The Chip Card Transition In the US Has Been a Disaster (qz.com)
Ian Kar, writing for Quartz: Over the last year or so in the U.S., a lot of the plastic credit cards we carry around every day have been replaced by new ones with chips embedded in them. The chips are supposed to make your credit and debit cards more secure -- a good thing! -- but there's one little secret no one wants to admit: The U.S.'s transition to chip cards has been an utter disaster. They're confusing to use, painstakingly slow, less secure than the alternatives, and aren't even the best solution for consumers. If you've shopped in a store and used a credit card, you've noticed the change. Retailers have likely asked you to insert the chip into the card reader, instead of swiping. But reading the chip seems to take much longer than just swiping. And on top of that, even though many retailers now have chip reading machines, some of them ask us just the opposite -- they say not to insert the card, and just swipe. It seems like there's no rhyme or reason to the whole thing.
Because here in the USA it's Chip and Signature, not Chip and Pin.
The US hasn't done chip and pin.
It's chip and signature, effectively the worst of both worlds. Very little extra security and much slower.
Last October, I spent some time in the US again and I noticed the few places that had started using chip readers had a person standing by to help people. They seemed a bit surprised when I just inserted my card and typed my pin code in a few seconds. :D They didn't even finish their line about being sorry about me having to remember the pin code. But I have been using it for years now.
We had a few problems in the beginning too, both with the speed of the approval process and the people using the card, but it is really not a problem anymore.
Now both my VISA and Mastercards have NFC (I'm guessing it is?) so I just hold the card over the reader.
Not saying chip and pin is perfect, but I really don't get why this is such a big "disaster".
Editor is obviously using hyperbole. I just got a replacement card with a chip from my credit union. I went grocery shopping, and 2 of the stores had me swipe, the 3rd had me insert the card. It did take significantly longer, and you need to remove it at a specific time in the process or else the transaction will fail. That store also has Apple Pay, so I think I'll just use that at that particular store in the future. Other stores have told me that the chip reader on their unit doesn't work.
As someone who writes software dealing with those sorts of terminals and transactions for many many banks I can tell you that the problem with Chip and PIN (or Signature) is not the technology itself, but a lack of understanding of the people implementing it in the US. First of all, removing the card before the second application cryptogram (this is after your issuing bank authorizes the transaction and the card sees this auth) ALWAYS results in an automatic decline and reversal generated by the terminal. You could leave the card in the terminal forever after that and the transaction would still be authorized. If you see anything else, it's (again) due to someone not understanding how the process works!
The reason it's slow is probably due to the way the processing bank configured its terminal. I worked with one bank who wanted the terminal configured with every single possible application ID under the sun - even though there are brand specific applications you can use to say "I want to support all VISA". Instead they added over 10 different VISA applications that are region specific in addition to the global VISA application. So what happens when you dip the card? The terminal (usually) asks the card one by one "Hey do you support this application ID?" and it takes a long time to do this. You spend 30-45 seconds waiting for the card and the terminal to agree on what type of card will be presented for payment. I've seen MANY banks do this and it's entirely unnecessary unless you want to exclude certain regions. Even then, it would be faster to accept the global AID at the start of the transaction and have the POS application decide that it didn't like your card due to the issuer country code or the application of the card rather than list the dozens of applications that can be available for each card brand.
And for those above who say that Chip and Signature is the worst of both worlds - you're entirely wrong! I can easily clone your mag stripe card and use it to my heart's content. I know of no current attacks against EMV that allow you to clone a chip and use it for online transactions. Since the US requires ALL transactions to go online (floor limit of 0), you cannot effectively use a cloned chip card in the United States. Furthermore, the chip card dynamically generates certain card information at the time of each transaction. This makes it very difficult to steal the track data from an EMV card and turn it into a cloned mag stripe card.
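The application-selection cost described in the comment above can be modelled as an added example (not part of the original thread, and not code from any terminal vendor). It counts SELECT round trips for a terminal configured with ten regional AIDs plus the brand AID versus the brand AID alone with prefix matching; the RID `A0000000AA`, the regional suffixes and the country code are constructed placeholders, and the prefix match is a simplified stand-in for EMV partial name selection.

```python
SW_OK, SW_NOT_FOUND = "9000", "6A82"   # ISO 7816 status words

# Constructed AIDs (placeholder RID A0000000AA, not a real card brand).
BRAND_GLOBAL = "A0000000AA1010"
REGIONAL = [BRAND_GLOBAL + f"{n:02d}" for n in range(1, 11)]  # 10 regional variants


class Card:
    def __init__(self, aids, issuer_country):
        self.aids = aids
        self.issuer_country = issuer_country  # ISO 3166 numeric, as in tag 5F28

    def select(self, df_name):
        """Answer SELECT: a configured name matches any card AID it prefixes."""
        for aid in self.aids:
            if aid.startswith(df_name):
                return SW_OK, aid
        return SW_NOT_FOUND, None


def build_candidates(card, terminal_aids):
    """Probe the card once per configured AID; return (matches, exchanges)."""
    matches, exchanges = [], 0
    for entry in terminal_aids:
        exchanges += 1                      # one command/response round trip
        status, aid = card.select(entry)
        if status == SW_OK and aid not in matches:
            matches.append(aid)
    return matches, exchanges


def pos_accepts(card, matches, blocked_countries):
    """Region policy applied by the POS after selection, not by the AID list."""
    return bool(matches) and card.issuer_country not in blocked_countries


def compare(card, blocked_countries=frozenset()):
    verbose = REGIONAL + [BRAND_GLOBAL]     # 11 entries for one brand
    lean = [BRAND_GLOBAL]                   # brand-level AID only
    out = {}
    for name, config in (("verbose", verbose), ("lean", lean)):
        matches, exchanges = build_candidates(card, config)
        out[name] = (exchanges, pos_accepts(card, matches, blocked_countries))
    return out


if __name__ == "__main__":
    regional_card = Card([REGIONAL[2]], issuer_country="124")  # constructed card
    print(compare(regional_card))
    print(compare(regional_card, blocked_countries={"124"}))
```

Both configurations reach the same accept or reject decision; only the number of card exchanges differs, and that count grows with every brand configured the verbose way.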
From a fellow Canuckistanian:
Remember that we, in Canada, have a fairly unified banking system. Really, we've got the big 5, and we've got the Interac system, and any bank that wants to sign on, signs on.
In the US, however, you've got thousands and thousands of banks. They don't have a unified banking system; they have the big Credit Card companies.
But, yes, we've been on swipe and pin for decades, and chip and pin for years, and applepay Just Worked when the banks turned it on, because virtually any place that's set up for electronic transactions already has a tap capable terminal, and the infrastructure's all already there.
Vintage computer games and RPG books available. Email me if you're interested.
It's PIN if it's a debit card, but if it's credit card it's signature.
It's only good enough for the banks to have better deniability against the merchants, but provides the consumer no extra protection.
For a disaster, it's been pretty mild for my employer.
Several points to consider, from my personal observations (as the IT guy in charge of deploying and training on this):
1) Chip & PIN vs. Chip & signature. Yeah, chip and PIN is more secure for the consumer, but EMV isn't about security for the consumer. That's not at all the point of EMV. The point of EMV is to protect the banks, who eat the loss, when somebody breaks into a big retailer and steals 120 million credit card numbers at the same time, because PCI compliance hasn't been enough, and never could be. EMV is the half of the new system that gets the news coverage, but the other half, point-to-point encryption, is more important. The transaction gets encrypted in the credit card pad, and the merchant never sees the card information. So if you break into their network, there's nothing there to steal. The benefit to the merchant is that PCI compliance is a hell of a lot easier (and less expensive). The benefit to the consumer is that their cards are, in fact, less likely to be compromised (because that kind of break-in is a huge part of credit card fraud these days), so less hassle waiting for a new card.
But in the US, the consumer isn't protected by the technology, they're protected by the law. If your card is stolen, you're never responsible for more than the first $50 (and if your bank gives you static about that, file a complaint and open an account with a bank that isn't crooked).
2) It's not confusing, it's just different. The process isn't any more complicated, it's just a different process. So the cashiers need about one minute of training, mainly by me buying a soft drink so they could see the new screens, and then they had it down (because we don't hire idiots as cashiers, and we train them), and the customers will need a few reminders for a while. The only two actual issues we've had (both very minor) are that we used to not need a signature for transactions under a certain amount, and we need a signature on every transaction now (because it's chip & signature, not chip & sometimes signature - but I expect that to be relaxed very soon), and we have to remind the customers to remove the card when it's all done (and our system actually helps on that, because it won't let them sign until the card is removed, which reminds the cashier to remind the customer). The pads could beep a little louder, but it's not a problem.
3) It's only slower if you bought shitty equipment. I've seen very slow chip card transactions. They're pretty much always the cheap-ass little standalone terminals that small merchants get on a lease from their merchant service (who don't care how slow it is). The reason for this is that the pad is doing the encryption, and that requires a certain amount of processing horsepower. Ours are new, expensive, and high quality. The difference in time processing a chip card and a mag strip card is less than one second. Barely enough to notice. Other big chain stores I've been in that do EMV also have new, expensive, high quality pads, and they, too, are basically just as fast either way.
So no, it's not the end of the world. Just more hysteria mongering from somebody who has a book to sell, or just hates all change, even for the better. In other words, it's a day that ends in "y."
There are several issues here in the US with this conversion. Many retailers have the new machines, new POS software, etc. and are waiting and waiting for the card industry to certify them. So they have to tape over the chip readers and tell people to keep swiping. AND the card industry puts fraud on the retailer because they dared to still use swipe with a card capable of chip. But it is the card industry themselves who are delaying the certifications. That's one issue. Another is this whole "chip and signature". With no PIN, there is really no major advantage. Steal a card, forge a signature. Not hard. I know large retailers like Wal-Mart are suing the card industry over that one. Apparently the claim is that it has nothing to do with what the card industry claims (they claim that US people are too stupid to move directly from swipe to chip and PIN) and has something to do with the card industry making more profit if they go to chip and signature. Lots of problems - many of them apparently politically and financially motivated by awful companies.
Which is really seriously stupid since almost anyone can fake a signature.
There is no need to "fake" a signature. Any scribble will suffice. No one, absolutely no one, checks the signature for anything. Just drag the stylus across the screen in a straight line, and it will say "accepted".
This isn't Ars. There is no real "downvote to oblivion" level because that little slider at the top let you set the score of posts you want to see. Some folks put up with the spam/juvenile bullshit/etc. that appears at -1, others refuse to even see shit that's as high as +2.
In this case there's no downvoting at all. He posted it anonymously, and Anonymous posts start at 0.
No one reads the signatures. I would guess they're stored for possible use in court in fraud cases.
It's pointless anyway. My signature looks completely different (and worse) when I try to sign on those stupid little pads than when on paper. Granted, my handwriting is terrible, but I can imagine the same for others.
It must have been something you assimilated. . . .
An alternative like contactless payments like Apple Pay with a one time use token and biometric authentication.
Actually it's YOU that has fear of change. You don't want to go to wireless for example. The truth is, we should not have gone to chip we should have gone to wireless technology such as RFID/NFC technology. Chip is really inconvenient and takes too long. It has nothing to do with fear of change. Did you read the part where I said we should have gone to a wireless technology like RFID/NFC??? Work badge NFC cards have been the same thickness as a credit card for about 7 years now. There is zero reason to be on chip, we should be on NFC cards.
Seems it's the other way around in Europe. We run a retail with several outlets. When we do "Chip/Mag + Signature" we pay for what fraud we get, when we do "Chip + Pin" the bank is responsible. *But* since Chip+Pin has a "higher transaction cost", we basically do Signature, and only when the fraud happening in that area rises above the cost of the higher pin transaction cost we switch to pin.
( Then again, most of those are direct debit cards which is a whole other beast than the US credit cards )
> And for those above who say that Chip and
> Signature is the worst of both worlds - you're entirely
> wrong! I can easily clone your mag stripe card and
> use it to my heart's content.
Yes, and if you were to so do, I'd be liable by law for no more than $50. All but one of my cards waive that, and I don't even carry that one. It's locked up in a safe at home. (It's my oldest line of credit and I've never gotten a straight answer as to whether or how much the change to my average age of credit would negatively impact my scores. So I keep it active, taking it out and using it a few times per year.)
> I know of no current attacks against EMV that allow
> you to clone a chip and use it for online transactions.
But since we stupidly implemented the chip, but not the PIN, if I were to lose my wallet or get mugged, there's absolutely no additional protections whatsoever preventing whoever gets ahold of my card from charging to their heart's content. Even those stupid-ass gas station terminals that make you enter your ZIP code would be useless. Because if someone has my wallet and credit cards, they also have my driver's license, which has my ZIP code on it.
So, at the end of the day, there is exactly ZERO benefit to the chip cards. And regardless of why exactly the transaction is slower, the fact is that they ARE significantly slower to use. Target seems to be the worst offender, taking 45 seconds to a minute where it used to be: swipe, put card back in wallet, sign, and move on. It's a major pain in the ass, a waste of time, and it forces me to have my wallet out of my pocket and my card out of my wallet for much longer than previously which, it can be argued, makes it less secure because it introduces more opportunity for someone to fumble and drop either, or for a particularly brazen thief to grab it.
At the end of the day, hyperbolic headlines aside, the chip cards are a solid lose/lose.
And it's doubly stupid because there's already something better: ApplePay and Android Pay. Even if someone gets ahold of my iPhone, unless they also cut off my hand or develop telepathy to rip my watch's passcode from my mind (In which case I have much bigger problems than credit card fraud.), they can't charge a damn thing. The device tokens cannot be used to reconstitute the device data and add security for online purchases, which is impossible for EMV cards. And it's FAST. Double-pressing the button on my watch and holding my wrist to the reader is faster even than using a normal swipe & sign credit card. The card industry should have just mandated acceptance of ApplePay and Android Pay, and skipped the 20-year-old broken down technologic relic from the 1990s that is EMV.
Imagine all the people...
Debit is chip and pin. Credit is chip and signature. Throughout the US.
NFC doesn't speed anything up, loses cryptograms, and permits contactless compromises.
EMV raises the bar for compromises dramatically.
The card companies and banks don't give a shit about security. The chip-and-signature conversion enabled a huge liability shift. As I understand it, prior to the shift, the card companies/banks were liable for fraud committed with their cards. If fraud is committed now, the liability lies with the retailer.
As I understand it, if fraud is committed with a chip card and the terminal used doesn't support chip authentication - i.e., if a chip card is swiped because there's no chip reader or the chip reader isn't enabled - the liability ends up with the retailer.
See, for example, Chase's FAQ for chip cards, which says:
("payment brands" are the brand names for various cards, such as Visa, MasterCard, and American Express, so it means that Visa/Master Card/American Express/etc. are saying "if the POS equipment you're using to handle credit cards is a real POS that doesn't handle EMV chips, you may be held responsible for fraud"), and also says:
where "In addition, if a counterfeit magnetic stripe card is presented at a chip certified terminal, the liability for the counterfeit fraud will be the responsibility of the card issuer." means "dear retailer: if the card has no chip, the card issuer still eats the fraud, you don't get stuck with it".
What is needed is decent 2 factor authentication.
Isn't that what chip and PIN was supposed to bring us? Something you have (the card) and something you know (the PIN)?
Exactly.
However, the chip *should* make it more difficult for the issues such as those that Target had. AFAICT, there is now a transaction with your chip, instead of your card simply passing on the CC number. So this won't help at all if someone steals your card, and this won't help at all for stolen card numbers that get used online, but it should make the POS transaction more secure.
I don't understand any of the arguments for why the US didn't go with chip and pin. I've heard that people aren't used to it, and that they're used to signatures, but those are useless arguments IMO. Nearly everyone with a card also has a bank card that has a pin, so it'd just come down to them having to have a means for users to register their PIN for the credit card - ie. they (cc companies) are just minimizing their costs in the transition.
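Two points made in the thread, that the chip generates per-transaction data and that there is now "a transaction with your chip" rather than a card number passed along, can be shown with a small issuer-side model. This is an added example, not part of the original thread: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the key, card number, nonce and the issuer's counter check are constructed assumptions.

```python
import hashlib
import hmac


def card_cryptogram(card_key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Chip side: MAC over the transaction counter, amount and terminal nonce."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer host that authorizes every transaction online (floor limit 0)."""

    def __init__(self):
        self.keys = {}      # PAN -> per-card secret shared with the chip
        self.last_atc = {}  # PAN -> highest transaction counter accepted

    def enroll(self, pan, card_key):
        self.keys[pan] = card_key
        self.last_atc[pan] = 0

    def authorize(self, pan, atc, amount_cents, nonce, cryptogram):
        key = self.keys.get(pan)
        if key is None:
            return "DECLINE unknown card"
        if atc <= self.last_atc[pan]:
            return "DECLINE counter reused"
        expected = card_cryptogram(key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE bad cryptogram"
        self.last_atc[pan] = atc
        return "APPROVE"


def demo():
    pan = "4000000000000002"            # constructed test number
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    issuer = Issuer()
    issuer.enroll(pan, key)

    nonce = bytes.fromhex("a1b2c3d4")   # terminal's unpredictable number
    genuine = (pan, 1, 1999, nonce, card_cryptogram(key, 1, 1999, nonce))
    results = {"genuine": issuer.authorize(*genuine)}
    # Same captured message presented again: counter already consumed.
    results["replay"] = issuer.authorize(*genuine)
    # Captured cryptogram reused with a fresh counter and a different amount.
    results["reuse"] = issuer.authorize(pan, 2, 50000, nonce, genuine[4])
    # Card data copied without the chip key: no valid cryptogram can be made.
    results["no_key"] = issuer.authorize(pan, 3, 1999, nonce, bytes(8))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:8} {outcome}")
```

The model covers only the counterfeit and replay cases; a lost or stolen genuine card still produces valid cryptograms, which is the gap the chip-and-signature complaints in the thread are about.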