Slashdot Mirror
The Chip Card Transition In the US Has Been a Disaster (qz.com)
Ian Kar, writing for Quartz: Over the last year or so in the U.S., a lot of the plastic credit cards we carry around every day have been replaced by new one with chips embedded in them. The chips are supposed to make your credit and debit cards more secure -- a good thing! -- but there's one little secret no one wants to admit: The U.S.'s transition to chip cards has been an utter disaster. They're confusing to use, painstakingly slow, less secure than the alternatives, and aren't even the best solution for consumers. If you've shopped in a store and used a credit card, you've noticed the change. Retailers have likely asked you to insert the chip into the card reader, instead of swiping. But reading the chip seems to take much longer than just swiping. And on top of that, even though many retailers now have chip reading machines, some of them ask us just the opposite -- they say not to insert the card, and just swipe. It seems like there's no rhyme or reason to the whole thing.
As a Canadian I really don't get this. We've had chip and pin here for awhile, and while the initial adoption was a bit rough, it generally works fine.
Confusing
Reader says "insert chip in the bottom".
You insert chip in the bottom.
Reader says "enter pin".
You enter pin.
Painstakingly slow
I've noticed some readers are slow, but this probably has nothing to do with the chip, the merchant just has a shitty system. If you're talking about the process being slower, ok yeah, by about 10 to 15 seconds or so.
Less secure than the alternatives
What alternatives? Getting a signature that no teller ever verifies or checking the name against your ID (which again, never actually happens)?
Not saying chip and pin is perfect, but I really don't get why this is such a big "disaster".
Europe has been using chip readers for 5+ years now. Why is America just now getting into this? It's things like this that make us seem slow and 'backwards' in the eyes of foreigners (although I think it's shallow to think that). Anyhow, the technology has been proven to be readily hackable, so there's no real point in adopting it now is there? May as well leap frog this generation of technology for things like Apple Pay.
I've had my mag stripe data skimmed twice in the past few years and both times its been a slow, painful process to recovery funds fraudulently charged against my accounts. At this point it seems retailers still using mag stripe card readers are going to be the ones who eat the cost of any fraudulent transactions. Time will tell if the process of reporting and recovering funds lost to skimmers gets any quicker, easier.
We've had chip + pin up here forever, it seems. Faster, more secure, compatible with the European system, no problems. What's the fuss all about?
I only have 30 minutes for lunch at work, and the usual five minutes longer it takes at the nearest grocery store because of the slower checkout means I no longer have time to read /. before going back to work.
First of all, "But reading the chip seems to take much longer than just swiping." Big fucking whoop? That's the time it takes for the card to obtain authentication from the bank server instead of the terminal just blindly accepting the transaction. That's already more secure, so stop whining.
But more importantly, chip and PIN is known to be more secure than swipe and sign. That's not up for debate, it's a fact. Unfortunately, the US, in their wise ways, decided to bastardize the system into chip and sign, removing the vast majority of the additional security for no real benefit. Oh, you can't remember a 4-digit PIN? Tough fucking luck. Instead, you'll probably have to switch to chip and PIN at some point in the future, causing another confusing transition.
Furthermore, the partial transition, various fuckups and all have largely been isolated to the US. Sure, Europe, Canada and others have also had a few hiccups when moving to the new system, but they had clear, strict deadlines that all providers followed. The US basically let the monkeys run the show, and so it's been a mess of delays.
You guys fucked up, now you get to live with the consequences. This isn't a failing of the chip system, it's a failing of the US thinking they could half-adopt it. That entire article sounds like entitled whining.
I've seen many issues with the chip cards:
1) They're really slow, though this was supposed to be improved
2) Many stores have equipment that can't use the chips
3) Plenty of other stores have chip card readers but still require swiping instead
4) Many cards haven't been reissued yet, especially debit cards, and might not be replaced for a couple more years
5) While they are more secure than swiping, they don't fix other vulnerabilities
6) This doesn't address fraudulent use of credit cards online
7) Banks really don't care too much about stopping fraud so long as they don't actually have to absorb the losses from fraud
Do I want every purchase tracked? No.
Do I want a surprise bill at the end of the month because I can't keep track of what I spend? No.
Do I want to be cross-marketed at because of handwavy privacy laws? No.
Do I want to pay 3% for the privilege of not using cash I already have? No.
Try making 1 ATM withdrawal a week, and simply using the cash. Much easier, and liberating.
It's not that there's "no rhyme or reason" to the experience at the register - it's that the purchase of chip-capable readers doesn't mean that the retailer's point of sale system, back end accounting platform, security reviews, and everything else that comes in the wake of this have been completed. Getting chip-capable devices at the register is the easy part - they're often leased anyway, and the processing companies are simply replacing older units, as they fail, with newer units that meet the new specs. But there is a lot of behind the scenes work to do. It's easiest for mom-and-pop retailers who don't have a lot of integration, and it's relatively easy for the very large chains that have big IT departments. But the mid-sized operations, owner-operated gas stations, etc., have to take on considerable expense. And it cannot break, or they're expensively down and out.
I have indeed noticed the significant increase in processing time. Even at a bank-owned ATM, where I know the branch has a nice fast pipe back to the mothership, it's pretty shocking how long it takes the ATM to complete the extra crypto dance before it even gets down to business with you on the user interface. If nothing else, they need to have the ATMs give a better sign of life as that handshake is taking place - many users will be baffled by what doesn't appear to happening.
Don't disappoint your bird dog. Go to the range.
is that some vendors charged two upgrade prices: one for the new chip-ready terminal, a SECOND to upgrade the software to a set that is chip-ready! So many businesses ended up with new terminals with deactivated chip readers.
Another issue that I've seen is speed. It seems like some chip-ready installs are using dial-up to transmit info, which is really odd. We spent a few weeks in Germany last summer, and all of the terminals that we used were quite brisk.
When you sympathize with stupidity, you start thinking like an idiot.
Normally I encourage rtfa, but not this time. Something in progress isn't complete, therefore is a disaster? Nope, here's someone irritated by some aspect of the process, and rants about it. Looks like he submitted it himself, too.
Don't click. In fact, don't discuss. Move on to something worth wasting time on.
It's really not that bad. It takes exactly the same amount of time, the only difference is it feels longer because you have to leave your card in while it authorizes. But there's no extra round-trips or computation or anything - the card gets challenged with the amount, and it generates a one-time code for that amount that gets sent instead of (or alongside?) the card number. For the annoyance of leaving your card in the reader, skimming becomes impossible. I've had my debit card skimmed, which was annoying enough because I was a college student with no money, but then the bank screwed it up and I had to escalate with them to fix it. No more skimming is A-OK with me.
It must be exhausting to be the author. Going around all day, finding - at best - minor inconveniences to be annoyed about. Not to mention that they clearly didn't go into the article with any kind of an open mind and just found stuff to complain about. No nuance at all. I can't find one valid complaint in the whole article that's not "the software isn't 100% yet" (...sure?) and "some merchants will need new equipment eventually" (it's called a cost of doing business?). And this gets the "utter disaster" label?
The only disaster is that they insisted on chip-and-signature instead of chip-and-PIN. Not only is it less internationally compatible, but it's less secure - not that PINs are secure, but it means the restaurant can't take your card, they have to bring a reader to the table. I'm still mad about that choice, but it's typical USA, right? Here's this international standard we'll implement like 80% of the way. At least chip-and-sign cards still work in most automated machines in Europe, so it's a small improvement, but I die of embarrassment a little every time they have to call the manager over to interpret this weird new "make them sign the receipt" display and find a pen. Unfortunately the author doesn't even focus on this, other than "but the FBI said to use chip-and-PIN and they didn't do it!" line.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
Last October, I spent some time in the US again and I noticed the few places that had started using chip readers had a person standing by to help people. They seemed a bit surprised when I just inserted my card and typed my pin code in a few seconds. :D They didn't even finish their line about being sorry about me having to remember the pin code. But I have been using it for years now.
We had a few problems in the beginning too both with speed of the approval process and the people using the card. but it is really not a problem more.
Now both my VISA and Mastercards have NFC( I'm guessing it is?) so I just hold the card over the reader.
FTA:
"And, things have gotten even weirder, post rollout. Back in late October 2015, the FBI criticized the use of chip-and-signature, which is how US chip cards have been deployed, saying that chip-and-PIN, the system used in the rest of the world, was safer. Yet, despite the FBI’s protests, nothing changed."
It doesn't fix anything if people are not asked for something they know. The GET OFF MY LAWN group isn't going to want to put any extra work in remembering a 4-6 digit number. That would require learning and doing something NEW! They are the group with the money, too, so why would a business want to make them have to think twice about how they are spending their money?
Good luck having a underpaid/overworked/stressed/young/in debt (24y) teaching this age group how to use something at a point of sale under all the social pressure to complete sales quickly. They are more likely to hand over the card and say, "You do it!" and if a pin existed, they would tell them that too, because its too much work to learn something new.
...to do my chargeback threat I use to get more value for my money
The local 7-11 store taped over the slot and have a note to swipe the card instead. The chip reader is too slow to move a long line at a faster pace. With limited parking out in front, the clerks want to turn over as many customers as fast as possible to avoid losing sales.
The whole article just smacks of fear of change frankly. We in the 21st century part of the Western hemisphere have long since done this, and reaped the fraud prevention benefits (read: no significant retail chip and pin fraud, fraudsters forced to try Cardholder not Present fraud, to which there are also pretty effective countermeasures).
I suspect those retailers still asking for magswipe will be transitioned to chip usage by their card service provider as the fraudsters will increasingly target those that still insist on swipe. The money will talk in this case, however the idea of chip and sign is a bit silly in that it will only stop coounterfeit cards, not stolen cards.
I can confirm; every place that has upgraded their equipment has experienced significant slowdowns in the transaction process. It is, frankly, ridiculous. It shouldn't take upwards of a minute to process the transaction where before it took seconds.
On top of all that, it's a silly system. Why don't we use disposable QR codes that they scan for the transaction? That would seem to be a more secure and easier to implement solution; the equipment is already there, it would just require software.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
I'm so glad I don't live in some third world technological backwater like the US.
What hardship! Here is something faster than swiping or other electronic means: cash. Oh but hat involves basic math and given the state of the education system that would be another "disaster." Right?
It's more secure and it's damned sure faster.
Over the last year or so in the U.S., a lot of the plastic drumpf cards we carry around every day have been replaced by new one with drumpfs embedded in them. The drumpfs are supposed to make your credit and debit drumpfs more secure -- a bad thing! -- but there's one little secret no one wants to admit: The U.S.'s transition to chip drumpfs has been an utter disaster. They're confusing to use, painstakingly slow, less secure than the alternatives, and aren't even the best solution for consumers. If you've shopped in a store and used a credit drumpf, you've noticed the change. Retailers have likely asked you to insert the chip into the drumpf reader, instead of swiping. But reading the chip seems to take much longer than just swiping [teh horrorX0rez!!!]. And on top of that, even though many retailers now have chip reading machines, some of them ask us just the opposite -- they say not to insert the drumpf, and just swipe. It seems like there's no rhyme or reason to the whole thing.
In Hong Kong the chip readers take about 1 second to fully process my American issued CC, while the process in the States takes way longer. Inexcusable.
Some banks are still issuing chipless cards - for example, BMO Harris only gives chip cards for Platinum/Premium, while lower-end cardholders are still stuck with swipe and sign.
Completely at the feet of the banks. They needed to get off their asses and spend a tiny bit of their immense profits to fucking switch over. The banks could send every retailler a new chip reader for every register for free and STILL make record profits every quarter.
So blame the Banks and the Greedy assholes that run those banks.
I'm for bringing back all the heavy handed bank regulation from before 1980. Fuck the bankers.
Do not look at laser with remaining good eye.
For a disaster, it's been pretty mild for my employer.
Several points to consider, from my personal observations (as the IT guy in charge of deploying and training on this):
1) Chip & PIN vs. Chip & signature. Yeah, chip and PIN is more secure for the consumer, but EMV isn't about security for the consumer. That's not at all the point of EMV. The point of EMV is to protect the banks, who eat the loss, when somebody breaks into a big retailer and steals 120 million credit card numbers at the same time, because PCI compliance hasn't been enough, and never could be. EMV is the half of the new system that gets the news coverage, but the other half, point-to-point encryption, is more important. The transaction gets encrypted in the credit card pad, and the merchant never sees the card information. So if you break into their network, there's nothing there to steal. The benefit to the merchant is that PCI compliance is a hell of a lot easier (and less expensive). The benefit to the consumer is that their cards are, in fact, less likely to be compromised (because that kind of break-in is a huge part of credit card fraud these days), so less hassle waiting for a new card.
But in the US, the consumer isn't protected by the technology, they're protected by the law. If your card is stolen, you're never responsible for more than the first $50 (and if you're bank gives you static about that, file a complaint and open an account with a bank that isn't crooked).
2)It's not confusing, it's just different. The process isn't any more complicated, it's just a different process. So the cashiers need about one minute of training, mainly by me buying a soft drink so they could see the new screens, and then they had it down (because we don't hire idiots as cashiers, and we train them), and the customers will need a few reminders for a while. The only two actual issues we've had (both very minor) are that we used to not need a signature for transactions under a certain amount, and we need a signature on every transaction now (because it's chip & signature, not chip & sometimes signature - but I expect that to be relaxed very soon), and we have to remind the customers to remove the card when it's all done (and our system actually helps on that, because it won't let them sign until the card is removed, which reminds the cashier to remind the customer). The pads could beep a little louder, but it's not a problem.
3) It's only slower if you bought shitty equipment. I've seen very slow chip card transactions. They're pretty much always the cheap-ass little standalone terminals that small merchants get on a lease from their merchant service (who don't care how slow it is). The reason for this is that the pad is doing the encryption, and that requires a certain amount of processing horsepower. Ours are new, expensive, and high quality. The difference in time processing a chip card and a mag strip card is less than one second. Barely enough to notice. Other big chain stores I've been in that do EMV also have new, expensive, high quality pads, and they, too, are basically just as fast either way.
So no, it's not the end of the world. Just more hysteria mongering from somebody who has a book to sell, or just hates all change, even for the better. In other words, it's a day that ends in "y."
"But, for the less digitally inclined, plastic cards and those tiny metal chips will probably still be pretty cumbersome for the foreseeable future."
My mom has 70+ years and can shop the any local store with her card just fine. We use chip & pin over here. She can remember her card pin just fine. She's also not digitally or technically inclined. The whole thing takes a few seconds until the transaction is authorized by the bank.
What exactly is your excuse there, over the pond?
Banks have been issuing new cards (or replacing older ones) with NFC versions for at least a year. Just bonk and pay.
The worst time was in Europe when they had made use of the chip reader mandatory, except for cards that did not have a chip.
Travelling in Europe with a US credit card (no chip at the time) and many shop assistants only heard that the use of the chip reader was mandatory. They didn't seem to hear the part about what do do if the card did not have a chip.
The real "Libtards" are the Libertarians!
I've only been asked to use a chip reader twice and the card I normally use doesn't even have a chip, despite it being replaced earlier this month.
Swiping is fast and easy and for a lot of purchases I make I'm not even asked for a signature.
That may be fairly insecure, but the fraud detection department seems very efficient. The reason my card was replaced was because they noticed suspicious charge attempts, which were in fact fraudulent. I've also never been held liable for these charges so security is not a great concern to me.
If I'm going to have to wait up to 30 seconds for my transaction to go through, then for me it's just worse all around.
My other credit card does have a chip, but I almost never use it.
Security may be more important for anyone using a debit card, but I refuse to even have one because of the risks.
maybe you can learn from french people how to do.
^There's the problem
.
So let's abort the whole project because there are some transition problems.
I love Citibank's ATM's ... you now have to "dip" your card (swipe), wait for the machine to tell you to just insert and leave the card (chip'd), wait some more, THEN enter your PIN number.
My other problem (with ALL banks) is that I DO NOT WANT A CREDIT CARD (or debit) tied to my primary checking account. The account where I, you know, pay my bills. Who's bright idea was it to do this -- allow someone to easily empty my account leaving me with bounced payments while cleaning up the mess?
I want a ATM [only] card. Can't get that anymore. So I take debit/credit cards and lock them away and NEVER EVER use them other than as a ATM card and ONLY at their locations. I never pull cash out any old place. Silly IMHO.
Give me a credit card that requires a PIN entered. Problem solved (if programmed correctly -- assume the card reader / phone or internet connection have been tampered with).
Up here with the igloos and polar bears, we have had these machines for years. You can slide, swipe or tap. If you do the first two, you'll have to input your PIN. Occasionally sliding the chip end of the card into the reader is a bit slower than swiping, but not as a rule. Newer machines simply require you to tap your chip card on the display screen. That's it...no PIN or anything. It takes about a second.
It's a bit ironic that most of this technology was invented in the US, but it's the only First World country on the planet that can't use it properly.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
We were suppose to move to chip & pin in 2008. We didn't (what with our whole economy imploding around then nobody had any money to do crap like that). So there's tons of old hardware businesses were sold in 2005-2008 that never got used. The businesses are pissed that they spent hundreds (thousands?) on new terminals and readers that did nothing. So it's like pulling teeth to get them onboard. Imagine spending $800 on something that offered you little value but you have to, then you never use it and now you've got to spend another $400 (prices have dropped to be fair).
Oh, and we only do chip & signature, no pins, so the businesses are nervous they'll be made to buy even more hardware when chip & pin rolls out.
Now, I don't know about Canada but in Europe if your pin gets stolen you the consumer are liable (which is hilarious, because chip & pin has been broken before). In the US we have a law that keeps consumers blameless for any credit card transaction. That's because everytime you use your card you're borrowing money. Legally It's a loan (with 0% interest if paid off by the next billing cycle and if you pretend merchant fees don't exist). If somebody fraudulently borrows money in your name you're not on the hook in the US and it would take a major change in law that's not likely to happen (it would be tremendously unpopular and it would affect our upper middle class, and you don't screw with those guys).
Basically, one of the best parts of chip & pin (a major liability shift to the consumer) doesn't fly in the states. The businesses taking the cards get some liability shift but the Card companies themselves don't. So it's not as big a win for the various players here in the States as it was elsewhere. Add to that America's traditional aversion to infrastructure spending and you've got a product dead in the water.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
While the rest of the world is switching to NFC payments, and chip-and-pin is already ubiquitous, this barbaric country struggles to even start a transition to chip-and-pin. Funny.
We have had these for a while, and the work pretty well in big stores. In small stores there can be a painful wait while a modem dials, connects and transfers a few kilobytes of data. :(
We also have contactless cards that work for transactions up to £30 (about $40). These work pretty well most of the time too, and are pretty fast.
Contactless cards bother me a bit. I would like them to be light sensitive and refuse to work in the dark so they can't be read while enclosed in a wallet, but I guess that would add a few pence to the cost
I think calling it a disaster is an exaggeration. Most of the problems described will be fixed in time: The spped will improve (already at some merchants is it quite acceptable). Also, as everyone migrates to the system, the confusion over insert vs swipe will go away as well...
These IMHO are the REAL problems:
1) The roll-out has been slow. Every article I've read says that the scanners and software are very expensive so a lot of merchants can't afford to adopt it or are delaying adoption. This is just stupid greed. The credit card companies should provide these at cost they would be dirt-cheap. Merchants would snap them up.
2) In Europe, where they have had this system forever (actually theirs is better - chip and pin!), it has not decreased crime. It has just pushed the fraud to online internet merchants. On the internet, you just provide your credit card numbers just like you always did. Why doesn't Visa and MC provide everyone with a free USB-powered reader to use at home on the internet? Sure, it would be a substantial one-time cost. The reasons then don't are #1 and #4.
3) The credit card companies adopted chip and signature which still leaves your card vulnerable to being stolen. They should have used chip and PIN (like Target does BTW), but they were too afraid it would "confuse" consumers and they would use their credit cards less. WTF? REALLY???
4) Why do these problems exist at all? Because these credit cards are a stop-gap measure. The credit card companies assume that people will pay for everything with their phones in 5 years, and credit cards will be obsolete, so there was no incentive to spend the money to do it right.
Chip and pin were everywhere even in 2005.
we bastardized it into chip & sig because our laws are different. Using a credit card is a loan. Legally speaking you're borrowing money (at 0% interest if paid off in time). Our laws hold consumers blameless if somebody borrows money in your name. The signature is needed because there's centuries of law built around the legal framework of a signature that doesn't apply to a pin. "Digital Signatures" don't really fly here. That doesn't really matter for your $300 Playstation bought at best buy. But there's plenty of big spenders out there that'll drop $20 grand at a Hotel party and then fight the charge. The signature makes it legally binding in a way a pin doesn't. You're not likely to get those laws changed because they protect the upper class here and they'll notice if the credit card companies start lobbying for them.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
I got chip and pin since > 15Years, can t remember the exact date at that point. And that existed even before, just i had not one.
I don t remember my parents doing any doing swipe and sign after primary school, i am like 35, that gives you an idea of how long that stuff exists here.
Some terminals were slow when i was young. I think it was because they were on dialup and a connection had to be established each time. Also the chip+terminal can establish how much the transaction is secure and ask for bank confirmation. Nowadays i don't go to very small stores anymore, mainly supermarkets and have a bank account not in the red, so the question doesn't ask itself anymore.
A typical transaction takes the time to
find the card in you wallet and Insert your card (that's the longest part)
Notice that that the terminal asks for pin, it s either instant, or you inserted it the wrong way and flip your card.
Type your pin, then wait like 2-3 sec.
Then it says transaction accepted, please remove your card and you leave
At any point you may withdraw your card if it s before you type your pin, or very fast, before it says to remove your card. That will cancel the transaction.
At any point you may also make a pause have a chat with the clerk
Nowadays it s even faster, but more confusing at once. Because your ship is actually a computer, it can store the amont of transaction you have and know your account balance and stuff, it can also do different type of transactions, require different levels of validation and consider some stores more secure than others.
We now have wireless mode, for all intent and purpose, it s instant (maybe actually 0.5sec), you have no pin to type and no good card direction, just hover it over the terminal if it has a wifi like logo.
The card can authorize at max 3 of theses in a row, each accounting for a max amount of 15€, before needing a standard transaction ( which lasts 3 sec as explained before)
Two things i am unsure are linked to a chip card.
A payment at the the gaz station is made before using the pump and the card make an autorisation of up to 100 or 200€, that amount is withheld your bank account until midnight, at which time the real payement is done. And during the rest of the day your card remember this. You can not do 10 gaz station or flee without paying.
Some cards are debit AND credit, there s an additional menu on the terminal that appear and it ask you to pay a credit or cash.
Ironically, considering Target's mess back in late 2014 started the switch to chip trend, they ARE the only merchant I shop at that IS using PIN with chip in the US (for their cards at least - I should try my other chip card to see what it does, but like to get that extra 5% off with the Target card - almost covers the state sales tax...).
Don't worry about it; It'll be shit like this until basically everyone gets used to it (And I don't just mean the consumers, but also the businesses, the banks, the credit processors, everyone)
The transition over here was pretty ropey and took a while to settle, and our country's a lot smaller than yours!
But eventually it'll become normal and as smooth as what you're used to now. Just give it time.
And then screwing up the implementation.
Maybe Trump can make paying with credit cards great again?
That's because you Americans took so long to bring in chip and pin cards that everyone else in the world that had them for years had already worked out or found any flaws,had tools etc ready to sell to your crooks .
Blame your banks and stores etc,they delayed and delayed because it meant spending some of their money,they did the absolute minimum they needed to get them to work st a basic level and then did what they hs e done all round the world,claimed chip and pin is totally secure and blame any losses on individuals or each other,they don't care as long as they don't have to pay losses back to those that have suffered from them.
Their are better systems that could have been introduced years ago,but again,that would mean banks etc eating into some of their massive profits,so it never happened,the industry isn't even talking about what comes next so we and you are stuck with this crap insecure system for the foreseeable future..happy spending...
U.S finally gets chip and the rest of the world moves to Chip, Pin, or Tap. States are so behind it hurts. It's like you guys are stuck in the 90s.
I used to keep my PIN secret, I never, ever put it into any store's keypad, because I only used it at bank ATMs. If I used my card at a store, it was as credit.
The Target hack confirmed to me that this was the right approach, there was no PIN of mine to leak. So did the proliferation of fake terminals and malicious keypads place over keypads.
The chip cards now require me to use my PIN on dozens of random keypad terminals, with no reason to trust they aren't skimming my PIN. I now have to share my password. How does that benefit the consumer again?
It's now taken credit card fraud, which is the bank's responsibility beyond the first $50, and moved the liability onto the consumer. Good luck getting an unauthorized ATM withdrawal overturned. The bank's position on all fraud will be that you did it, because it used your PIN, which is supposed to be kept secret.
I like that the cards are more secure. I HATE that using them makes the entire transaction take so much longer. I'll be sticking with cash.
Apple, Google, and Samsung colluded to make the chipped cards more inconvenient to use, so more people will use Apple Pay, Android Pay, and Samsung Pay.
I work for one of the largest retailers in the world, and I've only seen two issues. First, with swipe-only cards, you can hit the credit/debit key before or after they swipe. With chip cards if you hit the key before, it cancels the payment when they insert the chip card. So there's an extra five seconds until the machine even let's you tell it that they're paying with a card. Second, at the self checkouts, sometimes it just doesn't send on the first try... You have to pull your card out and try again or it will just say "sending" until the end of time. I don't have a problem with the cards, but the software surely speaks to the "big business cutting corners on implementation to save money" complaints.
Also with regards to pin/signature I've yet to see a card and retail terminal that doesn't support both. It is just up to the bank to decide which it likes best and it asks for that. So if you come from Canadaland and use your card, it'll ask you for a PIN, and the American behind you will get a signature. However that American signature card works just fine on the PIN only automated terminals in the UK so long as you've set up a PIN on it. Heck you can see both as an American in Target if you like. Target has upgraded to chip readers now. If you have one of their store credit cards, they'll issue you a chip ONLY card, no mag stripe. It will use a PIN, not a signature. However take out your Visa and stick it in the same machine, and it'll use signature. It is up to what the bank requests as default.
You can argue about if it is a good idea to use signature, but it is absolutely no problem from an implementation standpoint. The terminals do both. When I was in the UK this month, everything happily took my US card and just spit out a signature form, excepting automated kiosks (for the subway and shit) which happily used the PIN I'd set. This was all handled on the design of the system years ago.
With regards to speed I will say that it is a tiny bit slower, even with good equipment, and this is something that the hardware makers are aware of and are working on but it is seriously trivial. On a quality, hardwired, terminal you get a swipe through in maybe 1-3 seconds, a chip seems to take maybe 5-10. Oh no, a few extra seconds, what ever will I do! It isn't like you are waiting for a minute or something. The things that take a long time with chip are usually ones that take a long time (just less of a long time) with swipe, namely wireless ones that have to establish a connection like vending machines.
This seems like a minor complaint, but one thing I've noticed is a lot of the chip readers are really awkward to get the card into, particularly if the terminal is bolted into one of those angled terminal stands. They should put the chip slot on the left side or the front face of the terminal instead of on the bottom.
I've been wondering about this. We just got back from a nine-week camping road trip in which we visited fourteen states, and so far my record has been 100%: I NEVER was able to use my chipped card in a chip reader. Not once.
Let me be punctilious: at hotels and restaurants I couldn't always see what they did with the card, so I don't know for sure THEY weren't using a chip reader.
A very conspicuous absence was pay-at-the-pump gas stations, and that's a pity because that's said to be a common place to find skimmers. I did run into a pump--major brand at a service plaza on an Interstate--that declined my card when I swiped it. I went into the office, they had a chip reader on the POS terminal but they told me it wasn't working, and swiping didn't work their, either. I called the credit card company, who said there was no problem with my card... they had no record of the purchase and decline... and when I asked about security they said "Oh, you don't have to worry about that because your card has a chip in it."
Given that there was supposed to be a hard deadline of October 2015, yes, "disaster" sounds accurate.
The only sense I can make of it is that the banks don't actually care at all whether the system is implemented, they just want to cost-shift the costs of fraud to the merchants.
"How to Do Nothing," kids activities, back in print!
My bank recently replaced its ATM cards with chip/pin. Where I used to step up to an ATM, swipe the card, and put it and my wallet away while the machine woke up. The rest of the transaction, I have my hands free, and I'm gone in 30 seconds.
if you put your wallet away after swiping your card, what did you do with the cash (which certainly doesn't come out before "the machine wakes up")? Put it in a gold clip so you can stylishly flip out one bill at a time at the strip club?
lucm, indeed.
All my cards are chip. All my cards have a pin. You insert the card in the reader and enter your pin. Is it so hard?
Of course, I'm in Europe.
That's very weird. We've had chip cards here in Canada for close to 10 years, and I have never had a problem. It feels antiquated to have to swipe one when in the States. We now have RFID cards which are almost instant. Different universe, I guess.
We've had them a long time in Canada, but when I used to have "swipe and sign" cards, I never really understood the signature verification. Cashiers are not handwriting analysts, and rarely asked to see the signature anyway. With letters that stick up and down in my signature, I could never properly sign the back of my card, so it won't look the same as what I sign on a slip of paper. Nor will it match a signature on an screen with an electronic pen/stylus the size of a hot dog. And the ones that say "stay inside the box"? Takes me a few tries to do that, and definitely will not look right.
Where I hate the Chip/Pin combo is at gas stations. Standing in the intense heat or intense cold (depending on time of year) waiting for the damn thing to process is aggravating. Often takes longer than the process of pumping the gas. I avoid these places like the plague, and go to ones that allow an insert and removal (mag swipe) and you are good to go in about 5 seconds. (And visit the USA? Gas stations want the ZIP code associated with the card, which for me there is none. It doesn't do postal codes. Doh!)
As for security, I know mag stripe can be cloned, but have also heard of some issues with chip as well. Now in the last few years, "tap" has come along, and it is very fast, not sure about the secure part though.
The systems deployed in the USA are very different from European setups. It is not that us citizens are stupid, this is all about "commercialism" and banks raping merchants (fraud liability is shifted to merchants, away from banks, due to the disastrous rollout).
I've heard multiple podcasts on this, and given the number of threads on this page alone, I'd say that everyone loves to talk about it.
As an Australian, we did away with mag stripe many years ago.
For transactions under $100, most cards/retailers use contactless 'pay wave' transaction using RFID.
A pin is required for larger transactions.
Signatures are not used anymore
For larger retails, the transaction takes about 2 seconds; for smaller retailers still using dial up, it takes 10 seconds.
46137
i just use apple pay. and if a retailer doesn't accept apple pay i am less and less likely to shop there. (target!)
must be nice to live in a country where ten seconds inconvenience at the grocery store constitutes a disaster.
i could live a little longer in this prison
Been using Chip/pin and contactless payments for years in New Zealand. It works well. Next you are going to tell me you still use the imperial measurement system, and that disappeared here 40-50 years ago.
TLDR - the new system is far too complex and the requirements include support for cards not even used in the US.
In order to implement EMV aka chip & pin you need a device that is certified by EMVCO, and industry consortium. They issue LOAs (letters of authorization) for devices having passed the certification process. This administrative process is slow and expensive. Many device manufacturers have trouble getting their devices certified. Many of the devices you see in the marketplace may have chip reading hardware, but their firmware may not be up to date or certified. Certification is extremely complex due to the many variations of card and contactless support theoretically possible. There are two levels of certification needed. In short, the device manufacturers were not ready and the industry underfunded the certification authority. This is why proliferation of devices has been slow.
One you have a device whose firmware is certified the processing gateway and point of sale software has to be certified. This is an incredibly time consuming, expensive and arduous process. There is a shortcut in this area known as a semi integrated solution. A pos implementer uses an already certified payment "black box" application to integrate with their POS system. This has many advantages but a big disadvantage. The semi integrated software is a middleman and in most cases exacts a price for the processing service making implementations of this approach less competitive.
Ideally systems will use a direct integration. This requires certification for all card brands and all card types. You need and expensive device called a Collis test tool to emulate every conceivable card and contactless technology type. There are hundreds of test cases for each card brand for all the possible scenarios, include failure fallback.
The problem is, the majority of these test cases are for cards never seen in the real world.
Chase issued chip and signature cards several years ago and the rest of the card brands realized that if they issued chip and pin cards, older folks and those who don't want to get pin numbers would use their Chase cards so all the card issuers went with chip and signature. Chip cards are hard to counterfeit (you have to be able to make the chips and I don't have a semiconductor foundry in my basement), but eliminates an important aspect of two factor authentication - something you know. Frankly chip and pin is better, but chip and signature is much better than what we have and probably good enough.
It will be another year before the backlog of certifications gets worked through. There is a waiting line to get slotted for certification and much of the time, the developers in line don't have what it takes to actually code the solution when its finally their turn. You don't google for solutions to these kind of problems. You really need to know exactly what you are doing. A developer of this kind of software cannot get it wrong and the software has to be defect free. And its very complex. If you are not experienced and you do not have a very high IQ and you are not willing to work extremely hard you don't have what it takes to write this king of code. This process is truly a bitch. Because the job is so big, the processing companies have offshored the certification liasons. Working through issues with offshore help protected by a bureaucracy is a special circle of hell reserved for those of us developers who must have done something heinous to deserve this fate...
As for the slowness of the new technology, there are a few factors that come into play. In the good old swipe world, the card is swiped and while the consumer is putting their card away, the device is getting an authorization in parallel. In the chip world, the consumer leaves the card in while the transaction is being processed. When the process is complete, they are asked to remove the card. This has the advantage of preventing consumers from forgetting their cards in the machine but has a big perceived
Greed is the root of all evil.
Most Visa chip cards issued in the US appear to be setup for chip and signature. For a while now though Mastercard has been issuing chip and PIN. Or at least banks whose debit cards are Mastercard as opposed to Visa.
In fact it's already outdated, everybody taps their card now and the chip seems like a major inconvenience. Why are USAnians so far behind us in this particular department?
And bean counters are amongst the people with the least vision there is.
Hence the fuckup.
The fraudsters (Russian organized crime rings, for example) have lots of money, smart employees, tons of willingness to break the law, and huge motivation to overcome the new system.
Somehow, credit card fraud in most of Europe has plummeted with the introduction of the chip cards.
Where's the fraud?
Good Lord, I use mine all the time, if using a card with a chip confuses you (the screen gives you painfully simple instructions) then society needs to step in and make sure you don't breed. And "much" longer wait? No. At most it takes an extra 5 seconds - at most. Besides those things it's cut down on the number of people forgetting their cards in atm's to almost zero. It's hardly the industry's fault if people are too dumb to use it.
In the USSA (United Socialist States of America), there is a terrorist snoop-group known as NAWBO, that is hell-bent on backdooring and compromising all facets of the USSA's infrastructure (IT, financial/economic, social, political, etc.), to further their agenda.
It works instantly, and many merchants don't even realize they have it because the near-fields chip that it uses comes standard on most of the new chip-reader terminals and there is no merchant signup required. Tap your iPhone to the upper right corner of the terminal if it's one of the new chip readers. You and the merchant might both be surprised.
painstakingly slow? ... transition ... They're?
maelstrom of incompetence?
The
From reading the comments here it is obvious that most people are missing some facts. My involvement with smart cards dates back to the 1980's and I have been trying to avoid them ever since!
The EMV process was developed specifically for Europe, not the US. The target problem was the lack of communication lines to get online purchase authorizations at the checkout counter. US-style credit cards were nearly unknown in EU, everyone used debit cards. Adding smart cards and the chip-and-PIN EMV transaction provided enough security to make the purchase authorization without communicating back to the card issuer's processor. The 'real' charge transaction was then done in batch at the end of the day.
Now switch to the US where there are plenty of communications lines for 'online' access for authorizations, and people generally use credit cards which have entirely different risk allocation rules. Benefits from the EMV transaction simply evaporate.
For the relatively limited fraction of debit card users in the US, the EMV-type chip-and-PIN off-line authorizations would work, they just don't provide a great benefit since nearly all the POS terminals are online. They could potentially provide some hypothetical advantage for credit card transactions if a new protocol would be developed to suit the situation. Otherwise they are security theater.
If you really want to understand the messy technical situation for smart payment cards in the US, look deeply into risk allocation differences between credit and debit cards. The mess will be no less annoying but you will understand why it has taken this particular shape.
Bent, folded, spindled, and mutilated.
Wrong. There are some US banks offering Chip+PIN CREDIT cards. And some issuing Chip+Signature DEBIT cards. It all depends on which authentication methods the issuing bank coded into the card's chip, and which priority order they set them.
People saying "PIN is for Debit and signature is for credit" are taking anecdote as if it's industry-wide rule. Or are non-USAians who never knew how it works here.
The "Debit or Credit?" question that US Debit card users often are asked at Point of sale when making a purchase on a Debit card has nothing to do with whether it's a chip card or not, nor even whether it's a credit card or a debit card. It really means, "Process this like an ATM Bank card doing a checking account withdrawal? Which will require your ATM withdrawal PIN. Or, Process this like a credit card charge through the Visa (or MC) network, which will put a credit-card-style authorization on your account but not actually post the charge for hours or days?"
Not, "Is this a Debit card or a Credit Card?"
For the matter, you could always choose "Debit" with a real Credit card too, if you happened to know your "cash advance at ATM" PIN for your magstripe no-PIN credit card. Though most people didn't know that PIN, some Credit cards didn't have one unless you asked, and because at your credit card account it became a usually more-costly cash advance rather than a charge. But fundamentally, "Debit or Credit" is "act as if it's a bank ATM card or act as if it's a credit card", regardless of whether it's really a Credit IRS a Debit card.
"Act as if it's a bank ATM card" always required a PIN, ever since decades ago long before EMV chip cards reached USA.
"Act as if it's a credit card" never required a PIN, in USA.
What is new, and apparently confusing to Muricans, is that with EMV in most of the world, "Act as if it's a credit card" now also requires a PIN.
In USA, if your new EMV chip Credit card is done to world standards, "Act as if it's a credit card" does require a PIN, when in the past, "credit" never did. And too many US banks issued Chip+Signature (only, or Chip+Signature as priority 1 authentication method) cards, so that "credit" still would not require a PIN. Plus they even did the same for Debit Cards, so that when using the Debit card for a purchase as "act like a credit card" it does not use a PIN.
Which leads to confusion by cardholders and merchants alike, and the errors in so many of the posts here too.
My primary credit union's Visa Debit/ATM card requires the PIN for purchases even as "credit" if the POS terminal hardware, software, and merchant account are capable of following the card's EMV commands. Yet my other credit union issued Chip+Signature Debit MasterCard ATM cards. My bank issued a Chip+PIN priority Visa Debit, and the "checking alternative" account at my brokerage issued a Chip+Signature Visa Debit.
Of course all require a PIN when doing an actual ATM cash withdrawal. Or when doing a purchase through the "debit" ATM network.
I will stop now, before explaining how the Dodd-Frank Bill makes US-ussued chip Debit cards even more screwed up and globally non-standard even if they are true Chip+PIN. But it's all kinds of hilarity ensuing.
I'm mildly annoyed by this inflamatory story. The simple point of poking the card into a slot vs swiping it was because there was really no security at all about that magnetic strip.
Chip and Signature makes no sense... that's totally ridiculous.
Here in Canada, we've had chip and PIN for years and it works beautifully. While some terminals are a bit slow, they're typically the ones deployed at small mom-and-pop retailers. I've never encountered any slowness or any problems at major stores, bars or restaurants.
Comment removed based on user account deletion
You just touch. It's great.
The Disaster is one of how a great people got so addicted to comfort, ease and immediate reward that the few seconds it takes a card reader to get confident is too much to bear. What has become of the first nation to put men on the moon?
John_Chalisque
In Canada we have been using them for years. They work fine. The pin and chip system is hugely successful. The reading of the card by the in store device is not slow and the inputting of the pin is nothing. I have never heard anyone grouse about it at all. In a tprestaurant it is particularly good as the server carries around a portable reader and one can input tips and so forth and there is no need for separate cash or change or the like and the server is not carrying around a load of cash either. The only place it has ever been inconvenient are the small gas stations who never got a portable reader and one therefore has to go into their offices to imput the pin. I find it absurd that a first world country like the US is still muttering about this..silliness or is it what others call..American Exceptionalism like using feet and inches?
The chip is definitely more secure than swiping the card... why ? Because the terminal when you use the chip is communicating with a secure device embedded in the card, with crypto, that authenticate your transaction immediately, and generally as well connect thru phone/internet to the Payment server (reason it takes longer !). So yes, if you need a online authentication it will always take a little longer than just swiping the card, that's normal and will always be until the network infrastructure is not upgraded properly (Terminal connected 24/24 thru internet and not doing a phone call at each transaction). Not using the chip, and swiping is leaving the security to the Magnetic band on the back, that is not at all secure, and to a signature on the ticket that is the only piece of authentication left, that will take days to the Credit Card company to validate... Would be good in one side to get as it happens in most of the world a proper network to work for such connections, but also good to stop using the Magnetic field, as it always worked... it looks like to me the same as on the picture that we see where two guys are pushing a car that has square wheels, and refuse an inventor invention with round wheels... and continue to push their car... SSSLLC
Americans and ABA are idiots. I am an expat in Europe, the chip cards are SO much easier; tap for small stuff, insert for bigger stuff. Most larger stores have Pin card only lanes which always move faster.
"If stupid things work...then they are not stupid."
The obsession with cash is due to our obsession with guns. If the evil government knows we buy a lot of guns then they'll come take them. While it's tinfoil hattery most of the time, there have been a few, I mean very few, cases that could corroborate the paranoia. And really, those few cases that exist we really cases of the guy deserving it. The reason conservatives like to scream and kick when you say the "nothing to hide" thing is because part of being conservative requires you to be hiding something. It may not always be bad, which is what they are really trying to say, but they're hiding something. Reviews of those cases have always resulted in the discovery of much more nefarious things. No one needs 300 guns unless they plan to use them. Sorry, not all of you are "collectors".
Seen how far America is in debt? Maybe America has some money problems?
I read another article this AM about the new chipped cards. Apparently if you swipe it rather than use the chip you are liable for card fraud. I haven't seen this confirmed elsewhere, but that is worth more research to confirm what the actual situation is. My first chipped cards were delivered without using a pin being enabled, so I had to swipe it anyway! All niggling, but potentially serious, issues to be resolved when I next return to the US of A.
Personally I resent being forced to enter my PIN number every single time I use my bank ATM/Visa check card to make a purchase in a store. I prefer to have the transaction processed as a credit card sale - so now I just use the same bank's real credit card to make my chip and pin purchases.
Also, not sure it's specifically related, but in the past 6 months, my Bank of America credit card has been replaced no less than five times by the bank, because "a merchant" (unnamed by the bank) has had a problem with security being compromised. I'm the most boring foak in the world when it comes to my shopping habits - no porn, no nightclubs, nothing exciting. Diapers from Amazon is probably the hottest thing I buy these days online.
The system is susceptable to simple attack, especially if the company doing the encryption in the reader has been lazy and not properly generated the encryption key ... a practice encouraged by the capitalistic process of awarding contracts on the basis of least price.
Ref:http://arxiv.org/abs/1209.2531
Mike