EMV Technology In Credit and Debit Cards Reducing Counterfeit Fraud, Says Visa

An anonymous reader cites an article on USA Today: The new chip-enabled cards flowing into the U.S. marketplace have already made a dent in fraud, with some of the biggest merchants seeing a dip of more than 18% in counterfeit transactions, according to Visa. Among the 25 merchants who were suffering the most instances of counterfeit fraud at the end of 2014, five that began processing credit and debit cards equipped with the new EMV technology saw those infractions fall 18.3% as of the final quarter of 2015, says Stephanie Ericksen, vice president of risk products at Visa. Meanwhile, five of those merchants who were not yet equipped to handle chip-enabled cards saw an increase in fraudulent transactions of 11.4%. "We're seeing EMV is having a positive impact on counterfeit fraud," Ericksen says. "Merchants who implement chip, their counterfeit fraud is going down, while those still finalizing plans, their counterfeit fraud is going up."Also from the report, "Visa on Tuesday also announced a software upgrade that will shave the amount of time spent on chip card transactions. With 'Quick Chip,' consumers can dip their chip cards into the terminal and withdraw it in two seconds or less, instead of waiting until their purchase is authorized. The consumer can 'put the card in the terminal and put it right back in your wallet and . . . move to get their coffee, or hamburger or start bagging their groceries,' Ericksen says. Ars Technica has more details.

I'm more impressed

[BigU+03C0in]

With the potential speedup. I intentionally avoid/bring cash to places that have the chip slot enabled because it typically takes 5 times as long to process the transaction.

Re:I'm more impressed

[I4ko]

It means they are making it insecure by copying the private key from the chip to the terminal. Means that the transaction is no longer actually singed by the card, and that fraud is possible again, as you can plug the card in a "skimmer" that will extract the key. Someone will write that key to a chip and present it somewhere else and good luck convincing them it was fraud this time. Chip & Sign is insecure and not better than magstripe. Chip & Pin is the only secure system as the key stays encrypted before the right pin is entered. But.. they had to do something about tipping, because you can't tip Chip & Pin unless they bring the mobile POS to the table and you enter the tip directly in it.

Re:I'm more impressed

[Cerlyn]

I would hope the EMV standard would not allow private keys to be read.

What's more likely is that they are either:
(1) Running the system purely using the simulated Track data (magnetic stripe) on the card, skipping most of the EMV process apart from potentially rotating the card verification code; or
(2) Quickly walking through all the EMV steps, providing fake data (transaction amount, etc.) if the card requests it.

Either would seem to weaken the standard a bit.

Someone from VISA would have to clarify what they came up with to avoid speculation.

Re:I'm more impressed

[Aighearach]

I don't really care that much about the theoretical security. I avoid this technology because it shifts liability onto me, that with swiping the card the old way rests with the bank.

I don't want to take on a smaller liability to save the bank from the larger old one. It isn't like the savings pass through to me.

Re:I'm more impressed

[PRMan]

unless they bring the mobile POS to the table and you enter the tip directly in it.

Sounds like the perfect solution to me.

Re:I'm more impressed

Maybe you should read the spec. No key is copied. If you follow the links you will find it.

Re:I'm more impressed

Doubtful they would undermine their own security.

If you've ever used chip cards in Canada you'd notice that the entire chip+pin process is essentially immediate unless you're the first transaction of the day. By which the process time is about the same as the mag stripe anyway.

Automated machines like ATM's, Transit ticket machines and vending machines that take chip+pin or NFC are always instant because what they're doing is not tearing down the connection between payments.

The Chip+sign thing in the US is pretty stupid since there is no security in the signature. But that is also a difference that US and Canadian ATM's have as well. US ATM's generally make you swipe the card and then put it back in your wallet, while you complete the transaction. Canadian ATM's hold onto the card until you tell the ATM that you're done. So if a Chip card just lets access your account, then the reason it's fast is that the chip card acts as the key and the transaction has been already queued.

So ultimately card cloning is hard to do with EMV, but stealing cards are so much easier. Not like swipe cards weren't easy to begin with, but it was far more lucrative to clone a card and burn it afterwords than try to use a stolen card.

Re:I'm more impressed

[s.petry]

IMHO this is why we see articles like TFA which intentionally omit the largest section of fraud. Sure, retailers see some credit card fraud but the majority of fraud is wire based fraud, not card in hand at merchants. Smart chips do nothing to prevent wire fraud.

Re: I'm more impressed

If you are a merchant that has not implemented, you already accept all liability for fraud as of October 1, 2015. That's part of your agreement. Consumer liability has not changed.

Re: I'm more impressed

You should blame the magstripe for that. As soon as it's phased out any only chips are available you will be required to plug your card into an inexpensive chip reader connected to USB on your computer and still pay easily. Like the have it Netherlands and Korea. Holding on to magstripe compatibility is the problem. My European bank already does not allow any "card not present" transactions

Re:I'm more impressed

Chip+sign is more secure than swipe+sign. Here's why:

In order to process a card-present transaction with a magstripe card, the terminal must be able to read the CVV1. That's the Card Verification Value #1, which is embedded into the magstripe, but not seen anywhere else. (Note: This is not the CVV2! The CVV2 is a completely different value and is only printed on the card. That value is used to validate card-not-present transactions, not card-present ones.) If you clone the magstripe, you clone the CVV1 with it. Security was not even imagined when this was invented, as many stores still kept carbon-copy impressions of the raised numbers on the card at that time.

In order to process a card-present transaction with a chipped card, the terminal must be able to power the chip and run the CVV-generator algorithm that the chip provides. The generated card-present CVV will not be the same twice in a row. Thus, "cloning" the card is impossible, as there's no way to clone the exact algorithm the chip uses (it introduces a hardware randomization factor) when generating the card-present CVV. (Again, the CVV2 is unchanged on these cards, because it's for card-not-present transactions.)

The signature only provides a legal assurance that you acknowledge and accept the terms of the sale, not of the card transaction. The cardholder agreement that you accepted when you signed the back of the card is what governs the acceptance of any and all card transactions not fraudulently performed against the card/account. You did that, didn't you? Or did you put something moronic like "See ID" or "CID" (yes, really, I've seen that done) and invalidate that agreement, making the card invalid as well? That's not there for the cashier to check your signature against. The cashier does not give even a single shit. That signature is there so that when you go to court, you can legally say that, yes, you did accept the terms of the cardholder agreement, and you are the legal cardholder, and you are not committing fraud in your own name.

Chip+sign is secure enough. Chip+PIN is just annoying, inconvenient, and anti-cardholder.

Re:I'm more impressed

[davecb]

The signatures are wonderful, as they allow the human to prove that they didn't buy the goods in case of fraud.

Re:I'm more impressed

[Mousit]

But that is also a difference that US and Canadian ATM's have as well. US ATM's generally make you swipe the card and then put it back in your wallet, while you complete the transaction. Canadian ATM's hold onto the card until you tell the ATM that you're done.

Curious. Now, I admit I never use third-party ATMs so maybe those are different, but among first-party bank ATMs, I haven't encountered a swipe one in a good 25 years. Ever since the early 90s, and having been a customer of several different U.S. banks, all I've encountered are insert-and-hold-card ATMs.

Re: I'm more impressed

[hawguy]

You should blame the magstripe for that. As soon as it's phased out any only chips are available you will be required to plug your card into an inexpensive chip reader connected to USB on your computer and still pay easily. Like the have it Netherlands and Korea. Holding on to magstripe compatibility is the problem. My European bank already does not allow any "card not present" transactions

How would you make an urgent purchase by phone? More than once, I've purchased an airline ticket over the phone while I was literally in a cab on my way to the airport, I'd be pretty pissed if my bank would not allow that. Since I don't have a chip reader in my phone, I don't see how I'd be able to make a mobile web purchase either.

Re:I'm more impressed

[radarskiy]

"because you can't tip Chip & Pin unless they bring the mobile POS to the table and you enter the tip directly in it."

Bringing the POS to you is the point. It works perfectly fine for damned dirty communists in Europe.

Re:I'm more impressed

[kqs]

I've not seen any "swipe", but "insert and quickly remove" are common at the ATMs in gas stations and other third-party machines. As you said, all of the bank machines seem to be "insert and hold". Maybe banks want to confiscate cards which they know are bogus, while third-party machines don't want that liability?

I'll be glad for the faster transactions; I'm impatient.

Re:I'm more impressed

[Applehu+Akbar]

"...Means that the transaction is no longer actually singed by the card..."

If they would put in a proper heat sink, any scorching of the transaction would be avoided.

Re:I'm more impressed

No they don't. They're essentially useless. Signatures are one of the worst forms of identity there is - they're right up there with "Security" questions for ineffectiveness.

Re: I'm more impressed

You should blame the magstripe for that. As soon as it's phased out any only chips are available you will be required to plug your card into an inexpensive chip reader connected to USB on your computer and still pay easily. Like the have it Netherlands and Korea. Holding on to magstripe compatibility is the problem. My European bank already does not allow any "card not present" transactions

Magstripes, huh? Because Card Numbers and their CVC have never ever been leaked by careless Internet- or Telephone-based merchants.

Re:I'm more impressed

[GNious]

I'd not trust a location that takes your card out of your sight.

Re:I'm more impressed

[drinkypoo]

Signatures are one of the worst forms of identity there is - they're right up there with "Security" questions for ineffectiveness.

You're not going to stop a talented, targeted attack this way. You will however make it possible to recover your costs in the majority of cases, which is good enough for the customer.

Re:I'm more impressed

US ATMs also hold onto chip cards until finished. This has been the case for me with chip debit cards at Chase, Wells Fargo and Bank of America.

Re: I'm more impressed

Internet banking. How else?

Re: I'm more impressed

[hawguy]

Internet banking. How else?

How do you buy a plane ticket via internet banking? As far as I know, airlines don't accept EFT's or Paypal for ticket purchases. I have a credit card on file with the airlines I fly regularly, but that's a "Card Not Present" transaction, which this bank apparently does not allow.

Re: I'm more impressed

[ArmoredDragon]

How would you make an urgent purchase by phone? More than once, I've purchased an airline ticket over the phone while I was literally in a cab on my way to the airport, I'd be pretty pissed if my bank would not allow that. Since I don't have a chip reader in my phone, I don't see how I'd be able to make a mobile web purchase either.

I can think of a really trivial way to do that: They could just issue you a fob (or an app) that is paired with the card and issues a one time password. Think Google Authenticator or RSA SecureID.

Or if you really want to make things interesting: Have an app send an SMS to the merchant containing the one time password it generates from a secret key and pin combo (wrong pin generates the wrong key, which can't be verified until sent to the bank, meaning bank can quickly detect hack attempt) paired with a one time account number, and the authenticating service sends to the bank those two bits of information paired with the phone number that sent it the SMS, and the bank then validates (or invalidates) all three. You obtain the secret key for generating the first two from a QR code they send in the mail, combined with another code they text to you, with the app making it easy to input both.

That would be pretty damn hard to spoof, and likely not worth the time and effort for a typical petty crackhead thief just looking for fix money. This would absolutely require malware that exploits your device, and can only be done with YOUR device itself (or rather, they MUST have your physical SIM card.) And nowadays Google (and I'm guessing Apple does as well) routinely scans all devices for new bits of malware as they are found. Given how quickly an exploit like this would be spotted, the hacker probably wouldn't make much over a long term.

Re:I'm more impressed

[Dahamma]

Nope, not how it works. Bad assumption there. Also chip and signature vs pin has nothing to with "tips" - it makes no difference if you add a tip or not, if it requires a PIN they have to bring the POS to you to enter the PIN. Signature is faster and more convenient than a PIN in any retail setting, and the last thing VISA, the banks, and the retailers want is to make it harder for you to spend your money at their stores on their credit cards...

But I totally agree with how chip & signature is NOT a good solution. Chip & signature prevents counterfeiting, which is a bank and retailer headache. It does NOT prevent identity theft, which is a *consumer* headache. So basically in the US they don't care about the consumer, just the retailer and the banks. Is anyone surprised?

Re: I'm more impressed

[Dahamma]

Since I don't have a chip reader in my phone, I don't see how I'd be able to make a mobile web purchase either.

But you do (or you soon will). Apple Pay basically solves that same problem.

Re:I'm more impressed

It means they are making it insecure by copying the private key from the chip to the terminal. Means that the transaction is no longer actually singed by the card, and that fraud is possible again, as you can plug the card in a "skimmer" that will extract the key. Someone will write that key to a chip and present it somewhere else and good luck convincing them it was fraud this time. Chip & Sign is insecure and not better than magstripe. Chip & Pin is the only secure system as the key stays encrypted before the right pin is entered. But.. they had to do something about tipping, because you can't tip Chip & Pin unless they bring the mobile POS to the table and you enter the tip directly in it.

NO it doesn't mean that at all. A one time token is sent to the reader not the key, the token is good for precisely one transaction. It is actually far more secure in terms of ensuring that the store or someone hacking the store can't steal your card details and reuse.

Re:I'm more impressed

[bloodhawk]

Signatures are FUCKING aweful as proof. My wife is an artist, she can perfectly replicate anyones signature within about 1 min of seeing it, even incredibly complex ones. most people don't even have a consistent signature anymore so even if the signature is only sortof like your real one good luck proving it wasn't you.

Re:I'm more impressed

[adhdengineer]

It's pretty much how it works here in Northern Ireland. I cant remember the last time a waiter/waitress tried to take my card away from the table. With chip and pin I have to be present to enter the pin anyway so there's no reason for me to separated from the card.

Re:I'm more impressed

[Zocalo]

Most of the older ATMs I've encountered will generally return the card before any cash so you don't accidentally walk off with the money and leave the card behind, but otherwise generally keep the card in case you want to do multiple transactions (maybe they rescan each transaction for audit purposes or something), but there do seem to be more around that just scan and return the card, with swipe and even touch NFC readers both getting much more popular. I'd assume that's a deliberate design decision for security; maybe it's thought to be harder to install a skimmer in the slot of a swipe than it is to affix something around a slot, for instance, but I'm not quite convinced on a scammer just sticking something over the top of a contact reader given how slim some of the fake keypads they use are.

Re:I'm more impressed

[mjwx]

I don't really care that much about the theoretical security. I avoid this technology because it shifts liability onto me, that with swiping the card the old way rests with the bank.

I don't want to take on a smaller liability to save the bank from the larger old one. It isn't like the savings pass through to me.

Then fix your shitty government.

In Australia and Europe, the liability still rests with the bank. In fact merchants have gotten rid of swiping only terminals because it's the other way around (and should be) that the merchant can be liable for not having the updated terminals where as with Chip and Pin, the bank is liable.

Re:I'm more impressed

And in NZ we don't even bother waiting for some "server" to come and tell us when they think we're done. We just go up to the counter and pay when we want to, dammit. I ain't waiting ten minutes, I got stuff to do.

(In part because NZ was paying restaurant bills electronically in the late 1980s, long before cellphones and WiFi were around. These days, EFTPOS terminals are often cellular data or TCP/IP over broadband, but good old modem over POTS is perfectly fine and still supported.)

And you can still tip, if you want, just up the front.

Re:I'm more impressed

[mjwx]

"because you can't tip Chip & Pin unless they bring the mobile POS to the table and you enter the tip directly in it."

Bringing the POS to you is the point. It works perfectly fine for damned dirty communists in Europe.

Patently false sir.

You're right due to our 1000 year history of anti-slavery rules here in 5 weeks of paid holiday Britain that we dont tip because it's unnecessary and frankly barbaric to keep people on unliveable wages that they are dependent on the charity of customers but that doesn't stop you from being able to tip with a Chip and Pin card.

You simply do it the same way you currently do it. The service serf brings you a cheque with a pen, you write the tip amount or percentage onto the cheque, the indentured thrall then takes that to the till, enters the tip in as a line item, finalises the sale and the till passes the full amount, tip and all to the Chip and Pin device.

Also mobile Chip and Pin terminals are commonplace over here. Mainly because they're the cheapest device offered to small businesses.

Re:I'm more impressed

[RevRagnarok]

"That... looks like a penis."

"Yep. Not giving you my real signature..."

Re:I'm more impressed

[140Mandak262Jamuna]

Not by caching the private key. It is by pre-fetching the challenge.

The chip in the card does the challenge-and-response routine. The bank sends a small string, the chip signs that string with its private key and the bank verifies the encryption with the card's public key. The way it is implemented now the challenge string comes from the bank only after you insert the card into the terminal. In the next generation of the terminals, the card company would have already issued a few, may be as few as one, challenge string. You insert the card, terminal issues the prefetched challenge, the card issues a response. After this you don't need the card anymore. The terminal has enough time to pre-fetch the next challenge string before the next transaction is processed.

[Caveat:] I don't know if this is how they are planning to implement the next gen terminals. This is how *I* would reduce the transaction time without copying/caching the private keys, without allowing the terminals to generate their own challenge strings.

Re:I'm more impressed

[davecb]

Actually I used to be able to forge things well. too, but we're unusual. "Herd immunity" keeps the banks in the US from making the claim they did in Britain, that anything with a pin was hack-proof and fraud or theft was necessarily the customer's fault.

Re: I'm more impressed

I believe the way it works is that the card authorises itsself in the same way as normal (so in the uk, this would be by verifying that the pin is correct, and giving some kind of one time auth code to the reader, along with the card number) and then the actual process of connecting to the payment processor/bank is performed after the transaction is performed.

We already use little card readers here that we personally own, which are used to generate auth codes to do things like log in to online banking, do bank transfers etc, and after entering the pin, the response code is generated instantly (and totaly within the reader/card, no Internet connection needed)

Although all the above relies on using a chip&pin card rather than chip&sign, so I'm not sure exactly how that would effect things, I guess it would rely on transactions not being approved until the cashier has checked the signature, which still leaves you open to abuse, and kind of negates the speed of the process.

Re:I'm more impressed

[JamesKeane7745]

Correct See: https://en.wikipedia.org/wiki/...

Re: I'm more impressed

[Agent0013]

Doesn't Apple pay just use a credit card that you own. It would seem that Apple pay is a "card not present" type of situation.

Re: I'm more impressed

Chip and pin requires customer interaction with the card machine anyway. And you could always get the tip amount somewhere on the actual bill instead of the credit card receipt.

Re:I'm more impressed

Some corrections are required:
The liability is NOT shifted to the customer, it remains with the bank or get's shifted to the merchant.

Card request Chip transaction, Merchant insists on magstripe (old terminal for instance) -> fraud -> merchant is liable
card request chip transaction, merchant makes chip transaction -> fraud -> card issuer is liable

Re:I'm more impressed

[NetNed]

I am guessing you are not in the US? In the US liability still is on the bank. I am sure the banks would love to have it on the consumer and will probably try to push for that sometime down the road, but as of now it's on the bank. Stories like this will probably be used by the bank to have it the other way around.

Re:I'm more impressed

[radarskiy]

Nowhere in Europe have I even entered a tip on a piece of paper, even using my stupid US Chip and Sign card.

Re:I'm more impressed

[Not-a-Neg]

I am a USAA customer and use a Chase ATM near me (USAA does not have branches of their own.) When I use the Chase ATM I insert the card and pull it right back out, it does not hold it and I do not leave it in. I have used ATMs that pull the card in and don't relinquish it until after the transaction is done, but the last time I used one it was an ancient ATM in an HSBC office building. Even the ATM's at gas stations are swipe style with the annoying recess that you have to fit your fingers into when inserting and removing the card.

Re:I'm more impressed

[thegarbz]

I don't really care that much about the theoretical security. I avoid this technology because it shifts liability onto me, that with swiping the card the old way rests with the bank.

Why would liability rest with you after a technology change? Did someone write a shitty law?
If so what makes you think you can avoid the liability change in the future?

Re:I'm more impressed

[thegarbz]

I'd not trust a location that takes your card out of your sight.

Why? It's not like the liability rests with you.

Re:I'm more impressed

[rickb928]

My credit union ATMs in Arizona are all swipe.

Re:I'm more impressed

[lgw]

In order to process a card-present transaction with a magstripe card, the terminal must be able to read the CVV1. That's the Card Verification Value #1, which is embedded into the magstripe, but not seen anywhere else. (Note: This is not the CVV2! The CVV2 is a completely different value and is only printed on the card. That value is used to validate card-not-present transactions, not card-present ones.) If you clone the magstripe, you clone the CVV1 with it. Security was not even imagined when this was invented, as many stores still kept carbon-copy impressions of the raised numbers on the card at that time.

That's not quite right. CVV1/2 were security measures, and thoughtful ones for the problem they were created for: fraud originating from carbon copies. Adding data that doesn't show up on the carbon was a clever approach, back in the day, but it's always an arms race.

Chip+sign is secure enough. Chip+PIN is just annoying, inconvenient, and anti-cardholder.

There's nothing wrong with Chip+PIN as a technology, but there's everything wrong with the shift of liability to the cardholder that went with Chip+PIN, on the stupid assumption that the PIN couldn't possibly be cloned (but of course, it has been).

Re: I'm more impressed

[Aighearach]

You should blame the magstripe for that. As soon as it's phased out any only chips are available you will be required to...

go back to cash, unless VISA decides to go back to providing liability protection. And the funny part, the least secure way to use the card is online, and that will become the only way it is safe (for the customer) to use it!

In the US we don't have worry about banks getting rid of "card not present" transactions. We have enough democracy that the government could never mandate that, and we have banks that are ruled by a desire to make money, so they won't get rid of it willingly. Without "card not present" a significant portion of the population is going to use cash on local goods, and the banks don't have any way to get a cut of that.

Re:I'm more impressed

[Aighearach]

You got some derp on your chin there.

BTW, you just wave your hands and presume that some places have perfect banking laws, but actually there is a lot of argument to be made that those places do not have perfect, non-controversial banking rules.

And furthermore, under the American system, I have substantial protections from liability as a matter of contract, not law. There is absolutely nothing at all preventing VISA from extending the protections that would encourage me to use the new technology. They think they can get people to use it anyways. But, they can't force me to use their card, so I'm the only one who can win the contest over if I will make purchases in the way I'm most comfortable.

And, this idea that Europeans have more liability protection than Americans? Funny. But I'm not going to give you that lecture, because you're too snooty.

Re:I'm more impressed

[Aighearach]

Or, I am in the US, and you're familiar with these details. ;) The thing I was talking about? It is a thing. Didn't know about it? Still a thing.

Re: I'm more impressed

[Dahamma]

No, as long as your finger is still present (or your PIN) then the card is present. Both are still more secure than "card is present" in the US (chip and signature) and equally secure elsewhere (chip and pin) since if someone steals your phone they still need to authenticate before a purchase.

Re:I'm more impressed

[Dahamma]

Hah, love how my post and the GP have been modded overrated/troll. The US banking industry clearly has many users on slashdot...

Re: I'm more impressed

[Agent0013]

But the actual charge is on a credit card. And since the real card is never put into the reader, the chip is not used. If someone gets the card number they can make charges with it without the card or the phone or the pin. If the system required the card and could not make a charge without it then Apple pay would not work unless they put the actual chip from the card into the phone.

Re: I'm more impressed

[Dahamma]

Obviously I'm not saying the card is literally present... the Apple Pay system itself is secure (different mechanism as the chip but same purpose - prevent counterfeiting/fraudulent use of the card) and requires a pin/touch, so it can be considered equivalent to "card present".

But it turns out it's a bit more complicated. According to Apple, if ApplePay is used in a store it's "card present" but in-app purchases are "card not present". Which is funny, because Apple Pay via an in-app purchase is still more secure than using an actual credit card via chip and signature (chip and pin, on the other hand, would be about equivalent).

That's nice

[93+Escort+Wagon]

Now how about more of you merchants finally move forward with contactless payments?

Re:That's nice

[rubycodez]

bullshit, more advanced countries have been doing it for over a decade

United States of Luddites

Re:That's nice

[DogDude]

Good argument! Thanks for that information. I really feel like you've added a lot to this conversation with your unique insight.

Re:That's nice

[bloodhawk]

What utter ignorant total bullshit. Most countries all over the world have had this as standard in everything from your local coffee shop to huge retailers for the last few years. It saves time and money for retailers, making checkouts faster, the hardware is cheap and reliable.

Re:That's nice

[Etcetera]

Now how about more of you merchants finally move forward with contactless payments?

That involves RFID and/or NFC, right? How does "add wireless stuff to it" make any system at all more secure over an overt and obvious physical interaction?

Re:That's nice

happily using mine in the Uk, all the time

Re:That's nice

Swipe has been happening in the Europe for 2 years, USA is well behind the curve

Re:That's nice

[Lumpy]

"Well:
- The hardware is expensive as fuck
- The hardware breaks frequently
- The standards are still in flux
- There's almost no benefit to the merchant unless the merchant takes a lot of fraudulent cards
- Contactless is going to cost more, if it doesn't already (Apple and Google aren't charities)
--"

100% of this is bullshit. Unless you are basing your information from 10 years ago.
The readers are cheap. $215 on avarage. The hardware DOES NOT BREAK frequently in fact the mag stripe readers have more of a problem as they get gunked up. The standard is solid as a freaking rock as it has been in use for well over a decade in europe, and there is a large benefit to the retailer as they get a discount on processing fees when they adopt it.

You were correct 10 years ago.. but today, every single word you said is 100% wrong. Even SQUARE supports the chip cards with a $49.00 reader.

Re:That's nice

[Cimexus]

Hm? I've been regularly using contactless (PayPass/PayWave) for close to decade here (Australia). I haven't had it fail, or been told 'sorry, you can't do that because the equipment has failed' once. It's super convenient and fast and virtually every retailer has it now (noting that contactless is limited to transactions $100 or less ... anything higher requires the usual chip + PIN arrangement).

PayPass and PayWave are the main two standards (Mastercard and Visa respectively). Since the vast majority of cards in the (Western) world are one of those two companies, I don't think it's accurate to say the standards are really 'in flux'.

Re:That's nice

[Mousit]

That involves RFID and/or NFC, right? How does "add wireless stuff to it" make any system at all more secure over an overt and obvious physical interaction?

Apple Pay and Android Pay both implement tokenization for their contactless systems, which is significantly more secure than non-tokenized transactions, physical interaction or not. The massive Target hack, for example? Wouldn't have worked on tokenized transactions.

Tokenization is part of the EMV Payment Specifications so it could be implemented in physical chip transactions as well. Might have been, I'm not sure off-hand. But Apple Pay in particular got a lot of press for being the first implementation of contactless EMV tokenization.

Re: That's nice

I don't know where you get your information, but you're completely wrong on every single point in this statement.

And yet you don't bother to tell us why any of those points are wrong.

Way to argue!

Re:That's nice

Higher doesn't need chip and pin, it just needs the pin as well as the wave.

Re:That's nice

[Mashiki]

They're right. Canada has had this since 2010, that includes credit and debit cards, not counting the RFID cards. Hell most of the credit cards I've had won't even work in the US because you guys are behind the times and the basic readers are incompatible with cards outside of the US, don't even get me started on the "at the pump" readers that can't tell that it's a foreign card. Just to save myself the hassle, I ended up opening a bank account in the US and dump a couple of thousand in there when I go traveling across the US instead of relying on my Canadian cards.

Fraud has fallen through the floor, but criminals are starting to catch up now that there are exploitable loopholes in the chip & pin system, but it's much more difficult then just skimming a card.

Re:That's nice

Well, given that it's apparently so much worse, it's very interesting that immediately after contactless payments became a thing, small coffee shops, take-aways and other places that used to be religiously cash-only suddenly started accepting cards - with contactless payments.

That's only circumstantial evidence that it's cheaper, but it's infinitely more evidence than you've provided to the contrary.

Re:That's nice

[Applehu+Akbar]

Now how about more of you merchants finally move forward with contactless payments?

Most of the new EMV-capable terminals also have the near-field chip. You and the merchant will often be equally surprised to find that your smartphone payment system will work on such terminals.

Re:That's nice

[bloodhawk]

Really? which point is wrong and why? this isn't new technology, it is well proven and used throughout the world (except the US). Hell even the food vendors at the markets use it now.

Re:That's nice

As opposed to your post which had no information or facts and was simply statements pulled out of your arse which have been proven wrong all over the world. Hell I even brought a 4g contactless card reader for my wife to use at her market stall. They are cheap, they are fast and easy and work.

Re:That's nice

[dave420]

Good argument! Thanks for that information. I really feel like you've added a lot to this conversation with your unique insight.

Re:That's nice

[Ginger+Unicorn]

I'm a retailer in a country that has had chip & pin (as it's called here) for ten years, and contactless NFC cards for four or five years, and I can categorically tell you that you are absolutely 100% flat out wrong. Every single thing you've said in this thread is categorically untrue, and I haven't the faintest idea where you would get these ideas, other than straight out of your ass.

Re:That's nice

[JamesKeane7745]

Now how about more of you merchants finally move forward with contactless payments? Well: - The hardware is expensive as fuck

Nope. Certified terminals in the UK can be bought for around £100. Even market sellers and car boot sellers use it from their phones/ipads.

- The hardware breaks frequently

Nope - its more resilient than any other piece of POS hardware I've architected.

- The standards are still in flux

Total bullshit. EMV are strict and stable.

- There's almost no benefit to the merchant unless the merchant takes a lot of fraudulent cards

Thats why UK high volume retailers are stopping accepting cash? So they can increase margins and throughput by speeding up transactions?

- Contactless is going to cost more, if it doesn't already (Apple and Google aren't charities)

Thats the biggest bullshit of the lot! Apple and Google aren't merchant banks. Interchange fees on contactless are lower, sometimes nil, in order to encourage their use over cash.

Re:That's nice

[dj245]

What utter ignorant total bullshit. Most countries all over the world have had this as standard in everything from your local coffee shop to huge retailers for the last few years. It saves time and money for retailers, making checkouts faster, the hardware is cheap and reliable.

The way that the USA implemented it is very different from other countries. The USA implemented "Chip and Signature". Most of Europe implemented "Chip and Pin". I understand that many implementations in Europe of Chip and Pin can make transactions without contacting a central server. Not the case in the USA- the POS equipment has to contact a central server, which seems to take longer than a magswipe. Chip and Pin is a lot more secure compared to the Chip and Signature we have in the USA as well. I have also had some problems with the Chip readers not reading correctly, and the card readers are a lot more fussy about when you can insert the card, when you can remove it, etc. I might go back to cash for a lot of purchases because the chip and signature cards are just too much of a pain in the butt.

If you live in the USA, go to a store and watch (from far away, so you aren't a creep) how long it takes to use Chip and Signature vs Magstripe or any other payment method. In my experience, it is a lot slower, not faster as you claim.

Re:That's nice

[Not-a-Neg]

Apple does not charge merchants anything for ApplePay, try doing research before posting lies.

https://support.apple.com/en-u...

Re:That's nice

[thegarbz]

As someone who ran a business in a country which changed over let me clear some things up for you:

- The hardware is expensive as fuck

Nope cost of terminal lease remains unchanged. You automagically got a new one as part of a general hardware review.

- The hardware breaks frequently

Nope. Design, manufacture, and construction quality remains unchanged.

- The standards are still in flux

Nope the standards haven't changed since the device was introduced in any way that affected retailers or consumers, with the exception that mag stripe fallback was disabled some time ago.

- There's almost no benefit to the merchant unless the merchant takes a lot of fraudulent cards

The cost of transaction of the old system went up. Liability shifted to merchants if they used old systems. Doing nothing was literally the worst option, and upgrading put you back to where you should be.

- Contactless is going to cost more, if it doesn't already (Apple and Google aren't charities)

Err no, and what the hell does Apple and Google have to do with it? Contactless payments predate any effort on the phones, and Google's method is transparent to the terminal.

Re:That's nice

[DogDude]

Oh really? How much do you pay for those card swipers, then?

Re:That's nice

The terminal companies charge exactly the same as existing units. Though we did buy some small ones outright for a small store once, equivalent of about $170 US a unit. if you find that expensive then you probably should not be in a business.

Re:That's nice

[Ginger+Unicorn]

I lease it. It costs me the trivial sum of £100 per year. It's a drop in the ocean.

Welcome to the World

[Ashe+Tyrael]

Most of the rest of the world has had EMV for about 10 years, often wondered why it never caught on sooner over there.

Re:Welcome to the World

[rubycodez]

but it's not what EMV does, instead it is a slower 60 second process of sticking the whole damn card into a slot and waiting for an authorization. meanwhile, I take cc card with chip and tap it on reader to board electric train and get charged, elapsed time 1.5 seconds. WTF you payment processors?

Re:Welcome to the World

[Fnord666]

Most of the rest of the world has had EMV for about 10 years, often wondered why it never caught on sooner over there.

Because none of the parties involved in the transactions were losing enough to fraudulent transactions to justify the expense of implementing EMV across the ecosystem. It took a shift in the liability mandated by Visa and MasterCard to drive any real change.

Re:Welcome to the World

[superdave80]

instead it is a slower 60 second process of sticking the whole damn card into a slot and waiting for an authorization.

Did you mean 6 seconds? Because I've never had the process take more than that. True, it's not as fast as swiping a mag stripe or tapping on a reader, but if you had a transaction take 60 seconds, there was something seriously wrong with that payment terminal.

Re:Welcome to the World

Nonsense, it takes 2 seconds at most.

Re:Welcome to the World

[Cimexus]

I used a chip card today, in the US (Walgreens to be precise). The authorisation took maybe 4 seconds. No longer than swiping it would have taken.

Having said that I do like using contactless when outside the US (Australia, Canada, Europe...) as it's even faster!

Re:Welcome to the World

Yeah - and NZ has used magswipe and PIN for 30. Not a typo, we were using magnetic swipe and PIN based electronic transactions since the mid 1980s.

Chip is nothing but slower for us - and not really noticeably any more secure as the PIN alone stops quite a lot of fraud. (RFID/PayPass/PayWave is noticeably faster, but obviously increased risk if the card itself falls into the hands of a malicious party.)

I've used PayWave once in the USA (2014), at a Macey's store. And I still had to use their silly touch sensitive sign thingie. That's right -- PayWave AND sign. Oh good grief. I was dumbfounded. (Always wondered how foreign visitors to NZ cope when the shop assistant won't even ASK if they have a PIN, merely gesture towards the terminal..)

Re:Welcome to the World

And here I thought our banks in Europe were criminally negligent for waiting as long as they did to upgrade to EMV, which is rather dinky as a standard and already well behind the times at introduction. Well, congratulations on the EMV in the 'states, I guess, eh.

Re:Welcome to the World

[Ash-Fox]

Chip is nothing but slower for us - and not really noticeably any more secure as the PIN alone stops quite a lot of fraud.

If your chip system is designed properly (PoS systems have a lot of different configuration options and countries have many different regulations), it should reject magnetic stripe payments on terminals that have chip and pin. Currently, it is not possible to clone chip cards and be able to process transactions on proper EMV PoS implementations.

Re:Welcome to the World

[JamesKeane7745]

Slightly incorrect - most Card Scheme rules require fallback to swipe in confirmed chip faliure. The MagStripe is under PCI-DSS though, and the reader should be disabled until the HSM confirms that what it has read is not a payment card, then if your PED is smart, another application may be allowed to read the stripe (i.e. Electric and Loyalty cards)

Re:Welcome to the World

[Ash-Fox]

Slightly incorrect - most Card Scheme rules require fallback to swipe in confirmed chip faliure.

The last PoS system (Forelogix based) I worked with actually had a validation built in to check any cards swiped and was able to identify without trying the chip reader first whether or not the card should have a chip. We were able to configure it to flat out refuse to accept using stripe on cards that should have a chip.

Re:Welcome to the World

At least some older terminals used modems for internet access. Making that connections takes a while.

Re:Welcome to the World

[JamesKeane7745]

Maybe this is country specific then - most UK scheme rules mandate it - all POS's can configure it though!

18% less fraud....

[ganjadude]

what does that translate into reduced fees for us????

oh wait....

Re:18% less fraud....

[superdave80]

What fees are you paying on your credit card? Outside of foreign transactions fees, I've NEVER paid for a credit card in any way.

Re:18% less fraud....

Every single transaction has a fee.

Re:18% less fraud....

what does that translate into reduced fees for us????

  oh wait....

No, of course not. Merchants pay the same fees as before, and they are now on the hook for all fraud. Visa/MC is loving this.

Re:18% less fraud....

Please share with us your list of merchants who are not passing the transaction fees on to the consumer.

Still, some are certainly paying more because of their credit card habits.

Re:18% less fraud....

[JamesKeane7745]

The ones that charge the same for card as cash? BUT WAIT - they must be passing on the fortunes they spend in cash handling on to card customers! how unfair!

Re:18% less fraud....

[thegarbz]

Actually they are passing the costs on to both card and cash users, the only difference is the cash user gets nothing for it. You see you only get a saving in cash handling if you can avoid cash, which unfortunately very few places can do. Printing a receipt and balacing the till takes the same amount of effort at the end of the day if every customer pays cash or if every customer pays by card.

Re:18% less fraud....

[superdave80]

I've never had a merchant add any kind of credit card transaction fee to my purchase. Ever. And I've never seen any kind of discount for paying cash or debit either.

Re:18% less fraud....

[JamesKeane7745]

No, it doesn't. Getting cash in and out of a store, ordering floats, EOD process for systems to do GL postings for cash - are such a huge business expense. So much longer than asking your payment switch to run the Acquire/Settle process.

Re:18% less fraud....

[thegarbz]

Yes and unless you can go all cashless you're doing that anyway. You're not paying by the dollar.

Christians won't let us eliminate the rest of the

Simply put a chip inside everyone's fingers that uniquely links them to the transaction. That would eliminate fraud almost entirely. The problem is that Christians believe such a chip would be the mark of the beast, based on the accounts of a delusional drug user in the Biblical book of Revelation. We're it not for this ridiculous paranoia, we could eliminate the rest of the fraud.

It's just so slow!

The old auths used to take us about 5 seconds, but now they take over 45 seconds. I work in IT for a chain of convenience stores, so that's a big problem. Most of the stores have gone back to swipping out of frustration.

Re: It's just so slow!

Living in the UK and having shopped in most of Europe this is an issue peculiar to the USA, worst case here is 10 seconds on some old gprs connection but in most shops it's 2 or 3.

Re:It's just so slow!

[rubycodez]

and I can still type in your cc number and buy things online...that chip helps how exactly?

Re:It's just so slow!

Really over 45s? I have never seen an EMV card take longer to auth that 10s in the EU and most are 5s approx. There is 1 exception to this in locations where an IP connection isn't available and to auth you have to establish a dial up connection which can take about 30 seconds.

A lot of our small retail and hospitality clients would stop processing and go back to cash if transactions took over 45s to auth.

Re:It's just so slow!

[binarylarry]

Actually you'd need the name, number, expiration date, back security code and zip code to buy things online.

Re: It's just so slow!

[just+someone]

As a traveler from the US, I agree. Faster overseas.

I think that US CC issuers failed to set a standard for horsepower to process the chip.
Both big and small companies bought the cheapest ones possible.
Local University Parking office... dog ass slow.
Local Liquor store... faster than the parking office, but slow.
Ralphs, fast, but they waited a little while to bring them back.
CVS... not fast, but passable.

Re:It's just so slow!

[Qzukk]

The old auths used to take us about 5 seconds, but now they take over 45 seconds.

The old auths used to take us about 30-45 seconds too, but the person didn't have to stand and stare at it their with their card in the machine, so it didn't feel like you were waiting 30 seconds.

It gave me a chance to put my card back in my wallet and my wallet back in my pocket before the cashier could try and shove the receipt into my occupied hands.

Re: It's just so slow!

I own a bar and the time the chips take really slows down the severs so much that they often put in the card then go do something else and come back to get it. We've lost more cards in the past month than we did in the previous five years!

Re: It's just so slow!

Plus, at least for us, the vast majority of the credit card fraud is from stolen cards that the new slow readers don't help at all.

Re: It's just so slow!

[PRMan]

CVS killed Android Pay on purpose, so I don't go there anymore.

Re:It's just so slow!

> back security code and zip code to buy things online.

You don't always need those two things. We pay a higher rate for transactions since we don't do address verification system (AVS) or card security code (CSC). The small increase in fraud is still worth it because of the reduced number of failed auths and thus lost sales.

Re:It's just so slow!

[PRMan]

Every chip reader here takes over 30 seconds. It's completely frustrating. Just one more reason I buy everything on Amazon.

Re: It's just so slow!

Blame chip and sig for that one, another US only issue.

Re:It's just so slow!

Actually you'd need the name, number, expiration date, back security code and zip code to buy things online.

Wrong. I won't say more because I don't want more people to know the vulnerabilities. It's worse than you can imagine.

Re: It's just so slow!

As a traveler from the US, I agree. Faster overseas.

I think that US CC issuers failed to set a standard for horsepower to process the chip.
Both big and small companies bought the cheapest ones possible.
Local University Parking office... dog ass slow.
Local Liquor store... faster than the parking office, but slow.
Ralphs, fast, but they waited a little while to bring them back.
CVS... not fast, but passable.

Nope. I am using the current state-of-the-art top-of-the-line model from VeriFone (Vx 520, with Vx 805) and it is slow. Noticeably slow. Customers keep looking at the screen (which just says "DO NOT REMOVE CARD") and asking me if there is a problem. The customers who still have cards without chips transactions complete much faster. Customers using their phones or the NFC cards process quicker as well.

Re: It's just so slow!

I bet if we listen really closely, there is an old-school modem dialing up an authz service to do these dog slow EMV transactions and then hanging up afterward. Probably some penny-wise and pound-foolish point of sale offering to deploy in ancient retail spots that haven't seen a facilities update since they put in that phone line in the 1980s.

I recently had to make a credit card payment to a road-side assistance truck where his cellular terminal was on the fritz. He had to pull out the old carbon-paper swipe gadget and take an imprint of my card. I haven't seen one of those in a long, long time.

Re:It's just so slow!

[Ash-Fox]

There is 1 exception to this in locations where an IP connection isn't available and to auth you have to establish a dial up connection which can take about 30 seconds.

Offline authorizations however take less than a second.

Re: It's just so slow!

[JamesKeane7745]

Its your payment switch, not the terminal. Guessing you have a PSP rather than a dedicated switch? Swap PSPs if you are sure its not your net connection. The protocol is very lightweight and shouldn't be that slow.

Re:It's just so slow!

[JamesKeane7745]

I will. Any retailer/acquirer that accepts less will pay bigger interchange fees and be held more accountable. If they are unsure they can guarantee identity to a reasonable degree (i.e. for subscribers or B2B customers) then they will be hit so hard by the Card Schemes.

Re:It's just so slow!

[Not-a-Neg]

ApplePay takes 2 seconds, no need to futz around with a wallet, just toss your phone back in the pocket, grab the receipt and go.

Re:It's just so slow!

[thegarbz]

Why are you standing and staring? All machines except for a single brand I've come across do not need you to keep the card in the machine after you've typed in your pin.

Re:It's just so slow!

[rubycodez]

absolutely false, I've recently paid for school district fees for my kids with less info than that. no ccv2, no zip code

you are just spewing what you imagine and hope to be true, reality is harsh

Re:It's just so slow!

[rubycodez]

I will too, fact is you can make purchase with just the number. no name, no zip code, no ccv2, no signing, no expiration date

Re:It's just so slow!

[binarylarry]

You must live in Dirkdirkastan or Africa or something.

I have to give that info out EVERYWHERE I use my cards and I rarely use cash.

Re:It's just so slow!

[rubycodez]

getting warm.....I live in Chicago

Re:It's just so slow!

[Qzukk]

We're talking about the USA Magnited States of America here, we don't need no stinking Personal PIN ID Number.

I went to a grocery store last night that was using the chip and actually paid attention. It took about 1 second after I inserted the card for the prompt to change from "insert card" to "authorizing do not remove card" and about 5 seconds to switch to "authorized remove card now", so it didn't really take 30 seconds in all, it just feels that way compared to getting the card out, swiping the card in 0.2 seconds, putting the card back in the wallet and feeling that I am done with the transaction even if the computer isn't.

I suspect a lot of people also ignore the prompts and just wait for the machine to make angry beeping noises at them to take their card, so they are holding up the transaction more than necessary.

Re:It's just so slow!

[toddestan]

That's because Apple pay prioritizes convenience and ease of use over security.

Re:Christians won't let us eliminate the rest of t

[rubycodez]

just have that anywhere but forehead or right hand and that objection wouldn't hold

having the government "brand" you should be the bigger issue, then they can make you an "unperson" with the flip of a switch

and was that biblical writer a drug user like you imagine, or were they writing allegory about totalitarian state and level of control over people? maybe even making a valid point "and that no one could buy or sell, except they had the Mark..."

More room for improvement

[twotacocombo]

In my experience, they could speed things up a lot if they'd start putting the chip slot on top. I'm 6'3", and can't see those stupid slots on most of the current local checkout terminals. I swipe my card by default, only to have the machine tell me to stick it in some hole I didn't even know was there because the thing is at waist level with the slot on the front of it. I have to bend over and search for the damn thing, and start over. If the slot was on top, I'd know it was there and would just do that from the get go. It also doesn't help that some of these same models of machines don't have the chip reader installed, but do have the slot that's filled with a plastic blank; It's anybody's guess at this point.

Re:More room for improvement

Or just put a sign on the reader saying that you should use the chip reader instead of swiping.

just do it

[supernova87a]

Like so many transitions, they were underambitious and didn't go far enough in the first round. They should've gone straight to chip-and-pin, which Europe uses, and enhances security further.

They worried that having PINs would confuse people, etc. etc. Boo hoo. If history shows anything, it's that providers way overestimate the cost of making these upgrades, and people get used to it and get dragged into the future quicker than you think, and there's no point delaying. Grandma needs to switch, and will deal. Two more years of delaying isn't going to make her any better at using credit cards.

So many decades of transitioning things like digital TV, paperless checks, etc, which are handicapped by half-measures. Just rip the bandaid off all at once. Most people only change when forced to anyway, so just do it now!

Look at the great (even just good) technologies that other countries use in their payment systems. Ability to run the credit card wirelessly at your restaurant table, split the bill, transfer funds (without cost and as a national system) between bank accounts, no more paper checks at all etc. Why can't we do that? A small minority of dumb people, that's who -- and we shouldn't let them hold us back.

Re:just do it

[DogDude]

The transitions have nothing to do with the customer. These transitions are a big expense and a big headache to merchants. We're still waiting until everything gets settled down before we even consider switching systems.

Re:just do it

[PRMan]

So why go through it twice then?

Re:just do it

[Mousit]

They worried that having PINs would confuse people, etc. etc. Boo hoo.

That was always a red herring and never an issue. Especially when you consider that debit card transactions (with PIN) are very common in the U.S. Arguably more common than credit cards, depending on the retailer. Or shit, just think of everyone with a smartphone; if they're not using a fingerprint, they're using a PIN every time they unlock their phone. Americans do not have issues with PINs. I mean, speaking of "Grandma needs to switch", yeah, my grandmother uses debit with PIN herself. She'd likely barely notice the difference if we went to chip-and-PIN.

I disagree with DogDude too: it wasn't about merchants either. Any EMV/chip-capable hardware a merchant purchases would support PIN by default, because it's in the EMV standard. So there was no cost difference, hardware-wise, for the merchant between chip-and-signature and chip-and-PIN. Most merchants anyway. I imagine restaurants there would be a cost difference, because you need a PIN pad you can bring to the table, but I would still say any merchant with a fixed-location point-of-sale register would see no cost difference in the hardware.

No, the real cost is the banks. For most implementations of EMV, the PIN is encrypted in the chip. There are some implementations that do "online PIN" where the PIN is verified directly with the card issuer and is not stored on the card's chip, but this isn't very common among EMV-using nations (though it is fully supported in the EMV specifications). So, if you have a PIN that's stored in the chip, you need to have some way for the customer to change their PIN, right? Well, in the vast, vast majority of the EMV-using world, this is done at an ATM. However, chip-capable ATMs are almost non-existent in the U.S. Think about how many ATMs there are at banks and branches. Replacing them with ATMs capable of accessing and changing chip information and PINs is a massive cost.

The banks themselves have outright said that this is their primary, bulk cost and the process of rolling out new, chip-capable ATMs will take a fair amount of time. Once that is done, however, then you can expect to see PIN added to our EMV cards probably pretty quickly.

Now, why the U.S. couldn't just implement "online PIN", since it's fully supported by the EMV standard, I do not know. It's not like the U.S. banking networks can't handle it. Virtually any U.S.-issued credit card that has an option for PIN-based cash advances/withdrawals at ATMs uses an online PIN. You'd think it wouldn't be a huge change to use that same functionality for EMV cards. :P That I found to be pretty stupid.

Re:just do it

[grim4593]

Do you know of any major US companies that offer chip and pin credit cards? I did some research and the only ones I saw were offered by credit unions.

Re:just do it

[pi_rules]

That was always a red herring and never an issue. Especially when you consider that debit card transactions (with PIN) are very common in the U.S. Arguably more common than credit cards, depending on the retailer.

No, it's not a red herring. People do not remember their PINs. I'm in a weird spot where I went from software development into the garden center business and I wrote our POS software that we've been running for about 4 years now. I also become a cashier on occasion. My POS software looks up the BIN range of the card based on a list given to us by our CC processor and will ask the user for a PIN if they have swiped a debit card. I'd say it's about 50:50 if they actually put in their PIN. I don't have good data on that one. I should but I don't flag the response from the CC provider as debit or credit. But, experience from working a lane is that an awful lot of people will revert to credit instead of PIN debit... and some explain it as they don't know their PIN.

Now that we're on an EMV system some cards register as PIN auth and the pad asks or it automatically. I've already seen customers that don't know their PIN so the sale can't proceed. Not good. One guy came through and explained to us, and this is embarrassing to myself and the CC processing industry trying to secure stuff, that generally if you just hit "enter" or the "green button" when an EMV card asks for a PIN the system reverts to signature. He was right.

Why do PIN pads revert to signature if a PIN isn't provided? People are too stupid to remember their PIN. It's not a red herring.

Re:just do it

[DogDude]

That's my point. We're waiting to do anything until it's settled. Most merchants are still not doing chip & signature.

Re:just do it

[Gavagai80]

But, experience from working a lane is that an awful lot of people will revert to credit instead of PIN debit... and some explain it as they don't know their PIN.

Some may explain it that way, but the most common reason to want to use credit instead of debit is that they get rewards or cash back for using credit and nobody gets anything for using debit.

Re:just do it

And also, my PIN is tied directly to my bank account access. Why would I want to put in a PIN when there is so many PIN skimmers and such, on a daily basis?

--sf

Re:just do it

[JamesKeane7745]

Online PIN is more prevalent than you think in the UK. It's why there is such a big push for T1 retailers to go to P2PE and DUKPT. (BTW - Online PIN is retailer implementation specific, not card specific. Cards still need to do offline PIN.)

Re:just do it

[JamesKeane7745]

Why do PIN pads revert to signature if a PIN isn't provided? People are too stupid to remember their PIN. It's not a red herring.

No no no no no. It's a fallback only in case of an unreadable chip. In 95% on implementations, it is a card scheme rule to try chip CVM first, and a forgotten pin will lead to abort/block (if 3 times)

Re:just do it

[Mousit]

(BTW - Online PIN is retailer implementation specific, not card specific. Cards still need to do offline PIN.)

Support for Online PIN transactions is not mandatory per the EMV specifications (neither is Offline PIN, by the way, so no, cards don't "need" to do Offline PIN either), and support in point-of-sale terminals varies, especially by country. The chip in the card tells the payment terminal what CVM (Cardholder Verification Method) options it has, and it also defines the preferred order of those methods. The payment terminal is then supposed to use the first CVM in the list that it is able to support.

The retailer does of course need POS hardware/software that supports Online PIN in order to process such transactions. I'm not sure I'd describe that as the retailer "implementing" Online PIN though. The retailer either supports that particular CVM option in their point-of-sale system or they don't. That could just be semantics though.

However, my earlier point about American retailers still stands. Any retailer here in the States that supports debit card transactions (as specifically debit-with-PIN, not as a credit transaction) already supports Online PIN, because that's how our debit cards work; they're universally Online PIN only. Since debit card transaction support is very widely available in the U.S., that by extension means Online PIN transaction support is already widely available too. That's why I find it odd that our move to EMV didn't just go with Online PIN instead of signature--or even just support both, in preferred order, so the card would drop back to chip-and-signature for POS terminals that don't do Online PIN. Maybe the methods used for our debit network aren't in any way compatible with EMV transaction processing, don't really know.

WTF is EMV?

[Megane]

It would have been nice if TFS or TFA had explained what EMV is. I only this past month got my first chip card (I'm in the U.S.) and had never seen the acronym before.

And yes, it is annoying to have to leave the card in there for so long, not to mention the card slots that are placed where they are hard to see. Even more annoying is that before I got the chip, I basically was never asked to sign for amounts less than $50. Now I'm sometimes being asked to sign for smaller amounts. I don't mind the industry wanting more security, but maybe they could think about the user experience side of things a bit more?

Re:WTF is EMV?

[Cimexus]

Well unfortunately the US took the half-assed approach of moving to chip, but still requiring signature. Everywhere else it's chip + PIN. By the time you've typed the 4-6 digits of your PIN, the chip reading part of it is generally done and the whole transaction is generally quicker than the whole 'cashier hands you annoying piece of paper and a pen and you sign' rigmarole.

Even better, most places outside the US these days have contactless payments available at most merchants. For smaller amounts ($100, $50, varies by country), tap your card on the reader and you're done. Takes literally 1 second.

Re:WTF is EMV?

Don't feel bad. I've had a chip card for about a decade, and a a paywave card for years, and I've never seen that acronym before either.

Re:WTF is EMV?

The shift to a country which has modern technology.

My Chip card in NZ is also contactless payment, I don't even take the card out of my wallet, just flip it onto the reader (wallets has to be open and used using the "inside", trying the outside of the wallet will not work because I have a piece of foil stopping walk by scanners).

Been doing that for a few years now. And depending on who the retailer is there is varying levels of "trust", some will allow $20, some $60 before a PIN is required.

Re:WTF is EMV?

[drinkypoo]

And yes, it is annoying to have to leave the card in there for so long, not to mention the card slots that are placed where they are hard to see.

My bank's ATMs which use the chip look identical to the ones that don't, so I get to play a guessing game as to whether they want me to remove my card before I make my transaction...

Re:WTF is EMV?

[Anne+Thwacks]

EMV = Electric Motor Vehicle

Re:WTF is EMV?

[cdrudge]

My bank solved that problem. You have to insert then remove your card as you normally would, then wait for it to prompt you to reinsert your card where you leave it until your transaction(s) are done.

This, combined with their chip not being accepted randomly for multiple retailers as a "credit" transaction, and their refusal to support Apple Pay or Android Pay because "it may just be a fad" really makes me want to find another credit union. But they are the largest in the area so I doubt other local CU would be much better.

Re:WTF is EMV?

[sociocapitalist]

Well unfortunately the US took the half-assed approach of moving to chip, but still requiring signature. Everywhere else it's chip + PIN. By the time you've typed the 4-6 digits of your PIN, the chip reading part of it is generally done and the whole transaction is generally quicker than the whole 'cashier hands you annoying piece of paper and a pen and you sign' rigmarole.

Even better, most places outside the US these days have contactless payments available at most merchants. For smaller amounts ($100, $50, varies by country), tap your card on the reader and you're done. Takes literally 1 second.

20 Euros typically.

The problem is that there are portable card readers that scammers take into crowds (ie metro) and scan wallets and purses randomly, taking less than 20 euros each time - no authentication and unless the target is checking their statements carefully they never even notice.

Problem two is where a vendor accidentally or deliberately double taps the card. (so never let it out of your sight).

I've told my bank to remove this service because I prefer to take the few extra seconds to put in my pin code and retain control.

The vendors don't mind because the banks actually charge an extra per month fee as well as a transaction fee for the contactless transaction.

Re:WTF is EMV?

[thegarbz]

They aren't as big problems as you think. This kind of fraud is actually trivially spotted and even as a victim from it you'll often never know as the bank resolves it itself.

As for a vendor accidentally keying in the amount a second time, accidentally tapping a second time, and accidentally printing a second receipt .... wait why is the vendor tapping again? What scenario do you actually hand your card to someone these days?

Re:WTF is EMV?

[sociocapitalist]

They aren't as big problems as you think. This kind of fraud is actually trivially spotted and even as a victim from it you'll often never know as the bank resolves it itself.

As for a vendor accidentally keying in the amount a second time, accidentally tapping a second time, and accidentally printing a second receipt .... wait why is the vendor tapping again? What scenario do you actually hand your card to someone these days?

The fraud is not trivially spotted unless one scrutinizes every transaction on one's statement, which I (and many if not most people) do not. The bank certainly doesn't scrutinize it for me.

There are certainly places where the vendor does the transaction. One is called Cojean, a popular chain restaurant here in Paris (and probably elsewhere) and they do the tapping - for a lot of people who obviously think nothing of handing their cards over. There is no option of doing it oneself at this chain.

Re:WTF is EMV?

[thegarbz]

The fraud is not trivially spotted unless one scrutinizes every transaction on one's statement, which I (and many if not most people) do not. The bank certainly doesn't scrutinize it for me.

The bank most definitely does scrutinize it for you. Constantly. They have entire departments dedicated to it. You're just confusing *where* the scrutinisation is taking place. It's not easily located in your bank statement, it's easily located on the "merchant's". Hence why I said you'll often never know as the bank resolves it itself.

I had a transaction cancelled due to fraud one day and I called up the (Australian, may be different in the EU) bank about it. Their fraud department told me why it was rejected and I asked if it happens often and they said they can send me a summary. I was actually blown away at the number of fraudulent transactions which I never knew happening in my account which banks automatically deal with as they disqualify merchants and transactions. For me it was in the order of 1 transaction per 2 years on a card that has never been used online, and 2 transactions per year on a card which has. I expected a one line answer, not a two page document covering my history of being a bank customer.

Re:WTF is EMV?

[tlhIngan]

Problem two is where a vendor accidentally or deliberately double taps the card. (so never let it out of your sight).

????

I thought the tap cards you're supposed to be the one tapping the reader, not handing it over to the vendor. (This was the biggest change when Canada moved from swipe to chip - everyone handed their card over, the cashier swiped it, and then had to insert it into the chip reader in front of you).

I always thought that was one of the things with the new EMV system - the only person to touch the card is the card holder - if it's chip, they insert it in the reader (if you can find the bloody slot), if it's tap, you tap it yourself. You don't hand over the card at all.

Even in restaurants now they bring the terminal to you rather than you stick the card in for them to swipe it for you.

Re:WTF is EMV?

[sociocapitalist]

The fraud is not trivially spotted unless one scrutinizes every transaction on one's statement, which I (and many if not most people) do not. The bank certainly doesn't scrutinize it for me.

The bank most definitely does scrutinize it for you. Constantly. They have entire departments dedicated to it. You're just confusing *where* the scrutinisation is taking place. It's not easily located in your bank statement, it's easily located on the "merchant's". Hence why I said you'll often never know as the bank resolves it itself.

I had a transaction cancelled due to fraud one day and I called up the (Australian, may be different in the EU) bank about it. Their fraud department told me why it was rejected and I asked if it happens often and they said they can send me a summary. I was actually blown away at the number of fraudulent transactions which I never knew happening in my account which banks automatically deal with as they disqualify merchants and transactions. For me it was in the order of 1 transaction per 2 years on a card that has never been used online, and 2 transactions per year on a card which has. I expected a one line answer, not a two page document covering my history of being a bank customer.

Interesting and good to know, thank you. That being said, I prefer nonetheless to have to use my pin for transactions -

Cheers

Re:WTF is EMV?

[sociocapitalist]

Problem two is where a vendor accidentally or deliberately double taps the card. (so never let it out of your sight).

????

I thought the tap cards you're supposed to be the one tapping the reader, not handing it over to the vendor. (This was the biggest change when Canada moved from swipe to chip - everyone handed their card over, the cashier swiped it, and then had to insert it into the chip reader in front of you).

I always thought that was one of the things with the new EMV system - the only person to touch the card is the card holder - if it's chip, they insert it in the reader (if you can find the bloody slot), if it's tap, you tap it yourself. You don't hand over the card at all.

Even in restaurants now they bring the terminal to you rather than you stick the card in for them to swipe it for you.

Not always the case - in another post in this thread I reference a fast food chain here in Paris called Cojean where a line of cashiers takes cards from lines of customers and it's the cashiers doing the tapping. They do ask if they can, but then it's them that does it.

Re:WTF is EMV?

Sign a piece of paper? I can't remember the last time I had to do that. Now if you have to sign, it's sign the electronic touchpad. I don't even attempt a real signature. I just scrawl a few lines or loops and call it good.

Re: Christians won't let us eliminate the rest of

I can only assume by the nature of what John saw that he either had some serious issues like epilepsy or that he was tripping on some strong drugs. There is some logic to interpreting it as allegory about the dangers of a totalitarian state, which in that case was Rome. The problem is, there are enough nutjobs who interpret it literally that they will prevent something like this from ever happening. And I'm not sure how physical branding would differ in your concerns from any other government issued ID, especially if it's ever done by biometrics. The basic concern about totalitarianism is valid if you don't take the book literally.

Inertia

[Solandri]

The country where something is developed first is saddled with a large installed base of the older tech. Countries which hop on the bandwagon later benefit from the experience of that trailblazer, and get the better tech right off the bat. Other examples include:

• African countries lead the world in ratio of cellular vs landline phones - they just skipped landlines almost entirely.
• Digital cell phones came to the U.S. last because the U.S. was first with analog cell phones - not only did U.S. companies have to build a digital cellular network, they had to transition all their analog customers to digital and dismantle the old analog network.
• Japan initially led the world in HDTV technology. The government pumped billions of dollars into R&D to insure the HDTV standard would be the Japanese standard. But their tech was based on analog broadcasts. In the mid-1990s, computer technology became advanced enough to allow real-time digital decompression of a HD-resolution video signal, and the U.S. leapfrogged Japan and set all the digital HDTV standards we use today.

Re:Inertia

[Cimexus]

Re HDTV though, the US didn't really set any true 'standards', assuming you mean global standards. As is typical, they did their own thing (ATSC) while the rest of the world did something else (DVB-T).

Re:Inertia

[dave420]

Analogue cell phones were first deployed in Japan, and then in the Nordic countries. Clearly your argument is nonsense. I'm sure it's a great weight off your mind to hand-waive the US's technological short-comings away by simply shrugging, mumbling "frist!", but it has no foundation in reality.

Re:Inertia

[Ash-Fox]

The country where something is developed first is saddled with a large installed base of the older tech. Countries which hop on the bandwagon later benefit from the experience of that trailblazer, and get the better tech right off the bat.

We know however that credit card PoS systems were always more popular in the UK and France initially than the USA (1960s). Yet, the USA still can't really compete with the UK and France as far as PoS systems go.

Re:Inertia

You also suffer terribly from NIH (Not Invented Here). Digital Cellphones being a classic - you went and used CDMA and CDMA 2000 protocols where the rest of the world went and used GSM and later UMTS. Sure, you've mostly moved to the same as the rest of the world (and Fiji and NZ have shut down their CDMA networks), but you still have it around.

Why on earth did you do that? Why did you go from Analogue to weird digital, instead what everyone else was doing? No, I dearsay you (the USA) have an aversion to using something that comes from 'communist europe'?

Or, why on earth are you going to chip-and-sign? I mean, honestly, WTF? Most of the security is in the damn PIN, for crying out loud. (Fraud levels in NZ which has used magnetic-swipe-and-PIN since the 1980s have been so low, the only reason we bothered with chips is because Visa and MasterCard were insisting. These days, the focus is on keeping PINs secure - far, far more important.)

Re:Inertia

[mjwx]

The country where something is developed first is saddled with a large installed base of the older tech. Countries which hop on the bandwagon later benefit from the experience of that trailblazer, and get the better tech right off the bat. Other examples include:

• African countries lead the world in ratio of cellular vs landline phones - they just skipped landlines almost entirely.

Erm... this is mainly because when they tried to lay copper, it was being dug up to be sold as scrap metal.

Fibre optic cable between mobile towers isn't valuable enough to be worth digging up.

Re:Inertia

[IamTheRealMike]

One of the first countries to roll out EMV was the UK, where there were plenty of magstripe cards.

Try again. I'll give you a hint. The real reason is that in the USA Visa is an ordinary company, whereas in the rest of the world it was owned by the banks. In one setup there is incentive to fix things. In the other, not so much.

Re:Inertia

[AmiMoJo]

Not really... Japan decided not to get on the digital broadcasting bandwagon too early, because the licence funded broadcaster NHK didn't think the image quality was good enough with MPEG-2. Instead they went straight to H.264 for both SD and HD, starting to 2003. They also resisted the temptation to have 100 terrestrial channels, all of that total crap with low bitrate images, and instead opted for a smaller number of full HD channels and accompanying "1seg" mobile versions (most cars and many phones can display the mobile version).

They are doing it again with UHD. NHK isn't even going to bother with 4k, they are going directly to 8k in time for the 2020 Olympics. Some satellite broadcasters are doing 4k but not on terrestrial.

Re:Inertia

[Eunuchswear]

One of the first countries to roll out EMV was the UK,

Well, for values of "first" that include "ten years after France".

Re:Inertia

[thegarbz]

Countries which hop on the bandwagon later benefit from the experience of that trailblazer, and get the better tech right off the bat.

That would be a great justification except for the complete lack of problems, smooth transition in all countries, and the USA simply implementing something that the rest of the world has had now for years.

Re:Inertia

[kb7oeb]

And we were early enough to standardize over the air on MPEG2 while countries converting later settled on the more efficient MPEG4 DirecTV is another example, they predated the DVB standards and use something proprietary (was once called DSS)

Re:Inertia

[kb7oeb]

This is because congress got to pick and they picked 8-VSB because it was owned by Zenith, then an American company but now owned by LG. The other reason I've heard was because 8-VSB has better range than COFDM. So it works better at the farm house out in the boondocks where the house probably has satellite tv and doesn't work well in the city, where people actually are, because it doesn't handle multipath well,

Hope the quick chip works like this...

[BlueCoder]

I'll have to look up how it works later but this is how it should work.

The card should sign a token given by the terminal for a one time transaction.

The token should then be used to finalize the transaction.

This is completely acceptable. If the terminal is simply copying the private key then it's completely wrong.

Re:Hope the quick chip works like this...

[JamesKeane7745]

No - no its not. And never will. Offline auth is done by the chip on the card. Online auth will use DUKPT.

Re:Christians won't let us eliminate the rest of t

[PRMan]

Amazing how that "drug user" predicted something that we're actually talking about 2000 years later...

Because it breaks the card

Since this new chip was forced on me, the chip has worked zero times.

The system will require three attempts then ask the user to swipe the card using the old magnetic strip.

Several retailers have refused to accept payment using the card since the chip fails.

Prevents fraud and legitimate use. Win/win? I think not.

Heh, if only it worked

[infinite9]

I'm a US citizen living outside the US. Let me tell you that these chip cards are a nightmare for us. They work about 50% of the time, with no rhyme or reason as to when they'll work or why. Trying the card a second time sometimes works. Sometimes the machines ask for PIN codes when there isn't one, other times not. When this happens, I can enter any random number and the transaction goes through. A card will work at a particular gas station one day, then not the next, then works again the following day. The cards will usually work in one store, or almost never work in another store.

Locals with the new machines have no idea what they're doing. Sometimes they swipe cards with no magnetic stripe. Sometimes they pull the card out before the transaction is done. Sometimes they argue with me telling me it's a debit card when it's a credit card.

And in all cases, whenever the card doesn't work at a purchase, the error message is "declined".

My chip Visa ATM cards work in almost no machines here, while the magnetic stripe cards did. Some give the wrong menu options on ATM machines, allowing "savings account" as the only option when I have only a checking account. Others work or don't at random. The error message is useless. Or sometimes I get different error messages depending on whether I select english or spanish at the ATM. In general, I have about a 1 in 5 chance of extracting some amount of money from a machine. When I call the customer support number on the back of the card, they swear up and down the card works just fine.

I'm slowly removing myself from a reliance on banks and even money in general. These idiotic chip cards are only encouraging me to hasten my exit.

I'm convinced this is about 10% pilot error at the point of sale, and 90% a technical problem on the bank servers in the US. The development was probably outsourced to the lowest bidding indian consulting firm.

Re:Heh, if only it worked

[Cimexus]

I would suggest getting a chip card from a local bank wherever you are. The technology works great in most places I've been (Canada, Europe and yes even the US), but then, my home bank is in Australia where chip + PIN has been established standard for well over 10 years. The US cards are kinda 'frankenstein' because they have the chip but generally no PIN (i.e. the US went with the weird hybrid approach of having a chip but still requiring signature).

Re:Heh, if only it worked

[infinite9]

The accounts are in the US. I need to draw the money from there. I don't have a bank account here on purpose because of FACTA.

Re:Heh, if only it worked

[Dantu]

Sounds like your bank has really messed up the deployment.
We've got chip & pin here in Canada and my card works flawlessly both in Canada and in the USA. My card has a the raised lettering, magnetic stripe, a chip, and contact-less payment. I've actually used all 4 recently:
1. Raised lettering - at a Mennonite farm (long story, normally would have brought cash)
2. Magnetic stripe - in the USA last year
3. Chip & Pin - everyday, larger transactions and places that don't have tap
4. Tap & Pay - everyday smaller transactions, including at a drug store in Florida.


New stuff is great - the key to a smooth roll out is great backwards compatibility though.

Re:Heh, if only it worked

[Cimexus]

Fair enough - FATCA is a bitch I agree (as someone who holds accounts in both the US and Australia I'm all too familiar with it...)

Re:Heh, if only it worked

[IamTheRealMike]

The issue is that for mysterious reasons US banks believe Americans are too dumb to remember their PINs. So American chip cards are unlike the cards used everywhere else in the world, they're "Chip and Signature" rather than "Chip and PIN". Not surprisingly, this unique mode of operation causes interop issues because it's never been tested at scale before.

Re:Heh, if only it worked

[sociocapitalist]

I'm a US citizen living outside the US. Let me tell you that these chip cards are a nightmare for us. They work about 50% of the time, with no rhyme or reason as to when they'll work or why. Trying the card a second time sometimes works. Sometimes the machines ask for PIN codes when there isn't one, other times not. When this happens, I can enter any random number and the transaction goes through. A card will work at a particular gas station one day, then not the next, then works again the following day. The cards will usually work in one store, or almost never work in another store.

Locals with the new machines have no idea what they're doing. Sometimes they swipe cards with no magnetic stripe. Sometimes they pull the card out before the transaction is done. Sometimes they argue with me telling me it's a debit card when it's a credit card.

And in all cases, whenever the card doesn't work at a purchase, the error message is "declined".

My chip Visa ATM cards work in almost no machines here, while the magnetic stripe cards did. Some give the wrong menu options on ATM machines, allowing "savings account" as the only option when I have only a checking account. Others work or don't at random. The error message is useless. Or sometimes I get different error messages depending on whether I select english or spanish at the ATM. In general, I have about a 1 in 5 chance of extracting some amount of money from a machine. When I call the customer support number on the back of the card, they swear up and down the card works just fine.

I'm slowly removing myself from a reliance on banks and even money in general. These idiotic chip cards are only encouraging me to hasten my exit.

I'm convinced this is about 10% pilot error at the point of sale, and 90% a technical problem on the bank servers in the US. The development was probably outsourced to the lowest bidding indian consulting firm.

I've been living outside the US for almost 15 years and with various banks and cards I have never experienced any of the problems you're having.

Re:Heh, if only it worked

I'm on my 3rd chip card in China and they are complete shit. What stupid motherfucking idiot decided to put electrical contacts on a plastic card? Eventually, the card won't read properly, requiring yet another new card. I now only use my card at the ATM and just use WeChat Pay.

Re:Heh, if only it worked

[urdak]

The issue is that for mysterious reasons US banks believe Americans are too dumb to remember their PINs.

Maybe not "too dumb", but how can you possibly remember your PIN number if you have more than one different credit cards, like many Americans do?
I have 4 different credit cards, and use at least 3 of them with some frequency, but when I go to Europe (where this PIN stuff is popular) I find myself using the same credit card all the time because I simply can't be bothered to remember all these different PIN numbers.

This whole PIN number thing is pretty stupid - it doesn't protect against fraud, just against use of stolen credit cards. The chip itself (without a PIN) is already enough to protect against fake credit cards with stolen numbers. But why are physical stolen credit cards suddenly a problem, when it hasn't been a problem for more than 30 years? Are there more pickpockets now than ever?

Re:Heh, if only it worked

[thegarbz]

I'm a US citizen living outside the US. Let me tell you that these chip cards are a nightmare for us. They work about 50% of the time, with no rhyme or reason as to when they'll work or why.

The reason is international accounting issues and credit fall-back if the vendor accepts credit cards at all. Lots of people assume a slot in a machine must mean their cards work, not so. Much of Europe still doesn't accept credit cards which isn't an issue since everyone here is issued with bankcards with chip and pin. Likewise ATMs are not typically setup to provide credit cash advances.

You are right about one thing. The problem is almost always something to do with a US bank. I've never had a debit or credit card fail in continental Europe when using chip+pin, but then I have one issued by a European bank. I have had a few problems while travelling in China with similar useless errors (and one ATM machine failing to give me my card back).

The reason there was no problem with the magstripe was that this was treated as a transaction to resolve at a later time. Take the details from the card and account for it after hours. This may be great for you but it's also orders of magnitude more convenient for criminals.

Re:Heh, if only it worked

[Ash-Fox]

Maybe not "too dumb", but how can you possibly remember your PIN number if you have more than one different credit cards, like many Americans do?

I have seven cards, a mixture of credit, debit and charge cards and I just remember the pins.

I have 4 different credit cards, and use at least 3 of them with some frequency, but when I go to Europe (where this PIN stuff is popular) I find myself using the same credit card all the time because I simply can't be bothered to remember all these different PIN numbers.

I live in Europe and remember the pins just fine.

This whole PIN number thing is pretty stupid - it doesn't protect against fraud, just against use of stolen credit cards.

My bank refuses transactions on the magstripe of my cards if the terminal supports chip and pin transactions and immediately calls me to ask me if it was a legitimate transaction (your bank may differ). As far as cloning cards goes, it seems pretty hard to me? You can't clone the chip and the magstripe of my card won't work for you. Of course, it won't protect against online transactions.

Re:Christians won't let us eliminate the rest of t

Not amazing at all because it's not the same thing.

The identification system that is being discussed is a means of identifying people uniquely for the purposes of credit transactions, not a replacement for cash.

The prediction was that the mark would be the name or number of the beast, without which nobody could buy or sell anything. Everyone would have the same mark.

The fact is that idiots freak out every time some form of identification is proposed and insist that it's the mark of the beast. The same freak out happened when social security numbers were introduced, when universal bar codes were introduced and, of course, now with RFID becoming widespread.

Here's a link to the Visa "Quick Chip" spec

[billrp]

https://www.visa.com/chip/merc...

EMV Stinks in the US

[hazem]

They might be great in Europe but they're really badly done here in the US.

The new terminals are just plain slow. Even without the chip, it often takes over a minute to approve the transaction, and (unlike before) you can't swipe the card and put it away until the checker has completed scanning all the items. More than once, I've just left a pile of bagged goods at the counter because the thing didn't work at all.

So I have simply stopped shopping at places that require the chip. Amazon ships most non-food things I need and I just pay cash at the grocery store.

Make these work at least as fast as the old way, and not require me to leave the stupid card in the terminal, and I'll consider going back to those shops. Otherwise, I'll probably just spend less; great for me, less so for the retailers and the economy.

Re:EMV Stinks in the US

You have to leave card in until transaction is complete. To make it not require that would mean a redesign of the entire system, again.

Other guy above commented about typing in any PIN and it works, I've heard this many times. In fact I've never heard of a card being declined because of a bad PIN entered.

Try and figure out how the terminals work. Its actually ridiculous the amount of work you would have to put in to make every possible card work that you are reasonably going to see.

Re:EMV Stinks in the US

[Ash-Fox]

You have to leave card in until transaction is complete. To make it not require that would mean a redesign of the entire system, again.

Eh, if you've got payment processors that are really slow to communicate with, you could do an offline authorization initially (should probably disable the risk profile checking of an existing implementation for offline authorization -- don't need it since you're immediately processing after), which is fairly instantaneous and then do the actual transaction immediately after allowing you to take the card out. So no, the standard is pretty flexible and you wouldn't need to redesign the entire system, just some parts of the PoS systems which can be done with software updates.

Its actually ridiculous the amount of work you would have to put in to make every possible card work that you are reasonably going to see.

Nah, it isn't. I implemented Eurocard, Visa and Mastercard chip support in a PoS system and it wasn't that difficult. What's likely happened above is the Cardholder Verification Method functionality is using online checks and since most payment processors over there probably don't have integration for card pins yet, they're just accepting any pin for online pin checks (really, they should be forcing offline pin checks, but you don't really see that functionality on 'always-online' systems).

Re:EMV Stinks in the US

[Ash-Fox]

Sorry, correction. By Eurocard, I meant Europay.

Re:EMV Stinks in the US

[IamTheRealMike]

PINs are absolutely required in the non-US deployments. It's like an ATM. Get it wrong too many times and it's locked.

Re:EMV Stinks in the US

[Not-a-Neg]

Just last night I was at Wal-Mart (sadly they have the best ice cream selection) and the morbidly obese black woman in front of me was having a problem using her card since she wanted to use it as a credit card but the chip was only allowing it to be used as a debit card. Thankfully, the cashier was able to get it to swipe as a credit card to get her transaction processed. Of course, she still had to stand there for 5 minutes and argue about how much she was charged for a 5-pack of Capri-Sun boxes. According to the cashier it was a limitation of the bank's implementation of the chip forcing it to only allow her card to be used as debit in that way.

I don't have a chip card yet (USAA is taking their sweet time) so I still enjoy the swiftness of swiping. I wish they would accept ApplePay though, it's much faster and safer.

As always, security was broken 5 years back (;-))

[davecb]

See https://www.lightbluetouchpape...

It's actually worse now: for about $20 you can get a stick-on chip to make your own cracker-card.

Chip-and-sign in the US is no more secure, but it has the brilliant advantage of allowing the victims to prove it wasn't their signature and recover from the banks.

What is a "chip"?

Are you so primitive youre still using little peices of plastic ?

I'm already cardless. Google it.

Seriously, whats with you guys ? Your financial systems are still like 1980.

"...withdraw it in two seconds or less"

and American Express was not pleased.

Re:"...withdraw it in two seconds or less"

If you're relying on the withdrawal method you're asking for trouble...

Retrofitted POS

[rsilvergun]

is the problem I see. Brand new shinny terminals knock out the transaction in 10-15 seconds tops. Beaten up old terminals from the early '00s still have the readers but they're processors weren't fast enough to do the cryptography. They're also dodgy and unreliable. Still, it beats waiting for someone to county out change from their fanny pack...

Completely agree.

[Brannon]

I'm astounded at how poorly engineered the entire system is. The slot is hard to find (especially for tall people) and it takes way too long. Wasn't this system in Europe for 10 years? Didn't they test it at all before rolling it out?

Re:Completely agree.

[pacman+on+prozac]

Doesn't sound like you've got the same kind of card units we have in Europe, here they're integrated handset-sized boxes which do all the card interactions and are either wireless or cabled into the POS. They can usually be picked up for use or are mounted high up, some do have swipe slots but I've no idea why as I've not had a card that could be swiped for over a decade.

Re:Completely agree.

[dave420]

Yes, and apparently they don't find the same problems you do. Or maybe there is a good reason for them being the way they are, and you just haven't figured it out in the few seconds you've thought about it before condemning it?

Lots of places in the US support NFC payments.

[Brannon]

I haven't seen anything faster or safer than Apple Pay, for example.

Re:Lots of places in the US support NFC payments.

[Ash-Fox]

I haven't seen anything faster or safer than Apple Pay, for example.

Samsung's Magnetic Secure Transmission always seemed faster to me and the token system seemed fairly secure too.

Re:Lots of places in the US support NFC payments.

[Geeky]

I assume you need to unlock? I'd say contactless cards would probably be quicker than unlocking a phone, even with fingerprints? That said, I believe you can do it with an Apple watch, and that's even quicker - I know someone who uses his on the London tube instead of an Oyster card - just taps his wrist on the reader, no need to even get anything out of a pocket

Re:Lots of places in the US support NFC payments.

[IamTheRealMike]

Apple Pay is much worse than the NFC payments the rest of the world uses.

1) You need an iPhone. Apple's marketshare outside of English speaking countries isn't that high.

2) You need batteries. NFC credit cards don't.

3) An iPhone is physically much larger than a card.

4) Apple Pay has to be initialised by putting in your card details, which makes it perfect for washing stolen CC#s. NFC cards are sent to you straight from the bank, so, there's no intermediate fraud-prone step.

Re:Lots of places in the US support NFC payments.

[aaarrrgggh]

Personally, I use Apple Pay with my watch: no reaching into pockets, no unlocking, just double-tap one of the buttons. (The only challenge is the watch only holds one card.)

As for washing cards... Sure, if you have a burner iPhone that is registered in the same name and you don't mind the GPS coordinates being logged... It is a pretty solid system, not perfect, but well thought through.

Re:Lots of places in the US support NFC payments.

[Not-a-Neg]

With ApplePay you just hold the phone near the terminal and the phone automatically brings up your wallet, you don't need to unlock the phone first, it prompts you to use the TouchID merely to authorize the transaction. The first few times I used it I was unlocking the phone beforehand until I read somewhere that it wasn't necessary. I currently use it an average of 10 times a week, there just are not enough places accepting it.

Re:Lots of places in the US support NFC payments.

[Dahan]

Apple Pay is much worse than the NFC payments the rest of the world uses.

The US has had NFC payments for years. However, it never caught on here... I think people are paranoid about RFID. But Visa, MasterCard, and Discover all had contactless cards for a while, but it seems that the experiment was deemed a failure and they're phasing them out now.

It's not the delay, it's the poor UI.

[RealGene]

In my USA experience, it's not the actual 4-6 seconds that my chip card transactions take,
it is the sluggish and confusing UIs on the terminals that fail to immediately note the card is present,
then appear to go blank, then display a poorly drawn "do not remove the card" splash,
which was obviously an afterthought added when the terminals were put in front of actual users.

The UI problems are obvious, as everywhere I go there are hand-drawn warnings and instructions taped to the terminals, because the device itself isn't clear or obvious.

That's why a well-thought UI like Apple Pay appears effortless in comparison.

And *why* is the chip slot located at the bottom of these terminals, at a weird angle almost parallel to the counter?
The hand motion required to position the card is uncomfortable and out of my sightline.
Why isn't there a "dip" slot at the top of the terminal, where the card could be inserted vertically?

But it's slow...

My wife (a cash register driver) hates the new chip cards that have started showing up. Markedly slower to process than the mag stripes. Slows down her line and hurts her numbers.

I haven't experienced it yet. I just got my chip card last month, but no place I've gone so far supports them.

Re:Christians won't let us eliminate the rest of t

[rubycodez]

So you missed the article where the government is considering eliminating cash and going to pure electronic money with ID system

Re: Christians won't let us eliminate the rest of

[rubycodez]

The USA does not have a national required ID

You don't read sci-fi or fantasy? plenty of sober writers write crazier things than the Biblical John, his work is mild and n00b level at best

Visa wins...

The merchant has to pay more (EMV terminals are not free), the card holder has to pay the same (never had to pay for the card itself anyway, unless you pay an annual fee), and Visa gets to save money / make more money. Sounds like a lose/lose/win. (For consumer/merchant/Visa.)

Wait, why are we doing this again?

Out of band confirmation

[DrYak]

How would you make an urgent purchase by phone? More than once, I've purchased an airline ticket over the phone while I was literally in a cab on my way to the airport, I'd be pretty pissed if my bank would not allow that.

The problem is the same feature that enables you to buy a plane ticket over the phone with a "card not present" type of transaction, would enable absolutely any fraudster to impersonate you and empty you account / buy up to the card's limit simply by using some number printed on the face of your card that the fraudster could even have just glanced over.
(Yes, there are insurances against that, but still somebody is going to need to pay the cost. In the end this cost is passed to the customer as transaction fees and/or monthly fee).

The way I've seen "card not present" type of transaction handled here in around Europe, is out of band confirmation.

- A few years ago, I've got contacted by SMS by my bank asking to confirm directly to them the transaction.
(This part I haven't encountered for the last few years, so I don't know if it still exists.
Though I doubt that it is still in use, because back then the standard identification protocol was answering a couple of question that any one can quickly answer by searching modern social networks)

- Nearly every single transaction of the "card not present" type nowadays happens *on-line*. So still likely to happen over the phone, except using the "smart" part of the functionality of the phone.
A very huge proportion of online transaction I've seen use 3-D Secure system, which is basically also an out-of-band confirmation: a new intermediate page (in the purchase flow) or a new tab is opened asking you to log-in and confirm the transaction.
This confirmation is NOT served by the web merchant (or the plane company in your case) server, but by the bank's webserver. (Clearly indicated in the URL, all transaction authenticated using an up-to-date https).
Only once you confirm on the bank's website does the transaction goes through at the merchant.
(A fraudster would not only need the numbers visible on your card, but would also need to be able to log into your bank's 3dsecure page).
All the plan ticket I've bought online have gone through a 3d secure confirmation (EasyJet, StarAlliance, a few others...). Though I didn't by them while in the cab, but well in advance.

It's not that dissimilar from the way PayPal is handled by merchant: at some point the webshop redirect to page hosted on https://paypal.com/ that asks you to log-in to confirm the transaction.

And let's be serious for a minute:
you're speaking about airlines. with the present security circus, you're at least in for 60 to 90 minutes of queue in front of the security check. It's not that you're going to miss your plane if you take 5 minute more to buy the ticket before getting into the cab.
And there's still plenty of time to purchase your plane ticket at the airport using proper on-line identification while waiting on the queue.

Since I don't have a chip reader in my phone, I don't see how I'd be able to make a mobile web purchase either.

Actually, you do.

Phones' NFC, and card reader/credit card's RFID can talk to each other.

Some european bank do use as a 2-factor to authenticate your online session: stick your RFID card to your phone's NFC antena (example)

There's no *technological* limitation to your smartphone acting as a payment terminal using a simple app, though the only example I've seen use a bluetooth enabled contact-chip reader instead of directly accessing the card over NFC.
(I suspect current certifications won't allow a smartphone app to input a pin and sign a transaction)

but one day you could probably pay simply by sticking your RFID card against the phone's NFC antena.

Eh, I know bad design when I see it.

[Brannon]

I guarantee everything I listed will be fixed in 5 years.

GET RICH FAST

Hi, My name is coco lauren wolf from the united states and i want to share my experience with everyone. I have being hearing about this blank ATM card for a while and i never really paid any interest to it because of my doubts and due to the fact that i lost alot of money to online scam. Until one day i discovered an hacker called mason hardman. he is really good at what he does.so I inquired about The Blank ATM Card. If it works or even Existed, He told me yes and that its a card programmed for random money withdraws without being noticed and can also be used for free online purchases of any kind. This was shocking and i still had my doubts. Then i gave it a try and asked for the card and agreed to his terms and conditions. Hoping and praying it was not a scam. four days later i received my card and tried it with the closest ATM machine close to me, It worked like magic. I was able to withdraw up to $3000USD. This was unbelievable and the happiest day of my life. So far i have being able to withdraw up to $28000USD without any stress of being caught and the wonderful part is that the credit limit is over a 100,000USD. i also wanted to confirm if i could use it anywhere in the world so i traveled to 6 different countries and it worked perfectly well. I don't know why i am posting this here, i just felt this might help those of us in need of financial stability. blank Atm has really changed my life and it can change yours too. It is 100% safe to use this card. Because it will be shipped to you as a gift card.
He can also reload any Active and valid cards, any type of card just contact him for a reload (prepaid cards, credit/debit cards).

CONTACT HIM VIA EMAIL: hacked_legit_blankatm@outlook.com
CONTACT NUMBER: +2348158827165