The Chip Card Transition In the US Has Been a Disaster (qz.com)
Ian Kar, writing for Quartz: Over the last year or so in the U.S., a lot of the plastic credit cards we carry around every day have been replaced by new ones with chips embedded in them. The chips are supposed to make your credit and debit cards more secure -- a good thing! -- but there's one little secret no one wants to admit: The U.S.'s transition to chip cards has been an utter disaster. They're confusing to use, painstakingly slow, less secure than the alternatives, and aren't even the best solution for consumers. If you've shopped in a store and used a credit card, you've noticed the change. Retailers have likely asked you to insert the chip into the card reader, instead of swiping. But reading the chip seems to take much longer than just swiping. And on top of that, even though many retailers now have chip reading machines, some of them ask us just the opposite -- they say not to insert the card, and just swipe. It seems like there's no rhyme or reason to the whole thing.
Because here in the USA it's Chip and Signature, not Chip and Pin.
Not saying chip and pin is perfect, but I really don't get why this is such a big "disaster".
Editor is obviously using hyperbole. I just got a replacement card with a chip from my credit union. I went grocery shopping, and 2 of the stores had me swipe, the 3rd had me insert the card. It did take significantly longer, and you need to remove it at a specific time in the process or else the transaction will fail. That store also has Apple Pay, so I think I'll just use that at that particular store in the future. Other stores have told me that the chip reader on their unit doesn't work.
As someone who writes software dealing with those sorts of terminals and transactions for many many banks I can tell you that the problem with Chip and PIN (or Signature) is not the technology itself, but a lack of understanding of the people implementing it in the US. First of all, removing the card before the second application cryptogram (this is after your issuing bank authorizes the transaction and the card sees this auth) ALWAYS results in an automatic decline and reversal generated by the terminal. You could leave the card in the terminal forever after that and the transaction would still be authorized. If you see anything else, it's (again) due to someone not understanding how the process works!
The reason it's slow is probably due to the way the processing bank configured its terminal. I worked with one bank who wanted the terminal configured with every single possible application ID under the sun - even though there are brand specific applications you can use to say "I want to support all VISA". Instead they added over 10 different VISA applications that are region specific in addition to the global VISA application. So what happens when you dip the card? The terminal (usually) asks the card one by one "Hey do you support this application ID?" and it takes a long time to do this. You spend 30-45 seconds waiting for the card and the terminal to agree on what type of card will be presented for payment. I've seen MANY banks do this and it's entirely unnecessary unless you want to exclude certain regions. Even then, it would be faster to accept the global AID at the start of the transaction and have the POS application decide that it didn't like your card due to the issuer country code or the application of the card rather than list the dozens of applications that can be available for each card brand.
And for those above who say that Chip and Signature is the worst of both worlds - you're entirely wrong! I can easily clone your mag stripe card and use it to my heart's content. I know of no current attacks against EMV that allow you to clone a chip and use it for online transactions. Since the US requires ALL transactions to go online (floor limit of 0), you cannot effectively use a cloned chip card in the United States. Furthermore, the chip card dynamically generates certain card information at the time of each transaction. This makes it very difficult to steal the track data from an EMV card and turn it into a cloned mag stripe card.
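Added example, not part of the comment above or of any terminal vendor's code: a constructed Python model of the AID-by-AID probing the comment describes. It counts SELECT round trips for a terminal configured with the global Visa AID plus ten region-specific entries versus the global AID alone, with the region decision moved to an issuer-country check after selection. The regional AIDs, `ToyCard` and the function names are hypothetical.

```python
# Constructed model of EMV "List of AIDs" selection; no real card I/O.
SW_OK, SW_NOT_FOUND = 0x9000, 0x6A82     # ISO 7816 status words for SELECT

VISA_GLOBAL = "A0000000031010"           # Visa credit/debit AID
# Hypothetical region-specific entries (made-up suffixes under the Visa RID).
VISA_REGIONAL = [f"A0000000039{i:03d}" for i in range(10)]


class ToyCard:
    """Toy card: holds application DF names and counts SELECT commands."""

    def __init__(self, aids, issuer_country):
        self.aids = [bytes.fromhex(a) for a in aids]
        self.issuer_country = issuer_country   # ISO 3166-1 numeric (EMV tag 5F28)
        self.selects = 0                       # SELECT commands received so far

    def select(self, df_name):
        self.selects += 1
        for aid in self.aids:
            if aid.startswith(df_name):        # exact or partial DF-name match
                return SW_OK, aid
        return SW_NOT_FOUND, None


def build_candidates(card, terminal_aids):
    """Probe the card once per configured AID; return (candidates, round_trips)."""
    before = card.selects
    found = []
    for name in terminal_aids:
        sw, aid = card.select(bytes.fromhex(name))
        if sw == SW_OK and aid not in found:
            found.append(aid)
    return found, card.selects - before


def pos_accepts(card, candidates, allowed_countries):
    """Region policy applied after selection, in the POS application."""
    return bool(candidates) and card.issuer_country in allowed_countries


def compare(card):
    """Round trips for the bloated AID list versus the global AID alone."""
    bloated = [VISA_GLOBAL] + VISA_REGIONAL
    return build_candidates(card, bloated)[1], build_candidates(card, [VISA_GLOBAL])[1]


if __name__ == "__main__":
    us_card = ToyCard([VISA_GLOBAL], issuer_country=840)   # constructed sample card
    print("SELECT round trips (bloated, lean):", compare(us_card))
    print("accepted for US-only policy:", pos_accepts(us_card, [VISA_GLOBAL], {840}))
```

Both configurations end with the same single candidate application; only the number of card exchanges differs, and each exchange costs real time on a contact interface.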
For a disaster, it's been pretty mild for my employer.
Several points to consider, from my personal observations (as the IT guy in charge of deploying and training on this):
1) Chip & PIN vs. Chip & signature. Yeah, chip and PIN is more secure for the consumer, but EMV isn't about security for the consumer. That's not at all the point of EMV. The point of EMV is to protect the banks, who eat the loss, when somebody breaks into a big retailer and steals 120 million credit card numbers at the same time, because PCI compliance hasn't been enough, and never could be. EMV is the half of the new system that gets the news coverage, but the other half, point-to-point encryption, is more important. The transaction gets encrypted in the credit card pad, and the merchant never sees the card information. So if you break into their network, there's nothing there to steal. The benefit to the merchant is that PCI compliance is a hell of a lot easier (and less expensive). The benefit to the consumer is that their cards are, in fact, less likely to be compromised (because that kind of break-in is a huge part of credit card fraud these days), so less hassle waiting for a new card.
But in the US, the consumer isn't protected by the technology, they're protected by the law. If your card is stolen, you're never responsible for more than the first $50 (and if your bank gives you static about that, file a complaint and open an account with a bank that isn't crooked).
2) It's not confusing, it's just different. The process isn't any more complicated, it's just a different process. So the cashiers need about one minute of training, mainly by me buying a soft drink so they could see the new screens, and then they had it down (because we don't hire idiots as cashiers, and we train them), and the customers will need a few reminders for a while. The only two actual issues we've had (both very minor) are that we used to not need a signature for transactions under a certain amount, and we need a signature on every transaction now (because it's chip & signature, not chip & sometimes signature - but I expect that to be relaxed very soon), and we have to remind the customers to remove the card when it's all done (and our system actually helps on that, because it won't let them sign until the card is removed, which reminds the cashier to remind the customer). The pads could beep a little louder, but it's not a problem.
3) It's only slower if you bought shitty equipment. I've seen very slow chip card transactions. They're pretty much always the cheap-ass little standalone terminals that small merchants get on a lease from their merchant service (who don't care how slow it is). The reason for this is that the pad is doing the encryption, and that requires a certain amount of processing horsepower. Ours are new, expensive, and high quality. The difference in time processing a chip card and a mag strip card is less than one second. Barely enough to notice. Other big chain stores I've been in that do EMV also have new, expensive, high quality pads, and they, too, are basically just as fast either way.
So no, it's not the end of the world. Just more hysteria mongering from somebody who has a book to sell, or just hates all change, even for the better. In other words, it's a day that ends in "y."
There are several issues here in the US with this conversion. Many retailers have the new machines, new POS software, etc. and are waiting and waiting for the card industry to certify them. So they have to tape over the chip readers and tell people to keep swiping. AND the card industry puts fraud on the retailer because they dared to still use swipe with a card capable of chip. But it is the card industry themselves who are delaying the certifications. That's one issue. Another is this whole "chip and signature". With no PIN, there is really no major advantage. Steal a card, forge a signature. Not hard. I know large retailers like Wal-Mart are suing the card industry over that one. Apparently the claim is that it has nothing to do with what the card industry claims (they claim that US people are too stupid to move directly from swipe to chip and PIN) and has something to do with the card industry making more profit if they go to chip and signature. Lots of problems - many of them apparently politically and financially motivated by awful companies.
Which is really seriously stupid since almost anyone can fake a signature.
There is no need to "fake" a signature. Any scribble will suffice. No one, absolutely no one, checks the signature for anything. Just drag the stylus across the screen in a straight line, and it will say "accepted".
This isn't Ars. There is no real "downvote to oblivion" level because that little slider at the top lets you set the score of posts you want to see. Some folks put up with the spam/juvenile bullshit/etc. that appears at -1, others refuse to even see shit that's as high as +2.
In this case there's no downvoting at all. He posted it anonymously, and Anonymous posts start at 0.
No one reads the signatures. I would guess they're stored for possible use in court in fraud cases.
It's pointless anyway. My signature looks completely different (and worse) when I try to sign on those stupid little pads than when on paper. Granted, my handwriting is terrible, but I can imagine the same for others.
It must have been something you assimilated. . . .
Seems it's the other way around in Europe. We run a retail with several outlets. When we do "Chip/Mag + Signature" we pay for what fraud we get, when we do "Chip + Pin" the bank is responsible. *But* since Chip+Pin has a "higher transaction cost", we basically do Signature, and only when the fraud happening in that area rises above the cost of the higher pin transaction cost we switch to pin.
(Then again, most of those are direct debit cards which is a whole other beast than the US credit cards.)
Debit is chip and pin. Credit is chip and signature. Throughout the US.