cards, which account for about 20 percent of Target sales. Will this move by a huge retailer push the U.S. into parity with the rest of the world?"

210 comments

  1. Re: Chip and PIN by killfixx · · Score: 1

    A bit off topic, but how will this changeover affect companies like Square that depend on swipe and sign for most transactions?

    Other than that, it's about fucking time!

    Sick of finding out every other month that some retailer that I frequent has been hacked.

    I'm tired of constantly changing my credit info to avoid being ripped off...

    --
    "Helping to keep you two steps ahead of the Thought Police!"
  2. America is *finally* implementing chip-and-pin by Lumpio- · · Score: 4, Insightful

    Meanwhile in Finland, everything and everybody has a wireless payment terminal. I once even saw a street musician with one for tips...

    1. Re:America is *finally* implementing chip-and-pin by jones_supa · · Score: 1

      I can confirm this.

    2. Re:America is *finally* implementing chip-and-pin by welshie · · Score: 3, Interesting

      Today I saw an American in London trying to buy their lunch with their credit card. The cashier didn't know how to process swipe-and-sign cards, since they are exceedingly rare, they had to go and find a pen.

    3. Re:America is *finally* implementing chip-and-pin by Ol+Olsoc · · Score: 4, Funny

      I can confirm this.

      Only Netcraft can confirm this.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:America is *finally* implementing chip-and-pin by Skater · · Score: 1

      I'm going to Vienna, Austria (from the US) in a few weeks for work. My work-supplied credit card doesn't have the chip, so I asked about getting one with it. The area that handles the cards in my office said, "You're the first to ask about them," and called the credit card issuer. The CC company came back and said, "No, we don't issue them." Oddly enough, I have a personal CC in my wallet with the chip, issued by that same company. That card will be going with me to Europe.

    5. Re:America is *finally* implementing chip-and-pin by interkin3tic · · Score: 0, Troll

      I remember hearing that one reason the US didn't have this while most other civilized countries did was because of all the crazy christians we have, who think it's the mark of the devil. There's no doubt a little bit of reluctance to start a new security measure which will cost them money, especially when there's no real demand for it here, but I'm guessing concerns over some insane televangelist going on some insane rant about "Visa is the DEVIL!" could seal the deal. So I'm going to blame them.

    6. Re:America is *finally* implementing chip-and-pin by toonces33 · · Score: 1

      I was in London in Feb, but I have a chip card from BofA. Technically not chip-and-pin, it is chip-and-signature. But I didn't have any problem whatsoever when I was there. Everyone knew what to do with it, and it worked without a hitch.

    7. Re:America is *finally* implementing chip-and-pin by CodeArtisan · · Score: 1

      Today I saw an American in London trying to buy their lunch with their credit card. The cashier didn't know how to process swipe-and-sign cards, since they are exceedingly rare, they had to go and find a pen.

      Very much this. I'm a Brit that has lived in the US for 17 years. When I go back home, the cashiers hear my accent, think I'm local and then give me weird looks when they have no clue how to process my credit cards (even though, technically, they should be able to). It's got to the stage now where I just use cash over there.

    8. Re:America is *finally* implementing chip-and-pin by 93+Escort+Wagon · · Score: 2

      I can confirm this.

      Only Netcraft can confirm this.

      Netcraft can only confirm that the street musician is dying.

      --
      #DeleteChrome
    9. Re:America is *finally* implementing chip-and-pin by jfengel · · Score: 1

      Good choice. I was in Europe recently, and there are a fair number of places that can't handle the chipless cards. (Including, irritatingly, French toll booths, which are fairly frequent and of course far away from any place you could get cash.)

    10. Re:America is *finally* implementing chip-and-pin by Jane+Q.+Public · · Score: 2

      Meanwhile in Finland, everything and everybody has a wireless payment terminal. I once even saw a street musician with one for tips...

      Not so fast.

      Chip-and-pin is not a panacea. Every major chip-and-pin system in the world has known security flaws that haven't been fixed in years.

      I would far rather have them fix the security flaws that already exist BEFORE adopting a new system with just more security flaws. It's an unnecessary expense and rather self-defeating.

    11. Re:America is *finally* implementing chip-and-pin by Anonymous Coward · · Score: 0

      I had the same experience in Dublin last year. Guy had no idea how to run it... until he remembered the old machine in the corner, which he had to blow the dust off of before he could use it.

    12. Re:America is *finally* implementing chip-and-pin by bill_mcgonigle · · Score: 1

      I would far rather have them fix the security flaws that already exist BEFORE adopting a new system with just more security flaws. It's an unnecessary expense and rather self-defeating.

      Chip-n-pin isn't secure, but it's more secure than visible numbers. The Europeans reduced their fraud by something like 95%.

      Our real danger is getting stuck on chip-n-pin for the next 20 years. I suspect somebody (Amazon/PayPal/NewCorp) will replace payments entirely with phones by then, though. The old people who use credit cards might still be using chip-n-pin, but they will be a tiny minority.

      My new debit card that came in the mail doesn't even have raised numbers on it. So much for imprint machines. Ah, well, the only place I've used one in the past five years was at a farmer's market and at a small toy store during a power outage.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    13. Re:America is *finally* implementing chip-and-pin by Jane+Q.+Public · · Score: 1

      Chip-n-pin isn't secure, but it's more secure than visible numbers. The Europeans reduced their fraud by something like 95%.

      Card "swiping" (I hate that word) doesn't require visible numbers. True, the cheap cards they have tended to use can be vulnerable even without the visible numbers, but there are ways to improve that.

      The problem is trying to do it electronically, without physical contact. Which is inherently a dead end. Anything that uses the electromagnetic spectrum is vulnerable, unless the actual data exchange is strictly secure from third parties.

      The same researcher who showed that passport RFIDs can be read from a moving car 30 feet away (Christopher something), also showed how "secure" data could be snarfed from NFC-equipped phones from several feet away with a $200 DIY rig... even when they weren't being used for transactions. (The NFC did have to be turned on, though.) And that was before NFC was even in most phones. A big enough antenna could do the same thing from behind a wall 10 feet away.

      So I caution people about using electronics. If it's something that doesn't require physical contact, beware. Your RF can be picked up, and if the protocol isn't 100% secure, then it will be broken. Probably very quickly.

    14. Re:America is *finally* implementing chip-and-pin by fahrbot-bot · · Score: 1

      Our real danger is getting stuck on chip-n-pin for the next 20 years. I suspect somebody (Amazon/PayPal/NewCorp) will replace payments entirely with phones by then, though. The old people who use credit cards might still be using chip-n-pin, but they will be a tiny minority.

      Okay Smugly, payment by phone is different, but not necessarily better or more secure, convenient, robust ... than a CC. In addition, a phone has a battery, isn't water or crush proof (etc) or nearly as small as a CC. Some people, like me, don't even have a cell phone (because I don't need one), but I have a CC.

      I don't think payment by phone will be the panacea you imagine.

      --
      It must have been something you assimilated. . . .
  3. 'Bout time by CRCulver · · Score: 0

    Congratulations USA, you are only 10 years behind Finland. And not only have chip-and-pin cards been around for that long here, but some merchants have stopped accepting cards without chips (which is a pain in the ass for US expats or tourists who want to use their US card here).

    1. Re:'Bout time by Anonymous Coward · · Score: 0

      10 years? I've had a chip card always, and it's been more than 10 years

    2. Re: 'Bout time by Anonymous Coward · · Score: 0

      You're comparing a nation with probably 1000s of times more retailers than Finland. There's an economy of scale thing to consider.

    3. Re: 'Bout time by CRCulver · · Score: 1

      Chip-and-PIN terminals are found across the EU, whose overall population and amount of businesses is perfectly comparable to the US.

    4. Re: 'Bout time by OneAhead · · Score: 0

      economy of scale

      You keep using that word. I do not think it means what you think it means.

    5. Re: 'Bout time by AlphaWolf_HK · · Score: 4, Interesting

      The US almost always suffers from the early adopter problem. That is, we get the earlier versions of standards merely because we adopt them first, and by the time Europe gets around to adopting them the technology has improved based on what was learned in the US. Note similar things like T1 equivalent E1 being faster, and given that superseding technologies (such as optical carrier) are sold in multipliers of T1 speeds, the Europe versions tend to be specced higher.

      Broad adoption of standards is like a marriage: You're stuck with it, flaws and all, and changing to another incompatible one requires a lot of pain and sacrifice, with there being more pain the longer the marriage has lasted. For another perspective on this, look how much of a PITA it was to switch to digital TV, which the US actually did faster than most of the world.

      And yes, I know Europe also had magnetic stripe. But like the marriage analogy they didn't have it for as long nor was it adopted as broadly before chip and pin came along, likewise switching wasn't as difficult.

      There is a silver lining to our system though:

      One time I saw somebody commenting on how much he hates chip and pin because it was supposedly only being pushed so that banks can force you to pay for fraudulent charges, whereas magnetic stripe they supposedly can't. The article was referring to the US adoption, and so I told him that we already have laws that strictly limit liability for consumers that mostly just make banks liable, and they aren't going away. He then lambastes me that "the rest of the world" doesn't do it that way, therefore chip and pin is evil, and I'm a stupid ignorant American for thinking that, even though the article was specifically about the US where such a problem doesn't exist.

      Why doesn't it exist? Well, because us backward Americans have been on magnetic stripe for so long, that it was born out of necessity. (Which by the way, looking in his profile revealed he lived in Europe, which isn't "the rest of the world" as other non-European countries do have similar laws to the US, for the same reasons.)

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    6. Re: 'Bout time by Anonymous Coward · · Score: 0

      Well you can compare with individual states too, and the situation does not change at all.

    7. Re: 'Bout time by mlts · · Score: 1

      This has been going on since the days of the US having 120 volt electricity and Europe having 240VAC/50 Hz.

      Chip and PIN is a necessity. Without it, the only thing actually preventing fraud are the anti-theft algorithms that banks use to detect out of place transactions and either call the person up for approval, or just put the kibosh on them. Long term, it is a good thing that chip and PIN is making its way here to the US. This will reduce CC fraud by a large amount [1].

      [1]: Of course, there will be unexpected consequences. In the 1980s, anti-theft key ignitions stopped wholesale car theft, but what replaced it were carjackings. Same with burglaries being replaced by home invasions. I wouldn't be surprised to see muggings go up (only reason they went down in most areas is because people stopped carrying cash.) However as a whole, it presents a lot higher barrier to criminals succeeding at credit card fraud.

    8. Re: 'Bout time by matfud · · Score: 1

      Yep I've seen the same silly argument.
      Europe wide the only thing that has changed is that the retailer is now responsible for any fraud using C&P cards if they are not used as C&P (say just swiped as that is the normal fallback). Non C&P cards (such as Americans visiting) are still the liability of the card processor/bank.
      The client has never been responsible for fraud. Although I think there is a lower limit for credit cards they normally waive it unless the item was very expensive. But that is a slightly different set of liabilities than you have with debit cards.

    9. Re: 'Bout time by IamTheRealMike · · Score: 1

      That theory would be great except that the EU has a larger population than the USA and it's not like magstripe cards were exactly rare here, or get harder to drop the longer you have them.

      The reason the USA hasn't upgraded is just that there's no willpower to do it in the banking sector. Perhaps because there are so many small banks. It's got nothing to do with being an "early adopter", lol. That's nearly as good as the explanation some poor VISA spokeswoman gave once - the USA doesn't need EMV because it had the internet earlier, and Chip/PIN was mostly useful for offline transactions, which only occur in stone age places like Europe. Hilarious.

    10. Re: 'Bout time by Guspaz · · Score: 1

      See also: getting rid of pennies, or replacing the $1 bill with a coin. Both are amazingly easy things to do (you simply stop making pennies and/or $1 bills and eventually everybody has migrated), but they still can't get either done.

      Admittedly, it took Canada until last year to ditch the penny, but when they did it, it was a complete non-event.

    11. Re: 'Bout time by MichaelBrotzman · · Score: 1

      Back in the 1980's the European phone network was a lot less reliable than the North American one so Europe needed various systems for off line validation of card charges, hence the widespread use of smart cards. In North America vendors could all use online terminals to verify the validity of the mag stripe cards so there was no need for costly smart cards. Current Chip and PIN systems are not as secure as people think as there was a major problem a few years ago in the UK where people were being charged with fraud for contesting various charges made on their chip and PIN cards which were assumed to be secure. Turns out a compromised point of sale terminal could get all the information necessary to make additional transactions without the card or re-input of the users' PIN. So yeah, if you own the point of sale system you own the cards. Chip and PIN would not have helped Target.

      http://www.telegraph.co.uk/tec...

      BTW the E carrier is faster than T carrier because the AT&T engineers didn't want the phone company to sell the housekeeping bandwidth so they reduced the number of bits available for housekeeping so that it could not support an additional voice channel. Turns out their fears were justified as in Europe the extra housekeeping channel was quickly just turned into an extra data channel and their engineers were left with nothing.

    12. Re: 'Bout time by OneAhead · · Score: 1

      Dear inane moderator: I didn't think I would need to explain this, but the point GP was trying to make is exactly the opposite of economies of scale. And there's a word for that as well: diseconomies of scale. Only it does not apply here; there's no reason why there should be a diseconomy associated with switching a larger number of outlets to chip-and-pin. As demonstrated by all developed nations other than the USA and some emerging nations as well. The post I was replying to is simply an apologist of US business' inertia and unwillingness to innovate.

    13. Re: 'Bout time by dave420 · · Score: 1

      There you go again - apologizing for the US by making up some nebulous nonsense to explain why the US simply can't adopt modern standards. First you were defending using imperial units in an article about flight (because, according to you, flight was invented in the US), and now you're defending the US's inability to adopt a basic technology that the rest of the world has been using for over a decade. Guess what? Europe has been using magnetic swipe cards for ages, too, and seemed to be able to change without everyone losing their minds. You seem to think that the EU got magnetic swipe cards 6 months before chip+pin was invented. You must be, otherwise your entire post is just gibberish nonsense. You are clearly an intelligent person, so this behavior of yours of defending this nonsense is worrying.

  4. This isn't why they had a security breach by Karmashock · · Score: 4, Informative

    They might as well announce they're getting Yeti insurance. They had their payment system compromised by people that got access to their point of sale system at one of their stores and then used that to gain access to their central system.

    That has nothing to do with chip and pin.

    And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field? So indifferent to chip and pin, that is going to keep working. And I suspect that indifferent to chip and pin, somewhere in the Target billing system there will be a list of credit card numbers, expiration dates, and security codes. A hacker gaining access to that database isn't going to care if the cards were chip and pin or not. Because by that point the data is prepared for processing. The only way chip and pin would be effective is if the security code were different for each transaction. That seems extremely unlikely but if you could somehow pull that off then snagging the numbers might not get the thieves anything. Of course, how you'd get that to work with online retail is anyone's guess.

    TLDR... I don't think chip and pin is going to accomplish anything and in so far as I understand the issue it wouldn't have stopped the breach at Target in the first place. So I don't know why they're talking about it like it's a solution to anything.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:This isn't why they had a security breach by CRCulver · · Score: 1

      And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field?

      Lots of online retailers now put credit card transactions through the Verified with Visa program, which takes you to e.g. your bank's online banking login page where you have to enter further credentials to complete the order. So, even if a thief has your credit card number and the extra security number on the back, he would not be able to use it without an extra password.

    2. Re: This isn't why they had a security breach by Anonymous Coward · · Score: 0

      With chip and pin the retailer doesn't store the card number, moron

    3. Re: This isn't why they had a security breach by DigiShaman · · Score: 1

      Wasn't the hack accomplished by reading the data unencrypted in RAM?

      --
      Life is not for the lazy.
    4. Re:This isn't why they had a security breach by NevarMore · · Score: 1

      he would not be able to use it without an extra password.

      Which was written on a piece of paper in your wallet with your credit cards.

    5. Re:This isn't why they had a security breach by rogoshen1 · · Score: 1

      Perhaps it's because I've never had anything go wrong in terms of online shopping, but that program is such a pain in the ass.

    6. Re:This isn't why they had a security breach by SailorSpork · · Score: 1

      Pffft, you think that matters? Target had a high-publicity credit card hack theft thingy, Target installing "better" card thingys with "chips" in them, seems gadgety and high tech. Target gets its "we're improving our credit card security" headline. American people go "wooooo, high tech thingy! Problem solved!"

    7. Re:This isn't why they had a security breach by Anonymous Coward · · Score: 0

      I find it to be a pain because it's not everywhere, if I had to do it for every transaction/every card I'd actually remember it, as it is I just use my MasterCard on newegg because I have no idea what I set up my verified by visa credentials to be.

    8. Re: This isn't why they had a security breach by Karmashock · · Score: 1

      exactly how do they charge the card then?

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    9. Re: This isn't why they had a security breach by number17 · · Score: 1

      Online stores can store the credit card number, not the PIN. Typically they will ask for the CVV which shouldn't be stored. See PCI Compliance FAQ

    10. Re: This isn't why they had a security breach by Em+Adespoton · · Score: 1

      It's a key exchange -- the vendor presents the charge and the user presents the one-time encoded authentication token. Both of these are sent upstream to the authorization server, which then queries the merchant bank and cardholder bank to verify the token and the authorization request. They then send a signed response back down the line so that the card knows it was their issuer who authorized the request, the merchant bank knows the cardholder is good for the charge, and the merchant never sees anything at all identifiable.

      This is how the rest of the world has done things for a decade. There is zero reason for a merchant to know anything other than that the customer is good for the credit, and that the banks will back the transaction. The rest of the transaction is done between banks, not people and merchants.

      It still boggles my mind that a country that values anonymous cash so much would be so tied to a credit system that leaks personal information like a sieve, PCI DSS notwithstanding.

    11. Re: This isn't why they had a security breach by rkww · · Score: 3, Informative

      exactly how do they charge the card then?

      The vendor takes the customer's name, postal address and card number, and sends a message to their card processor (bank) saying "I want to charge this customer this amount for this transaction"; the bank sends back a url and the customer is redirected to that page.

      The (secure) page (which displays a shared secret known only by you and the bank) asks for your online banking password; the bank processes the payment, and redirects you back to the vendor's thank-you page.

      This has nothing to do with chip and pin.

      But UK banks also hand out free one-time pad terminals which use your chip and pin card for online identification.

    12. Re:This isn't why they had a security breach by Anonymous Coward · · Score: 1

      This is exactly right. It wasn't the method of authentication that was faulty.

      Target's physical security of the CC equipment was breached. Just like all those gas station pumps with altered/hijacked CC scanners you've heard about.

      This *fix* is downstream from the original problem so it will accomplish nothing.

      This is 100% misdirection/PR. The sad thing is that most people will not know it.

    13. Re: This isn't why they had a security breach by IamTheRealMike · · Score: 1

      Out of a regular PoS that's running Windows, yes. C&P transactions take place entirely between a dedicated piece of hardware and the card itself. Also the card signs a nonce so there's nothing to steal if the hardware is bad beyond the old regular magstripe data which is already stealable.

    14. Re: This isn't why they had a security breach by maevius · · Score: 1

      No....

      The full PAN can and must be read from an EMV card. (EMV specifications, book 3, Mandatory data objects). Actually both the authentication and the card PAN are sent to the issuer.

    15. Re:This isn't why they had a security breach by Anonymous Coward · · Score: 0

      And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field?

      Lots of online retailers now put credit card transactions through the Verified with Visa program, which takes you to e.g. your bank's online banking login page where you have to enter further credentials to complete the order. So, even if a thief has your credit card number and the extra security number on the back, he would not be able to use it without an extra password.

      Mastercard has a similar program; saw it a few times years ago, but not since; and I don't think AMEX does that at all. Of course, then you have Discover and several other vendors too - so is your website going to query each and everyone? Or use the lowest common API between them to process as many cards as you can and keep your customers as happy as you can?

      Chip and Pin won't solve a thing.

    16. Re:This isn't why they had a security breach by RabidReindeer · · Score: 1

      And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field?

      Lots of online retailers now put credit card transactions through the Verified with Visa program, which takes you to e.g. your bank's online banking login page where you have to enter further credentials to complete the order. So, even if a thief has your credit card number and the extra security number on the back, he would not be able to use it without an extra password.

      And when my order comes up to the Verified with Visa page, I cancel it. VwV is a pain.

      The security number is by design not embossed on the card, nor, as far as I know, encoded in the stripe, because for physical card-reading applications the cashier has to confirm your identity by other means such as signature and driver's license.

      Online transactions use the security ID, but if someone has latched onto that, then they're already running amok in someone's network or have physically stolen the card (in which case, cancel/replace ASAP!)

    17. Re:This isn't why they had a security breach by Anonymous Coward · · Score: 0

      You are right but the reason the Target breach was made such a big deal of was to use it as a vehicle to usher in chip and pin. Chip and pin has been compromised already in Europe with the consumer on the hook to prove that the charges were fraudulent. That's why they want it here. Sure the card companies can't do it here now, but wait and there will be "new legislation" to change the wording so that if someone does get a hold of our chip and pin information that we will be ones that have to prove that it was theft. Never mind that the card companies are making money hand over fist, they want more and more and more, and they don't want to have to pay for the flaws in their systems. It's all bullshit and the media is the conduit for spreading it to the masses.

    18. Re: This isn't why they had a security breach by Anonymous Coward · · Score: 0

      If the merchant sees nothing, how do the receipts from chip and pin (in Canada at least) still print your name and some of your credit card (some do, some don't, usually only the last 4 digits)?

    19. Re:This isn't why they had a security breach by PPalmgren · · Score: 1

      To get you to sign up for it, they're kind of deceptive. You can press 'skip' or 'no thanks' to verified by visa signup. Of course now that you're signed up you're boned, and it's probably a good idea to do it, but not having it isn't going to remove the ability for you to report and void fraudulent charges.

    20. Re:This isn't why they had a security breach by jbmartin6 · · Score: 1

      The proof is in the pudding as they say. There must be something to it, since the fraud rate for EMV card holders is far below signature-only card holders. No one is claiming that EMV is foolproof. It WOULD have stopped the Target breach since the POS system never handles the PIN, it only records the terminal's response that the PIN was valid.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    21. Re:This isn't why they had a security breach by Anonymous Coward · · Score: 0

      Except they know what to do because they already did it... 13 years ago. http://www.nytimes.com/2010/10/17/business/17digi.html?_r=0

      Oh SHIT! You mean they already issued chipped cards in 2001 and no one knows! It'll be interesting to see if this really changes anything THIS time.

    22. Re:This isn't why they had a security breach by cdrudge · · Score: 1

      The security number is by design not embossed on the card, nor, as far as I know, encoded in the stripe, because for physical card-reading applications the cashier has to confirm your identity by other means such as signature and driver's license.

      In VISA's case, their recommendation is to compare the signature with the one on the back of the card. However they explicitly state (page 34) that merchants can't decline processing a VISA transaction if the customer refuses to show an ID for a signed card. I believe MC has a similar policy.

      With many merchants never even touching the card, the cashier never even sees the back of the card signature, let alone have an opportunity to compare it to the receipt's signature.

    23. Re:This isn't why they had a security breach by Solandri · · Score: 3, Informative

      They might as well announce they're getting Yeti insurance. They had their payment system compromised by people that got access to their point of sale system at one of their stores and then used that to gain access to their central system.

      That has nothing to do with chip and pin.

      It has everything to do with chip and PIN. It would've prevented the security breach entirely because with chip and PIN, getting the card number by itself is useless. You need the smart chip on the card and the PIN to activate it before you can do anything with the card number. Since you can't use the numbers without the chip and PIN, there is no incentive for thieves to steal the card numbers - they are just numbers, not a magical way to access someone else's money.

      And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field?

      You buy a card reader for your home computer.

      TLDR... I don't think chip and pin is going to accomplish anything and in so far as I understand the issue it wouldn't have stopped the breach at Target in the first place. So I don't know why they're talking about it like it's a solution to anything.

      I don't get why people keep trying to blame Target's security for this problem. The problem all along has been that you can buy stuff using nothing more than a plaintext sixteen-digit number that "belongs" to someone else. I'm not saying Target isn't at fault for failing to secure their network. But giving your credit card to a waiter at a restaurant makes your card just as vulnerable as Target's network was during their security breach. The current system is like telling your bank to authorize payment if someone gives them "your secret password." Then you proceed to give that very password out to every merchant you visit, so they can tell the bank and collect payment. Well if you're giving your password in plaintext to every merchant out there, it's not very secret is it? And anyone who steals the plaintext or overhears it or copies it can make charges to your account (whether it be a thief who stole them from the merchant, or an employee at the merchant, or the guy standing behind you in line who snapped a picture of your card with Google Glass).

      The way I understand how chip and PIN works, you insert the card into the reader which powers up the chip. The merchant transmits the transaction info to the chip. You enter your PIN which gets transmitted to the chip. The chip then uses the private key embedded in it to encrypt those pieces of data. That encrypted data and the card number is sent to the credit card processor, who holds the card's corresponding public key. They look up the card number, find its public key, and decrypt the data. The card number is no longer the gateway to your money, it's just a reference number for looking up the public key. It's the public/private key pair safeguarding your money and authenticating the transaction, and using the private key requires physical access to the card's chip and the corresponding PIN.

    24. Re:This isn't why they had a security breach by mlts · · Score: 1

      This reminds me of debit cards. Yes, it is quick and fast to just swipe the card, enter a PIN and be off without signatures or waiting days for the amount to stop floating and be debited... but the anti-fraud protection is nowhere near what one finds when one runs transactions via credit card processors.

      What I wonder about is if chip/PIN does get compromised, on whose shoulders do the bogus transactions get dropped on. I'm guessing this is decided by who has the fattest wallets.

    25. Re:This isn't why they had a security breach by Obfuscant · · Score: 1

      Lots of online retailers now put credit card transactions through the Verified with Visa program, which takes you to e.g. your bank's online banking login page

      I have yet to see any online retailer do that to me, and if they did I'd assume it was some kind of MITM/phishing attack. I'd also be surprised if the retailer/phisher could correctly guess which of the several hundred "banks" (actually a CU) in the US I use.

    26. Re:This isn't why they had a security breach by CRCulver · · Score: 1

      I have yet to see any online retailer do that to me, and if they did I'd assume it was some kind of MITM/phishing attack.

      Whether you get sent to Verified by Visa depends on your card issuer. If you haven't seen it yet, it is because either your bank has not implemented Verified by Visa, or you have not opted in (or been tricked into opting in) to the program.

      I'd also be surprised if the retailer/phisher could correctly guess which of the several hundred "banks" (actually a CU) in the US I use.

      The retailer refers you to Visa's computer network. Visa then identifies which bank (or credit union, as I use) your card belongs to, because your credit card number encodes the bank, and you get sent to whatever site Visa has in its system for that bank.

      It has been like this for a few years now in Europe, and I have long since got used to being sent to my online banking system to confirm transactions for e.g. Ryanair flights or Baltic ferry tickets when paying with my Finnish bank card. But it seems to be picking up steam in the US as well. I also have a card from an American credit union and about a year ago I was asked by the credit union to create a password for Verified by Visa, and from that day forth I have been sent to the Verified by Visa screen when paying with that card.

    27. Re:This isn't why they had a security breach by hawaiian717 · · Score: 1

      And this is where the October 2015 liability shift comes in:

      If fraud occurs on an EMV card and the merchant hadn't upgraded to EMV and was relying on swiping the magnetic strip to process the transaction, the merchant has liability.

      If fraud occurs on a non-EMV card and the merchant had upgraded to EMV, then the bank issuing the card has liability.

      The result is banks are incentivized to upgrade to EMV cards so they can try to shift fraud liability to the merchant who hasn't upgraded to EMV terminals, and the merchant is incentivized to upgrade to EMV terminals to avoid the liability shifting to them.

      Presumably fraud liability for EMV cards processed at EMV terminals remains where it is today (banks), and possibly everyone wonders "how did that happen?"

      Meanwhile, fraud moves to card not present (read: over the Internet/phone) transactions.

      --
      End of Line.
    28. Re:This isn't why they had a security breach by NetNed · · Score: 1

      It's just a blame shift and the issuers are not going to stop till they can make US consumers responsible to prove fraud while still on the hook for whatever charges were made. Same as in Europe where the system has been corrupted already but the banks are silent on it and where the consumer has to prove the charges are fraudulent.


      Like this:
      or this:

      And many more on the internet that I am more than surprised the Slashdot community didn't point out. Much different community than ten years ago on here.

    29. Re:This isn't why they had a security breach by NetNed · · Score: 1

      WTF? doesn't hyperlinking work on here anymore?

    30. Re:This isn't why they had a security breach by NetNed · · Score: 1

      Ah fucks sakes! Forgot to name it!!!! My bad. It is on the dash!

    31. Re:This isn't why they had a security breach by mlts · · Score: 1

      I mentioned this elsewhere, but one way the CNP transactions could be addressed would be an e-Ink display. Similar to the card I use for authenticating to PayPal, press the number, enter the six to eight digit code, and send in the transaction. With the fact that e-Ink displays only need power when changing state, the battery powering the display should easily last the life of a card (until it expires.)

      With a card having this, a user just enters the numbers on the display in one field, his "CNP" PIN (could be different from the regular PIN in the chip and PIN transaction, or can be identical), and sends that in. Without the number from the display, the transaction won't go through, so it would require the physical presence of the card by the owner -somewhere- for the transaction to work.

      Of course, this won't help if someone is mugged and their PIN is given out at knife-point, but muggings and coercing PINs are a weakness with chip and PIN as well.

    32. Re:This isn't why they had a security breach by tlhIngan · · Score: 1

      That has nothing to do with chip and pin.

      And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field? So indifferent to chip and pin, that is going to keep working. And I suspect that indifferent to chip and pin, somewhere in the Target billing system there will be a list of credit card numbers, expiration dates, and security codes. A hacker gaining access to that database isn't going to care if the cards were chip and pin or not. Because by that point the data is prepared for processing. The only way chip and pin would be effective is if the security code were different for each transaction. That seems extremely unlikely but if you could somehow pull that off then snagging the numbers might not get the thieves anything. Of course, how you'd get that to work with online retail is anyone's guess.

      TLDR... I don't think chip and pin is going to accomplish anything and in so far as I understand the issue it wouldn't have stopped the breach at Target in the first place. So I don't know why they're talking about it like it's a solution to anything.

      Chip & PIN was never for online retail - it's for regular meatspace retail. Online retail is, and always has, used the traditional Card Not Present transaction that mail order and telephone orders have always done. Or what regular online retail does right now. Even in Europe, which has had Chip and PIN for years now.

      Nothing special. You're still vulnerable to getting your numbers stolen, but that's already taken care of right now through limited liability.

      Target using Chip and PIN though is different - this is for their stores, not their online store. And Chip and PIN is such that the breach would be meaningless because Target wouldn't get the credit card details to be breached - the terminal talks to the bank over an encrypted link and all Target gets is a transaction ID they can reference.

      Most likely, Target saw it as an opportunity to upgrade their payment system to not store credit card numbers (which Chip and PIN doesn't need) at all, I mean, if you're going to upgrade your payment system, you might as well do the Chip and PIN upgrade as well since you will have to do it in a year or two anyhow. Get it over all at once rather than suffer through it now, and again later.

    33. Re:This isn't why they had a security breach by hawaiian717 · · Score: 1

      I assume you're thinking of the eInk display as a way to protect web based transactions?

      Rather than coming up with another scheme, I feel like a better solution would be a way to do EMV payments over the web using a regular smart card reader. Smart card readers don't seem uncommon in business oriented laptops already, and Dell and HP have smart card reader keyboards that they could just make the standard keyboard they ship with desktop PCs. It's possible to read EMV cards using regular USB card readers; the folks on FlyerTalk do it to read the CVM list off their card (that's how people figure out if a card is C&S or C&P priority and whether it supports offline PIN).

      --
      End of Line.
    34. Re:This isn't why they had a security breach by Anonymous Coward · · Score: 0

      PCI Compliance: You cannot process credit cards with VISA unless you are PCI Compliant, and part of that compliance is the fact that you are not storing the card information on your system. You can store Masked PAN instead of the full card number, but no CSV number, ever. I believe you can store the expiry date. There shouldn't BE anything in their central billing to GET if their system is compromised.

    35. Re:This isn't why they had a security breach by kesuki · · Score: 1

      "You buy a card reader for your home computer."

      but there is no chip & pin to buy the home reader.

      it's there is a hole in the bucket problem, because the whet wheel needs water to hone the knife to fix the hole in the bucket.

    36. Re:This isn't why they had a security breach by Karmashock · · Score: 1

      Well that's nonsense because how do they know if you're PCI compliant or not? Are they going to examine your database? They don't.

      So all that means is that when a breach happens, if you're not compliant, they're not responsible. It doesn't mean anything else.

      Furthermore, I've seen a lot of businesses that process credit cards that store everything on their systems forever.

      So... no.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    37. Re:This isn't why they had a security breach by Anonymous Coward · · Score: 0

      If that's how chip & pin works it sounds better than I thought. It still sounds like it is potentially problematic. It would seem to me credit cards should have a screen and keypad on them. That would allow the user to enter a secret password onto the device itself to reveal a unique code that then allows the merchant to process the transaction when encrypted and sent to one's bank and then let the bank authorize the transaction to the merchant. The merchant shouldn't be liable because it required the user to enter a pin onto their own device. There is no opportunity to steal anything. Short of the device itself being stolen and the person forced to reveal the pin...

      Now we just need to get the law changed that results in merchants having liability and we can avoid user-fraud (ie card holder rejects charges after agreeing to them).

    38. Re: This isn't why they had a security breach by Brulath · · Score: 1

      Aussie banks (Commonwealth Bank, at least) seem to rely on SMS messages. You're redirected to their website and click a button. They send a 'NetCode SMS' (one-time code specific to that transaction) to your phone with a number you enter into their website, then the payment is processed. Not too bad; something you know (cc number) and something you have (phone).

  5. Re: Chip and PIN by jolyonr · · Score: 2

    Square will have to do what PayPal Here does in territories with Chip and Pin, and that's replace their device with one that has a chip reader.

    Of course, the PayPal Here reader with Chip and Pin is almost ten times the cost of the US PayPal Here swipe reader.

    --
    Please read my Canon EOS tech blog at http://www.everyothershot.com
  6. Fucking finally by PvtVoid · · Score: 4, Funny

    The U.S. is finally catching up with Bulgaria on this one.

    1. Re:Fucking finally by Anonymous Coward · · Score: 0

      The U.S. is finally catching up with Bulgaria on this one

      Yet we're still so fucking far behind in everything else. I just got back from 2 months traveling all over Europe. It was really depressing to realize just how far behind we are in communications and consumer tech. Unlimited gigabit for $30/month? It's amazing what a little ISP competition will produce.

      The conspiracy nut in me wonders if the NSA had a hand in the stagnation of US internet speeds, pressuring the FCC to let entrenched monopolies run amok. That would make spying *much* easier. In light of everything else, it sounds completely plausible.

    2. Re:Fucking finally by danbob999 · · Score: 1, Insightful

      Maybe in 1-2 centuries the US will adopt the metric system.

    3. Re:Fucking finally by Anonymous Coward · · Score: 0

      Imperial system is far superior. Fractionals are all base 2, making them easier to compute with. With the retarded decimal system, you end up with fractional units that are coprime with other fractional units. RETARDED

    4. Re:Fucking finally by Anonymous Coward · · Score: 0

      Maybe in 1-2 centuries the metric system will be replaced by something that isn't crap.

  7. Late on all fronts by Anonymous Coward · · Score: 0

    As always, it only took a massive PR disaster before anyone started moving in this direction. The technology has been available (all over the world) for at least 15 years. I even used chip based calling cards around the world back then.

    The companies thought it was cheaper to not upgrade. But now because they got massively embarrassed, they will finally spend the money which would have saved them thousands of times more money had they done it in the first place.

    Why is it always reactionary in business? It's frustrating.

    Also, while not quite the point of the Slashdot posting, this news is several weeks late, Target announced this on their website a while ago. Slashdot Beta: News for nerds several weeks late, and then we'll dupe it. Beta sucks too.

    1. Re:Late on all fronts by Jmc23 · · Score: 1

      Why is it always reactionary in US business? It's frustrating.

      FTFY.

      'cause other countries took care of this years ago.

      --
      Don't complain about syntax, grammar, or spelling. There is no hell like input on android.
    2. Re:Late on all fronts by jjhall · · Score: 2

      It isn't the merchants dragging their feet. Chip and Pin has not been available to merchants in the US. The thing most people don't realize is that credit card fraud is a profit center for Visa/Mastercard/etc. Do you think Visa is eating the cost of a fraudulent transaction to cover the "$0 Fraud Liability" they offer to their customers? Of course not. It goes right back on the merchant. Now the merchant is out their merchandise, out the money they would have received from the sale, and they are hit with a fee (that goes to Visa) for the chargeback. Have a massive breach like Target? Now there are big fines to pay to the card companies on top of it all.

      The entire security of the credit card system is based on keeping a 16 digit number secret. That same 16 digit number you have to share with everyone you give money to. Making it TONS more secure would be cheap and easy, and most merchants are already set up to handle it... A simple rotating PIN that is only valid for a length of time is all it would take. Have merchants run all transactions as Debit, and give the customer an app on their phone (or even a periodic SMS with a new PIN.) The card companies could use the fraud liability as an incentive to use the system. No rotating pin? $1000 fraud liability. Monthly? $500. Weekly? $100. Daily? $25. Rotating PIN app or new SMS after each transaction? $0. This would also secure online purchases as well.

      Every time I see a story relating to credit card security, I laugh to myself over how much more secure my World of Warcraft account is than my credit card accounts.

    3. Re:Late on all fronts by OneAhead · · Score: 2

      Why is it always reactionary in American business?

      FTFY. As to answer the question: it used to not be that way, but the companies discovered that if they gave enough money to the politicians, the regulator would let them get away with making arrangements like: "if none of us makes the first step to innovate, the others won't be forced to follow, and we all can save ourselves the financial investment of the innovation".

    4. Re:Late on all fronts by Anonymous Coward · · Score: 0

      As always, it only took a massive PR disaster before anyone started moving in this direction. The technology has been available (all over the world) for at least 15 years. I even used chip based calling cards around the world back then.

      The companies thought it was cheaper to not upgrade. But now because they got massively embarrassed, they will finally spend the money which would have saved them thousands of times more money had they done it in the first place.

      Why is it always reactionary in business? It's frustrating.

      Also, while not quite the point of the Slashdot posting, this news is several weeks late, Target announced this on their website a while ago. Slashdot Beta: News for nerds several weeks late, and then we'll dupe it. Beta sucks too.

      I was at a company that was helping the merchant banks roll out chip and pin back in '98. The pilots were going pretty well, and the only real issues were around the costs of the cards -- merchant issuers were rolling out chip-and-pin readers everywhere, even where there was no plan to immediately roll that area out to chip and pin.

      Then the dot com bubble burst (in 2001?) and banks dropped all pilot programs as they focused on defending their existing business model. Chip-and-pin vanished, even though the Verifone/etc. readers that can read the chips were already deployed. It took another 5 years before they started looking at starting up new pilots to see if the market was ready for chip-and-pin again.

      It was all just unfortunate timing that killed it the last time around. A lot of marketing spin (consumers: this is more like cash; you reclaim your privacy -- merchants: this is more secure and prevents skimming -- banks: this is more profitable and protects the bottom line), training, hardware development/deployment etc. was sunk into this the first time around, and only a small fraction of that was able to be reclaimed. These data breaches however are free advertising that overcomes a lot of the impetus the system has been facing, so since all the original pilots are already long complete, roll-out should now move along reasonably quickly.

      HOWEVER, I was under the impression that the "new" US system would not require encrypted PIN -- in other words, while offloading liability and making people do "secure" things, unencrypted data would still be showing up in the merchant's systems. Hopefully this has changed since the data breaches, and the US is going to move to a sane (if slightly more expensive) end-to-end chip-and-pin system like the rest of the world.

    5. Re:Late on all fronts by bluefoxlucid · · Score: 1

      Chip-And-Pin has the annoying side-effect of requiring a PIN instead of a signature. I don't understand why you need a PIN at all, honestly.

      My suggestion nearly a decade ago was straight PKI. An embedded IC would contain a burned, non-readable, unique private key and certificate. The certificate would be bank-signed, and verified dynamically with the bank.

      When you insert the card into the reader, a command stream is sent. This includes the transaction, a time stamp, and a block of random data. The bank accepts each data set once (manageable by a bloom filter of large hashes per hourly time stamp and a database indexed by time stamp). The whole block of data [TIME(now),RANDBITS(1024),Transaction[]] goes to the card, gets signed by the private key on the card through a dedicated RSA4096+RC4 specified to avoid weak IVs (bank rejects if the IV is weak), and is returned to the terminal.

      In this way, you must physically possess the card to carry out a transaction. Transacting with Amazon? Plug a USB reader into your computer, plug it in. Reader contains a display which can list the charge, the merchant, and the transaction. You see "$315.09 AMAZON" and a listing, can accept that. You see "$45 XXX TOOLBAR EROTIX INC" and you reject that. Nothing goes to the card until you press the "accept" button on the reader.

      I don't see a need for a PIN. If someone steals your card, deactivate your card.

    6. Re:Late on all fronts by maevius · · Score: 1

      Interestingly enough, EMV (c&p) cards work like this. However the card and the cardholder are both authenticated - either PIN or signature.

      If someone steals your card, deactivate your card.

      Ok, isn't it a bit stupid to design a system that can be circumvented by someone stealing your card? And no, card deactivation for sure doesn't solve the problem.

    7. Re:Late on all fronts by Anonymous Coward · · Score: 0

      Chip-And-Pin has the annoying side-effect of requiring a PIN instead of a signature. I don't understand why you need a PIN at all, honestly.

      The reason is that if someone steals your card, that isn't enough to charge things to your account.

      And incidentally, for disabled people who are unable to sign, chip & signature cards do exist.

    8. Re:Late on all fronts by Anonymous Coward · · Score: 0

      Sadly, Chip and Pin doesn't do anything of the sort. You'd need biometrics...then the crooks would be stealing thumbs or eyes.

    9. Re:Late on all fronts by bluefoxlucid · · Score: 1

      The primary fraud problem with the current system isn't a window between a stolen card and its deactivation; it's stolen card numbers sold on an open exchange. Bruce Schneier covers ATM pin stealing mechanisms fitted over the card slot fairly often: read the mag stripe, record the pin with a camera, transmit wireless signal to a laptop in a nearby coffee shop.

      A hardware verification process removes this possibility entirely: a person must physically gain control of your card to use it. The current system detects when you swipe in New York, then California an hour later; it also detects large geographical changes in gas station use without travel tickets--you won't drive from New York to California without hitting gas stations along the way. A PIN system does nothing to cover the majority threats; it covers a tiny stolen card threat which almost never happens, at the expense of annoying people who swipe credit cards because punching in 3387 or 4129 or whatever the hell the PIN for this card was usually ends in the card being deactivated.

      Personally, I've had my HSA deactivated a few times because I couldn't remember the PIN. I had 3 debit cards and an HSA credit/debit card at the time, and the HSA always defaults to debit. The first time, I hadn't actually set a PIN. My solution was to unlock the card (wait an hour--even support can't unlock it) and press "CANCEL" on the PIN pad, then sign.

      My solution with C&P will be to write the PIN on the back of the card or, more subtly, use 0(CVV). I don't do this with debit cards because I use them as credit cards to avoid entering a PIN ever.

    10. Re:Late on all fronts by mlts · · Score: 1

      I've wondered about just having a small e-Ink display on credit cards similar to the authentication card I use with PayPal/eBay. Press a button, up pops a number, and because e-Ink only needs power when changing state, the battery in the card has lasted a good number of years.

      In combination with chip/PIN, this would protect transactions done online (basically turning CNP or card not present transactions into CP, or card present) because the user just enters the number on the card when checking out.

      I do agree with the parent poster -- the security on my Gmail or World of Warcraft account is light-years ahead of the security on my credit card account, or even my bank account.
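
Added example, not part of the thread and not any card vendor's code: the rotating code that jjhall and mlts describe above, modelled on the issuer side. The time-based one-time password construction of RFC 6238 (HMAC-SHA1, 30-second steps) is an assumption here, since the comments do not name an algorithm; the shared secret is the RFC's published test key and `CodeVerifier` is a hypothetical name.

```python
import hashlib
import hmac
import struct


def one_time_code(secret, unix_time, step=30, digits=6):
    """Code a display card would show at unix_time (RFC 6238 construction)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class CodeVerifier:
    """Issuer-side check: tolerate card clock drift, accept each code once."""

    def __init__(self, secret, step=30, drift_steps=1, digits=6):
        self._secret = secret
        self._step = step
        self._drift = drift_steps
        self._digits = digits
        self._last_used_step = -1   # highest time step already spent

    def check(self, code, unix_time):
        current = unix_time // self._step
        first = max(0, current - self._drift)
        for s in range(first, current + self._drift + 1):
            if s <= self._last_used_step:
                continue            # a code from this step was already used
            expected = one_time_code(self._secret, s * self._step,
                                     self._step, self._digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._last_used_step = s
                return True
        return False


# Constructed input: the shared secret from the RFC 6238 test vectors.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = CodeVerifier(SECRET)
    code = one_time_code(SECRET, 59)
    print(code, v.check(code, 59), v.check(code, 59))
```

A code copied out of a merchant's database is spent as soon as the issuer has accepted it once, which is the property both comments are after for card-not-present purchases.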

    11. Re:Late on all fronts by maevius · · Score: 1

      The PIN vs signature subject (the cardholder verification methods) has more to do with who pays when the fraud happens. Signature is by far easier to use, and this is the reason why in Europe it is usual for good customers (cards with expensive subscription fees etc.) to get chip and signature and low end cc and debit cards get chip and pin.

      To me the problem is not the PIN, but the magstripe itself, which for Europe is kept there for legacy reasons (and at this point, yes I am looking at you US...). If the magstripe was completely disabled then there would be no way to skim the card because you would lose one of the 2 required pieces of information (PAN/CVV).

      The second problem is that even with the PAN/PIN, the card should be useless but again there are 2 problems.

      1. is again legacy reasons. You steal the PAN, write it in a new card, enter the stolen PIN, bob's your uncle. This should not be possible if the cards were full EMV as the card itself is authenticated against Visa/Master PKI.

      2. Internet purchases! Now this is a biggie. You don't want to inconvenience anyone so you keep it as easy as possible. No card authentication, no cardholder authentication. Everything goes. To me this problem can be best tackled with one time passwords/tokens generated by a smartcard.

      As you understand this is not a technical problem - and I can assure you that the technology exists and it is solid, but an adoption problem and a backwards compatibility problem.

      btw: Come on, you can't read Bruce Schneier and at the same time write the PIN on the back of the card. This is like writing your password on a postit and stick it on the screen. Sure, it's annoying but have some standards!

    12. Re:Late on all fronts by rahvin112 · · Score: 1

      Credit card fraud liability in the US is limited to $50 by federal law as long as the theft of the card is reported within 3 days of discovering it.

    13. Re:Late on all fronts by bluefoxlucid · · Score: 1

      Writing passwords down is not a security problem.

      Say it with me: Writing passwords down is not a security problem.

      Writing passwords down in a place where they can be obtained within the bounds of your threat model is a security problem. My passwords are written in invisible ink in a book kept inside a locked filing cabinet at my desk; likewise, I have a password safe that double-encrypts with a long password (all lower case and spaces) as a symmetric key for the real key used in two passes of AES+Blowfish. If someone is in here looking through my cabinet with the foresight to bring a UV flashlight, locate my password book, shine the light on it, and interpret the passwords (i.e. know what to use them for), we have other problems.

      Now if I were to take the book from the office and lose it somewhere, that's different. In fact, the book should not leave the office. Any password list which travels should contain only passwords; it should not contain an explanation that they are passwords, or what system they're for, or to what entity they belong. Depending on security needs, it may be inappropriate to ever move a password list.

      I'm quite used to a threat model where losing my card results in compromise. I know how to handle that. Having the PIN written on the card is the same threat model; it's acceptable to me.

    14. Re:Late on all fronts by jjhall · · Score: 1

      No, but according to the Smartcard Alliance's FAQ (http://www.smartcardalliance.org/pages/publications-emv-faq), the transaction will contain signatures proving the card is genuine, the correct PIN was used to access the chip, and "Third, even if fraudsters are able to steal account data from chip transactions, this data cannot be used to create a fraudulent transaction in an EMV or magnetic stripe environment, since every EMV transaction carries dynamic data." So while it doesn't include a key fob or rotating key the user must enter, it sounds like it implements it on a virtual level, thereby accomplishing the same goal. If the card data is intercepted, it is useless for future transactions.
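
Added example, not part of the thread: a simplified model of the "dynamic data" property quoted from the FAQ above, next to the static card number that Solandri's earlier comment describes. HMAC-SHA256 with a per-card key and a transaction counter stands in for the chip's cryptogram as an assumption for illustration; it is not the EMV algorithm, and every name and value is hypothetical or constructed.

```python
import hashlib
import hmac
import json
import secrets


def encode_fields(pan, counter, amount_cents, merchant_id, nonce):
    # Unambiguous serialization of every field the cryptogram covers.
    return json.dumps([pan, counter, amount_cents, merchant_id, nonce]).encode()


class ChipCard:
    """Toy chip: key and PIN stay inside, only authenticated messages leave."""

    def __init__(self, pan, key, pin):
        self.pan = pan
        self._key = key
        self._pin = pin
        self._counter = 0
        self._tries_left = 3

    def authorize(self, pin, amount_cents, merchant_id, nonce):
        if self._tries_left == 0:
            raise PermissionError("PIN blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = 3
        self._counter += 1          # never reused, so no two messages match
        body = encode_fields(self.pan, self._counter, amount_cents,
                             merchant_id, nonce)
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "counter": self._counter,
                "amount_cents": amount_cents, "merchant_id": merchant_id,
                "nonce": nonce, "cryptogram": tag}


class Issuer:
    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def issue(self, pan, pin):
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_counter[pan] = 0
        return ChipCard(pan, key, pin)

    def verify(self, msg):
        key = self._keys.get(msg["pan"])
        if key is None:
            return "unknown card"
        body = encode_fields(msg["pan"], msg["counter"], msg["amount_cents"],
                             msg["merchant_id"], msg["nonce"])
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "bad cryptogram"
        if msg["counter"] <= self._last_counter[msg["pan"]]:
            return "replay"
        self._last_counter[msg["pan"]] = msg["counter"]
        return "approved"

    def verify_static(self, pan):
        # Static-number model: knowing the number is the whole credential.
        return "approved" if pan in self._keys else "unknown card"


def demo():
    issuer = Issuer()
    card = issuer.issue("4000000000000002", "4821")   # constructed PAN and PIN
    results = {}
    try:
        card.authorize("0000", 1999, "STORE-0042", secrets.token_hex(8))
    except PermissionError as exc:
        results["wrong_pin"] = str(exc)
    # 'captured' is what a compromised merchant system would be able to log.
    captured = card.authorize("4821", 1999, "STORE-0042", secrets.token_hex(8))
    results["genuine"] = issuer.verify(captured)
    results["replayed"] = issuer.verify(dict(captured))
    results["tampered"] = issuer.verify({**captured, "amount_cents": 99999})
    bumped = {**captured, "counter": captured["counter"] + 1}
    results["counter_bumped"] = issuer.verify(bumped)
    results["static_number_only"] = issuer.verify_static(captured["pan"])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20} {outcome}")
```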

    15. Re:Late on all fronts by jjhall · · Score: 1

      I remember reading a magazine article (possibly even an ad) years back with some company touting this exact technology. It went so far as to mask the card number itself or even allowing selection of multiple card numbers based on the buttons. Sadly I never saw anything past that initial piece.

    16. Re:Late on all fronts by jjhall · · Score: 1

      Currently that is true. I could see that being changed if the sliding scale were introduced. I believe it would still be effective if the max was $50, but slid to $0 with additional measures being taken by the cardholder.

  8. More security lip service by Anonymous Coward · · Score: 1

    It boosts their profits and nothing else as Chip & Pin helps to shift the liability to the customer.
    We've had Chip & Pin for a while in the UK and there have been a lot of serious security problems.

  9. walmart started requiring a chip about a month ago by Wycliffe · · Score: 1

    Walmart started doing this about a month ago in my area. Unfortunately for me the chip doesn't
    work on my card so every time I go to Walmart they have to manually key in my credit card number.

  10. Didn't Target have Chip and Pin back in 2005? by ConstantineM · · Score: 1

    Didn't Target already have Chip and Pin back in 2005 or 2004? What happened to all of those?

    I remember I got a Chip and Pin card from Fleet around that time (just on the edge of them being acquired by B of A); Fleet has even sent me a free card reader, which I've never used, actually.

  11. Re: Chip and PIN by number17 · · Score: 2

    but how will this changeover affect companies like square that depend on swipe and sign for most transactions?

    Your card will likely continue to have a magnetic stripe for non chip and pin terminals. Canada's deadline for "liability shift" was March 31 2011 for credit.

  12. Not invented here by Anonymous Coward · · Score: 0

    Chip and Pin in the USA will go the same way Concorde did as it was not invented here.

    1. Re:Not invented here by PvtVoid · · Score: 2

      Chip and Pin in the USA will go the same way Concorde did

      Back and forth to Europe twice a day?

  13. What!? Why this late? by Anonymous Coward · · Score: 0

    It has been mandatory here for like the last 5 years; some cards now do not have a magnetic strip anymore (mostly membership/club cards).

  14. Nope by mice7943 · · Score: 5, Insightful

    We will not gain parity simply because Target said "make it so". Sadly the cheap and easy CC system the US uses is the easy thing to stay with. Expect an extension of the current system just before it expires in 2015. Nobody wants to spend money to be more secure - "that won't happen to us" mentality rules here in the States...

    1. Re:Nope by Anonymous Coward · · Score: 0

      And the insecure and expensive solution is any better? Heh...more the fool you.

    2. Re:Nope by Anonymous Coward · · Score: 0

      This will not gain parity because others are moving toward three-factor authentication:
      http://www.oki.com/en/press/2014/02/z13115e.html

  15. Recent experience in Italy by dtjohnson · · Score: 1

    Was recently in Italy and had to beg a kindly local woman to buy me a train ticket with her card as the ticket machine would not accept either cash (in the wrong denominations) or my magnetic stripe card. They're probably used to us visiting 3rd-worlders.

    1. Re:Recent experience in Italy by Jmc23 · · Score: 1

      Sad thing is the US screws it up for visitors as well. So stupid to ask for a postal code for a foreign card, or use incompatible debit systems.

      It's almost like the US is the SONY for currency.

      --
      Don't complain about syntax, grammar, or spelling. There is no hell like input on android.
  16. Re: Chip and PIN by Em+Adespoton · · Score: 4, Informative

    Square will have to do what PayPal Here does in territories with Chip and Pin, and that's replace their device with one that has a chip reader.

    Of course, the PayPal Here reader with Chip and Pin is almost ten times the cost of the US PayPal Here swipe reader.

    Well, it really depends. Without chip and pin, the vendor assumes all responsibility for chargebacks. It will be a decision for each Square user as to whether it is more profitable to assume liability or pay for the more expensive reader upgrade.

  17. Re: Chip and PIN by sjbe · · Score: 0

    A bit off topic, but how will this changeover affect companies like square that depend on swipe and sign for most transactions?

    Short answer is "who cares?". If they can't get with the new technology then we don't need them.

  18. If I wandered into the bank.. by TechyImmigrant · · Score: 3, Interesting

    My wife has a retail store and a credit card reader.

    If I wandered into the bank and asked how I get a C&P terminal for the store, they would stare at me blankly. It simply isn't available. The terminals exist, but the bank isn't going to talk to it until they're good and ready to, which at the current rate of progress is 'never'.

    Target has more leverage, but small retailers have to take what the bank makes available.

    For this and other reasons, we will probably switch banks, but people should be under the impression that retailers in the US can 'just switch'. They can't. The bank decides which terminals it will work with. This is bizarre given that the terminals are completely generic.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:If I wandered into the bank.. by maevius · · Score: 1

      Completely generic? Ummmm no. They are C programmable embedded devices which are usually developed according to the acquiring bank's specifications.

    2. Re:If I wandered into the bank.. by TechyImmigrant · · Score: 1

      The wire protocols are standardized by PCI.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    3. Re:If I wandered into the bank.. by PRMan · · Score: 1

      You can't even get a card for travelling to Europe in the US with a chip and pin. Looking into it recently, most people were saying you could get one from the UN credit union.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    4. Re:If I wandered into the bank.. by maevius · · Score: 1

      Ummmmm no.
      The wire protocols are de-facto standardized up to a point (ISO-8583 or vendor specific protocols) and the rest are application specific. Interestingly, wire protocols are one of the things that PCI has never touched.

    5. Re:If I wandered into the bank.. by TechyImmigrant · · Score: 1

      I was under the impression PCI referenced 8583 and the transport wrapper. Maybe not. I'm not searching PCI specs for fun.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    6. Re:If I wandered into the bank.. by KingOfBLASH · · Score: 1

      I read that, not as in all devices are the same (since a chip and pin device has a completely different reader) but that there's no reason someone willing to buy a different reader shouldn't be able to use one

    7. Re:If I wandered into the bank.. by jittles · · Score: 1

      My wife has a retail store and a credit card reader.

      If I wandered into the bank and asked how I get a C&P terminal for the store, they would stare at me blankly. It simply isn't available. The terminals exist, but the bank isn't going to talk to it until they're good and ready to, which at the current rate of progress is 'never'.

      Target has more leverage, but small retailers have to take what the bank makes available.

      For this and other reasons, we will probably switch banks, but people should be under the impression that retailers in the US can 'just switch'. They can't. The bank decides which terminals it will work with. This is bizarre given that the terminals are completely generic.

      Then you're dealing with the wrong vendor. I can tell you right now that I sometimes work on proof of concept applications for one of the largest POS terminal makers in the US and all of their hardware comes with chip and pin support. Even the lowest end equipment. It's available in the US. In fact, the last time I went into the T-Mobile store, all of the terminals inside the store supported chip and pin.

    8. Re:If I wandered into the bank.. by Anonymous Coward · · Score: 0

      You can't even get a card for travelling to Europe in the US with a chip and pin.

      Why would you need to? Just to look cool? I live in France, I travel all over, I used to live in the US. I use my French card when I want, and I use my US card when I want. Both work everywhere. (Mostly use US card these days in non-Eurozone countries, since they are too small of a bank to think of charging for international fees.)

    9. Re:If I wandered into the bank.. by TechyImmigrant · · Score: 1

      But not the shitty Hypercom terminals you find in a large fraction of independent retailers.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    10. Re:If I wandered into the bank.. by jittles · · Score: 1

      But not the shitty Hypercom terminals you find in a large fraction of independent retailers.

      I am not involved in the sales end of their setup, but I do know that it works with European chip and pin cards. Some of the proof of concepts I put together are to market the terminals to banks. The low end readers are like $200. The units I play with are dev units, and do not communicate with a processing service. It's side work for me, so I don't know a lot of the details of how their product works once you tie it in to the processing. They sell the exact same units to the rest of the world, though. Are these Hypercom terminals even less than $200?

    11. Re:If I wandered into the bank.. by Anonymous Coward · · Score: 0

      I don't know about banks but credit unions are awaiting a guidance report from NCUA to be issued in 2014 Q3 or Q4 before deploying EMV cards. One of the biggest issues is trying to resolve connectivity. Normally, a credit union only needs to communicate with one processor, CO-OP being the most widely used, but the current regulations indicate a credit union must have separate connections to MasterCard, Visa, etc.

    12. Re:If I wandered into the bank.. by Anonymous Coward · · Score: 0

      You can, I'm doing that right now. Get a USAA World MasterCard, then call them up and switch to a Chip and PIN card. For some stupid reason MasterCard doesn't let you do it all in one go, so I have to wait to get the first card, then they'll mail me a second one...

    13. Re:If I wandered into the bank.. by TechyImmigrant · · Score: 1

      >Are these Hypercom terminals even less than $200?

      Some are. On Amazon I've seen $70 terminals. Our model is $269 because adding an ethernet interface adds $200 to the price. Odd that, since I just bought a 16 port switch for $70.

      But to get one that works with the bank I have to get it from the bank and they charge their own price. Presumably they throw some secret numbers in there that any decent hacker could extract.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    14. Re:If I wandered into the bank.. by maevius · · Score: 1

      I don't have experience with the American market so your mileage may vary. Having said that:

      The terminals are usually sold by vendors that develop the software too. If a bank decides not to work with the vendor in order to develop the software (as in testing environments, proper specifications etc.) then you simply can't use a specific terminal device (reader if you like) with a specific bank/acquirer. As you understand this has to do more with business matters/politics, but nevertheless it is true.

      Now the chip and pin/EMV vs magstripe only, if the bank doesn't support it, it is end of story which the OP mentioned. The specifications/requirements are simply too different.

    15. Re:If I wandered into the bank.. by wkk2 · · Score: 1

      Citi sent me a chip card on request. I don't know if it's configured for chip/pin or signature. I've tried readers that have chip slots but I have yet to find one in the US that works. One company asked their supplier and was told the card slots were disabled.

      My laptop can read the chip id but I don't want to try anything else since it might lock the card.

  19. Re: Chip and PIN by radarskiy · · Score: 1

    On the user side, all cards are backwards compatible with not only magnetic stripe but mechanical impression on carbon paper.

    On the processor side, presumably Square will have a new unit next year that can read the chip unless they want to absorb the costs of chargebacks themselves.

  20. Re: Chip and PIN by AlphaWolf_HK · · Score: 2

    I think your bank is probably more tired of it than you are as by law they are required to eat most of the liability. The good banks give you zero liability (as in, you aren't ever responsible for losses.)

    I'm curious how this will work for internet transactions though, unless they expect everybody to have smartcard readers (wouldn't bother me, but buying things via smartphone or tablet will need some revamping.)

    --
    Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
  21. Re:walmart started requiring a chip about a month by Barny · · Score: 1

    If the chip doesn't work, just get a new card issued?

    --
    ...
    /me sighs
  22. Re: Chip and PIN by AlphaWolf_HK · · Score: 1

    Don't you just need a simple ISO7816 card reader? I remember paying $10 for those 8 years ago back in my directv hacking days. The communication method is simple serial/RS232, of which there is a Bluetooth standard for (and it works rather well with Android phones too, I've used it for OBD2 serial communication to avoid needing a wire connected under the dash.)

    PayPal Here could likewise do ISO7816 via a bluetooth dongle and ask for the pin on the device itself. I don't imagine the whole thing would cost the same if not less than the present dongle they have. (My bluetooth OBD2 dongle cost me $20, and apparently the manufacturer makes a profit on it.)

    --
    Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
  23. Welcome to the rest of the world? by Anonymous Coward · · Score: 0

    Some time ago all the mag-strip only cards were replaced with Chip and Pin here in Canada.

  24. Not quite by ThatsNotPudding · · Score: 1

    Will this move by a huge retailer push the U.S. into parity with the rest of the world?"

    Target is huge? I'm not so sure about that. But it will be fait accompli when Walmart changes.

    1. Re:Not quite by Anonymous Coward · · Score: 0

      Target is number 10 in 2012 (list starts from page 12):

      http://www.deloitte.com/assets/Dcom-Finland/Local%20Assets/Documents/Global%20Powers%20of%20Retailing%202014.pdf

    2. Re:Not quite by Anonymous Coward · · Score: 0

      Last week I was forced to go to WalMart and my magstripe got rejected and I had to use the chip, still signature though.

  25. Canada has had them since the mid 00's by Anonymous Coward · · Score: 0

    Canada completed roll out of chip and pin in 2010. Congrats on finally catching up with the rest of the world.

  26. Why aim for mere parity? by Anonymous Coward · · Score: 0

    Why is Target playing catch up? Why doesn't it leapfrog Chip and Pin and do something even better?
    Why should anybody hand over the credentials required to initiate transactions in their name to a clerk or a machine that they don't control?

    Let's start with a concept like 3C Transactions and build something much better than Chip and Pin.
    3C is more secure than C-n-P and easier to implement. It could begin initial rollout with no new hardware required by merchants.

    Of course, 3C is really just a napkin sketch and would take some work to build into a real world solution. But the benefits over C-n-P seem so obvious that it (or something with similar principles) should be well worth the effort.

  27. Re: Chip and PIN by lgw · · Score: 2

    Other than that, it's about fucking time!

    Sick of finding out every other month that some retailer that I frequent has been hacked.

    That won't change in the long run. In the short run maybe some benefit, while the crooks come up to speed, but chip and PIN is also hackable. It's not as easy, to be sure, but technology marches on and both PIN harvesting and stolen card use are both happening in Europe today (though not with the frequency of the US problems yet).

    One place we might gain advantage from our late start is that no one will have the older-tech cards where PIN-extraction from stolen cards is possible (and done) due to flaws.
     

    --
    Socialism: a lie told by totalitarians and believed by fools.
  28. Bitcoin? by PRMan · · Score: 1

    How about taking bitcoin online? Make a deal with BitPay or Coinbase.

    No information to steal except for shipping information. And the public fact that it was paid with bitcoin.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
    1. Re:Bitcoin? by maevius · · Score: 1

      Because bitcoin is totally fraud-proof.

  29. Ahh...Chip and SPIN... by Anonymous Coward · · Score: 0

    Chip and Pin isn't any better than what's currently there...

    Chip and Spin
    Safety in numbers? Not likely.

    It's not a solution and screws YOU the consumer on many fronts.

  30. Re: Chip and PIN by toonces33 · · Score: 1

    That's clearly part of it, but there is a lot of backoffice related stuff that needs to be present for it all to work as there is encrypted information that needs to get passed back and forth from the card to the issuer.

    But a small merchant might not have that much to do in that I am guessing that their own bank would handle all of that.

  31. Re:I will cancel all my cards by Anonymous Coward · · Score: 0

    I am not going to remember a PIN for each of my credit cards. I will cancel all my cards, immediately.

    I am guessing that you are just trolling. You should be able to go to an ATM of the issuing bank and change your pin to one that you can remember. It can be the same as the one you use for your banking card but that is less secure. There is a trade-off between security and convenience which you have to consider.

    If your card is not issued by a local bank then you will have to call the automated number on the back of your card to change it there.

  32. Re: Chip and PIN by timeOday · · Score: 1

    I'm curious how this will work for internet transactions though, unless they expect everybody to have smartcard readers

    My guess: more businesses will be pushed towards PayPal, which will not use the extra verification, the PayPal fees amounting to a "security surcharge" / insurance policy for the extra risk of such unverifiable transactions.

  33. Chip and Signature, not Chip and PIN by weave · · Score: 3, Interesting

    Most US cards being issued with a chip are Chip and Signature, not Chip and PIN -- because banks have trained Americans to think PIN means debit so banks fear applying a PIN to a credit card would confuse people.

    I have one of these Chip and Signature cards and on my last trip to UK it was a real PITA, especially at self-checkouts. Like at ASDA there was a signature signing pad but I had to wait for a clerk to come over to give me the pen and then she checked my signature real closely. Same thing at the duty free at the airport. The self-checking stopped and alerted the clerk to come over to check my signature. Then at other stores the clerk couldn't find a pen, or was surprised when paper spit out and had to ask a manager what was going on.

    (I had one clerk hand me the slip to sign, checked my signature, then put the signed slip into the bag with the receipt! If I was an "arse" I probably could have disputed the charge and gotten away with it because they couldn't produce a signed slip)

    At the ASDA (far away from where tourists usually go) the clerk remarked it's been years since she saw someone have to sign for a charge. I apologized, said I was an American, and that our banks think we are too stupid to remember a PIN. She got a good chuckle out of that...

    1. Re:Chip and Signature, not Chip and PIN by hawaiian717 · · Score: 1

      True about most US cards being C&S, not C&P. Or being both, but with C&S as higher priority and not supporting offline PIN (which is where the real trouble comes). From what I'm hearing, Visa is the one that's really pushing C&S in the US; MasterCard is pushing C&P. And since the new EMV Target cards will be MasterCards, there's reason to hope that they'll be C&P.

      For the record, Walmart has also apparently been advocating C&P. They're also ahead of Target in rolling out EMV support, about 25% of Walmart US stores are actively accepting EMV payments.

      --
      End of Line.
    2. Re:Chip and Signature, not Chip and PIN by erice · · Score: 1

      Most US cards being issued with a chip are Chip and Signature, not Chip and PIN -- because banks have trained Americans to think PIN means debit so banks fear applying a PIN to a credit card would confuse people.

      Confuse or alarm? Perhaps it has changed but it used to be that if you purchased using a credit card and used the PIN, the transaction went through as a cash advance with all the associated and onerous fees.

    3. Re:Chip and Signature, not Chip and PIN by Cro+Magnon · · Score: 1

      Yup! The first time I paid at the grocery store with a card, I used the PIN, and got socked with a big fee. Ever since, I used the same card as a credit card (no PIN) without any such fees. That was many years ago, so I don't know if they still pull that crap.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    4. Re:Chip and Signature, not Chip and PIN by rastos1 · · Score: 1

      banks have trained Americans to think PIN means debit so banks fear applying a PIN to a credit card would confuse people.

      You mean like people would suddenly buy things with money they actually have? I see. That would be really confusing.

    5. Re:Chip and Signature, not Chip and PIN by rahvin112 · · Score: 1

      They don't think we are too stupid. Visa and MC make money on fraud. They have a profit incentive to make fraud easy.

    6. Re:Chip and Signature, not Chip and PIN by davecb · · Score: 1

      This is because the UK discovered to their discredit that chip and pin could be broken by grad students on a security course. See Chip and Pin is Broken (2010)

      --
      davecb@spamcop.net
    7. Re:Chip and Signature, not Chip and PIN by weave · · Score: 1

      At least it takes a grad student.

      Magnetic swipes can be cloned by anyone. Heck, you can easily buy a cloning card to do it.

  34. CARDHOLDER SHOULD BE LIABLE FOR ALL PURCHASES by Anonymous Coward · · Score: 0

    Case closed.

    1. Re:CARDHOLDER SHOULD BE LIABLE FOR ALL PURCHASES by Anonymous Coward · · Score: 0

      Why the fuck should I be liable for purchases made on my card if someone hacks into a major retailer's computer system (oh...I don't know let me pick one entirely at random...say Target) and steals my credit card information?

  35. Chip and Pin stops card cloning by wiredog · · Score: 1

    And cloned cards were a major vector of fraud in the Target attack.

  36. Re: Chip and PIN by maevius · · Score: 1

    Not really. Chip might be kinda easy to read using commodity hardware, but pin entry must be done through a PCI certified device (as in, lots of money for certification, passed on to you, the consumer)

    https://www.pcisecuritystandar...

  37. Chip and Pin cards? by dirk · · Score: 1

    That is great and all, but are there any banks in the US supporting chip and PIN cards for Visa/MasterCard currently? I'd love to get one even if I only use it at Target just to help push things along, but I don't know of any cards that are supporting it now (and I really don't need a Target card).

    --

    "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
    1. Re:Chip and Pin cards? by slacktide · · Score: 1

      Both Chase and Citi offer them. I have a Citi that I use for European travel.

  38. target by JohnVanVliet · · Score: 0

    I can almost GUARANTEE that Target will "frack up" this too
    a 2015 prediction
    Target will use the password "1234" to secure the servers

    --
    "I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
  39. Should we actually trust the NSA to babysit us by Orwell1983 · · Score: 1

    This is the most ridiculous thing I have ever heard and the fact that people buy into it is what is wrong with America. Chip and pin cards, are you kidding me? I hate to give in to the hype of an overused buzzword, but we do find ourselves coming into an age where big data has massively amplified the stakes of security as companies are pooling all of their assets into one giant "data lake" so that it can be analyzed. Yes, I agree that it is great that they now can "glean valuable insights from the connections between xyz..." by aggregating all of the information into one giant store of structured or unstructured data to be analyzed, rinse, repeat and analyze again, but then guess what - one hole in your security means the whole house of cards comes tumbling down and all of your data "assets" and people's "private" information is now exposed. Chip and pin cards are a joke to placate the public - this is a good blog on what companies are putting in place right now that are actually a step in the right direction at least. http://sqrrl.com/big-data-secu... The thing that is interesting: the one with the most all encompassing security architecture was created at the NSA.... So do we not trust that approach because the database was created by evil government spies and will abuse our information somehow, or trust them because maybe they actually know how to keep information secure. All I know is that it's interesting that at least they built their "big data" analyzation tools as a secondary priority to security, and as the blog shows the other databases are now implementing different security measures to their information warehouses which is at least a step in the right direction.... My two cents. To all of the big companies like this that think "that won't happen to us".... That first step off your high horse is going to be a bitch honey. Tuck and roll.

  40. Re: Chip and PIN by Mattcelt · · Score: 2

    I still have a Target-branded chip-and-pin card and USB reader from 10+ years ago from an early pilot they did with a well-financed crypto startup. I would imagine some of their executives are kicking themselves now for having shut the project down then.

    It's nice to see the US finally catching up with what Europe has been doing for a very long time.

  41. Whoosh by Anonymous Coward · · Score: 0

    EMV (nicknamed "Chip and Pin") technology makes it more difficult for a thief to steal your credit card out of your pocket and then use it.
    It does not prevent data breaches.

    To complete an EMV transaction with a merchant, you have to hand over a credit card with an embedded chip. Then you have to provide a PIN used to decrypt the credit card authorization. The merchant can then use the decrypted authorization for the transaction.

    And the merchant can still store that information and get compromised.

    The Target breach was an inside job. It didn't happen at a store counter. EMV does nothing to protect against these attacks.

    If you have to tell a third party how to decrypt your super secret in order to do business with them, it isn't very super secret anymore. What's the point? We need a system that doesn't require you to hand over the keys to your account.

    1. Re:Whoosh by Anonymous Coward · · Score: 0

      No, you don't hand over the card, you put it in a reader and then you type the pin to the reader. The reader contacts the bank or credit card company (or maybe they have a central server for all that, don't know) and OKs the purchase. NEVER give the pin to anyone.

    2. Re:Whoosh by Anonymous Coward · · Score: 0

      ... The readers are either at the register or portable, so there is no reason to hand over the card either.

    3. Re:Whoosh by IamTheRealMike · · Score: 1

      That's not how it works.

  42. their terminals already had it by YesIAmAScript · · Score: 1

    The terminals that had the problem were their new (few months old) chip and PIN-capable EMV terminals.

    Chip and PIN doesn't fix the breach Target had. Only Chip and PIN with tokenization does.

    I already have one Chip and PIN card from my bank (US bank) and I'm trying to get my other one switched too. But it doesn't fix this problem.

    Target, if you replace your terminals again, please get ones that do Chip and PIN and also NFC and PIN please?

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:their terminals already had it by Anonymous Coward · · Score: 0

      Or implement some form of 3C Transaction

  43. Naa, I use 4-step security, so I don't have to wri by Anonymous Coward · · Score: 1

    1) Click on "Forgot Password?" Link
    2) Click on link to reset password in email just received
    3) Create new password
    4) Use new password before you forget it. If you forgot it, return to step 1

  44. if that card is Chip and sign, you're boned by YesIAmAScript · · Score: 2

    It still has to be swiped in Europe.

    You need a Chip and PIN card. Wells Fargo issues them now. And Chase does for some cards too. You really should be getting one of those before you go.

    If you don't have the PIN for your card, you don't have a Chip and PIN card and you'll be in a slightly worse boat in Europe than a card that doesn't have a chip because you'll usually have to tell them "ignore that chip, you have to swipe that" every time you use the card.

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:if that card is Chip and sign, you're boned by Anonymous Coward · · Score: 0

      Um, wrong - you will still insert the card, you just have to sign the slip. It is called chip and signature and Europe is still used to it. You CAN'T swipe the card on a chip reader if you have a chip - the service code on the magnetic stripe doesn't allow it.

      My reference: 10 trips to Europe in the last two years, plus Aruba, Chile, etc. With a US chip and signature chip card. You can even use it in some readers that require PIN, so long as they go online for the transaction and you have remembered your PIN (and yes, it is a purchase, not cash advance).

    2. Re:if that card is Chip and sign, you're boned by jrumney · · Score: 1

      You need a Chip and PIN card. Wells Fargo issues them now.

      Everywhere else has introduced chip and pin cards years before they switch it on on the backend. They still have a magstripe on the back, so it isn't an either/or choice. Given the deadline of end of 2015 for retailers to start accepting them, I'm surprised all current cards in the US are not already equipped with the chip. At this late stage, I'm also surprised that they aren't just going straight to contactless cards.

  45. that's not true by YesIAmAScript · · Score: 1

    http://en.wikipedia.org/wiki/E...

    Although most of these attacks require you be able to clone the data reaped from EMV onto a stripe card and use it in a place that accepts stripe swipes. If the US stops accepting those, it will reduce fraud by presenting less opportunity. But it won't be because EMV prevented data extraction, but because you can't (currently) clone onto an EMV card.

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:that's not true by IamTheRealMike · · Score: 1

      EMV prevents you from extracting the private signing key it uses in EMV transactions. EMV chips also contain a copy of the magstripe data on the chip for convenience, but if you can get access to the chip it's 99.9% certain you could also read the magstripe, so that's hardly a big deal.

      The chips used in these sorts of cards have proven remarkably robust. Though there have been several exotic protocol attacks on EMV so far there have been (AFAIK) none on the chips themselves.
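
      Added example, not code from any poster or from the EMV specifications: a simplified issuer-side model of the "dynamic data" point quoted from the FAQ earlier in the thread and of the comment above about the chip keeping its key. HMAC-SHA256 stands in for EMV's real cryptogram algorithm, and every class name, key, card number and CVV below is constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ChipAuthRequest:
    """What the merchant sees and forwards for a chip transaction."""
    pan: str               # card number (static)
    amount_cents: int
    unpredictable: bytes   # nonce chosen by the terminal
    atc: int               # transaction counter kept inside the chip
    cryptogram: bytes      # MAC over all of the fields above


def _mac(key, pan, amount_cents, unpredictable, atc):
    # Stand-in MAC (assumption): real EMV derives a session key and uses
    # a block-cipher MAC, not HMAC-SHA256.
    msg = "|".join([pan, str(amount_cents), unpredictable.hex(), str(atc)])
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()[:8]


class ChipCard:
    """Holds the key; only cryptograms ever leave the chip."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self._atc = 0

    def authorize(self, amount_cents, unpredictable):
        self._atc += 1  # a new counter value for every transaction
        mac = _mac(self._key, self.pan, amount_cents, unpredictable, self._atc)
        return ChipAuthRequest(self.pan, amount_cents, unpredictable,
                               self._atc, mac)


class Issuer:
    """Hypothetical issuer host that checks both kinds of transaction."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}
        self._static_cvv = {}

    def enroll(self, pan, key, static_cvv):
        self._keys[pan] = key
        self._last_atc[pan] = 0
        self._static_cvv[pan] = static_cvv

    def verify_chip(self, req):
        key = self._keys.get(req.pan)
        if key is None:
            return "DECLINE: unknown card"
        expected = _mac(key, req.pan, req.amount_cents,
                        req.unpredictable, req.atc)
        if not hmac.compare_digest(expected, req.cryptogram):
            return "DECLINE: bad cryptogram"
        if req.atc <= self._last_atc[req.pan]:
            return "DECLINE: replayed counter"
        self._last_atc[req.pan] = req.atc
        return "APPROVE"

    def verify_magstripe(self, pan, static_cvv, amount_cents):
        # Stripe data never changes, so the issuer cannot tell a copy of
        # the stripe from the original card.
        if hmac.compare_digest(self._static_cvv.get(pan, ""), static_cvv):
            return "APPROVE"
        return "DECLINE: bad stripe data"


def demo():
    pan, cvv = "4000000000000002", "123"   # constructed test values
    key = os.urandom(16)
    issuer = Issuer()
    issuer.enroll(pan, key, cvv)
    card = ChipCard(pan, key)

    captured = card.authorize(2599, os.urandom(4))
    results = {"genuine": issuer.verify_chip(captured)}
    # The same message presented again: the counter is no longer fresh.
    results["replay"] = issuer.verify_chip(captured)
    # Captured fields edited without the key: the MAC no longer matches.
    edited = replace(captured, amount_cents=99999, atc=captured.atc + 1)
    results["edited"] = issuer.verify_chip(edited)
    # Stripe data is identical on every use, so a second use passes.
    results["stripe_first"] = issuer.verify_magstripe(pan, cvv, 2599)
    results["stripe_again"] = issuer.verify_magstripe(pan, cvv, 99999)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} {outcome}")
```

      The chip results depend on the issuer tracking the last counter it accepted per card; without that check the second presentation of a captured message would verify.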

  46. No, it was in 2001 by Anonymous Coward · · Score: 0

    No, Target was way ahead on this one in 2001. http://www.nytimes.com/2010/10/17/business/17digi.html?_r=0

    They saw no upside and converted everyone to non-chipped cards as they expired around . Looks like they were way out ahead on this one, TOO far out ahead. They dropped them when no one else followed suit.

    This still wouldn't have prevented the security breach, but whatever, people gotta hate on something.

    1. Re:No, it was in 2001 by ConstantineM · · Score: 1

      Well, I can't confirm they did it back in 2001, but I do recall they were still on it in 2005 or so.

      It could prevent the security breach -- in England, Chip and PIN cards cannot be swiped in the presence of a Chip and PIN terminal.

      But, yeah, it's kinda funny how things turn out. :-)

  47. Re: Chip and PIN by matfud · · Score: 1

    The company accepting payment bumps the user off to an outside service such as "Verified by Visa" or MasterCard's equiv and lets them handle the problem. These are run by the payment processors and as a card user you generally have to sign up to them separately. They tend to use separate information that is not on your card.

    Then visa takes responsibility for fraud.

  48. Re: Chip and PIN by Anonymous Coward · · Score: 0

    PCI compliance does not allow the "PIN" part to be executed on the touch screen.

    Target Canada's have a physical PIN pad, while still using the touch screen for everything else.

    I'm surprised honestly that online credit card chip+pin hasn't ever been done. Right now the card readers are 10$ bucks but the PCI compliant ones with their own pin pad are 100$. Is the pin pad required at home? Or is it because we can't trust software on the computer?

    Remember that the reason Target et al get hacked is to acquire the credit card numbers used by their marketing. Quit using the card number as a tracking variable and this problem would go away.

  49. Re: Chip and PIN by Anonymous Coward · · Score: 0

    This is because the entire world has not shifted to chip+pin. I remember the first days with it and the people working the cash tills were being forced at metaphorical gunpoint to recite "insert the chip card", now everyone just does it without a second thought.

    As for who took the longest to switch over, bank ATMs, transit ticket machines, vending machines. Most vending machines here still only take cash, while damn near every machine in the US has a swipe card option.

    Now there is a -better- solution than forcing chip+pin cards, and that's to make use of the Paypass/NFC instead. This can be integrated into a combined swipe/nfc reader, or better yet many Android phones have NFC on them already, even the Nintendo Wii U has NFC. It would be better to standardize on what the NFC payment terminal looks like (the o)) symbol) on an external payment dongle as to not confuse the hell out of customers.

    BTW the NFC is only marginally better than swipe cards. Someone can't clone an NFC/Chip card, but they can still use the data obtained from a chip or NFC card to make a magstripe clone, that's why the magstripe cards need to go away.

  50. Re: Chip and PIN by uberdilligaff · · Score: 1

    I'm curious how this will work for internet transactions though, unless they expect everybody to have smartcard readers

    My guess: more businesses will be pushed towards PayPal, which will not use the extra verification, the PayPal fees amounting to a "security surcharge" / insurance policy for the extra risk of such unverifiable transactions.

    Remember that under US law, when you pay via credit card, you have rather strong protections that largely take your side when you dispute whether a merchant delivered what you ordered. No such provisions exist when you pay using PayPal. This is especially valuable in the era of internet ordering, rather than brick-and-mortar purchases.

    --
    Against stupidity, the Gods themselves contend in vain. --Friedrich Schiller
  51. Impressed when US figures out Debit by Anonymous Coward · · Score: 0

    Chip and Pin is so 2005. What about Paywave, and Debit Flash? Phone payments?
    I still find it amazing that I cannot pay with a debit card in the US. When you try to use it the cashier gives you a blank look like you just threatened to rob him/her. :)
    Canada will soon be switching to one-card tech where you have one card for all methods of electronic payment.

  52. Re: Chip and PIN by tlhIngan · · Score: 2

    My guess: more businesses will be pushed towards PayPal, which will not use the extra verification, the PayPal fees amounting to a "security surcharge" / insurance policy for the extra risk of such unverifiable transactions.

    That exists right now - it's called a "Card Not Present" transaction and the transaction fees ARE higher as a result. I believe Square charges like 3.5% instead of 2.5% for those kinds of transactions because of the increased risk.

    Paypal fees mirror the credit card processing fees, so Paypal knows how to do Card Not Present transactions (and they do tons of verification as well that reduces their risk).

  53. integration lagging by Anonymous Coward · · Score: 0

    I work for a one-stop-shop retail IT solutions provider that partners with several of the big international hardware and software companies involved in pinpads, mag stripe readers, point of sale, etc. While our partners are established in Europe and have chip and pin products there, and we have significant lead times to integrate their products into solutions and get them deployed into stores, I've yet to see them discuss any chip and pin products with us, let alone start the work of getting them into stores. I don't see how chip and pin could possibly be widespread in stores by fall 2015.

  54. Good I guess by koan · · Score: 2

    I'm still waiting for the metric system to catch on =)

    --
    "If any question why we died, Tell them because our fathers lied."
  55. Re: Chip and PIN by Cyberax · · Score: 1

    It's been done, multiple times in various countries. For example, Ukraine uses NSMEP (National System for Mass Electronic Payments) which requires a terminal for purchases. Turns out that users don't like it that much.

  56. chip and pin by Anonymous Coward · · Score: 0

    Does any bank in the United States of America provide a chip and pin debit card? I couldn't find any in my neighborhood. Just asking.

    1. Re: Chip and PIN by timeOday · · Score: 0

      +1

    2. Re: Chip and PIN by Jarik+C-Bol · · Score: 2

      As a US citizen who has never seen a vending machine with a card swipe option, I feel left out.

      --
      I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
    3. Re: Chip and PIN by Dogtanian · · Score: 1

      I think your bank is probably more tired of it than you are as by law they are required to eat most of the liability. The good banks give you zero liability (as in, you aren't ever responsible for losses.)

      No, the banks don't have to cover the cost of fraudulent credit card transactions (although I bet they love basking in the warm glow of the widespread misconception that they do). It's the retailers who get screwed when that happens, both in the US (I assume that reference to Newegg means it's American) and in the UK.

      As I posted in this comment, the banks don't give a **** because they don't have to; they're not the ones paying for it. Fraud report? Yank the money back from the retailer (even if they've performed reasonable diligence (*))

      Even though chip and pin is very common in the UK (I can't remember the last time I used a swipe-and-signature terminal), credit card fraud still exists and it's the retailer that gets screwed.

      (*) In fact, as far as I'm aware, retailers- in the US, at least- are supposedly *prohibited* from checking ID, which makes this even worse

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    4. Re: Chip and PIN by drinkypoo · · Score: 1

      As a US citizen who has never seen a vending machine with a card swipe option, I feel left out.

      You will commonly see them in the USA in major airports, and in business hotels. They'll feature things like iPods (or whatever, I haven't been in a business hotel in a while and the last airport I was in just had brookstone racks everywhere) and cellphone chargers and of course headphones.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re: Chip and PIN by Anonymous Coward · · Score: 0

      Go to the University of Arizona Medical Center in Tucson. Their Coke machines have them. They are often not working.

    6. Re: Chip and PIN by Guspaz · · Score: 1

      Except Target Canada's card readers are giant antiquated-looking things that are awkward to use, have a completely useless touchscreen/stylus for some reason (to do what with, exactly?), and don't support contactless payments (which all cards support at this point).

      It's not just the card readers that work poorly. Their self-checkout terminals also have issues. They're unilingual French (in Montreal), even in English neighbourhoods, which doesn't really matter because the volume level is below a whisper and is inaudible (although the screen is also in French). They're more complex to use than comparable machines at other stores, and instead of just showing you a list of what you've scanned, they show a strange "stacked deck of cards" that makes it tough to see anything other than the most recent thing you scanned.

    7. Re: Chip and PIN by Guspaz · · Score: 1

      Vending machines here in Montreal never take any sort of cards, but when I was recently visiting Boston, many of the machines had contactless readers, so the PayPass/PayWave on our Canadian credit cards worked fine.

      What wasn't so nice is when you come across a machine in the US that doesn't take credit cards... Because the Americans don't have any useful denominations of coins, you basically can't use vending machines if you don't have any $1 bills. Even putting a $10 bill into the machine to buy a $2 drink would spit out 32 coins, which is insane.

    8. Re: Chip and PIN by Darinbob · · Score: 1

      I got a new visa with a smart card built in. But I don't know what my pin is... I think I last gave one for my visa 12 years ago.

    9. Re: Chip and PIN by David_W · · Score: 1

      retailers- in the US, at least- are supposedly *prohibited* from checking ID

      I don't have a link handy, so I'm going from memory here, but I think they are prohibited from requiring ID. They can ask, and that might be enough to ward off some folks trying to pull something, plus most legitimate people will show it. However, supposedly you could refuse (or lie saying you don't have it with you) and they are still supposed to run the transaction. It reduces down to largely the same thing in the end for anyone who knows what they are doing.

    10. Re: Chip and PIN by BasilBrush · · Score: 1

      Speaking from Europe, where we've been using Chip&PIN for nearly a decade, it is only used for in person purchases.

      Internet purchases fall back on the old card number plus 3 digit "security number" from the back of the card, plus the need to specify a delivery address whose digits have the correct hash value. Same as presumably happens now in the US.

      I guess the point is that it's trivial to "clone" a mag-stripe card, but not a chip and pin one. Just because it doesn't also solve internet frauds doesn't mean the cloning problem isn't worth dealing with.

  57. EMV - Encryption by ArkiMage · · Score: 1

    http://www.digitaltransactions...

    "Security experts say data still can be transmitted unencrypted, or in plain text, during an EMV transaction."

    So this is going to help Target how?

  58. Online by Sepodati · · Score: 1

    Online sales use a challenge-response system to ensure you have the card and know the PIN. You don't enter the PIN into any website, though, just the little card reader. The challenge-response system is run by the bank, I think. You're redirected there as a part of the sale to verify. Kind of like the Verified by Visa thing, but instead of just entering a password, you do the whole challenge-response thing with your card and reader.

    This is how it's done in Europe, at least.

    In POS systems, the PIN never leaves the card reader, so it can't be stored to be stolen later.

  59. Reader by Sepodati · · Score: 1

    Yes, you'd have to have the card reader if everyone implements a challenge/response type system like in Europe. I have one at work and keep one at home. When I travel I throw one in the bag just in case. You get used to it.

  60. Flaws by Sepodati · · Score: 1

    Do you have any links to chip & pin flaws? The one I saw I thought allowed you to enter any PIN and have it return as valid, so the transaction would be charged. You had to have a programmable card hooked up to a laptop and a valid card, I think. Doable with a jacket and backpack, but not quite clone & go. Curious what else is out there.

    1. Re:Flaws by lgw · · Score: 1

      A remarkable number of search results on the topic lead to articles that are mysteriously broken. Makes you wonder. Here's one on PIN extraction (no clue what the fastest attack is yet, but there are far too many claims to all be fraud).

      But the best part is banks will deny you fraud coverage. That's right. These cards are "unclonable", so if you're claiming the use was unauthorized, clearly you're perpetuating fraud.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Flaws by lgw · · Score: 1

      Gah, and now /. ate my link! Government coverup! OK, that one might have been operator error.

      http://www.zdnet.com/chip-and-...

      --
      Socialism: a lie told by totalitarians and believed by fools.
  61. Pain by Sepodati · · Score: 1

    I agree the Visa and MC programs are a pain. They come up so infrequently that I never remember what the password is. Plus with varying rules as to what constitutes an acceptable password, I can't even count on it using a password I'm familiar with.

    If implemented like in Europe, though, you only have to remember the PIN. Which you use everywhere, so that's not an issue. There's a challenge-response part of the online purchase that generates a code to confirm you have possession of the card and know the PIN to validate the transaction. Yes, everyone has to have the little card reader available. I've only made a few online purchases with my European card, but they've all been that way so far.

    1. Re:Pain by RabidReindeer · · Score: 1

      I agree the Visa and MC programs are a pain. They come up so infrequently that I never remember what the password is. Plus with varying rules as to what constitutes an acceptable password, I can't even count on it using a password I'm familiar with.

      If implemented like in Europe, though, you only have to remember the PIN. Which you use everywhere, so that's not an issue. There's a challenge-response part of the online purchase that generates a code to confirm you have possession of the card and know the PIN to validate the transaction. Yes, everyone has to have the little card reader available. I've only made a few online purchases with my European card, but they've all been that way so far.

      I think what originally generated my hatred of Verified by Visa was that it had been assuming that I was idiot enough to do things involving money under IE and Microsoft Windows. So it didn't even work under Linux/Firefox.

    2. Re:Pain by IamTheRealMike · · Score: 1

      It's up to each individual bank. Most banks won't require you to do a CAP authentication (with the little device) just for credit card purchases. Password with hint at most - banks earn mad fees on card transactions so they don't want you to do less of them. If they need more authentication for very risky transactions, they certainly can do that. Though whether the merchant opts in or not is up to them, it costs merchants more money to support 3D-Secure authentication unfortunately.

      CAP is used primarily for wire transfers and logging in to online banking, where the sums involved tend to be higher.

  62. Terminals by Sepodati · · Score: 1

    With the terminals, the bank issues you a challenge code based on the transaction and you use the terminal, card and PIN to generate a response that validates you're the authorised card holder. It's worked pretty well the few times I've bought something online with it.

  63. PIN by Sepodati · · Score: 1

    If someone steals your card, deactivate your card.

    Sure, but in the meantime, the PIN prevents the card from being used since the thief doesn't know what it is. It also prevents the card from being cloned (assuming that's possible) and used elsewhere even though you have your card in your wallet. It's the whole "something you have" and "something you know" security model.

    1. Re:PIN by bluefoxlucid · · Score: 1

      Sure, but in the meantime, the PIN prevents the card from being used since the thief doesn't know what it is.

      As I said above: This is an extreme minority case. It would be as if you prepared your house with steel doors and barred windows and turrets and artillery so as to prepare for invasion by an armed mob of rioters. It happens once in a while, every several decades; but now it is inconvenient to get into your house, and your house is expensive and needs much maintenance. This is not worth doing.

      It also prevents the card from being cloned (assuming that's possible) and used elsewhere even though you have your card in your wallet.

      It's not possible in the model I described. You can't copy the card. The card has a data channel which you send input and it returns output; the contents of the card cannot be cloned except by physically prying off the chip, using acid to dissolve the case, and then using a scanning electron microscope to examine the integrated circuitry. At this point, you don't have the card in your wallet.
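A simplified model of the challenge-response flow described in the comments above: the issuer derives a challenge from the transaction, and the card plus PIN answer it over a data channel that never reveals the key. This is an added example, not code from any commenter, bank or the EMV/CAP specifications; the HMAC construction, class names and sample values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


class ChipCard:
    """Toy chip: the key is used inside respond() and never returned."""
    MAX_PIN_TRIES = 3

    def __init__(self, key: bytes, pin: str):
        self.__key = key              # stays "on the chip"
        self.__pin = pin
        self.tries_left = self.MAX_PIN_TRIES
        self.counter = 0              # increases with every response issued

    def respond(self, pin: str, challenge: bytes):
        """Return (counter, response), or None if the PIN is wrong or the card is locked."""
        if self.tries_left == 0:
            return None
        if not hmac.compare_digest(pin, self.__pin):
            self.tries_left -= 1
            return None
        self.tries_left = self.MAX_PIN_TRIES
        self.counter += 1
        msg = self.counter.to_bytes(4, "big") + challenge
        return self.counter, hmac.new(self.__key, msg, hashlib.sha256).hexdigest()[:8]


class Issuer:
    """Toy bank: shares the card key (a simplification) and tracks open challenges."""

    def __init__(self, key: bytes):
        self._key = key
        self._open = {}               # challenge -> transaction awaiting a response
        self._last_counter = 0

    def challenge_for(self, merchant: str, amount_cents: int) -> bytes:
        nonce = secrets.token_bytes(8)
        tx = f"{merchant}|{amount_cents}".encode()
        challenge = hashlib.sha256(nonce + tx).digest()[:8]
        self._open[challenge] = (merchant, amount_cents)
        return challenge

    def verify(self, challenge: bytes, counter: int, response: str) -> bool:
        if self._open.pop(challenge, None) is None:   # unknown or already used
            return False
        if counter <= self._last_counter:             # stale counter: replay
            return False
        msg = counter.to_bytes(4, "big") + challenge
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:8]
        if not hmac.compare_digest(expected, response):
            return False
        self._last_counter = counter
        return True


def demo():
    key = secrets.token_bytes(32)                     # constructed sample key
    card, bank = ChipCard(key, "4821"), Issuer(key)   # constructed sample PIN

    c1 = bank.challenge_for("shop.example", 1999)
    counter, resp = card.respond("4821", c1)
    genuine = bank.verify(c1, counter, resp)

    # A response captured in transit is useless for a different purchase.
    c2 = bank.challenge_for("other.example", 50000)
    replayed = bank.verify(c2, counter, resp)

    # Holding the card without the PIN: the chip locks after three misses.
    c3 = bank.challenge_for("shop.example", 1999)
    guesses = [card.respond(p, c3) for p in ("0000", "1234", "1111")]
    locked = card.respond("4821", c3) is None
    return genuine, replayed, guesses, locked


if __name__ == "__main__":
    print(demo())
```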

  64. No changes by Sepodati · · Score: 1

    The card I was issued from my bank does not allow the PIN to be changed. It could be because they don't have physical branches/ATMs anywhere, though. Maybe if this catches on a lot more, you'll be able to change it at any ATM.

  65. More common by Sepodati · · Score: 1

    It's becoming more common, although slowly. I have a C&P from my US bank. Reading through the thread here, there appear to be several other banks that issue the cards upon request, too.

  66. Let's get fuckin real about this by Anonymous Coward · · Score: 0

    Smart card uses challenge response technique, based on cryptographic protocols, implemented on a processor on the card. It's not like magstripes where fucking assholes can just copy the shit and scam. Fucking tired of the god damn FUD

    1. Re:Let's get fuckin real about this by Jane+Q.+Public · · Score: 1

      Smart card uses challenge response technique, based on cryptographic protocols, implemented on a processor on the card.

      No shit? Well, guess what? So was OpenSSL!

      It's not like magstripes where fucking assholes can just copy the shit and scam.

      Correct.

      Fucking tired of the god damn FUD

      And I'm pretty tired of people telling me I'm feeding them FUD when it's not FUD. Try reading about it a little.

  67. of course you can by Anonymous Coward · · Score: 0

    I did.

    Wells Fargo offers them. Chase does too on their Sapphire (travel) card I believe.

    https://docs.google.com/spread...

    I called WF and upgraded my regular (non-gold, non-platinum) to chip and PIN. It also does FastPay, but don't ask for that, or you might get a card that doesn't work with Chip and PIN.

    Don't try to do it through your local branch, they'll likely have no clue.

  68. US Credit Card companies are far behind too by Anonymous Coward · · Score: 0

    I was able to secure a Chip and Signature card from Bank of America about a year and a half ago. No chip and pin available yet.
    My American Express, about 6 months ago got an early adopter chip and signature card as well. No timetables were available when I asked the rep about chip and signature... Time's running out.

    Regarding the Target "pin pad" they've had for years, yep, chip reading slots are on each one. The problem is that US Point of Sale and middle merchant processing companies are so out of touch that they consider it "On their radar" but put no business capital behind actually implementing any solutions. Chip and Sig, and Chip and Pin are just distant blips on the retail payment processing roadmap.

  69. Welcome... by Anonymous Coward · · Score: 0

    Welcome to 2010, America!