Slashdot Mirror


The Chip Card Transition In the US Has Been a Disaster (qz.com)

Ian Kar, writing for Quartz: Over the last year or so in the U.S., a lot of the plastic credit cards we carry around every day have been replaced by new ones with chips embedded in them. The chips are supposed to make your credit and debit cards more secure -- a good thing! -- but there's one little secret no one wants to admit: The U.S.'s transition to chip cards has been an utter disaster. They're confusing to use, painstakingly slow, less secure than the alternatives, and aren't even the best solution for consumers. If you've shopped in a store and used a credit card, you've noticed the change. Retailers have likely asked you to insert the chip into the card reader, instead of swiping. But reading the chip seems to take much longer than just swiping. And on top of that, even though many retailers now have chip reading machines, some of them ask us just the opposite -- they say not to insert the card, and just swipe. It seems like there's no rhyme or reason to the whole thing.

67 of 675 comments

  1. What's the big problem? by Anrego · · Score: 5, Insightful

    As a Canadian I really don't get this. We've had chip and pin here for a while, and while the initial adoption was a bit rough, it generally works fine.

    Confusing

    Reader says "insert chip in the bottom".
    You insert chip in the bottom.
    Reader says "enter pin".
    You enter pin.

    Painstakingly slow

    I've noticed some readers are slow, but this probably has nothing to do with the chip, the merchant just has a shitty system. If you're talking about the process being slower, ok yeah, by about 10 to 15 seconds or so.

    Less secure than the alternatives

    What alternatives? Getting a signature that no teller ever verifies or checking the name against your ID (which again, never actually happens)?

    Not saying chip and pin is perfect, but I really don't get why this is such a big "disaster".

    1. Re:What's the big problem? by FrankHaynes · · Score: 3, Interesting

      You should never deny Slashdot the satisfaction of posting an over-the-top headline to attract CLICKZZZ!!

      --
      slashdot: A failed experiment.
    2. Re:What's the big problem? by Anonymous Coward · · Score: 4, Informative

      Because here in the USA it's Chip and Signature, not Chip and Pin.

    3. Re:What's the big problem? by grahamsz · · Score: 3, Informative

      The US hasn't done chip and pin.

      It's chip and signature, effectively the worst of both worlds. Very little extra security and much slower.

    4. Re:What's the big problem? by XxtraLarGe · · Score: 2

      Not saying chip and pin is perfect, but I really don't get why this is such a big "disaster".

      Editor is obviously using hyperbole. I just got a replacement card with a chip from my credit union. I went grocery shopping, and 2 of the stores had me swipe, the 3rd had me insert the card. It did take significantly longer, and you need to remove it at a specific time in the process or else the transaction will fail. That store also has Apple Pay, so I think I'll just use that at that particular store in the future. Other stores have told me that the chip reader on their unit doesn't work.

      --
      Taking guns away from the 99% gives the 1% 100% of the power.
    5. Re:What's the big problem? by XxtraLarGe · · Score: 2

      The US hasn't done chip and pin. It's chip and signature, effectively the worst of both worlds. Very little extra security and much slower.

      Maybe for some cards in the US, but mine is chip & pin. Probably depends on the bank.

      --
      Taking guns away from the 99% gives the 1% 100% of the power.
    6. Re:What's the big problem? by jittles · · Score: 5, Informative

      Not saying chip and pin is perfect, but I really don't get why this is such a big "disaster".

      Editor is obviously using hyperbole. I just got a replacement card with a chip from my credit union. I went grocery shopping, and 2 of the stores had me swipe, the 3rd had me insert the card. It did take significantly longer, and you need to remove it at a specific time in the process or else the transaction will fail. That store also has Apple Pay, so I think I'll just use that at that particular store in the future. Other stores have told me that the chip reader on their unit doesn't work.

      As someone who writes software dealing with those sorts of terminals and transactions for many many banks I can tell you that the problem with Chip and PIN (or Signature) is not the technology itself, but a lack of understanding of the people implementing it in the US. First of all, removing the card before the second application cryptogram (this is after your issuing bank authorizes the transaction and the card sees this auth) ALWAYS results in an automatic decline and reversal generated by the terminal. You could leave the card in the terminal forever after that and the transaction would still be authorized. If you see anything else, it's (again) due to someone not understanding how the process works!

      The reason it's slow is probably due to the way the processing bank configured its terminal. I worked with one bank who wanted the terminal configured with every single possible application ID under the sun - even though there are brand specific applications you can use to say "I want to support all VISA". Instead they added over 10 different VISA applications that are region specific in addition to the global VISA application. So what happens when you dip the card? The terminal (usually) asks the card one by one "Hey do you support this application ID?" and it takes a long time to do this. You spend 30-45 seconds waiting for the card and the terminal to agree on what type of card will be presented for payment. I've seen MANY banks do this and it's entirely unnecessary unless you want to exclude certain regions. Even then, it would be faster to accept the global AID at the start of the transaction and have the POS application decide that it didn't like your card due to the issuer country code or the application of the card rather than list the dozens of applications that can be available for each card brand.

      And for those above who say that Chip and Signature is the worst of both worlds - you're entirely wrong! I can easily clone your mag stripe card and use it to my heart's content. I know of no current attacks against EMV that allow you to clone a chip and use it for online transactions. Since the US requires ALL transactions to go online (floor limit of 0), you cannot effectively use a cloned chip card in the United States. Furthermore, the chip card dynamically generates certain card information at the time of each transaction. This makes it very difficult to steal the track data from an EMV card and turn it into a cloned mag stripe card.
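
Added example, not part of the comment above and not any vendor's terminal code: a simplified Python model of the application selection the comment describes, counting SELECT commands for a terminal configured with a long list of exact AIDs versus the two global brand AIDs with partial matching, followed by the POS-side issuer country check. The regional `A0000000039xxx` AIDs, the extended DF names, and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CardApp:
    df_name: str         # full AID of the application on the card (hex)
    issuer_country: str  # issuer country code (EMV tag 5F28), ISO 3166-1 numeric


@dataclass(frozen=True)
class TerminalAid:
    aid: str             # AID configured in the terminal (hex)
    partial: bool        # True: accept a card DF name longer than this AID


class SimCard:
    """Stand-in for a chip card: answers SELECT by DF-name prefix and counts commands."""

    def __init__(self, apps):
        self.apps = list(apps)
        self.selects = 0
        self._next = 0

    def select(self, aid, next_occurrence=False):
        self.selects += 1
        start = self._next if next_occurrence else 0
        for i in range(start, len(self.apps)):
            if self.apps[i].df_name.startswith(aid):
                self._next = i + 1
                return self.apps[i]
        return None  # a real card would answer "file not found"


def build_candidates(card, terminal_aids):
    """Walk the terminal's AID list; return (candidate apps, SELECT commands sent)."""
    before = card.selects
    candidates = []
    for entry in terminal_aids:
        app = card.select(entry.aid)
        while app is not None:
            exact = app.df_name == entry.aid
            if exact or entry.partial:
                candidates.append(app)
            if exact or not entry.partial:
                break  # nothing further to look for under this entry
            app = card.select(entry.aid, next_occurrence=True)
    return candidates, card.selects - before


def pos_accepts(app, blocked_countries):
    """Region policy applied by the POS after selection, not by listing more AIDs."""
    return app.issuer_country not in blocked_countries


VISA, MASTERCARD = "A0000000031010", "A0000000041010"  # published global AIDs
# Constructed placeholders standing in for "over 10" region-specific entries.
REGIONAL = [f"A0000000039{n:03d}" for n in range(1, 11)]

BLOATED = [TerminalAid(a, False) for a in REGIONAL] + [
    TerminalAid(VISA, False), TerminalAid(MASTERCARD, False)]
LEAN = [TerminalAid(VISA, True), TerminalAid(MASTERCARD, True)]


def demo():
    """Same constructed card against both terminal configurations."""
    rows = []
    for name, config in (("bloated", BLOATED), ("lean", LEAN)):
        card = SimCard([CardApp(VISA, "840")])  # constructed US-issued card
        apps, selects = build_candidates(card, config)
        rows.append((name, selects, [a.df_name for a in apps]))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```
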

    7. Re:What's the big problem? by Calydor · · Score: 2

      PINile Dysfunction?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    8. Re:What's the big problem? by SuiteSisterMary · · Score: 3, Informative

      From a fellow Canuckistanian:

      Remember that we, in Canada, have a fairly unified banking system. Really, we've got the big 5, and we've got the Interac system, and any bank that wants to sign on, signs on.

      In the US, however, you've got thousands and thousands of banks. They don't have a unified banking system; they have the big Credit Card companies.

      But, yes, we've been on swipe and pin for decades, and chip and pin for years, and Apple Pay Just Worked when the banks turned it on, because virtually any place that's set up for electronic transactions already has a tap capable terminal, and the infrastructure's all already there.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    9. Re:What's the big problem? by Z00L00K · · Score: 4, Insightful

      Which is really seriously stupid since almost anyone can fake a signature.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    10. Re:What's the big problem? by Anonymous Coward · · Score: 2, Informative

      It's PIN if it's a debit card, but if it's credit card it's signature.

      It's only good enough for the banks to have better deniability against the merchants, but provides the consumer no extra protection.

    11. Re: What's the big problem? by Chris453 · · Score: 2

      Which is it? A "few" or 10? In my experience it takes at least 20 seconds. No big deal right? Until you remember that stores are eliminating as many cashiers as possible so even IF those 5 people in front of you know how to use the cards you just wasted at least 2 minutes per store. The sky is not falling but pretending it isn't a hassle for the consumer is disingenuous at best. The best thing to do is speed up the transactions to the previous standard of 1 to 2 seconds.

    12. Re:What's the big problem? by ShanghaiBill · · Score: 5, Informative

      Which is really seriously stupid since almost anyone can fake a signature.

      There is no need to "fake" a signature. Any scribble will suffice. No one, absolutely no one, checks the signature for anything. Just drag the stylus across the screen in a straight line, and it will say "accepted".

    13. Re:What's the big problem? by fahrbot-bot · · Score: 4, Informative

      No one reads the signatures. I would guess they're stored for possible use in court in fraud cases.

      It's pointless anyway. My signature looks completely different (and worse) when I try to sign on those stupid little pads than when on paper. Granted, my handwriting is terrible, but I can imagine the same for others.

      --
      It must have been something you assimilated. . . .
    14. Re:What's the big problem? by AikonMGB · · Score: 4, Interesting

      As a Canadian that recently moved to the US, the system here is utterly ridiculous and broken. I never know when I should swipe vs insert the chip, I have never been asked for a pin, sometimes I have to sign and sometimes I don't (there doesn't seem to be a clear limit), and there's no tap-to-pay. It's that last part that was killer; I used tap-to-pay for 90% of purchases in Canada, with chip+pin being the remaining 10% of larger purchases like electronics.

      There's also an obsession with literal cash, here. People see it as the default, whereas in Canada, cash tended to be a fall-back for most people.

      It's truly bizarre. I find it much more annoying to pay for things here.

    15. Re:What's the big problem? by DarkOx · · Score: 5, Interesting

      What people mean when they say worst of both worlds is that it does not solve the entirety of the problem where card present transactions are concerned and chip and pin easily could have.

      Implementation issues aside the mechanical action of swipe is always going to be faster than insert, wait, remove; pretty much no matter how small you make the value of wait. That said plain text mag strips with no 'real' client authentication was not a realistic security model for 21st century.

      Yes it's beyond the reach of most attackers to clone a chip card. Stolen card is still a problem though. It might take me hours to notice my entire wallet is missing, could be a day or more before I realize a single credit card is gone AWOL. There is plenty of time for someone to run up a lot of charges there, and cause me a real headache even if I won't ultimately be liable. Chip + PIN would have made it nearly perfect. Sure steal the card from my back pocket, now what? Go get the account locked for exceeding the number of allowed invalid PIN entries?

      As a consumer I am getting a lot of new inconvenience ( which I would have found acceptable otherwise ) for a far less than ideal security solution. I could probably bang in a 4, 5, or 6 digit PIN faster than scrawling something on those signature pads anyway.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    16. Re:What's the big problem? by Austerity+Empowers · · Score: 2

      What alternatives?

      NFC. Instant, far more secure, available for years now just stupid business types fighting over money and who gets to steal your personal info.

    17. Re:What's the big problem? by caseih · · Score: 4, Interesting

      As I understand it, this is not the point of the chip and signature system. The point of the chip is to make it much much harder to clone the card. With the old non-chip system, all someone needs is your CC number. They can program that into the magnetic strip and start using it. Many places like fast food never even required signatures. Gas stations only required zip codes, and then only sometimes.

      My biggest problem with chip and pin is that banks disclaim themselves of all liability for transactions that go through with a valid PIN, as they feel the chip is secure enough to prove that the card must have been real and if the pin was used, that's because you intended to do it. Never mind that cards can still be cloned and pin numbers skimmed. This is also a problem if someone steals your card and knows your pin, you're on the hook for everything. Happened to a guy here in Canada when his ex girlfriend stole his card. Back when they were dating he shared his pin with her (big mistake... but what about marriages that end in divorce?).

    18. Re: What's the big problem? by Yvan256 · · Score: 4, Funny

      Is your family name "Matrix", by any chance?

    19. Re:What's the big problem? by IcyWolfy · · Score: 2

      That's based on card issuer, not the merchant. None of my credit cards are Chip and PIN. Every one is Chip and Signature.
      Which is complete BS.

    20. Re:What's the big problem? by Stinky+Cheese+Man · · Score: 2

      I just draw a smiley face. One cashier saw it and laughed. Nobody else has even noticed.

    21. Re:What's the big problem? by beanpoppa · · Score: 4, Informative

      Debit is chip and pin. Credit is chip and signature. Throughout the US.

    22. Re:What's the big problem? by squiggleslash · · Score: 2

      Hyperbole or not, it appears to offer nothing but hassle to end users, which probably means it's getting unpopular.

      Virtually all US credit cards are chip and signature, offering little in improved security. It's slow. Most card readers have a slot but haven't had that feature activated (honestly, the only store around here that allows chip vs swipe is Wal-Mart. Publix, as one major example, doesn't) leading to confusion. The card readers themselves seem to be bug ridden, with some freaking out if you don't insert the card at the exact moment they expect it. Wal-Mart's even, until recently, made a noise like a submarine klaxon when the payment was accepted - someone and completely unnecessarily embarrassing.

      Add to that the delays, and you have the least popular technology since GMX.

      --
      You are not alone. This is not normal. None of this is normal.
    23. Re:What's the big problem? by slimjim8094 · · Score: 2, Insightful

      This is an interesting point. The signature in the US isn't considered an authenticator, it's actually considered agreeing to a contract. If you look at your receipt it probably says "I agree to pay the above amount according to the terms of the cardholder agreement" or something. The idea is (in theory) they could take you to court and say "but you signed a contract saying you'd pay!". If they have someone other than the cardholder in court over that transaction, it's not because of a broken contract - it's fraud.

      In Europe, it is considered to be an authenticator, which really slows things down. They do check the signature vs the one on the card. I guess chip-and-signature at least means that someone can't clone your card and use their signature, at least not trivially. They'd have to get your card and then match whatever was on the card, or erase the signature somehow.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    24. Re: What's the big problem? by sjames · · Score: 2

      He probably DOES. He just realizes there's no point in putting an expensive vault door and lock on a canvas tent.

    25. Re:What's the big problem? by mspohr · · Score: 2

      Your card is probably a debit card (which does require a PIN).
      This discussion is about credit cards which in the US do not require PINs.

      --
      I don't read your sig. Why are you reading mine?
    26. Re:What's the big problem? by Teckla · · Score: 4, Interesting

      What is needed is decent 2 factor authentication.

      Isn't that what chip and PIN was supposed to bring us? Something you have (the card) and something you know (the PIN)?

      Why the hell did the U.S. adopt chip and signature? I was excited for my new chip and PIN credit card until I realized it was chip and signature.

    27. Re:What's the big problem? by Known+Nutter · · Score: 3, Funny

      AND my PIN is 12 digits long.

      That's amazing! So is the combination to my luggage!

      --
      Beware of the Leopard.
    28. Re:What's the big problem? by Khyber · · Score: 3, Interesting

      Not when both accounts are linked to one card.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    29. Re:What's the big problem? by Anonymous Coward · · Score: 2, Insightful

      Nobody checks the signature at time of purchase but if you report a fraudulent transaction and the guy was stupid enough to sign your name, that's forgery which is a felony in most states. A guy got two years for buying $50 worth of booze with a stolen credit card of mine because he signed it with my name.

    30. Re:What's the big problem? by unrtst · · Score: 3, Informative

      What is needed is decent 2 factor authentication.

      Isn't that what chip and PIN was supposed to bring us? Something you have (the card) and something you know (the PIN)?

      Exactly.
      However, the chip *should* make it more difficult for the issues such as those that Target had. AFAICT, there is now a transaction with your chip, instead of your card simply passing on the CC number. So this won't help at all if someone steals your card, and this won't help at all for stolen card numbers that get used online, but it should make the POS transaction more secure.

      I don't understand any of the arguments for why the US didn't go with chip and pin. I've heard that people aren't used to it, and that they're used to signatures, but those are useless arguments IMO. Nearly everyone with a card also has a bank card that has a pin, so it'd just come down to them having to have a means for users to register their PIN for the credit card - ie. they (cc companies) are just minimizing their costs in the transition.

    31. Re:What's the big problem? by swillden · · Score: 2

      This. I've been signing with just a horizontal line for years and never once has anyone (including my bank) noticed or cared. And, judging by other people I see signing things, I'm far from the only one.

      A horizontal line is so insecure! I try to at least wiggle the stylus a little.

      Yeah, it's a joke..

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    32. Re:What's the big problem? by swillden · · Score: 2

      I live in the US, and it's chip & pin, not chip & signature, everywhere I go.

      You must be using a debit card. Credit is chip & signature in the US.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    33. Re:What's the big problem? by lgw · · Score: 2

      You're using a debit card with a Visa (or MC) logo. Those have always required a PIN, and are now chip+PIN. Credit cards, OTOH, are chip+signature throughout the US.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    34. Re: What's the big problem? by lgw · · Score: 2

      Stores will bombard you with "helpful associates" if you look sketchy. Much more polite than coming up to you and saying "hey, you look like a shoplifter, but don't try anything, cause we're always watching".

      --
      Socialism: a lie told by totalitarians and believed by fools.
    35. Re:What's the big problem? by rahvin112 · · Score: 2

      They cannot disclaim liability for anything over $50 in the USA if you report a stolen card or fraudulent transaction within 24 hours of discovering it. This is part of Federal Law. This applies to credit cards, not debit cards, they are not covered.

      If you've encountered a bank attempting to do this then you have valid cause to bring a serious lawsuit. Most likely if you encountered this it was in regard to a debit card that does not have the same protections. You should never use debit cards because of this, use a credit card and pay it off monthly. Credit cards have strong federal consumer protections enacted when the Republican actually cared about such things.

    36. Re:What's the big problem? by uvajed_ekil · · Score: 2

      Debit is chip and pin. Credit is chip and signature. Throughout the US.

      Yes, but for as long as I've had a debit card (since 2000 or so?) I've almost always signed rather than used my PIN, unless I wanted cash back. A lot of people are afraid of entering their PIN in public, especially if they don't have to, and a lot of banks used to limit free debit transactions and would charge fees after a certain number. I even remember commercials telling us how quick and easy it was to swipe and sign, no ID required and no "secret code" to remember. Now it seems that I can still use my debit card (with no credit account linked) like a credit card at some retailers, if I choose to, and sign for a transaction, while at others I must use the PIN.

      Also, I have already personally witnessed someone leaving their card in the chip reader on two occasions. For one I was able to point it out before they walked away, but for the other I found the card unattended. Good thing for both of them I didn't watch them enter their PIN and abscond with the card!

      --
      This is a hacked account, for which the owner can not be held responsible.
    37. Re:What's the big problem? by fedos · · Score: 3, Interesting

      You're technically in violation of your card's terms of service. A while back the post office was refusing to accept these cards (they likely still do).

  2. This disaster is entirely of your own making by Nemyst · · Score: 5, Insightful

    First of all, "But reading the chip seems to take much longer than just swiping." Big fucking whoop? That's the time it takes for the card to obtain authentication from the bank server instead of the terminal just blindly accepting the transaction. That's already more secure, so stop whining.

    But more importantly, chip and PIN is known to be more secure than swipe and sign. That's not up for debate, it's a fact. Unfortunately, the US, in their wise ways, decided to bastardize the system into chip and sign, removing the vast majority of the additional security for no real benefit. Oh, you can't remember a 4-digit PIN? Tough fucking luck. Instead, you'll probably have to switch to chip and PIN at some point in the future, causing another confusing transition.

    Furthermore, the partial transition, various fuckups and all have largely been isolated to the US. Sure, Europe, Canada and others have also had a few hiccups when moving to the new system, but they had clear, strict deadlines that all providers followed. The US basically let the monkeys run the show, and so it's been a mess of delays.

    You guys fucked up, now you get to live with the consequences. This isn't a failing of the chip system, it's a failing of the US thinking they could half-adopt it. That entire article sounds like entitled whining.

    1. Re:This disaster is entirely of your own making by jittles · · Score: 2

      First of all, "But reading the chip seems to take much longer than just swiping." Big fucking whoop? That's the time it takes for the card to obtain authentication from the bank server instead of the terminal just blindly accepting the transaction. That's already more secure, so stop whining. But more importantly, chip and PIN is known to be more secure than swipe and sign. That's not up for debate, it's a fact. Unfortunately, the US, in their wise ways, decided to bastardize the system into chip and sign, removing the vast majority of the additional security for no real benefit. Oh, you can't remember a 4-digit PIN? Tough fucking luck. Instead, you'll probably have to switch to chip and PIN at some point in the future, causing another confusing transition.

      The US should start transitioning to Chip and PIN during or shortly after 2017. It's anticipated that MasterCard and VISA will start requiring a transition to PIN in the US in 2018. The biggest obstacle was actually the banks trying to delay the capital costs of replacing all of their terminals and ATMs all at once. They used the "confusion of a PIN" to sell the argument that they should not roll out Chip and PIN immediately. However, I can tell you from the payment processing side that everyone is doing everything they can to support PIN at their gateways and to get certified. I keep seeing companies ask me to help them integrate PIN padless terminals and I keep telling them that they're making a short-sighted mistake.

      Furthermore, the partial transition, various fuckups and all have largely been isolated to the US. Sure, Europe, Canada and others have also had a few hiccups when moving to the new system, but they had clear, strict deadlines that all providers followed. The US basically let the monkeys run the show, and so it's been a mess of delays. You guys fucked up, now you get to live with the consequences. This isn't a failing of the chip system, it's a failing of the US thinking they could half-adopt it. That entire article sounds like entitled whining.

    2. Re:This disaster is entirely of your own making by nnull · · Score: 2

      This is reminiscent of the US industry in general. Everything is half-assed here. A lot of my suppliers in the US that I vet are half-assed that I have to dump them. I go through a lot of resumes for managers and engineering positions, all their stuff on LinkedIn is about saving me money and how they saved "X" company money. I asked them how they did it, of course they can never tell me (Obvious cost cutting procedures). Even contractors, I had to go through a full year of them before I found one that wasn't cutting corners and was doing things the right way. Even the building that they were building for me, if I didn't bitch, it would have been half-assed.

      I follow standards and I don't pick and choose what I like. A lot of companies in the US pick and choose standards they like and they also pick and choose every paragraph that they like in such standards while ignoring the rest. If it costs them too much money, it's not going to be done. This is why, unfortunately, the majority of my vetted suppliers are in Europe. I even tried to help one, giving them a full report on how to fix things, procedure wise and safety wise (They have accidents there every week, I guess they don't mind settling in courts every 50k). They just gawked at the price tag even though being one of my suppliers would have easily covered all the costs while benefiting them in the long term. Most manufacturers in the US operate old broken machines with illegals running them. Management and owners here in the US are sick.

      So, the chip and pin disaster is no surprise to me. I already see how a lot of stores are completely failing procedure wise and I already see that a lot of companies do not want to spend the money on better equipment or do anything about it. Everything is short term. They don't see any long term benefits, I actually think they're incapable of seeing anything in the long term.

    3. Re:This disaster is entirely of your own making by Solandri · · Score: 2

      I thought the U.S. screwed up too at first. But then I read an article that in Europe, you basically can't contest fraud on your card. The reasoning is that because the chip cannot be defeated, and you're not supposed to tell your PIN to anyone, any use of "your" card must be legit. Either you made the purchase yourself, or you loaned the card to someone else and told them the PIN. So it must be your fault, therefore you are on the hook for the fraudulent purchases. Even if you're talking with the bank on the phone while sitting at home with your card in your hand, and there are transactions showing up on your account from Indonesia, they'll insist it's your fault. You are presumed guilty, and have to work to prove your innocence.

      The problem is the chip isn't hack-proof. A researcher (can't find the article right now) showed that the specs for the terminals have several different protocols, one of which confusingly uses the same signal for "the correct PIN was entered" and "a PIN (any PIN) was entered." He rigged up a card which would make the terminal accept his PIN via this message (card connected to a computer in his backpack via a cable hidden in his sweatshirt), grabbed a half dozen volunteers, and demonstrated his hack allowing him to put charges on their cards at a bunch of random stores in France. Criminals have already been caught using this hack in the wild. There are probably other ways to defeat it too which we haven't figured out yet.

      The chip and signature system allows an American cardholder to contest a charge simply by pointing out the signature doesn't match their signature. The system is more secure than magnetic swipe cards, but not so secure that banks and the government start to assume fraud is "impossible" and thus shift the burden of proof onto the victim to prove that s/he was victimized.

  3. Transition costs retailers lots of money by ScentCone · · Score: 2

    It's not that there's "no rhyme or reason" to the experience at the register - it's that the purchase of chip-capable readers doesn't mean that the retailer's point of sale system, back end accounting platform, security reviews, and everything else that comes in the wake of this have been completed. Getting chip-capable devices at the register is the easy part - they're often leased anyway, and the processing companies are simply replacing older units, as they fail, with newer units that meet the new specs. But there is a lot of behind the scenes work to do. It's easiest for mom-and-pop retailers who don't have a lot of integration, and it's relatively easy for the very large chains that have big IT departments. But the mid-sized operations, owner-operated gas stations, etc., have to take on considerable expense. And it cannot break, or they're expensively down and out.

    I have indeed noticed the significant increase in processing time. Even at a bank-owned ATM, where I know the branch has a nice fast pipe back to the mothership, it's pretty shocking how long it takes the ATM to complete the extra crypto dance before it even gets down to business with you on the user interface. If nothing else, they need to have the ATMs give a better sign of life as that handshake is taking place - many users will be baffled by what doesn't appear to be happening.

    --
    Don't disappoint your bird dog. Go to the range.
  4. In time it will be better. by Bender+Unit+22 · · Score: 3, Informative

    Last October, I spent some time in the US again and I noticed the few places that had started using chip readers had a person standing by to help people. They seemed a bit surprised when I just inserted my card and typed my pin code in a few seconds. :D They didn't even finish their line about being sorry about me having to remember the pin code. But I have been using it for years now.

    We had a few problems in the beginning too, both with speed of the approval process and the people using the card, but it is really not a problem anymore.
    Now both my VISA and Mastercards have NFC (I'm guessing it is?) so I just hold the card over the reader.

  5. What a mess... by __aaclcg7560 · · Score: 2

    The local 7-11 store taped over the slot and have a note to swipe the card instead. The chip reader is too slow to move a long line at a faster pace. With limited parking out in front, the clerks want to turn over as many customers as fast as possible to avoid losing sales.

  6. Re:What's the point?! by Anonymous Coward · · Score: 2, Interesting

    America is a higher trust society than Europe (so the extra security wasn't cost-effective). I think it's because we all speak the same language and don't have to deal with gypsys here.

  7. Nope by fireylord · · Score: 5, Insightful

    The whole article just smacks of fear of change frankly. We in the 21st century part of the Western hemisphere have long since done this, and reaped the fraud prevention benefits (read: no significant retail chip and pin fraud, fraudsters forced to try Cardholder not Present fraud, to which there are also pretty effective countermeasures).
    I suspect those retailers still asking for magswipe will be transitioned to chip usage by their card service provider as the fraudsters will increasingly target those that still insist on swipe. The money will talk in this case, however the idea of chip and sign is a bit silly in that it will only stop counterfeit cards, not stolen cards.

    1. Re: Nope by Anonymous Coward · · Score: 5, Insightful

      Yeah, there are places in the world where "disaster" means something more than just a few seconds of inconvenience at the supermarket.

    2. Re:Nope by Anonymous Coward · · Score: 5, Informative

      There are several issues here in the US with this conversion. Many retailers have the new machines, new POS software, etc. and are waiting and waiting for the card industry to certify them. So they have to tape over the chip readers and tell people to keep swiping. AND the card industry puts fraud on the retailer because they dared to still use swipe with a card capable of chip. But it is the card industry themselves who are delaying the certifications. That's one issue. Another is this whole "chip and signature". With no PIN, there is really no major advantage. Steal a card, forge a signature. Not hard. I know large retailers like Wal-Mart are suing the card industry over that one. Apparently the claim is that it has nothing to do with what the card industry claims (they claim that US people are too stupid to move directly from swipe to chip and PIN) and has something to do with the card industry making more profit if they go to chip and signature. Lots of problems - many of them apparently politically and financially motivated by awful companies.

    3. Re: Nope by AgNO3 · · Score: 2

      Don't even dis my first world horror stories of waiting extra time to buy cake. I've got other luxuries that are waiting for me and I forget to set the DVR to record GoT.

      --
      OMG Ponies!!! with Glitter!!!! I miss Pink :-(
    4. Re:Nope by NicBenjamin · · Score: 4, Informative

      This isn't Ars. There is no real "downvote to oblivion" level because that little slider at the top lets you set the score of posts you want to see. Some folks put up with the spam/juvenile bullshit/etc. that appears at -1, others refuse to even see shit that's as high as +2.

      In this case there's no downvoting at all. He posted it anonymously, and Anonymous posts start at 0.

    5. Re:Nope by Austerity+Empowers · · Score: 2

      The whole article just smacks of fear of change frankly

      Maybe, but I actively hate chip readers. They are incredibly slow compared to NFC, and I don't see them adding much security over swiping unless we also used a PIN (which is what Europeans compare this to), but we don't use a PIN because reasons.

      It's really just a stupid change.

    6. Re:Nope by aix+tom · · Score: 4, Informative

      Seems it's the other way around in Europe. We run a retail with several outlets. When we do "Chip/Mag + Signature" we pay for what fraud we get, when we do "Chip + Pin" the bank is responsible. *But* since Chip+Pin has a "higher transaction cost", we basically do Signature, and only when the fraud happening in that area rises above the cost of the higher pin transaction cost we switch to pin.

      ( Then again, most of those are direct debit cards which is a whole other beast than the US credit cards )

    7. Re:Nope by west · · Score: 3, Insightful

      Even at the weakest level, EMV adds one important security factor. You can't simply skim a chip card and make a new working chip card.

      Without PIN, chip cards won't prevent the card from being individually stolen and used, but that's not where the industrial level losses were occurring. It had reached the point of being a major business for organized crime, and this will put a serious crimp in it. (When I was more involved in bank security a few years ago, you could find franchising skimmer opportunities on YouTube that were renewed every few minutes as they got taken down.)

      As well, as one wealthy hold-out to chip, the US was attracting the attention of the world's high tech criminals. Since crime migrates to the weakest link, you don't want to be the slowest deer in the herd, which the US was rapidly becoming. (The US punitive legal system had kept the US from being a favored target when other countries had left their doors unlocked, but once there weren't any other wealthy countries with low hanging fruit, cyber crime was going exponential.)

      There'll be other forms of crime (crime migrates to different types of crime as well), but few that worked so well on an industrial scale.

    8. Re:Nope by Dahan · · Score: 5, Insightful

      With no PIN, there is really no major advantage. Steal a card, forge a signature.

      The advantage is that you now have to steal a card, rather than just skimming the magstripe of one. The idea is that the chip ensures that you have the actual card, and the PIN (mostly) ensures that you are an authorized user of the card. In the US, with chip and signature, we don't have that second assurance, but having the first is better than nothing.

    9. Re:Nope by Guy+Harris · · Score: 3, Informative

      The card companies and banks don't give a shit about security. The chip-and-signature conversion enabled a huge liability shift. As I understand it, prior to the shift, the card companies/banks were liable for fraud committed with their cards. If fraud is committed now, the liability lies with the retailer.

      As I understand it, if fraud is committed with a chip card and the terminal used doesn't support chip authentication - i.e., if a chip card is swiped because there's no chip reader or the chip reader isn't enabled - the liability ends up with the retailer.

      See, for example, Chase's FAQ for chip cards, which says:

      Another Payment Brand ruling is the impending chip liability shift. Once this goes into effect, merchants who have not made the investment in chip-enabled technology may be held financially liable for card-present counterfeit and potentially lost and stolen fraud that could have been prevented with the use of a chip-enabled POS system.

      ("payment brands" are the brand names for various cards, such as Visa, MasterCard, and American Express, so it means that Visa/Master Card/American Express/etc. are saying "if the POS equipment you're using to handle credit cards is a real POS that doesn't handle EMV chips, you may be held responsible for fraud"), and also says:

      With the liability shift, if a chip card is presented to a merchant that has not adopted a terminal that is certified for chip card acceptance, liability for counterfeit fraud may shift to the merchant's acquirer – who may then pass this fee back to the merchant. The liability shift encourages chip adoption since any chip-on-chip transaction (chip card read by a chip certified terminal) provides the dynamic authentication data that helps to better protect all parties. In addition, if a counterfeit magnetic stripe card is presented at a chip certified terminal, the liability for the counterfeit fraud will be the responsibility of the card issuer.

      where "In addition, if a counterfeit magnetic stripe card is presented at a chip certified terminal, the liability for the counterfeit fraud will be the responsibility of the card issuer." means "dear retailer: if the card has no chip, the card issuer still eats the fraud, you don't get stuck with it".

    10. Re: Nope by stealth_finger · · Score: 2

      Or you can put your wallet back in your pocket. I assume in your original routine you still get your wallet out again to put the cash in?

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
  8. Re:And longer lines are a pain by Hartree · · Score: 2

    A number of the stores I go to have a solution to that. They just switch off the functionality.

  9. The fault lies.... by Lumpy · · Score: 5, Insightful

    Completely at the feet of the banks. They needed to get off their asses and spend a tiny bit of their immense profits to fucking switch over. The banks could send every retailer a new chip reader for every register for free and STILL make record profits every quarter.

    So blame the Banks and the Greedy assholes that run those banks.

    I'm for bringing back all the heavy handed bank regulation from before 1980. Fuck the bankers.

    --
    Do not look at laser with remaining good eye.
  10. They don't make disasters like they used to by taustin · · Score: 5, Informative

    For a disaster, it's been pretty mild for my employer.

    Several points to consider, from my personal observations (as the IT guy in charge of deploying and training on this):

    1) Chip & PIN vs. Chip & signature. Yeah, chip and PIN is more secure for the consumer, but EMV isn't about security for the consumer. That's not at all the point of EMV. The point of EMV is to protect the banks, who eat the loss, when somebody breaks into a big retailer and steals 120 million credit card numbers at the same time, because PCI compliance hasn't been enough, and never could be. EMV is the half of the new system that gets the news coverage, but the other half, point-to-point encryption, is more important. The transaction gets encrypted in the credit card pad, and the merchant never sees the card information. So if you break into their network, there's nothing there to steal. The benefit to the merchant is that PCI compliance is a hell of a lot easier (and less expensive). The benefit to the consumer is that their cards are, in fact, less likely to be compromised (because that kind of break-in is a huge part of credit card fraud these days), so less hassle waiting for a new card.

    But in the US, the consumer isn't protected by the technology, they're protected by the law. If your card is stolen, you're never responsible for more than the first $50 (and if your bank gives you static about that, file a complaint and open an account with a bank that isn't crooked).

    2) It's not confusing, it's just different. The process isn't any more complicated, it's just a different process. So the cashiers need about one minute of training, mainly by me buying a soft drink so they could see the new screens, and then they had it down (because we don't hire idiots as cashiers, and we train them), and the customers will need a few reminders for a while. The only two actual issues we've had (both very minor) are that we used to not need a signature for transactions under a certain amount, and we need a signature on every transaction now (because it's chip & signature, not chip & sometimes signature - but I expect that to be relaxed very soon), and we have to remind the customers to remove the card when it's all done (and our system actually helps on that, because it won't let them sign until the card is removed, which reminds the cashier to remind the customer). The pads could beep a little louder, but it's not a problem.

    3) It's only slower if you bought shitty equipment. I've seen very slow chip card transactions. They're pretty much always the cheap-ass little standalone terminals that small merchants get on a lease from their merchant service (who don't care how slow it is). The reason for this is that the pad is doing the encryption, and that requires a certain amount of processing horsepower. Ours are new, expensive, and high quality. The difference in time processing a chip card and a mag strip card is less than one second. Barely enough to notice. Other big chain stores I've been in that do EMV also have new, expensive, high quality pads, and they, too, are basically just as fast either way.

    So no, it's not the end of the world. Just more hysteria mongering from somebody who has a book to sell, or just hates all change, even for the better. In other words, it's a day that ends in "y."

    1. Re:They don't make disasters like they used to by taustin · · Score: 2

      We actually have the hardware for NFC (near field communications), and I think it's implemented in point of sale as well. We haven't explored it so far because we've had no one ask for it.

      Apple Pay, we've had a few queries on, but that's a mess of ideas that are only beneficial to Apple, at the expense of the merchant. (The biggest objection is that it hides transaction information from our marketing people. And I get why some consumers would like that. But it doesn't hide the marketing information. It hides the marketing information from us, while sending it to Apple instead. And they don't have as good a track record on handling it appropriately as we do, and never will.)

  11. What the hell?! by silviuc · · Score: 3, Insightful

    From the article:

    "But, for the less digitally inclined, plastic cards and those tiny metal chips will probably still be pretty cumbersome for the foreseeable future."

    My mom is 70+ years old and can shop at any local store with her card just fine. We use chip & pin over here. She can remember her card pin just fine. She's also not digitally or technically inclined. The whole thing takes a few seconds until the transaction is authorized by the bank.

    What exactly is your excuse there, over the pond?

    Banks have been issuing new cards (or replacing older ones) with NFC versions for at least a year. Just bonk and pay.

  12. Lots and lots of old hardware by rsilvergun · · Score: 2

    We were supposed to move to chip & pin in 2008. We didn't (what with our whole economy imploding around then nobody had any money to do crap like that). So there's tons of old hardware businesses were sold in 2005-2008 that never got used. The businesses are pissed that they spent hundreds (thousands?) on new terminals and readers that did nothing. So it's like pulling teeth to get them onboard. Imagine spending $800 on something that offered you little value but you have to, then you never use it and now you've got to spend another $400 (prices have dropped to be fair).

    Oh, and we only do chip & signature, no pins, so the businesses are nervous they'll be made to buy even more hardware when chip & pin rolls out.

    Now, I don't know about Canada but in Europe if your pin gets stolen you the consumer are liable (which is hilarious, because chip & pin has been broken before). In the US we have a law that keeps consumers blameless for any credit card transaction. That's because every time you use your card you're borrowing money. Legally it's a loan (with 0% interest if paid off by the next billing cycle and if you pretend merchant fees don't exist). If somebody fraudulently borrows money in your name you're not on the hook in the US and it would take a major change in law that's not likely to happen (it would be tremendously unpopular and it would affect our upper middle class, and you don't screw with those guys).

    Basically, one of the best parts of chip & pin (a major liability shift to the consumer) doesn't fly in the states. The businesses taking the cards get some liability shift but the Card companies themselves don't. So it's not as big a win for the various players here in the States as it was elsewhere. Add to that America's traditional aversion to infrastructure spending and you've got a product dead in the water.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  13. 10 years behind the rest of the civilized world by quax · · Score: 2

    And then screwing up the implementation.

    Maybe Trump can make paying with credit cards great again?

  14. Re:Whining for the sake of whining by Fly+Swatter · · Score: 2

    What hardship! Here is something faster than swiping or other electronic means: cash.

    As a mostly cash paying customer, the new system is noticeably slower. I know this because I have to wait in line so long behind people using it. The learning curve slowing things down, I get that, however even someone that appears to be practiced in using chip and pin it is obviously slower. Often times slower than cash, which I find a little funny.

  15. yo playa by lucm · · Score: 5, Funny

    My bank recently replaced its ATM cards with chip/pin. Where I used to step up to an ATM, swipe the card, and put it and my wallet away while the machine woke up. The rest of the transaction, I have my hands free, and I'm gone in 30 seconds.

    if you put your wallet away after swiping your card, what did you do with the cash (which certainly doesn't come out before "the machine wakes up")? Put it in a gold clip so you can stylishly flip out one bill at a time at the strip club?

    --
    lucm, indeed.
  16. You guys are using the terms wrong by xenoc_1 · · Score: 2

    Wrong. There are some US banks offering Chip+PIN CREDIT cards. And some issuing Chip+Signature DEBIT cards. It all depends on which authentication methods the issuing bank coded into the card's chip, and which priority order they set them.

    People saying "PIN is for Debit and signature is for credit" are taking anecdote as if it's industry-wide rule. Or are non-USAians who never knew how it works here.

    The "Debit or Credit?" question that US Debit card users often are asked at Point of sale when making a purchase on a Debit card has nothing to do with whether it's a chip card or not, nor even whether it's a credit card or a debit card. It really means, "Process this like an ATM Bank card doing a checking account withdrawal? Which will require your ATM withdrawal PIN. Or, Process this like a credit card charge through the Visa (or MC) network, which will put a credit-card-style authorization on your account but not actually post the charge for hours or days?"

    Not, "Is this a Debit card or a Credit Card?"

    For that matter, you could always choose "Debit" with a real Credit card too, if you happened to know your "cash advance at ATM" PIN for your magstripe no-PIN credit card. Though most people didn't know that PIN, some Credit cards didn't have one unless you asked, and because at your credit card account it became a usually more-costly cash advance rather than a charge. But fundamentally, "Debit or Credit" is "act as if it's a bank ATM card or act as if it's a credit card", regardless of whether it's really a Credit or a Debit card.

    "Act as if it's a bank ATM card" always required a PIN, ever since decades ago long before EMV chip cards reached USA.

    "Act as if it's a credit card" never required a PIN, in USA.

    What is new, and apparently confusing to Muricans, is that with EMV in most of the world, "Act as if it's a credit card" now also requires a PIN.

    In USA, if your new EMV chip Credit card is done to world standards, "Act as if it's a credit card" does require a PIN, when in the past, "credit" never did. And too many US banks issued Chip+Signature (only, or Chip+Signature as priority 1 authentication method) cards, so that "credit" still would not require a PIN. Plus they even did the same for Debit Cards, so that when using the Debit card for a purchase as "act like a credit card" it does not use a PIN.

    Which leads to confusion by cardholders and merchants alike, and the errors in so many of the posts here too.

    My primary credit union's Visa Debit/ATM card requires the PIN for purchases even as "credit" if the POS terminal hardware, software, and merchant account are capable of following the card's EMV commands. Yet my other credit union issued Chip+Signature Debit MasterCard ATM cards. My bank issued a Chip+PIN priority Visa Debit, and the "checking alternative" account at my brokerage issued a Chip+Signature Visa Debit.

    Of course all require a PIN when doing an actual ATM cash withdrawal. Or when doing a purchase through the "debit" ATM network.

    I will stop now, before explaining how the Dodd-Frank Bill makes US-issued chip Debit cards even more screwed up and globally non-standard even if they are true Chip+PIN. But it's all kinds of hilarity ensuing.
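
The comment above says the outcome at the register depends on which verification methods the issuer coded into the chip, in what priority order, and on what the terminal can do. As an added example that is not part of the thread, here is a simplified Python model of how a terminal walks an EMV CVM List (tag 8E, per EMV Book 3). The card lists and terminal capability sets are constructed for illustration, and only the "always" and "if terminal supports the CVM" conditions are modelled.

```python
# Added example: simplified EMV cardholder-verification (CVM) selection.
# Card lists and terminal capability sets below are constructed samples.

CVM_NAMES = {
    0x00: "fail CVM processing",
    0x01: "offline plaintext PIN",
    0x02: "online enciphered PIN",
    0x03: "offline plaintext PIN + signature",
    0x04: "offline enciphered PIN",
    0x05: "offline enciphered PIN + signature",
    0x1E: "signature",
    0x1F: "no CVM required",
}
COND_ALWAYS = 0x00        # rule applies to every transaction
COND_IF_SUPPORTED = 0x03  # rule applies only if the terminal supports the CVM
FAILED = "CVM processing failed"


def parse_cvm_list(data: bytes):
    """Split a CVM List value into (amount_x, amount_y, rules)."""
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("CVM list must be 8 amount bytes plus 2-byte rules")
    amount_x = int.from_bytes(data[0:4], "big")
    amount_y = int.from_bytes(data[4:8], "big")
    rules = []
    for i in range(8, len(data), 2):
        method, condition = data[i], data[i + 1]
        rules.append({
            "code": method & 0x3F,                # which CVM the rule names
            "next_on_fail": bool(method & 0x40),  # may fall through to next rule
            "condition": condition,
        })
    return amount_x, amount_y, rules


def select_cvm(cvm_list: bytes, terminal_supports: set) -> str:
    """Return the first CVM the terminal would attempt, in issuer priority order."""
    _, _, rules = parse_cvm_list(cvm_list)
    for rule in rules:
        code = rule["code"]
        supported = code == 0x00 or code in terminal_supports
        if rule["condition"] == COND_IF_SUPPORTED:
            if not supported:
                continue          # condition not met: move to the next rule
        elif rule["condition"] != COND_ALWAYS:
            continue              # other condition codes are not modelled here
        if code == 0x00:
            return FAILED
        if supported:
            return CVM_NAMES.get(code, f"unknown CVM 0x{code:02X}")
        if not rule["next_on_fail"]:
            return FAILED         # issuer does not allow falling through
    return FAILED


NO_AMOUNTS = bytes(8)  # amount X and amount Y unused in these samples
PIN_PRIORITY_CARD = NO_AMOUNTS + bytes.fromhex("440342035E031F00")
SIGNATURE_PRIORITY_CARD = NO_AMOUNTS + bytes.fromhex("5E0342031F00")
STRICT_PIN_CARD = NO_AMOUNTS + bytes.fromhex("02001E00")

FULL_TERMINAL = {0x01, 0x02, 0x04, 0x1E, 0x1F}  # PIN pad present
NO_PIN_PAD_TERMINAL = {0x1E, 0x1F}              # signature capture only

if __name__ == "__main__":
    cards = {"PIN-priority": PIN_PRIORITY_CARD,
             "signature-priority": SIGNATURE_PRIORITY_CARD,
             "strict PIN": STRICT_PIN_CARD}
    for name, card in cards.items():
        print(name, "| full terminal:", select_cvm(card, FULL_TERMINAL),
              "| no PIN pad:", select_cvm(card, NO_PIN_PAD_TERMINAL))
```

A real terminal also has to handle the amount-based and cash-related condition codes, and the case where a supported CVM is attempted and fails (for example, a wrong PIN), which this model leaves out.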