Slashdot Mirror


Judge Allows Small Businesses To Sue Credit Card Giants For Forcing Them To Adopt Chip Readers (computerworld.com)

An anonymous reader quotes a report from Computerworld: A federal judge has ruled it is plausible that four national credit-card companies improperly conspired "in lockstep" to set a deadline of Oct. 1, 2015 for requiring retailers to upgrade their technology to accept embedded chip cards for credit and debit card purchases. In an order issued Friday (Case number C 16-01150 WHA), U.S. District Court Judge William Alsup agreed with two small Florida businesses -- B and R Supermarket and Grove Liquors -- which brought the lawsuit in March. Alsup's ruling also allows the antitrust case against Visa, Mastercard, American Express and Discover Financial Services to move forward in federal court for the Northern District of California. The two retailers are seeking to create a class-action case involving millions of small retailers who have been required under the Oct. 1, 2015 deadline to assume liability for fraudulent card charges if they haven't upgraded to the more-secure chip card technology instead of magnetic-stripe cards. The retailers believe there was industry conspiracy over creation of the deadline that violates fair trade practices. In the same ruling, the judge allowed two other retailers -- Los Angeles-based gourmet food chain Monsieur Marcel and New York-based grocery store chain Fine Fare -- to intervene in the case. Lawyers for the retailers have said a class-action lawsuit could include 8 million U.S. small businesses. They would seek repayment of the cost of upgrading to chip card readers and related software, estimated at $6 billion. However, the National Retail Federation has recently estimated the total cost of the conversion in the U.S. at up to $35 billion.


  1. Down the rabbit hole by mattyj · · Score: 1, Interesting

    The processing of nearly every credit card purchase in the US eventually trickles down to one firm, so perhaps it wasn't the 'big four' conspiring.

    I'm not really sure why them setting the same date for themselves affects anyone. Just upgrade your damn terminal already.

    1. Re:Down the rabbit hole by m0hawk · · Score: 2

      Any idea on who pays for the terminal upgrade, it wasn't mentioned in the article? If it is being forced on a business, then the credit card company should be sending them out free of charge (assuming that the terminal will be paid off with transaction fees). I'm guessing this is not the case.

      Otherwise, why is there a problem rolling out new terminals?

    2. Re:Down the rabbit hole by ragnar_ianal · · Score: 1, Informative

      It makes sense to impose some or all of the cost on the retailer because the retailer controls the number of terminals involved. If a retailer wants a greater number of secure transaction points it makes sense that the retailer pay for this business decision.

    3. Re:Down the rabbit hole by EvilSS · · Score: 5, Informative

      Just upgrade your damn terminal already.

      Many of them did. The problem is that the new terminals then need to be certified by each card company before they can be turned on, for each business (not just a hardware certification for the mfg, each deployment requires certification). The card companies have been dragging their feet getting them certified, particularly for small to mid sized businesses. However they did not extend the deadline for those companies that installed the terminals but can't yet use them. So these businesses did what they were supposed to do but they are in a bind now with liability shifted to them but they are unable to even accept chip cards because they can't get the big 4 to certify their installations.

      This happened to my local grocery chain. They have the new readers, had them well before the deadline, but they can't use them, even now almost a year after the deadline passed, because they are still in the queue for certification.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    4. Re:Down the rabbit hole by ShanghaiBill · · Score: 4, Insightful

      Any idea on who pays for the terminal upgrade, it wasn't mentioned in the article?

      The terminal is owned by the merchant, so they pay for it.

      If it is being forced on a business, then the credit card company should be sending them out free of charge

      It isn't being forced on them. They have the alternative of not accepting CC transactions, which is something many businesses do. At some point we need to have progress, and magstripes need to die. Many technical standards have deadlines where old features stop being supported.

      The merchants have had plenty of time to upgrade, and plenty of warning that the end was coming. Most merchants support the change, since it is the merchants that pay the biggest price for fraud. That is why the plaintiffs are having problems organizing a class action. It is only a few whiners that are complaining.

    5. Re:Down the rabbit hole by taustin · · Score: 5, Informative

      It isn't being forced on them. They have the alternative of not accepting CC transactions, which is something many businesses do.

      They also have the choice of continuing to use the old equipment, but they then accept responsibility for fraudulent transactions that could have been prevented by using chip cards. Hell, as far as I know, they still have the option of imprinting paper slips and depositing them at the bank like checks, but the costs all end up on the merchant, as they should.

      At some point we need to have progress, and magstripes need to die. Many technical standards have deadlines where old features stop being supported.

      Mag stripes will be around for at least a decade, and probably two or three. But they'll be slowly phased out over the next few years for most people most of the time.

      The merchants have had plenty of time to upgrade,

      Sort of, but not really. Unless you're Walmart or Home Depot, you don't write your own processing software, you rely on your point of sale vendor, and very few point of sale vendors were ready by October of last year. Many small businesses simply did not have the option to start doing EMV by the deadline.

      and plenty of warning that the end was coming. Most merchants support the change, since it is the merchants that pay the biggest price for fraud. That is why the plaintiffs are having problems organizing a class action. It is only a few whiners that are complaining.

      Liability issues aside, any merchant complaining about EMV (with point to point encryption) is an idiot. EMV isn't about protecting consumers from fraud against their card (hence the chip & signature instead of chip & PIN), it's about protecting banks and merchant services from idiotic merchants who can't keep their network secure. Implement EMV with P2P encryption, and the merchant never sees the card at all, and if someone breaks into their network, there's nothing to steal. Makes PCI compliance easier, and pretty much eliminates the chance of the merchant having to pay six figures to investigate a breach.

    6. Re:Down the rabbit hole by taustin · · Score: 1

      You're smoking dope, and they're feeding you a line. The software has to be certified, but even then, not by deployment. And for a small business, that's handled by the point of sale vendor, not the merchant. If your local grocery chain is doing their own processing software, they're not pushing on getting their stuff certified, and that's entirely on them.

      There is a point about not extending the deadline - again - for those merchants who had the hardware but couldn't get the software from the POS vendors, but it's a small point unless the business is so poorly run that it gets a lot of fraudulent activity to begin with.

    7. Re:Down the rabbit hole by peragrin · · Score: 4, Interesting

      Ah but that is half the issue. Chip readers once installed needed to be certified by the card companies. That certification is on average 12 months behind.

      So you see a terminal but a "do not use" sticker? The software stack, connections, etc haven't been certified to use chips.

      Credit card companies failed to provide enough certifiers, and enough time to begin the change over. It has been mentioned by MasterCard executives that they never once talked about processing speed of the transactions, which is why chip readers take 30% longer to process after sending your card data.

      MasterCard and Visa cared about their bottom line, and pushed responsibility to merchants, but didn't provide the tools for merchants to do it right.

      Lastly an October 1st deadline is irresponsible, as the slightest hiccup destroys holiday shopping, which is what happened last year. A Feb 1st deadline with a 6-12 month soft start 50% of fraud is paid both issues, and merchant would have been more successful, and less lawsuit prone.

      --
      i thought once I was found, but it was only a dream.
    8. Re:Down the rabbit hole by TigerTime · · Score: 1

      Additionally, they can keep using the magstripe, they just have to take full responsibility for any false charges that may occur at the business as opposed to the credit card company taking that liability. So really, the merchants only have to upgrade if they want to accept CC and be free of any credit card fraud liability. Seems reasonable to me.

    9. Re: Down the rabbit hole by rickb928 · · Score: 3, Interesting

      Terminal hardware is certified before they are shipped.

      Software is updated, and verified before deployment.

      Nobody ships untested terminals. That's disastrous.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    10. Re:Down the rabbit hole by youngone · · Score: 3, Informative

      I'm not in the US, but where I live the merchant pays for the terminal. There are several suppliers and we have had chip and pin type cards for maybe 5 years.

      I can't remember the last time I saw a mag stripe machine, and if I did see one, I would pay cash.

    11. Re:Down the rabbit hole by Anonymous Coward · · Score: 1

      Failed to provide enough certifiers my ass. This isn't new. The reason everyone is behind is because businesses waited till the very last second to even start looking at the issue.

      I deal with this crap daily. It's a hassle to do the change, but so what, you have had years of notice and you along with everyone else waited until the cutoff date to implement or thinking about implementing. How the hell is that the credit card processors' fault?

    12. Re:Down the rabbit hole by jrumney · · Score: 1

      This is one instance when conspiring is good for the market. If they didn't conspire, small retailers would be buying four different card readers instead of one, and they'd have four different deadlines to remember instead of one. A market getting together and deciding on standards is not really in the same league as price-fixing and other types of conspiracy that adversely affect consumers.

    13. Re:Down the rabbit hole by jrumney · · Score: 2

      If it doesn't make business sense, don't take credit cards. If you decide it is worthwhile for your business to take credit cards, then shell out for the equipment, and be prepared to update it every 10-20 years. Do you ask the central bank to supply you a cash register free of charge?

    14. Re:Down the rabbit hole by DRJlaw · · Score: 3, Informative

      You're smoking dope, and they're feeding you a line. The software has to be certified, but even then, not by deployment. And for a small business, that's handled by the point of sale vendor, not the merchant.

      Now explain why the POS vendors are losing revenue due to certification delays. Is it your theory that they're tanking their business to support the line? Or selling the dope? My theory is that you simply don't understand that level 3 certification is literally by deployment and too self-satisfied to consider that you might be wrong.

    15. Re:Down the rabbit hole by ShanghaiBill · · Score: 1

      Lastly an October 1st deadline is irresponsible, as the slightest hiccup destroys holiday shopping

      The obvious solution for a merchant is to upgrade before the deadline. The deadline is the last day to upgrade. Any merchant that waits until then to start the process deserves what they get.

    16. Re: Down the rabbit hole by dfeifer · · Score: 1

      Not necessarily. We have 3 where I work and they are actually owned by PNC Bank.

    17. Re:Down the rabbit hole by plover · · Score: 1

      Any idea on who pays for the terminal upgrade, it wasn't mentioned in the article?

      The merchant pays for the terminal, but the upgrade is not being "forced" on them. If they don't want to upgrade to a secure terminal, they don't have to, but then they take on the risks of the customers' cards being stolen and misused.

      So if they think their shitty ancient card readers are secure from hacking, and they're willing to bet the cost of fraud that they're so great, they can keep them. Seems fair.

      --
      John
    18. Re:Down the rabbit hole by jittles · · Score: 5, Interesting

      Just upgrade your damn terminal already.

      Many of them did. The problem is that the new terminals then need to be certified by each card company before they can be turned on, for each business (not just a hardware certification for the mfg, each deployment requires certification).

      That is untrue. You do NOT have to certify each deployment with the card companies. You have to certify the terminal hardware, the kernel on the hardware (card brand specific), the communication from the card terminal to the gateway, and the communication from the gateway to the processor. The processor has to certify from them to the card brand. Most gateways are offering certified hardware + software deployments that only require you to certify with the processor if you develop against their software. If you just take a package that is already certified, you have to do nothing other than meet your PCI requirements that you're already obligated to do. I spend my life writing card terminal drivers and everything I do has to be certified from the terminal to the payment gateway. This is my everyday life. You would only need to certify if you made your own software implementation somewhere in that chain. If you write software below the gateway then you may not even need to certify with the card brand, you may be able to just certify with the gateway, depending on what exactly you did.

      The card companies have been dragging their feet getting them certified, particularly for small to mid sized businesses. However they did not extend the deadline for those companies that installed the terminals but can't yet use them. So these businesses did what they were supposed to do but they are in a bind now with liability shifted to them but they are unable to even accept chip cards because they can't get the big 4 to certify their installations. This happened to my local grocery chain. They have the new readers, had them well before the deadline, but they can't use them, even now almost a year after the deadline passed, because they are still in the queue for certification.

      Which chain is this? Publix, for instance, chose to write their own card terminal application which requires all kinds of certifications with the card brands, terminal manufacturers, etc. That's a time consuming process. But I've personally had such a project go through certification in a matter of weeks. It's not the card brands holding things up.

    19. Re:Down the rabbit hole by Anonymous Coward · · Score: 4, Interesting

      In many cases (our stores, for example) the hardware was not available (from our credit card processor).

      We got our first chip capable machine in January -and it did not work. I plugged it in, ran a transaction, and got an error. After a couple of software updates -nope still not working with chip cards. Swap the hardware -still not working. Swap the hardware again -finally everything works. Hey look, it's February, 2016!

      We were charged extra fees from October thru February for not having compliant hardware in place. Hardware which was not available -according to the company charging us the extra fees for not having it yet.

      Who paid for the equipment? We did. We paid the credit card processor the amount they chose to charge us for the equipment that they said we had to have in order to do business.

      I think the upgrades were worth doing, but the rollout was handled poorly, and the companies responsible for setting the timeline profited off of the merchants' inability to meet the deadline.

    20. Re:Down the rabbit hole by drinkypoo · · Score: 1

      So if they think their shitty ancient card readers are secure from hacking, and they're willing to bet the cost of fraud that they're so great, they can keep them. Seems fair.

      The problem is that the shitty new card readers aren't secure either, because here in the USA we are chip and sign and not chip and PIN. All the same attacks against a stolen card will still work.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    21. Re:Down the rabbit hole by Anonymous Coward · · Score: 1

      Did you ever notice that a lot of the "certified" chip reading terminals have an exposed USB port on them? Makes me think they forgot about physical security during the certification process. I wonder how long until someone figures out how to use those USB ports as an entry way to the whole processing system. It's going to be interesting, especially if a large well organized group figures out how to take over the terminals.

    22. Re: Down the rabbit hole by drinkypoo · · Score: 1

      Physical stolen credit cards are rare to the point of being not an issue.

      I wouldn't call 14% of all credit card fraud "not an issue".

      With mag stripe you can be sure that the card wasn't cloned.

      What? Who told you that?

      Cloned cards where someone makes a fake credit card with your number encoded onto it are actually a bigger problem than physical stolen cards.

      Yeah, and EMV actually has inadequate protection against cloning, because it has inadequate standards for the use of the chip, and "some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply" the nonce for the transaction. That does require a compromised reader, but you don't have to compromise the reader itself, only its communications channel. This can often be done from outside a building.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    23. Re:Down the rabbit hole by larryjoe · · Score: 2

      It isn't being forced on them. They have the alternative of not accepting CC transactions, which is something many businesses do.

      They also have the choice of continuing to use the old equipment, but they then accept responsibility for fraudulent transactions that could have been prevented by using chip cards. Hell, as far as I know, they still have the option of imprinting paper slips and depositing them at the bank like checks, but the costs all end up on the merchant, as they should.

      At some point we need to have progress, and magstripes need to die. Many technical standards have deadlines where old features stop being supported.

      All of this is true and still tangential to the anti-trust case. Anti-trust collusion that forces actions that are in the interests of society is still illegal. The ends do not justify the means. The key point is that the change was indeed forced upon the retailers because they were denied the right to choose a competing supplier, a right that was illegally removed through collusion.

    24. Re:Down the rabbit hole by plover · · Score: 3, Insightful

      The problem is that the shitty new card readers aren't secure either, because here in the USA we are chip and sign and not chip and PIN. All the same attacks against a stolen card will still work.

      Federal law caps your liability at $50, but under the current PCI liability rules if your chip card is stolen and misused your bank is 100% liable for the fraud, because they could have put a PIN on the card but didn't. Neither you nor the retailer is responsible for a dime of the loss.

      The chip has all the anti-skimming technology, regardless of whether it requires PIN or signature authentication, and both are equally excellent at preventing cloning full card data.

      What all cards (both chip and mag stripe) still suffer from is the ability to steal the PAN and use it for online fraud. Mag stripes have the worst security, and are almost as easy to clone as pushing the green button on a copier machine. Europe's experience has proven that the effect of chips was to move the fraud online. But eliminating mag stripes is the next step in securing credit. None of the other measures can have much of a beneficial effect on security until that weakest link is removed.

      And if chip and signature bothers you that much, nothing is stopping you from applying for a MasterCard from a bank that requires PIN authentication. Your current bank may not offer one, but some of the major retail banks do. Take action instead of whining.

      --
      John
    25. Re: Down the rabbit hole by Chrontius · · Score: 1

      Yeah, and EMV actually has inadequate protection against cloning, because it has inadequate standards for the use of the chip [arxiv.org], and “some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply” the nonce for the transaction. That does require a compromised reader, but you don’t have to compromise the reader itself, only its communications channel. This can often be done from outside a building.

      And if you don’t trust your logistics chain - PS, you shouldn’t - you might crack open a terminal and find a burner cellphone inside that’s MitMing every single credit card transaction.

      It’s not a new thing, Schneier wrote this in 2010.

      With an electronic sticker, you can intercept the command from the EMV card saying the PIN is wrong, and re-write the acceptance command. Alas, the PIN confirmation isn’t encrypted.

      Another good walkthrough of what’s become known as a “wedge attack”.
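The concern quoted above, terminals that fill the EMV Unpredictable Number (tag 9F37, 4 bytes) from counters or timestamps, is something a merchant or acquirer can look for in their own transaction logs. The Python below is an added example, not part of this thread or of any EMV vendor's code; the function name, the thresholds and the sample records are constructed for illustration.

```python
import hashlib
from collections import Counter

MASK32 = 0xFFFFFFFF


def assess_unpredictable_numbers(records, min_samples=16):
    """Audit the 9F37 values one terminal sent, in transaction order.

    records: list of (unix_time, un_hex) tuples for a single terminal.
    Returns a sorted list of finding labels; [] means nothing suspicious.
    Thresholds (80 % agreement, 8 stuck bits) are assumptions for this example.
    """
    if len(records) < min_samples:
        return ["insufficient-samples"]
    times = [t for t, _ in records]
    uns = [int(h, 16) & MASK32 for _, h in records]
    findings = set()

    # 1. Counter: most consecutive differences (mod 2^32) are the same step.
    deltas = Counter((b - a) & MASK32 for a, b in zip(uns, uns[1:]))
    if deltas.most_common(1)[0][1] >= 0.8 * (len(uns) - 1):
        findings.add("counter-like")

    # 2. Clock-derived: UN minus the transaction time is (nearly) constant.
    offsets = Counter((u - t) & MASK32 for u, t in zip(uns, times))
    if offsets.most_common(1)[0][1] >= 0.8 * len(uns):
        findings.add("timestamp-derived")

    # 3. Stuck bits: bit positions that never change across all samples.
    #    For a sound RNG each bit is constant with probability 2^(1-n).
    always_one, always_zero = MASK32, MASK32
    for u in uns:
        always_one &= u
        always_zero &= ~u & MASK32
    if bin(always_one | always_zero).count("1") >= 8:
        findings.add("stuck-bits")

    # 4. Repeats: a duplicate among a few dozen 32-bit values is a red flag.
    if len(set(uns)) < len(uns):
        findings.add("repeated-value")

    return sorted(findings)


def _sample_times(n, base=1475000000):
    """Constructed, irregularly spaced transaction times."""
    times, t = [], base
    for i in range(n):
        t += (i * i * 7 % 113) + 5
        times.append(t)
    return times


def sample_counter_terminal(n=24):
    """Constructed log: UN is a counter starting at 0x0A000000."""
    return [(t, f"{0x0A000000 + i:08X}") for i, t in enumerate(_sample_times(n))]


def sample_clock_terminal(n=24):
    """Constructed log: UN is simply the transaction's Unix time."""
    return [(t, f"{t & MASK32:08X}") for t in _sample_times(n)]


def sample_healthy_terminal(n=24):
    """Constructed log: UN taken from a hash, standing in for a sound RNG."""
    out = []
    for i, t in enumerate(_sample_times(n)):
        digest = hashlib.sha256(b"constructed-sample" + i.to_bytes(4, "big")).digest()
        out.append((t, digest[:4].hex().upper()))
    return out


if __name__ == "__main__":
    for name, log in [("counter", sample_counter_terminal()),
                      ("clock", sample_clock_terminal()),
                      ("healthy", sample_healthy_terminal())]:
        print(name, assess_unpredictable_numbers(log))
```

A clean result over a few dozen transactions does not prove the generator is sound; it only rules out the crude patterns named in the quote.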

    26. Re:Down the rabbit hole by davester666 · · Score: 1

      Actually, most/many of them have. But the problem is, that the 'big four' ALSO require that each retailer's system be certified/tested to be compliant with whatever protocol in order to transfer liability off the retailer to the bank/credit card company. And, for some reason, many of these companies can't even get a date from the big four as to when they MIGHT be able to start the process of being certified compliant. In the meantime, the retailer is responsible for all fraud...

      --
      Sleep your way to a whiter smile...date a dentist!
    27. Re:Down the rabbit hole by dwillden · · Score: 1

      Yet most merchants waited until the last second to install the readers. So who was at fault for the delays? I saw some proactive merchants install chip capable readers in 2014, but most stuck with swipe only readers until just before the deadline, then rushed to install all the new readers. Had they not all waited until the last second there would not have been such a back-up. Plenty of advance notice was given. The tech was not new or novel, it's been in use in Europe for years, the merchants just tried to delay until the last second and then surprise there were delays due to the sudden rush.

      This suit has no merit. The retail industry was not willingly moving to the more secure tech as had been done in Europe, so the CC companies who bear the brunt of fraud costs forced the move. If they had not we'd still be years from full deployment and acceptance. We're still a ways from that as I see one of my CC's and my Debit card are still not chipped and they were both replaced after the Oct 2015 deadline.

      --
      I'm too lazy to compose a creative sig.
    28. Re:Down the rabbit hole by swalve · · Score: 1

      It's probably for an external pin pad.

    29. Re:Down the rabbit hole by peragrin · · Score: 1

      The hardware wasn't available until the last minute for most places anyways. I didn't get my American Express chip card until June of 2016, I didn't get my Visa chip card issued by my bank until May of 2016.

      The hardware often failed and had to be replaced at the merchant's expense several times. From just a terminal side of things the hardware roll out was a mess.

      Lastly I know at work we were not told of the roll out until 6 months before the deadline. Never knew it was coming or what we would have to do to be acceptable. For us we ended up ditching the card readers altogether and just process all credit cards through an internet processor. It was lower fee, and works better for our business anyways since we often have to store credit card data for repeated transactions.

      --
      i thought once I was found, but it was only a dream.
    30. Re:Down the rabbit hole by ThatsNotPudding · · Score: 1

      I saw a mag stripe machine, and if I did see one, I would pay cash.

      Until that is phased out for being 'too expensive', meaning 'impossible to real-time track everyone using cash'.

    31. Re:Down the rabbit hole by DRJlaw · · Score: 2

      If your business' payment-system implementation is relatively simple with few or no customizations, then most of the Level 3 certification may not apply to your business. This includes simple implementations like single terminals, as well as specific, pre-made software packages that are certified to handle EMV transactions without heavy customization.

      So for small places there is no onsite certification. For some larger, and especially for the ones that do customizations there is a requirement for the site-certification.

      I must have missed the official announcement that "most" actually means "all."

      "No onsite certification" is bunk. There is a suite of scripts that have to be run at each deployment to check for functionality and security. The Intuit material also says:

      Level 3 is an end-to-end certification conducted between the merchant and the brand, with checks made with your processor, acquirer and any ISV(s) you are working with. It checks the integrity of the payment chain by testing every type of possible transaction that the terminal can do.

      Depending on the types of transactions and CVMs you want to process, you could be looking at upwards of a few hundred tests, especially if you accept all four brands.

      The problem is that EMVCo has been riding the "too many businesses waited to schedule certification until the deadline" excuse for more than a year -- as if that wasn't entirely predictable from the start. EMVCo is also owned by Mastercard and VISA (and JCB), which don't exactly have a lot of incentive to speed up the certification process now that transaction liability can be shifted to the retailers (they're not banks, but the banks are their largest and highest volume customers). They've cut down the number of testing scripts required and changed the rules to prevent chargebacks for low dollar transactions ($25), but otherwise haven't addressed the delays and their backlog of certification work.

    32. Re:Down the rabbit hole by bluefoxlucid · · Score: 1

      It's not an illegal trust action unless it abuses power. They have to use one monopoly to move into a new market, or they have to collude to enforce something like price fixing or some other profitable behavior.

      Take price fixing, for example. If three manufacturers make a widget for $15 and try to sell it for $75, they can price war with each other until it's a $20 widget. If they all collude to sell for $75, they might not get a competitive edge; but they do get $55 more per unit, which is way more than getting three times as much business at $5 per unit ($55 is more than $15).

      In this case, they've agreed on a processing and operating standard. This is similar to agreeing on the standard behind Wifi, or all agreeing to use USB-C instead of Mini-USB to charge cell phones. Someone else actually sells the terminals, which avoids the conflict of interest: the upgrade cost isn't part of the card companies' revenue stream.

      So the companies have all standardized on a technology (chip-and-pin, NFC) and a security standard. Cryptographically-secure identifying transactions ensure the cardholder is physically present at POS, unless his card was stolen; magnetic stripes are vulnerable to card cloning and thus more-frequently allow fraudulent purchases. Retailers engaging in insecure practices are responsible for the consequences.

      The card companies all adopted this standard at the same date. That means none of them is allowed to hang back and reap further profits by allowing the consumer to face a greater risk of credit card fraud. They protect the consumer from this fraud, and in doing so they reduce their costs from that fraud; this allows them to operate with lower fees (read: they don't have to raise processing fees as quickly--they might lower, or they might end up 0.3% higher rather than 0.8% higher 5 years from now), ultimately lowering the price of products (which factors in credit card processing fees) and maximizing the consumer's buying power.

      None of this abuses the consumer or the retailer: the retailer is free to use an old, insecure standard, if they're willing to accept the costs that standard imposes (cost of fraud). Likewise, it doesn't drive a revenue stream to the credit card companies: they don't sell (or don't exclusively sell) processing terminals. There's not much ground for an anti-trust suit here.

    33. Re:Down the rabbit hole by bluefoxlucid · · Score: 1

      The chip contains an encryption key signed and certified by the bank. During processing, a challenge is sent to electronic circuitry on the card, and it uses the encryption key to create a digital signature and provide a response. That key is non-recoverable, unless they use a weak encryption standard (some early cards did).

      It has to actually identify itself in a mathematically-meaningful way; it's basically PGP.

    34. Re:Down the rabbit hole by CrimsonAvenger · · Score: 1

      As long as we have that "legal tender for all debts, public and private" thing on our currency, that's not really an option....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    35. Re:Down the rabbit hole by drinkypoo · · Score: 1

      Your current bank may not offer one, but some of the major retail banks do.

      Your solution is to ditch my credit union, which puts money into my community, and switch to a major bank, one of the organizations responsible for the current economic and housing crises? Fuck you.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    36. Re:Down the rabbit hole by DontTrustWhatIType · · Score: 1

      But the benefit is not so clear. There is no evidence that the embedded chips have increased security wholesale "in the wild". The sum of all evidence so far (but not yet published) suggests that it's a wash. If there is an effect size, it's almost certainly going to be small. Moreover, notable experts in the field were skeptical of the claims and it was (and continues to be) largely those with conflict of interest who prance around saying that the chips will save the world (*cough* chip manufacturers, card makers, and dumbass CIO/CISO's who drank the Kool-Aid and now need to cover their asses... *cough* *cough*).

      Regardless of whether there is a (small) security benefit or not, the chip has added a significant burden to businesses and consumers, adding an average (again, not fully publish ready) of about 15-20 seconds per transaction. Let's assume that part of this added time is because people have not done the song and dance 100,000 times on average like we've learned to do with swipe (this seems unlikely, since there is a rapid drop in time the first 30 or so times someone uses them and then a plateau, for which we can control), and let's assume it's only 7 seconds. If it were 7 seconds for a lot more security, go for it! But at 7 seconds (go ahead and count them out as you pretend to impatiently wait for the person in front of you to finish) for statistically insignificant changes across a few million transactions -- that's bad all around. The added time means you have to have more cashiers on hand, your customers are less happy, and you lose some amount of business.

      If these numbers pan out, I'm guessing that the CC companies will want to do something about it, because they do make more with higher numbers of transactions. Unfortunately, they just rammed something down the throats of a few million merchants, so they can't do that level of change again anytime soon. Which means that I silently want to smash that new card reader into the CC companies' CIOs every time I'm asked to stick it in and wait for the *beerp berrp beerp* sound telling me it's finally over.

    37. Re:Down the rabbit hole by plover · · Score: 1

      I was assuming you were at one of the Evil Corp megabanks already, because none of them support PIN. I got my PIN based card through a retailer.

      Since you have a nice credit union already, ask them to add PIN to their cards. Or don't, and don't worry about what happens if the card is stolen.

      --
      John
    38. Re:Down the rabbit hole by lsatenstein · · Score: 1

      Chip readers have been the norm in Canada since 2005. There was a transition period allowed to accommodate card holders with cards that had only the mag stripe. Even today, if there is a problem for the reader to interpret the chip, the customer can swipe the card as the CC comes with both chip and mag stripe.

      The requirement to upgrade should have in part been financed by the CC companies. Using the chip as a standard cuts losses substantially. And with the cut in losses, it would cover the shared price of readers.

      Some CC companies rent out the reader at around $10/mo.

      --
      Leslie Satenstein Montreal Quebec Canada
    39. Re: Down the rabbit hole by Grishnakh · · Score: 1

      They can only use equipment and solutions that are actually available on the market. Merchants don't have the ability to make their own card-readers and make them conform to standards, just like you're unlikely to be able to build your own car that meets all emissions and crash-safety standards. If driving on public roads suddenly requires having new cars that meet certain standards, and you have 6 months to upgrade, but there's no carmakers actually selling these cars, what do you do?

      It looks like they found a solution anyway: ditch the card reader and use an internet payment processor like Stripe.

    40. Re: Down the rabbit hole by rickb928 · · Score: 1

      Where I work, an unrecognized (uncertified) terminal will not receive responses. It will receive error messages.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    41. Re:Down the rabbit hole by Grishnakh · · Score: 1

      It's just a sign of the times in America. We simply can't get anything done any more, unless it only involves a single company. If it involves regulation at all, forget it, it just won't get done or it'll be completely broken.

    42. Re:Down the rabbit hole by Grishnakh · · Score: 1

      It's probably not a big problem in Japan because people there actually care about their society. Consequently, you don't see a lot of stuff there like littering, cutting in line, etc. Even the mobsters have a sense of serving their community.

    43. Re:Down the rabbit hole by Grishnakh · · Score: 1

      What makes you think that'll always be there? It only takes a small change to the printing presses to fix that, or they could just shut down the presses altogether and pass a law requiring all transactions to be electronic.

    44. Re:Down the rabbit hole by Grishnakh · · Score: 1

      Ridiculous. There's nothing in the Constitution that I know of that says anything about that, so there's nothing stopping Congress from passing laws making the use of cash more difficult or even illegal.

    45. Re:Down the rabbit hole by youngone · · Score: 1
      We have been messing with our cash for as long as I can remember. Inflation took away the usefulness of 1, 2, 5 and 10 cent coins, (they have been removed from circulation) and our 1 and 2 dollar notes have been coins for (can't remember) maybe 15 years.

      Our notes are plastic so they last longer, and have got smaller too.

      I guess cash is expensive.

    46. Re:Down the rabbit hole by cwsumner · · Score: 1

      Not only do the retailers have to pay full price for the terminals, the new terminals do not all have the software drivers to handle chipcards (even now)!

      But it is not just the cost of the terminals, but that the agreement for the old terminals was changed.

      I'm with you: Sell new terminals at the option of the buyer, buyer should pay. But mandate new terminals, then the provider should pay!

    47. Re:Down the rabbit hole by Hognoxious · · Score: 1

      The American people would never stand for such a violation of our fundamental hey, didn't she used to be Honey Boo Boo? What a pig! Get me a Bud while you're up.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  2. Retailers are holding us in the stone age by Anonymous Coward · · Score: 5, Insightful

    They're just not happy about the liability shift strong-arming them into this. But honestly? They SHOULD be liable when they're the roadblocks preventing customers from having good security. They're dragging their feet on this because it's an externality--they don't care if their customers get screwed, as can be seen with, e.g. the Target hack, but they do see a cost for newer, more secure equipment.

    And I can tell you right now that they won't make proper upgrades unless someone holds a gun to their heads.

    1. Re:Retailers are holding us in the stone age by Mitreya · · Score: 2

      They SHOULD be liable when they're the roadblocks preventing customers from having good security.

      Bah, security of the credit card itself was never an issue because customer is not liable anyway

      If credit cards issuers stopped granting credit based on address+birthday+SSN, that would be a bigger improvement.

      I'd much rather my credit card number leaked compared to hack losing address/SSN info. Credit card can be blocked and re-issued. Address/SSN info, not so much.

    2. Re:Retailers are holding us in the stone age by Pinky's+Brain · · Score: 1

      The problem from the credit card company PoV was that if they were the only one to implement the liability measure the shops would simply start refusing their cards and the competitors would get their customers.

    3. Re:Retailers are holding us in the stone age by Anonymous Coward · · Score: 1

      Re: "Bah, security of the credit card itself was never an issue because customer is not liable anyway"

      Way to go! With one statement you missed the point of the OP, which isn't about the customers. It's about the vendors and the credit card companies. You also personalized the story, when the story is actually about mass fraud and card skimming. That fraud adds up and, though not normally visible to the consumer, I'll bet a week's pay that the consumer ultimately is paying for it. The CC companies will simply boost the interest rates they charge, or the fees, or whatever.

      Chip and PIN works. Wherever implemented, CC skimming rates go to zero, or near enough to zero that it amounts to the same thing. And while chip cloning is technically possible, the barriers remain sufficiently high that it's a non-issue in the wild.

    4. Re:Retailers are holding us in the stone age by taustin · · Score: 4, Informative

      They're just not happy about the liability shift strong-arming them into this. But honestly? They SHOULD be liable when they're the roadblocks preventing customers from having good security. They're dragging their feet on this because it's an externality--they don't care if their customers get screwed, as can be seen with, e.g. the Target hack, but they do see a cost for newer, more secure equipment.

      EMV has nothing to do with protecting consumers, and has zero effect on security for the consumer. Steal the card, and you can use it, same as before (since it's almost entirely chip & signature rather than chip & PIN). The consumer isn't protected by the technology, the consumer is protected by the law, with a $50 limit on liability on a stolen card.

      EMV is about protecting the banks and processing companies, who have nearly all the liability for fraud, and secondarily protecting merchants, because when fully implemented, EMV with P2P encryption means the merchant never sees the card info at all, and has nothing on their network to steal. All the worst breaches in recent years have been of retailers' networks, stealing millions (or 100 million+) card numbers at a time. And if the retailer is PCI compliant (as Target was, apparently), the banks eat the loss. EMV/P2P encryption eliminates that vector. That is the point of it.

      And the upgrade is very, very much in the merchants' best interests because of that.

    5. Re:Retailers are holding us in the stone age by taustin · · Score: 1

      Chip and PIN works.

      Pity virtually no US chip cards are chip and PIN.

    6. Re:Retailers are holding us in the stone age by orlanz · · Score: 2

      ..That fraud adds up and, though not normally visible to the consumer,..

      Yeah, it adds up to about 1 in 1000 transactions and about $7 in $10,000 of credit spend. THAT's why it is normally not visible to the consumer.

      Other fraud & costs that consumers pay for:
      Theft by Employee > 0.5% of sales
      Shoplifting > 0.5% of sales
      Spoilage Losses > 8%

      So in comparison... we are wasting a lot of money on this whole PIN & Chip crap. If it stopped 1/1000 fraud transactions, but due to the added inconvenience we lose 1/100 transactions... it's basically a net loss even without the infrastructure sunk costs.

    7. Re:Retailers are holding us in the stone age by tipo159 · · Score: 1

      Chip and PIN works.

      Pity virtually no US chip cards are chip and PIN.

      This is what the US card issuers should be sued for. How is Chip-and-Sign any more secure than mag strips?

      Is this yet another way that the powers-that-be discourage Americans from international travel so that they can't see that much of the rest of the world has the same freedoms that America has?

    8. Re:Retailers are holding us in the stone age by marka63 · · Score: 1

      I don't know about you, but I hate it when I'm forced to change credit card numbers due to fraud being detected on the old number.

      Getting to the state where cards can't be skimmed is a good thing for consumers. It should also reduce the costs of goods marginally where there are only card present sales as the merchant fees should be reduced.

      You can't get to a state where cards can't be skimmed until all the point of sale equipment has been upgraded to support chips. This takes time and the US is at the end of the line in doing this.

    9. Re:Retailers are holding us in the stone age by swalve · · Score: 1

      In some comment above it is shown that chip and pin can be defeated with a simple sticker. So stop.

    10. Re:Retailers are holding us in the stone age by mjwx · · Score: 1, Informative

      EMV has nothing to do with protecting consumers, and has zero effect on security for the consumer. Steal the card, and you can use it, same as before (since it's almost entirely chip & signature rather than chip & PIN)

      I can't believe you wrote that entire post just to say "I know nothing about EMV".

      EMV was never designed to protect against fraudulent transactions or to block stolen cards, it was designed to protect against card cloning. In this endeavour it has been hugely successful. Whilst you can clone EMV cards, it's such a PITA that no-one bothers.

      Now the real defence that is stopping stolen cards that is going along with EMV is the elimination of signatures for purchases. This is because signatures are easily faked (including removing the old signature and putting your own on, which is pretty redundant as no-one checks it anyway). You can't sign for a purchase any more and enforcing this means getting rid of the old terminals which would ask for a signature.

      EMV is about protecting the banks and processing companies,

      Again, you're wrong.

      EMV terminals push the liability onto the banks and processors, non EMV terminals push the liability onto the merchant. So if a merchant using an EMV terminal has a fraudulent transaction, they're covered and the cost is worn by the bank or processor.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    11. Re:Retailers are holding us in the stone age by taustin · · Score: 1

      Chip and PIN works.

      Pity virtually no US chip cards are chip and PIN.

      This is what the US card issuers should be sued for. How is Chip-and-Sign any more secure than mag strips?

      EMV has nothing to do with security at point of purchase. EMV is the first step to point-to-point encryption (which is available on many systems now), which eliminates breaking into Target's network and stealing 100 million+ card numbers at the same time.

      Is this yet another way that the powers-that-be discourage Americans from international travel so that they can't see that much of the rest of the world has the same freedoms that America has?

      A week ago today, I was in Iceland, mostly using my magnetic strip card for everything. I had zero trouble doing so. The only minor issue was that you can only buy fuel for your car with a card that has a PIN, and their system does weird-ass things with authorizations on ATM cards. But I had no trouble buying a gas card with my mag strip card. I just had to walk inside to do so. Big deal.

    12. Re:Retailers are holding us in the stone age by taustin · · Score: 1

      I can't believe you wrote that entire post just to say "I know nothing about EMV".

      That says more about you than it does about me, or EMV.

      Now the real defence that is stopping stolen cards that is going along with EMV is the elimination of signatures for purchases. This is because signatures are easily faked (including removing the old signature and putting your own on, which is pretty redundant as no-one checks it anyway). You can't sign for a purchase any more and enforcing this means getting rid of the old terminals which would ask for a signature.

      With chip & PIN, perhaps, but since virtually no credit cards in the US are chip & PIN, you have no idea what you're talking about. My employer had gotten to where we didn't need a signature on small transactions. With the implementation of EMV, since most cards are chip & signature, we now must get a signature on all transactions again, even for less than a dollar. That'll change, but you clearly have no idea what you're talking about.

  3. Not Sure if... by jittles · · Score: 5, Insightful

    I'm not sure if I have any sympathy for these retailers. The card industry did not force them to accept chip transactions, they forced them to accept liability if they refused to accept chip transactions. You can still, to this day, accept magnetic stripe data instead of chip data. You can also choose to take cash at any time. They also gave the warning more than a year in advance and even basically extended the deadline past October 2015.

    Disclosure: I do make money off the chip card transition. However, I make money off of magnetic stripe implementations also.

    1. Re:Not Sure if... by Anonymous Coward · · Score: 1

      In other words it was a conspiracy.

    2. Re:Not Sure if... by cayenne8 · · Score: 4, Interesting
      I hate the fucking chip things....

      I keep almost leaving my fucking card in the slot and walking away.

      With no PIN, I can't see how it is really any safer to me.

      And these days, half the time I get it wrong, if I plug it in, they say "no..still need to swipe", or vice versa.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    3. Re:Not Sure if... by markdavis · · Score: 5, Insightful

      I would +1 you if I had points.

      The chip thing is a disaster as far as I am concerned:

      * It is slow as molasses. Just unreal!
      * It encourages you to forget your card.
      * The other day it took 5 MINUTES for it to finally work at a store, the stupid contacts on my card are already corroded and the card is only 4 months old. Guess what, if it doesn't read, they wouldn't allow me any other way to use the card (key it in or swipe it). So it is NOT RELIABLE.
      * There is still no PIN, so it doesn't prevent anyone from picking up my card and using it.
      * It doesn't protect anything with online purchases.

      Fail for consumers
      Fail for stores
      Fail for security
      Fail for convenience
      Fail for economy

      *FAIL*

    4. Re:Not Sure if... by Anonymous Coward · · Score: 1

      It prevents the mag stripe reader from keeping a copy of your card. Michaels, Home Depot, and Target were all hacked and the data on mag stripe were used in fraud. I believe 2 of those companies kept that data, the other got the readers hacked. A chip card in the same circumstances would be immune, they wouldn't be able to clone the card, PIN or no PIN.

      I can't help you forgetting your card, but most of them have an annoying beep to remind you.

      As for the slowness, there is no reason it has to be. The code the merchants are using is written poorly trying every possible program on the card. If they could agree to use just 1 and all implement it, the reader would be nearly as fast as mag stripe.

      Not telling you chips are better, just trying to let you know it stops a specific type of fraud and doesn't have to be as bad as it currently is.

    5. Re: Not Sure if... by Anonymous Coward · · Score: 3, Informative

      Maybe this is an American problem, who knows. In Canada, we have been using Chip and Pin exclusively for 5 years now. No swipe. We have even moved past chip and pin to a new technology called Tap, where we can just tap our card on the reader for any purchase under $50, or $75 at gas stations and grocery stores.

      Both are safer because they use rolling codes built into the chip. If someone skims your card the data they get is only valid for a few minutes after it's used.

      You get used to it. You don't forget your card. Time to join the modern era America.

    6. Re:Not Sure if... by xevioso · · Score: 1

      At least we aren't upside down, our toilet water circulates in the correct fashion when flushed, and we drive on the correct side of the road...

    7. Re: Not Sure if... by Opportunist · · Score: 4, Informative

      Europe here, same deal. I can't remember when I actually used that magstrip of my card outside of the US. Even third world countries have had chip readers in operation for years now, only in the US this seems to be a huge issue.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:Not Sure if... by ArylAkamov · · Score: 1

      It is slow as molasses. Just unreal!

      This is the biggest annoyance for me. It took a few seconds before, now it takes anywhere from 20 to 30 seconds for it to process. Might be because I'm in a small town in the US, I've heard the equivalent over in the UK is just as fast.

    9. Re:Not Sure if... by ADRA · · Score: 1

      From a Canadian, you'll get used to it.. eventually.

      I'd say the lack of PIN requirement was your country's fuck up, but *shrugs*.

      Slowness depends entirely on your retailer's merchant broker. Some big box companies (like Walmart Canada) have responses back within a second or two. Others require a frigging dial-up connection before issuing the chip challenge. Ultimately, if you're sick of waiting, poorly performing retailers will suffer and you'll visit their services less. The better responding retailers will actually spend some money to make sure your experience is good.

      I have had my card defrauded a couple times (once from card stolen, once from the card numbers being copied for online purchases). Both times, I've had literally 0 problems challenging and refunding the expenses. Almost 100% of the bad charges were made in the US, so it leads me to believe there's a lot of credit fraud happening there (at least when my cards were stolen).

      --
      Bye!
    10. Re:Not Sure if... by houghi · · Score: 2, Insightful

      The only fail I agree with is that you do not use your PIN.

      It takes about 15 seconds for the payment. Due to postings here, I have tested it and also looked at other people trying it out.
      I have NEVER forgotten my card, ever. I put it in, type my PIN and take it out while I have my wallet in my other hand. Almost everybody does it like that. Why would you NOT take it out again.
      Corroded card? I have been using these cards for I do not know how long. Never had that issue. It does happen that sometimes the card or the reader fails. However when you see how many million of transactions fail, this is a minute amount and the magnetic strip fails more than the chip percentage wise. It is just not used that much any more in Europe.

      It was not intended for online purchase security. You could even claim that it does not help open a beer and even if true, it is not relevant.

      So I agree with the PIN part, the rest are apparently issues that have to do with the Imperial system as the rest of the world does not have an issue with it and many have moved on to even more modern things, like wireless payments for smaller amounts.

      So yes, we get it: people do not like change. It happened when people were forced to go from Win3.1 to Win95. It happens all the time when things change. I know people moaned when HD was deemed stoopid for TV. It is happening now all over again. People do not like change.

      There is also a reason that many banks in Europe block the cards for the USofA and you have to ask them to activate it. If that is the case, how bad is the issue in the US you think? Or do you think that walking around the city and throwing in windows is good for the economy, because the window makers are making more money?

      --
      Don't fight for your country, if your country does not fight for you.
    11. Re:Not Sure if... by Vadim+Makarov · · Score: 1

      Don't get me started on the toilet water. We run a data collection, and it failed to remove the shit 4 times out of 102. That's in our rental house in Canada, though.

      --
      17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
    12. Re:Not Sure if... by taustin · · Score: 1

      I hate the fucking chip things....

      I keep almost leaving my fucking card in the slot and walking away.

      That says far more about you than it does about chip cards.

      With no PIN, I can't see how it is really any safer to me.

      It's not intended to be. It's safer for the banks, and indirectly, for the merchants. You're not protected by the technology, you're protected by the law.

    13. Re:Not Sure if... by PrimaryConsult · · Score: 1

      If you're a small business you could go back to cash only. Usually I pay cash at small businesses anyway since I know the 3% card fee is more painful to them than it is to McDonald's or Home Depot...

    14. Re:Not Sure if... by houghi · · Score: 1

      Read here on /. that it is because instead of just using only the standard check that does it all, they load in every check available. So basically it needs to do the same check 50 times.

      The data is not that much different than what is sent when you do a swipe. Even with the PIN there is not that much extra that is being sent. And it does not matter that I do a payment in Belgium or in Spain or anywhere else in the world. The speed is about the same.

      I live in Belgium and I did a wireless payment in Spain. That basically means tapping the card on the reader and not entering your PIN and I could walk away in seconds. Adding the entering of the card and pressing the pin might add 10 seconds or so.

      It is crazy that this worked with cards I had in Belgium from an American Bank and that people I know that have US cards with chip and use them in Belgium do not have the same problem here.

      So the knowledge is available and has been used worldwide. The problem detection has been done a LOT already and beta testing has been concluded in the rest of the world for decades and the US is STILL able to fuck it up?

      And yes, there are smaller towns in poorer countries that are more remote than where you live where it works better.

      --
      Don't fight for your country, if your country does not fight for you.
    15. Re:Not Sure if... by houghi · · Score: 1

      Yeah, but the amount of water you need to do that is INSANE.

      --
      Don't fight for your country, if your country does not fight for you.
    16. Re:Not Sure if... by jezwel · · Score: 1

      The US version is a failure, due to the implementation requirements causing significant increases in processing the transaction. It's been detailed somewhere here before already in a previous story.
      Every other country I've been to where you can use chip & pin (even tap & pin), will have the transaction completed in 5 to 15 seconds.

    17. Re: Not Sure if... by maliqua · · Score: 2

      Time to join the modern era America.

      You're talking about the country that still fears the metric system

    18. Re: Not Sure if... by SvnLyrBrto · · Score: 1

      The difference is that there are actually benefits to the metric system, which is superior to imperial measurements in every way except perhaps for using Celsius in weather reports instead of Fahrenheit. Yeah, I know the freezing and boiling points of water make a lot of sense from a scientific point of view. But for the weather: 0 degrees being a horribly bone-chillingly frigid day, 100 degrees being an insanely and sweltering scorchingly hot day, and 50 degrees being a nice and normal comfortably mild day, does make a decent amount of sense IMO. Pounds, feet, quarts, and the like though, I'd happily say good riddance.

      The chip cards, OTOH, provide me with zero benefits without the PIN. And even with the PIN, the benefits would be minimal. And they waste a ridiculous amount of my time vs. swiping the mag stripe. So, I still maintain that they are an epic fail.

      --
      Imagine all the people...
    19. Re:Not Sure if... by jittles · · Score: 1

      I would +1 you if I had points.

      The chip thing is a disaster as far as I am concerned:

      * It is slow as molasses. Just unreal!

      That's an implementation problem - one I see all the time. This has to do with the way they set up their AID Candidate list, most likely. An EMV transaction should take 1-2 seconds.

      * It encourages you to forget your card.
      * The other day it took 5 MINUTES for it to finally work at a store, the stupid contacts on my card are already corroded and the card is only 4 months old. Guess what, if it doesn't read, they wouldn't allow me any other way to use the card (key it in or swipe it). So it is NOT RELIABLE.

      The US region still has what they call technical fallback. They're not supposed to decline to accept your card if it fails to read 3 times then they are supposed to proceed with it as magnetic stripe. There is no fraud liability shift in this case, at least for now.

      * There is still no PIN, so it doesn't prevent anyone from picking up my card and using it.

      It protects your card from cloning, which is the most common type of card fraud in the US

      * It doesn't protect anything with online purchases.

      None of the current card technologies protect against Card Not Present transactions

      Fail for consumers
      Fail for stores
      Fail for security
      Fail for convenience
      Fail for economy

      *FAIL*

      I don't personally see any failure except in the development teams that do not know how to properly implement EMV.

    20. Re:Not Sure if... by markdavis · · Score: 2, Informative

      >The only fail I agree with is that you do not use your PIN.

      We don't HAVE a PIN, so there is nothing we can choose to use or not use. There is no choice. No PIN.

      >It takes about 15 seconds for the payment. Due to postings here, I have tested it and also looked at other people trying it out.

      15 seconds is about 10 times longer than it used to take.

      >I have NEVER forgotten my card, ever. I put it in, type my PIN and take it out while I have my wallet in my other hand. Almost everybody does it like that. Why would you NOT take it out again.

      Because instead of swipe and put in wallet, which takes 1 second, you have to insert the card, wait for 15 to 30 seconds or longer, someone is distracting you, cashier asks questions, does something, hands receipt.... all the while, the card is still there saying "DO NOT REMOVE" and you don't notice when it says remove. Again, THERE IS NO PIN. There is no interaction with the system whatsoever after inserting the card. So it is easy to forget during that long delay.

      >Corroded card? I have been using these cards for I do not know how long. Never had that issue.

      That's great for you. But my card, which is stored only in a clean wallet, had fouled contacts in just 4 months. VISA card.

      >So yes, we get it: people do not like

      Don't be so condescending. I have no problem with change, I have problems with change that makes something WORSE than it was before- more annoying, less convenient, more time consuming, less reliable. And that is my experience with this so far.

    21. Re: Not Sure if... by nnull · · Score: 1

      It is mostly a US problem because it's been very poorly implemented in the United States. And since a lot of fraud is moving online, it does nothing to prevent that.

    22. Re:Not Sure if... by AmiMoJo · · Score: 1

      Hmm, maybe the system is different in the US, but in other countries it works really well and is faster than the old signature method.

      Because you insert the card and hold your hand by the terminal while you enter your PIN, it's almost impossible to forget to take your card. The old swipe way where you hand the card to the cashier was worse for that.

      Corroded contacts? Ew, your wallet must be soaked in sweat or something. I've never heard of that happening to anyone. Or maybe US banks are really cheap on the contact material and don't plate it for corrosion resistance.

      European cards often don't even work without the PIN. When I'm in Japan using a UK card it will sometimes pass for small amounts without the PIN, but signing isn't an option for anything over about 3000 yen (~$30).

      Maybe you should get your bank to issue a PIN number, might make the whole thing work better for you.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    23. Re:Not Sure if... by markdavis · · Score: 1

      I still don't think you understand...

      >Because you insert the card and hold your hand by the terminal while you enter your PIN, it's almost impossible to forget to take your card.

      I told you, we don't and can't have a PIN... so the way YOU use it doesn't apply here. We insert the card and just wait forever.

      >Corroded contacts? Ew, your wallet must be soaked in sweat or something.

      Nope, it is clean and dry and perfect. Perhaps the contaminants came from the card readers. I don't know.

      >Maybe you should get your bank to issue a PIN number, might make the whole thing work better for you.

      Terminals here don't work with a PIN, it is not an option. So requesting a PIN wouldn't help or change anything because I wouldn't be able to use it anywhere I shop.

    24. Re:Not Sure if... by mjwx · · Score: 1
      Having had an EMV capable card since 2007, you couldn't be more wrong. I've also installed these terminals as they were being rolled out in Australia from 2010 onwards.

      * It is slow as molasses. Just unreal!

      It's faster than swiping. The hold up is not with the reader, it's with the network. If your merchant has a slow link, any processing is going to be slow.

      * It encourages you to forget your card.

      Only if you're a forgetful idiot.

      The other day it took 5 MINUTES for it to finally work at a store,

      Again, this is due to a slow or unreliable link.

      * There is still no PIN,

      This is due to the implementation in your country, blame your banks or better yet, the technophobes and laggards that are holding you all in the dark ages.

      It doesn't protect anything with online purchases

      Because it's physical security, not online security. As physical security designed to prevent card cloning it has been extremely effective the world over.

      The only fail here is yours, you have to be a complete dolt to leave your card in a machine and walk away. This is a very rare occurrence in Europe, rare to the point of it being practically unheard of, every now and then old Ms Beryl from down the lane leaves it in the local Waitrose, but the staff just give the card back to her along with everything else she forgets on a regular basis the next time she pops by for some milk and jam (but I guess that kind of common sense is what you call European style Communism(TM) 'round your parts).

      However if you're that forgetful, just start using cash. It's faster (eliminating the slow link problems you're having) and you don't have to retrieve it from a machine where you forgot it. It also can't be stolen online.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    25. Re: Not Sure if... by cayenne8 · · Score: 1

      You're talking about the country that still fears the metric system

      No fear of it really...just no USE for it really.

      I mean, of most of the US citizenry, there is absolutely NO compelling reason to change. It would not benefit their lives, but it would prove to be a BIG PITA to have to learn everything...I know how to dress when it is 72F outside intuitively.

      Without googling it every time, I have no fucking idea how to dress for some random metric temp like 45C.

      I cook with cups, TBSP, etc...I can measure those without even needing a measuring vessel many times....

      So, for the general public, there is no compelling reason to change, but many reasons not to cause ourselves a couple of generations of hassle.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    26. Re:Not Sure if... by cayenne8 · · Score: 1

      I have NEVER forgotten my card, ever. I put it in, type my PIN and take it out while I have my wallet in my other hand. Almost everybody does it like that. Why would you NOT take it out again.

      That's not how it works here in the US.

      You plug the card in...no PIN required, BUT a message pops up on the screen and says "Please card in slot"...etc. The transaction takes much longer than a swipe does apparently. Well, during that time I'll often take my attention away from it to usually chat with the clerk, or line mates, etc.

      Anyway, after they finish ringing my stuff up, I often forget the fucking card is in the slot and walk out.

      In the past, I would pull card out while things were going on, swipe it and immediately put it back in my wallet and be done with it....

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    27. Re: Not Sure if... by fuzzywig · · Score: 1
      How long does it take for your chip+PIN transactions?
      Here in the UK, the person behind the counter says "that'll be £X please" and presses a button so the total appears on the reader (elapsed time, maybe half a second).

      You put the card in, wait about two seconds for it to be read, type in your PIN and press enter, then wait about another three to five seconds to verify. Then just take your card out and walk off.

      Admittedly it's been about 10-15 years since I last had to use the mag stripe, but I remember it taking much longer waiting for the receipt to print out, signing it, passing that back to the person behind the counter etc. etc.

    28. Re:Not Sure if... by markdavis · · Score: 1

      >The only fail here is yours, you have to be a complete dolt to leave your card in a machine and walk away. This is a very rare occurrence in Europe

      DUH!!! WE ARE NOT IN Europe. As I said in several replies now, there are NO PIN CODES HERE. So there is nothing to interact with on the terminal. You put in the card and wait forever, with nothing in between. If you can't realize there is a very different process without the PIN and how that plus the long delays can lead to forgetting the card, then you are the dolt, not me. (Plus I will say I have never left my card, I said I have almost done so a few times).

      The chip is NOT faster than a swipe. NO WAY. I used to swipe the card instantly and put it back in my wallet. Done. The fastest I have EVER seen the chip card operate before I had my card back in my wallet was about 6 seconds. Huge difference.

    29. Re: Not Sure if... by david_thornley · · Score: 1

      0 degrees being a horribly bone-chillingly frigid day

      Speaking as a Minnesotan - Wimp! I lost a lot of my cold resistance a few years back, but 0 still isn't that bad. You're saying that the Fahrenheit system suits your own temperature preferences more than Celsius. That isn't a really good argument for people living in areas that actually get cold or hot.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    30. Re:Not Sure if... by david_thornley · · Score: 1

      I've actually been at one US retailer that had chip and PIN enabled, and it took me a moment to remember which PIN it had. I don't remember it as being significantly faster than the agonizingly slow chip & signature.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    31. Re:Not Sure if... by david_thornley · · Score: 1

      It's faster than swiping. The hold up is not with the reader, it's with the network. If your merchant has a slow link, any processing is going to be slow.

      Dude, not all of us can live in a First World nation. Some of us are in the US. I don't know the technical details, but chip transactions are always far slower than magnetic swipes and require the card to be stuck in the reader the whole time. In a swipe transaction, I take the card from my wallet, swipe it, and put it back in my wallet. It is never out of both my hand and my wallet. The time needed to get the damn transaction to work is plenty enough for people to get distracted and forget their card is still there, particularly if they're not used to it yet. People talk about fast transactions if they live in fully developed countries, and that would help a lot with the problem.

      From my point of view, it doesn't matter if my bank sucks or somehow every retailer in the area has a slow unreliable internet connection (which I don't believe for a moment). Not being an insider, I can only report on my experience, which is that chip transactions suck.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    32. Re: Not Sure if... by DarkVader · · Score: 1

      It's about the same for the total to appear. Then you put in the card, wait 15-30 seconds, put in the PIN for debit cards, or hit enter for credit cards, then sign screen. Wait another random amount of time for it to verify (typically 5-30 seconds), then take card and walk off.

      With swipe, it's swipe card while cashier is still scanning, put card back in wallet. When cashier finishes, put in PIN or sign screen, and walk off.

      Yes, it's the terminal manufacturers' fault it's slower. But it's still MUCH slower.

      Oddly, Apple Pay is typically far faster if it's available, it's nearly instant.

    33. Re: Not Sure if... by DarkVader · · Score: 1

      I deal with both systems on a fairly regular basis, I'd prefer we just switch to metric so I can stop thinking in both, it's annoying.

      And at 45C, you don't dress for it, you stay inside where it's air conditioned. That's Phoenix in oven season hot. (Phoenix has four seasons; summer, oven, second summer, and slightly cooler).

    34. Re:Not Sure if... by DarkVader · · Score: 1

      That's for cars, 100LL is still available for airplanes.

    35. Re:Not Sure if... by houghi · · Score: 1

      I am talking 15 seconds for the whole transaction. That means taking out my wallet, taking the card, putting it in the slot, waiting for the beep, entering the code+ENTER, wait for the OK, take out my card, get the receipt, put the receipt and the card in my wallet and put away my wallet, so I can pick up my stuff.

      So with you the swipe will take 1 second, the entering, waiting, pin and taking is about 4-5 seconds. So still slower, but not by an amount that should bother anybody.

      I also have seen cards with borked magnetic strips, so there is that.

      So again: the real issue is that you did not adapt the PIN way.

      --
      Don't fight for your country, if your country does not fight for you.
    36. Re:Not Sure if... by markdavis · · Score: 1

      >So with you the swipe will take 1 second, the entering, waiting, pin and taking is about 4-5 seconds. So still slower, but not by an amount that should bother anybody.

      No.

      With me, like everyone else in the USA, there is NO PIN. So with swiping, it would be swipe card 1 second and put it in wallet, done. If the transaction is under some large dollar amount, there is no signing or anything either.

      With chips, it is insert the card, and now stand there waiting anywhere from 5 to 20 seconds for it to eventually finish so you can finally put it back in your wallet. Net effect is, it is now annoyingly slow- we went from nearly instant to standing there holding a wallet, waiting and waiting for it to tell us to take our card out.

      >I also have seen cards with borked magnetic strips, so there is that.

      Oh, that is true. But so far it seems those are at least as reliable, based on my limited time with chips.

      >So again: the real issue is that you did not adapt the PIN way.

      There is no PIN way, we don't have PINs. Has nothing to do with me adapting, it has to do with me standing there waiting 5 to 30 times longer than I used to before I can move on to my next task. If we did have PINs, at least there would be something to do in that time that justifies the inconvenience.

    37. Re: Not Sure if... by lars_stefan_axelsson · · Score: 1

      Yes, well, the European union economy is larger, and we have a couple hundred million more people (which means more CC interactions), and we managed. For quite some time now. So I don't know why that should be an excuse.

      --
      Stefan Axelsson
  4. Hope they get fined big for this by guruevi · · Score: 1, Interesting

    There is no reason to upgrade to chip cards except to benefit the card cartels. Forcing a small business owner to eat the fraudulent card charges is a big middle finger to these businesses, you can still fraudulently charge a chip card and the cost-benefit is just too insane for a business. Chip card transactions often not only cost more, but the readers and associated systems are a magnitude more expensive than their mag-stripe counterparts, for no good reason, I can get a Chinese chip card reader for $25, but the bank doesn't certify units under $250 and charge hefty monthly fees to use 'their' (same model) units.

    At least with a mag stripe, a developer could interface with a verifiable fully secure API, now you have to trust the banks and manufacturers not to screw with the system. To the strict letter, they can't even be considered PCI compliant because the owners have no control to change the passphrase or keys on them.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:Hope they get fined big for this by thegarbz · · Score: 1

      There is no reason to upgrade to chip cards except to benefit the card cartels.

      Yeah. There's also no reason to upgrade my 80s muscle car because it's only 1985. What it's not 1985? The rest of the world has adopted chip+pin for the added security? Some countries have outright banned swiping even as a fallback?

      We often joke about the USA being a backwards country, but we were only poking fun at you guys, we didn't mean it. You don't need to actually be backwards too.

    2. Re:Hope they get fined big for this by tlhIngan · · Score: 2

      There is no reason to upgrade to chip cards except to benefit the card cartels. Forcing a small business owner to eat the fraudulent card charges is a big middle finger to these businesses, you can still fraudulently charge a chip card and the cost-benefit is just too insane for a business. Chip card transactions often not only cost more, but the readers and associated systems are a magnitude more expensive than their mag-stripe counterparts, for no good reason, I can get a Chinese chip card reader for $25, but the bank doesn't certify units under $250 and charge hefty monthly fees to use 'their' (same model) units.

      At least with a mag stripe, a developer could interface with a verifiable fully secure API, now you have to trust the banks and manufacturers not to screw with the system. To the strict letter, they can't even be considered PCI compliant because the owners have no control to change the passphrase or keys on them.

      Newsflash - retailers always had to eat fraudulent charges. This is true with swipe, and even the imprint machines (which are still used).

      The chip machines shift the liability to whoever is least secure - if your bank still gave you a swipe card and the retailer can take chip, the liability shifts to the bank. If it is all the way, then liability shifts to the cardholder (for not protecting their card and PIN).

      And yes, the machines are more expensive, but not by much, because everyone by now has been making chip-enabled machines for years. Heck, I'd be surprised if 90% of the readers actually had chip support, but was disabled because the rest of the world used chip. (In Canada, this happened a few years before the chip migration - and yes, retailers had to swap their "chip capable" machines with the exact same model, because the old unit had the chip unit disabled).

      And yes, magstripe security. Yes, it was convenient to swipe at the POS and handle it all on one piece of paper. Unfortunately, Target, Home Depot, and dozens of other retailers have shown the folly of it. (Now the machines talk to the card machine and the amount is transmitted, and a success/failure is returned). The chip machines are a black box and communicate with the bank directly, so even stupid retailers can't be stupid anymore.

    3. Re:Hope they get fined big for this by spire3661 · · Score: 1

      Banking is based on trust, not absolute security. The Chip+PIN combo I have been subjected to is incredibly inconvenient only to push the liability to my side of the table. It is not any more secure. The only one benefiting from this whole thing is the credit card companies.

      --
      Good-bye
    4. Re:Hope they get fined big for this by citylivin · · Score: 1

      "There is no reason to upgrade to chip cards except to benefit the card cartels."

      Are you high? Chip and Pin, the standard for most of the world, works perfectly fine and the reason it is implemented is to protect the merchants! Right now if I go to USA and swipe my card, a fucking signature(!!!) is all the authentication that you need!

      This isn't the 1970s, my god. I couldn't even believe how much fraud I could have done with basically zero effort down there. I can't believe that there isn't massive credit card fraud in the USA. Sure, chip cards can be cloned and pins can be captured with hidden cameras, but that's orders of magnitude more effort than simply stealing someone's card number and faking their signature. It would be like vendors accepting personal cheques! Mag stripes are relics from a bygone age.

      And if you can't program for chip and pin cards, you need to refresh your skills. Every POS software I have worked with in the last 5 years at least, is chip and pin. You get around all PCI compliance issues because cc numbers are never stored or transmitted in plain text anything at any point. The pin authorizes the card at the pinpad and simply transmits a pass or fail to the bank, encrypted. The payment processor has an agent installed on the PC if they are integrated. Or so I understand, I just service them, not a programmer. But the systems are ubiquitous.

      --
      As a potential lottery winner, I totally support tax cuts for the wealthy
    5. Re:Hope they get fined big for this by amicusNYCL · · Score: 1

      There is no reason to upgrade to chip cards except to benefit the card cartels.

      Do you realize that most of the rest of the world, including places like Africa, Latin America, and the Caribbean, has been using this since 2005? Hell, France was doing it in 1992. The only reason the US switched at all is because credit card fraud had finally reached the tipping point around 2012 when banks finally figured out that it was going to be cheaper to switch everything than it would to cover the increasing cost of the fraud.

      Here you go:

      Most card fraud occurs in the United States. In fact, a 2015 research note from Barclays stated that the U.S. is responsible for 47 percent of the world’s card fraud despite only accounting for 24 percent of total worldwide card volume.

      The high level of debit and credit card fraud in the United States also impacts other countries. Among U.K.-issued cards in 2015, 35 percent of fraud-related losses occurred in the United States, compared to 10 percent in France and Australia, 9 percent in Canada and 6 percent in Germany.

      Cross-border fraud occurs when criminals use a consumer's credit or debit card data in one country to make fraudulent transactions in another country. In 2014, 47 percent of fraudulent cross-border transactions on U.K. credit cards took place in the United States.

      U.S. credit card fraud is on the rise, too. About 31.8 million U.S. consumers had their credit cards breached in 2014, more than three times the number affected in 2013.

      That fraud isn't cheap. Nearly 90 percent of card breach victims in 2014 received replacement credit cards, costing issuers as much as $12.75 per card.

      Most experts believe that the reason the U.S. has a disproportionately high amount of fraud is because it has been slow to adopt EMV, a global standard in which credit cards carry computer chips that cut down on counterfeiting by dynamically authenticating card transactions. Countries that have deployed EMV have enjoyed a decrease in counterfeit fraud as a result -- 70 percent in the U.K., for example, between 2005 and 2013.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    6. Re:Hope they get fined big for this by guruevi · · Score: 1

      Although I agree that 'something has to be done', the chip cards in the US at least are no more secure than mag stripes. If you ever have the chance to hook a chip reader to a computer, you can read most of the data from a chip, unencrypted, the same way you do from a mag stripe (primarily for compatibility reasons). Hell, I have a fully encrypted card and it's useless at many large retailers in the US, my parents came here from Europe with their non-magstripe card which was completely useless even though it was issued as international by MasterCard, except for Tim Hortons (for whatever reason) the readers at Walmart and other places simply refused to work and the machine asked to swipe (on a non-magstripe card lol)

      Additionally, there have been papers that describe how to abuse and crack the chip cards, the encryption on these things is about 2-3 decades old by now. On the other hand there are hundreds if not thousands of reports of these chip-and-pin countries (like Netherlands and France) of people that got fraudulently charged but because it was 'chip and pin' now the consumer has to eat the cost.

      As far as USian sources: http://www.washingtontimes.com...

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    7. Re:Hope they get fined big for this by lgw · · Score: 2

      Chip and signature is not chip and PIN. Nothing you said is relevant to the US. This "upgrade" has downsides and no upside for the consumer.

      But do go on about the entirely unrelated system you like.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    8. Re:Hope they get fined big for this by petermgreen · · Score: 1

      The chip machines shift the liability to whoever is least secure - if your bank still gave you a swipe card and the retailer can take chip, the liability shifts to the bank

      What I've always wondered is what happens if a criminal clones a chip card onto a magstripe only card.

      Is there some mechanism to warn the merchant in this case or does the merchant get screwed for doing a magstripe transaction on a clone of a chipped card?

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    9. Re:Hope they get fined big for this by mattack2 · · Score: 1

      I realize this is indirect, and not directly related to switching to chip cards.. The new readers ALSO allow (if the business has the functionality turned on) NFC based payment (e.g. Apple Pay, etc.). With that, the business gets the lower fee version due to lower fraud possibility PLUS it's faster than the insert-chip-card-and-wait, or even the swipe method (due to not having to take out your card).

    10. Re:Hope they get fined big for this by marka63 · · Score: 1

      The mag stripe says this is a chip card and the terminal will request that you use the chip reader.

      You need to modify the data when cloning.

      The next step will be to not accept swipes once the pos terminals are upgraded.
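
The check described in the comment above, as an added example that is not part of the original thread: on Track 2 (ISO/IEC 7813) the three-digit service code follows the expiry date, and a first digit of 2 or 6 tells the terminal the card carries a chip. The track strings, decision labels and function names below are constructed for illustration and are not taken from any terminal vendor's software.

```python
import re
from dataclasses import dataclass

# Track 2 layout: ;PAN=YYMM<3-digit service code><discretionary data>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

# First service-code digit 2 (international) or 6 (national):
# an integrated circuit is present and should be used where feasible.
CHIP_FIRST_DIGITS = {"2", "6"}


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str

    @property
    def has_chip(self) -> bool:
        return self.service_code[0] in CHIP_FIRST_DIGITS

    def masked_pan(self) -> str:
        # Keep first six and last four digits only, as is usual for logs.
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; catches misreads of a worn stripe."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str):
    """Return a Track2 record, or None if the read is malformed."""
    m = TRACK2_RE.fullmatch(raw.strip())
    if m is None or not luhn_ok(m["pan"]):
        return None
    return Track2(m["pan"], m["exp"], m["svc"])


def swipe_decision(raw: str, terminal_has_chip_reader: bool,
                   chip_read_failed: bool = False) -> str:
    """Decide what a terminal does with a swiped card (labels are hypothetical)."""
    card = parse_track2(raw)
    if card is None:
        return "REJECT_MALFORMED"
    if card.has_chip and terminal_has_chip_reader:
        if chip_read_failed:
            # Magstripe fallback on a chip card: allow, but mark the
            # transaction so the acquirer and issuer can score it as higher risk.
            return "ALLOW_FALLBACK_FLAGGED"
        return "PROMPT_INSERT_CHIP"
    return "ALLOW_SWIPE"


# Constructed sample reads using a well-known test PAN, not real card data.
CHIP_CARD_SWIPE = ";4111111111111111=30122011234567?"    # service code 201
STRIPE_ONLY_SWIPE = ";4111111111111111=30121011234567?"  # service code 101
BAD_READ = ";4111111111111112=30122011234567?"           # fails Luhn

if __name__ == "__main__":
    for label, raw in [("chip card", CHIP_CARD_SWIPE),
                       ("stripe only", STRIPE_ONLY_SWIPE),
                       ("bad read", BAD_READ)]:
        print(label, "->", swipe_decision(raw, terminal_has_chip_reader=True))
```

The issuer has its own check on top of this: the stripe's card verification value is computed over the PAN, expiry date and service code, so a stripe whose service code has been altered fails verification during online authorization.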

    11. Re:Hope they get fined big for this by thegarbz · · Score: 2

      The Chip+PIN combo i have been subjected to is incredibly inconvenient only to push the liability to my side of the table. It is not any more secure

      Except for everywhere in the world where chip+pin has been implemented where the liability has not changed, the transaction is processed at a MUCH faster rate and the added security has decimated credit card fraud.

      But other than these little things your post was ... errr.... grammatically correct?

    12. Re:Hope they get fined big for this by spire3661 · · Score: 1

      I was relating my experiences so far, in the US rollout of the Chip+PIN. Perhaps the Chip and PIN we have is different. It's slow, inconvenient and not at all universal.

      --
      Good-bye
    13. Re:Hope they get fined big for this by thegarbz · · Score: 1

      Perhaps the Chip and PIN we have is different

      This sounds like it may be an understatement. I'm not sure on the specifics but there's definitely differences starting with the name Chip + Signature.

  5. Good by somenickname · · Score: 4, Insightful

    This "upgrade" is a complete farce. If they had moved to chip and pin then, yes, it would make sense for all businesses to adopt it. As it is, they moved from a "something you have" model to a slower "something you have" model. Without a "something you have and something you know" model, the upgrade is mostly just an inconvenience to all involved parties (except the credit card companies who can now defer more blame).

    1. Re:Good by Hylandr · · Score: 1

      +1 insightful Pls.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    2. Re:Good by Xenx · · Score: 2

      While chip alone may not be as secure as chip and pin, it is still more difficult to skim than the magnetic stripe. Further, the hardware change to chip is still required for chip and pin. It can always be implemented at a future point when the hardware migration is complete.

    3. Re:Good by naubol · · Score: 1

      https://www.citi.com/credit-cards/credit-cards-citi/citi.action?ID=chip-technology-questions

      How is it a complete farce if the chip is more secure? My understanding is that the magnetic strips were frequently swiped into card readers in order to steal, but the chip is harder to steal in this way. To use your terminology, it moves from a model where it's "something you can both have" to a model where "only one of you can have it."

      --
      Reality is a slackware box running on a 386 tucked away in god's sock drawer.
    4. Re:Good by PrimaryConsult · · Score: 2

      I have a (apparently rare) US issued chip and pin card - I didn't even ask for the pin, the bank offered me the one time option of setting it, which I did. If I use it in any of these terminals, or anywhere in Canada, it actually prompts for the PIN. So while chip and signature is the "norm" with these new readers, the only roadblock for chip and pin is now the card issuer thanks to the mandate that the readers be upgraded.

    5. Re:Good by somenickname · · Score: 1

      While chip alone may not be as secure as chip and pin, it is still more difficult to skim than the magnetic stripe.

      I don't doubt that it's "more difficult" but, after a few years, will it prove to be "less frequent"? Probably not. If someone is determined to commit credit card fraud, the security that the chip provides is just a new technology to adapt to.

      Further, the hardware change to chip is still required for chip and pin. It can always be implemented at a future point when the hardware migration is complete.

      That's reasonable. But, they made the switch without adding the security part. If you are going to the trouble to redo the infrastructure of credit card processing, why not, I dunno, make it more secure while you do it? It's not like entering a PIN number is a foreign concept to people.

    6. Re:Good by marka63 · · Score: 1

      They moved it from something that can be cloned to something that can't be cloned.

      It would be better if they moved it to something that can't be cloned + something you know.

    7. Re:Good by marka63 · · Score: 1

      And the next step is to just stop supporting swipe only transactions like some countries have already done.

    8. Re:Good by Xenx · · Score: 1

      That's reasonable. But, they made the switch without adding the security part. If you are going to the trouble to redo the infrastructure of credit card processing, why not, I dunno, make it more secure while you do it? It's not like entering a PIN number is a foreign concept to people.

      Honestly, because people hate change. It's going to be easier to force one change on people than two. I don't know what other reasons were involved, but that can be a big one. We want things to just work, and work like they always have. For most people, credit card fraud is someone else's problem. People only want security as long as it doesn't inconvenience them.

    9. Re:Good by Larry+Lightbulb · · Score: 1

      Who issued it? I've been trying for years to get one.

    10. Re:Good by taustin · · Score: 1

      The part that isn't talked about much, and not yet a mandatory part of the system, is the point-to-point encryption that goes hand in hand with EMV. When fully implemented, the store never sees any card information at all, it's all tokenized. That means that when somebody breaks into their network, there's nothing there to steal.

      That is the point of EMV. It's got nothing to do with protecting the consumer. It's about reducing losses for the banks.

    11. Re:Good by slomike1 · · Score: 1

      Many people do not have or know the pins for their credit cards. They likely know their ATM card, but that is about it.

    12. Re:Good by Loconut1389 · · Score: 1

      It also does nothing to stop the clerk or anyone from writing down your number, exp, and cvv2 and going on to amazon. I don't know how to fix that without requiring computers have chip readers too, which honestly would be a good move and open people up for chip based authentication/login... Or otherwise coming up with another way with an authentication token and an api provided by the card companies or something, in conjunction with a TOTP or HOTP physical device.

    13. Re:Good by PrimaryConsult · · Score: 1

      First Niagara... which is about to be eaten by Key Bank, so I don't know if they'll still offer it (I know they do not for their own customers). Those of us 'grandfathered in' will get to keep it though until the card expires. I have no idea if I'll be able to change the pin, either.

      It was the only credit card that worked in the machines to refill my Opal card [transit pass] in Sydney... so I'd much rather keep it working.

    14. Re:Good by PrimaryConsult · · Score: 1

      Sorry for the second reply, but here is the article about First Niagara choosing pin over signature as well as their press release.

      Apparently it is unique in the US in that it will *only* do PIN if you use the chip. Swiping still works for signature, of course.

      Chase was almost going to but backed down at the last minute. Almost all other chip and pin are chip+signature+pin ones from my research, and it will choose signature over pin.

    15. Re:Good by LordLucless · · Score: 1

      Nothing's stopping people from cloning the strip. Which is why they're trying to get merchants to use the chip instead.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    16. Re:Good by Cro+Magnon · · Score: 1

      I don't know the PIN (if any) for my credit card because I've never used it. If I used one on a regular basis, I'd remember it.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  6. How can a judge force a CC company... by mark-t · · Score: 1

    ... to accept the business of a company that doesn't want to do things the way the CC company requires?

    1. Re:How can a judge force a CC company... by PopeRatzo · · Score: 1, Informative

      How can a judge force a CC company to accept the business of a company that doesn't want to do things the way the CC company requires?

      Because they are a federally subsidized and insured bank with monopolistic allowances.

      If you want to be able to borrow money at 0% and lend it at 20%, then fuck you, do as you are told.

      --
      You are welcome on my lawn.
    2. Re:How can a judge force a CC company... by mark-t · · Score: 1

      Let's say I'm a CC company, and I notice that I'm taking a substantial hit on my profits because of fraudulent transactions traceable to not securing transactions in a certain way. If I decide that I'm going to try and secure my transactions that way to avoid the loss, while still being willing to take hits for fraudulent transactions that occur with the new method, why should I continue to take the financial hit for companies that don't want to use the newer system?

    3. Re:How can a judge force a CC company... by mark-t · · Score: 1

      Even if they *had* collaborated (or "conspired", as you say) on the idea, why should they be forced to continue to take a financial hit on a system that they don't even want to continue to support in the first place? Are you suggesting that they conspired to take financial losses with the other method? I hope you realize how ridiculous that sounds.

    4. Re:How can a judge force a CC company... by Holi · · Score: 1

      In what way are VISA Master Card or AMEX subsidized?

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    5. Re:How can a judge force a CC company... by Holi · · Score: 1

      They are responsible for fraudulent purchases over $50 by law, so why do we deny them the opportunity to secure their payment system. Or should they just stop their business?

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    6. Re:How can a judge force a CC company... by Holi · · Score: 1

      Collaboration does not equal conspiracy. None of this was done behind closed doors, none of this was a surprise, and most of all none of this was illegal.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    7. Re:How can a judge force a CC company... by mark-t · · Score: 1

      All they had allegedly "conspired" to do was simply to have the same effective date past which they would no longer support the older method... a method that they had assessed to be less secure, and there is no sane reason that they should ever be obligated to continue to support the older system after they have given plenty of advance warning of the change, both to consumers and vendors, even if they *did* secretly agree upon an effective date of implementation (although how you call something that they publicly announced years ago a secret is beyond me). There is no way that this could reasonably be considered illegal or unfair because the newer system is considered less likely to have fraudulent transactions in the first place.

    8. Re:How can a judge force a CC company... by david_thornley · · Score: 1

      Some posters have claimed that the credit card companies are not only involved in setting the chip deadline, but also were cozy with the companies that make the machines, which apparently cost a lot more, and require certification that they don't provide in a timely manner, so it has been impossible for quite a few businesses to get their chip machines operating by the deadline.

      As a credit card user, I wouldn't mind a class action suit against the companies that slow down the chip payment process (it isn't the retailers, it's too universal for that).

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    9. Re:How can a judge force a CC company... by mark-t · · Score: 1

      The October 2015 deadline was announced in the latter half of 2011, with Amex and MC announcing the same deadline in early 2012. There was no lack of time to make the switch. Some retailers are even being given until 2017 owing to the expense of completing the switchover (most notably involving fuel pump card readers).

    10. Re:How can a judge force a CC company... by david_thornley · · Score: 1

      When did machines and software systems become available to retailers? What about certification? Knowing doom is coming doesn't help if nobody's going to sell doom-proof underwear for another few years.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    11. Re:How can a judge force a CC company... by mark-t · · Score: 1

      The only way the CC companies would see any financial advantage from this is if a retailer that regularly allowed fraudulent transactions to go through continued to do so after the CC company shifted liability to them.

      You may be right about it not being enough time, however.

  7. was there a double dip? by um...+Lucas · · Score: 2

    I can't figure out why retailers would refuse new terminals, unless they were being asked/demanded to pay for them.

    If these new terminals are truly going to save the credit card companies so much money, it ought to have been a no-brainer to provide them to retailers on their own dime and see the return on investment come over time, rather than, essentially, demand the retailers make investments solely for the credit card companies' benefit (with the exception that if the cc co's are going to turn liability over to the retailers, then, yes, they would stand to save their own money, but only because of a change in business dynamics)

    Again, I could just be shooting in the dark as I didn't read the article, just chiming in with an opinion and nothing to back it up, which is what Slashdot's all about, right? :)

    1. Re:was there a double dip? by Njorthbiatr · · Score: 1

      The retailers can just decide not to use them.

    2. Re:was there a double dip? by Phantom100 · · Score: 1

      My understanding is that the chip enabled terminals were not being made fully functional for the retailers, but they were still being forced to accept liability.

      http://www.nytimes.com/2016/03...

      http://blog.credit.com/2016/03...

  8. Enter the 21st century, get sued? by thegarbz · · Score: 4, Interesting

    I mean it's high time that the USA got dragged kicking and screaming into the 2000s, but to sue the banks over it as well? I mean the USA has the current second highest amount of credit card fraud in the world behind Mexico who are also still in an age where they are marvelling about this fancy new thing called the internet.

    Being forced to upgrade to something which in every other country in the world has caused a significant drop in credit card fraud is a damn good thing, not a sueable offence.

    1. Re:Enter the 21st century, get sued? by stephanruby · · Score: 3, Insightful

      Being forced to upgrade to something which in every other country in the world has caused a significant drop in credit card fraud is a damn good thing, not a sueable offence.

      The new chip system in the US works differently than the chip system in Europe, so no, the US isn't being forced to adopt what the rest of the world is already using.

      For instance, in France I can use a European chip card in a restaurant in the middle of nowhere where there is no cell phone reception (or no landlines), and the transaction gets reconciled later when the transactions get uploaded. In the US, under the new system, no one is allowed to keep the data around for later reconciliation, even in an encrypted form, so that means that the multitudes of authentication handshakes must occur correctly before the transactions get authorised (even if the amounts in question are tiny).

      This is why using smartcards in Europe takes no time at all to get authorized, they're actually faster than magnetic debit/credit cards. But this is also why the current smartcards in US (when used through the chip) are so slow, although in theory they're supposed to be more secure than the European smartcards.

    2. Re:Enter the 21st century, get sued? by radarskiy · · Score: 2

      "They refuse to check ID"
      Retailers are prohibited from checking ID, unless specifically requested by the bank.

      "they refuse to check signatures"
      The signatures on the card are not for authentication purposes. Also, there's no way a minimum wage clerk is going to be able to do handwriting recognition.

    3. Re:Enter the 21st century, get sued? by jittles · · Score: 4, Informative

      Being forced to upgrade to something which in every other country in the world has caused a significant drop in credit card fraud is a damn good thing, not a sueable offence.

      The new chip system in the US works differently than the chip system in Europe, so no, the US isn't being forced to adopt what the rest of the world is already using.

      For instance, in France I can use a European chip card in a restaurant in the middle of nowhere where there is no cell phone reception (or no landlines), and the transaction gets reconciled later when the transactions get uploaded. In the US, under the new system, no one is allowed to keep the data around for later reconciliation, even in an encrypted form, so that means that the multitudes of authentication handshakes must occur correctly before the transactions get authorised (even if the amounts in question are tiny).

      This is incorrect. The US requirement for "Online Only" is strictly for fraud liability. You can use offline PIN in the US (though it can be attacked). Furthermore, all EMV cards, including those issued in France have what is called a velocity limit on the card. When this limit is hit, the card itself requires the next transaction to go online no matter what. If the terminal tells the card that it cannot go online, then the card itself will either reverse a pending ARQC (online request) or will just immediately return an AAC (decline). This is true in all regions where EMV has been implemented.

      This is why using smartcards in Europe takes no time at all to get authorized, they're actually faster than magnetic debit/credit cards. But this is also why the current smartcards in US (when used through the chip) are so slow, although in theory they're supposed to be more secure than the European smartcards.

      This is also incorrect. The chip transactions in the US are slow because most banks have insisted on implementing EMV incorrectly. A properly configured terminal will process an EMV request in 1-2 seconds in the US. That's not (noticeably) slower than an offline approval. It is literally a few hundred milliseconds longer.
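
The card-side behaviour described in the comment above (velocity limit, ARQC, AAC), sketched as a simplified model. This is an added example, not part of the original comment or of any EMV specification text; the single `offline_limit` counter, the class and function names, and the sample values are assumptions made for illustration, and real card applications use issuer-specific risk parameters.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Cryptogram(Enum):
    TC = "TC"      # Transaction Certificate: transaction approved
    ARQC = "ARQC"  # Authorisation Request Cryptogram: card wants to go online
    AAC = "AAC"    # Application Authentication Cryptogram: transaction declined


@dataclass
class Card:
    """Hypothetical card with one velocity limit on consecutive offline approvals."""
    offline_limit: int         # issuer-set limit (constructed value in this example)
    offline_run: int = 0       # offline approvals since the issuer was last reached
    atc: int = 0               # application transaction counter
    awaiting_online: bool = False

    def first_generate_ac(self, terminal_request: Cryptogram) -> Cryptogram:
        """The card may downgrade the terminal's request, never upgrade it."""
        self.atc += 1
        if terminal_request is Cryptogram.AAC:
            return Cryptogram.AAC
        under_limit = self.offline_run < self.offline_limit
        if terminal_request is Cryptogram.TC and under_limit:
            self.offline_run += 1
            return Cryptogram.TC
        # Either the terminal asked to go online, or the velocity limit is hit
        # and the card itself insists on an online authorisation.
        self.awaiting_online = True
        return Cryptogram.ARQC

    def second_generate_ac(self, issuer_approved: Optional[bool]) -> Cryptogram:
        """issuer_approved is None when the terminal could not go online."""
        if not self.awaiting_online:
            raise RuntimeError("second GENERATE AC is only valid after an ARQC")
        self.awaiting_online = False
        if issuer_approved is None:
            if self.offline_run < self.offline_limit:
                # Under the limit: the card can still approve offline.
                self.offline_run += 1
                return Cryptogram.TC
            # Limit hit and no issuer reachable: the card declines.
            return Cryptogram.AAC
        self.offline_run = 0  # issuer was reached, the offline run starts again
        return Cryptogram.TC if issuer_approved else Cryptogram.AAC


def run_transaction(card: Card, terminal_prefers_online: bool,
                    online_available: bool,
                    issuer_approves: bool = True) -> List[Cryptogram]:
    """Drive one transaction and return the cryptograms the card produced."""
    request = Cryptogram.ARQC if terminal_prefers_online else Cryptogram.TC
    first = card.first_generate_ac(request)
    if first is not Cryptogram.ARQC:
        return [first]
    issuer = issuer_approves if online_available else None
    return [first, card.second_generate_ac(issuer)]


def demo() -> List[str]:
    """Offline-capable terminal: four purchases with no link, then one with a link."""
    card = Card(offline_limit=3)  # constructed limit
    lines = []
    for online in (False, False, False, False, True, False):
        result = run_transaction(card, terminal_prefers_online=False,
                                 online_available=online)
        lines.append(f"ATC {card.atc} link={'up' if online else 'down'}: "
                     + " -> ".join(c.value for c in result))
    return lines


if __name__ == "__main__":
    print("\n".join(demo()))
```

The fourth purchase in the demo is the case the comment describes: the limit is reached, the terminal cannot go online, and the card answers with an AAC.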

    4. Re:Enter the 21st century, get sued? by thegarbz · · Score: 1

      The slower and more confusing thing is only because Americans are somehow incapable of remembering 4 digits, and are also incapable of making a single switch.
      I mean at least write the 4 digits on the card then you'll be no worse in security as what you have now.

      As for confusing about swipe vs chip, that shouldn't be confusing. In the rest of the world it was chip if you have it. Any attempt at swiping a chipped card would result in a message on the terminal saying "insert card" and an arrow pointing to the chip.

      Mind you in the USA do retailers pay for the cost of the reader or are they leased by the banks like in the rest of the world? Because those large pieces of crap including touchscreen and 10 bloody confirmation messages when you use them are both annoying and look expensive as heck compared to the traditional machines which look the same as they always did in the rest of the world.

    5. Re:Enter the 21st century, get sued? by thegarbz · · Score: 1

      And, oh yeah, the majority of our power lines are still swinging in the wind and getting knocked down by falling trees instead of being buried.

      There's a good reason for that, and if you want validation of your choices I can send you my monthly electricity bill for comparison.

      I've lived in several countries which decided that power outages were intolerable during my stay. In each the electricity price has risen by a factor of about 7. Burying stuff isn't cheap.

    6. Re:Enter the 21st century, get sued? by david_thornley · · Score: 1

      There's nothing wrong with the US customers. There's no point in remembering four digits, since almost nobody accepts chip & pin. Swiping is a one-second action that keeps my card in my hand at all times. Using the chip is a slow process in which my card sits in the machine. If someone leaves their card in the machine and walks away, there's no reason some other person couldn't grab the card, and since it's chip and signature rather than chip and pin the card would work for anyone.

      If you want to criticize something about US card processing, there's plenty of blame, but blaming US shoppers for not using capabilities that aren't enabled or not wanting to switch to a considerably less convenient transaction method is just wrong.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    7. Re:Enter the 21st century, get sued? by david_thornley · · Score: 1

      One neighborhood over, the lines are buried, and I'm not aware that they get charged any more. The electric company publishes its rates. Is it that much more expensive?

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    8. Re:Enter the 21st century, get sued? by david_thornley · · Score: 1

      We make account-to-account transfers, although they really aren't convenient.

      Then some friends of ours needed a substantial loan fast, and transferring a few thousand from one of our accounts to theirs was going to be slow and expensive. We wound up sending them a check.

      (They'd asked us to cosign, but I don't do that with friends. If I lend money to friends, I don't want to have to think about it afterwards. Nor do I lend more money than I'm willing to lose, since I'm not going to trash a friendship over money.)

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    9. Re:Enter the 21st century, get sued? by thegarbz · · Score: 1

      That's because the utilities don't discriminate on the final link. The costs are spread out over the country. New neighbourhoods are cheaper to plumb with electricity than old ones where utilities play dodge the services as they try and cut users over. Not that it matters. Gold plating may sound like it's good on a neighbourhood scale, but it gets done on a state scale.

      Yes it's that much more expensive. When a politician says "we must not tolerate outages" expect a several fold increase in prices over a couple of years. Or maybe not, a recent example from South Australia which had a state wide outage due to many downed powerlines shows politicians reaching a new peak stupid and blaming solar and wind power for the outage. So maybe their stupidity is at an internal stalemate where they can't do any more damage.

      In any case power outages where I lived went down, but really they weren't that high to begin with. In serious weather the cities I lived in had at most 1% of the population without power for maybe 1-5 days per year, and rarely more than 2 days in a row (in which case the utilities at least when I lived in Australia were forced to compensate home owners). When I left we were lucky to have a single day outage in any given year. Hurrah. Wasn't worth the doubling of my electricity bill though. It was nice not having overhead lines in many streets though, and the ring mains finally actually looked like ring mains on drawings, rather than half of a ring with the other feeder marked "future".

    10. Re:Enter the 21st century, get sued? by DarkVader · · Score: 1

      There are 5 credit/debit cards in my wallet, plus the contactless card for charging my car and the various "reward" cards that I have to avoid being overcharged at grocery stores and drug stores.

      I don't even know/never set PINs for the credit cards, and I have no desire to do so.

      And the retailers typically own the terminals. They just had to buy new ones to replace perfectly good swipe terminals.

    11. Re:Enter the 21st century, get sued? by DarkVader · · Score: 1

      Not in the US. Debit cards were also magstripe cards until last year.

    12. Re:Enter the 21st century, get sued? by david_thornley · · Score: 1

      As far as I can tell, power prices where I live are fairly low still.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  9. Boiling frog parable [Re:Not Sure if...] by Tablizer · · Score: 1

    They should have ramped it up gradually. For example, increase the percent of retailer liability by say 5% a month.

    I don't know if that makes it "fairer", but it's better "customer relations" psychology. There's a right way and wrong way to be a jerk. (Both prez candidates are doing it the wrong way.)

  10. Resistant To Change? by labnet · · Score: 4, Insightful

    I wonder what makes Americans so resistant to change, and when they implement change, it has so many compromises to be unworkable?

    Whether it be.
    - Adoption of the metric system
    - More sensible gun management
    - Universal basic health care
    - Writing dates mm-dd-yy
    - Reform of your court/prison system

    Australia has changed completely to chip cards. Mag swipe is no longer accepted.
    For most merchants, transactions below $100, contact-less is used.
    For over $100, a pin is required (and for some cards like amex, you need to insert the card for a chip read).
    The transactions take around 2 seconds.

    It works great. The $100 threshold is a good compromise for convenience vs fraud risk.

    I assume you are complaining because your banks have stuffed up the implementation???

    --
    46137
    1. Re:Resistant To Change? by Anonymous Coward · · Score: 1

      America did adopt the metric system. It is not forced for consumers (but it is for suppliers). It is taught in schools and universally used in scientific fields.

    2. Re:Resistant To Change? by Anonymous Coward · · Score: 1

      yyyy-mm-dd.

      Your date implementation is not an ISO standard and has an 'every century' problem. Furthermore, it doesn't alphabetize in chronological order.

      AC

    3. Re:Resistant To Change? by Anonymous Coward · · Score: 1

      Shh! Any US-centric news means it's time for "The Hour of Hate" by any English speakers.

      The tiniest petty things like being binumeral instead of bilingual will be dragged out yet again. Others that are outright frauds like ignoring the 10:1 ratio of deaths and fetal alcohol syndrome in western nations versus the US while pretending that severe gun laws didn't just shift murder weapons to different categories. All while German beer kills 25 times as many innocent people per capita as American bullets.

      Pathetic show that pedantry and elitism means more to them than human lives.

    4. Re:Resistant To Change? by jrumney · · Score: 1
      While we're trolling Americans...
      - adoption of different size and color banknotes to make them more easily distinguished.
    5. Re:Resistant To Change? by jrumney · · Score: 1

      Little-endian has some issues for naive sort algorithms, but now that we're past the mid 80's in terms of computing power, it isn't really a major issue compared with dealing with middle-endianness.

    6. Re:Resistant To Change? by YukariHirai · · Score: 1

      Australia has changed completely to chip cards. Mag swipe is no longer accepted.

      Not strictly true; it does still exist as a fallback if chip and contactless fail, and there are still cards out there that lack chips. Australian cards that lack chips are getting much rarer, but I still see a fair few foreign cards that are mag swipe only.

    7. Re:Resistant To Change? by Solandri · · Score: 1

      Credit cards were first implemented in the U.S., so the U.S. has a much larger installed base of the older magstripe credit card readers than any other country. That means a lot more inertia against change.

      Countries which implemented credit cards after the U.S. had the benefit of the lessons learned in the U.S. - like the security problems - which eventually led to chipped cards. It's the same reason why Africa has the highest ratio of cellular to landline phones. They basically got to skip the landline phone stage entirely because everyone else went through it.

    8. Re:Resistant To Change? by AC-x · · Score: 1

      Also don't forget ISO paper formats.

      The main downside of ISO paper is it would break that stupid printer joke, as "PC LOAD A4" is instantly obvious to everyone outside of North America.

    9. Re:Resistant To Change? by mjwx · · Score: 1

      Australia has changed completely to chip cards. Mag swipe is no longer accepted.

      Not strictly true; it does still exist as a fallback if chip and contactless fail, and there are still cards out there that lack chips. Australian cards that lack chips are getting much rarer, but I still see a fair few foreign cards that are mag swipe only.

      I think what he means is that new cards are not being issued with magstripes. My last card issued in Jan last year didn't.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    10. Re:Resistant To Change? by sl3xd · · Score: 1

      I can think of zero reasons to switch paper standards. (And there are zero reasons against it too... it's not like our printers are incompatible or anything).

      In this case, the status quo (using Letter/Legal sized paper) requires zero effort, while switching requires almost nothing.

      Really, it's just shelf space in stores and trying to move old stock.

      Any migration would require governmental decree -- and if you know anything about current US politics, the moment you talk about changing something as, um... traditional as paper sizes, we'll get an entire generation to spew from every orifice against governmental intervention.

      Seriously, we're deep enough in shit, and paper size is not the battle to pick.

      Interesting point: Amazon doesn't sell A4 in the US (though you can get it from other sellers through Amazon... at 3x the price of Letter sized)

      --
      -- Sometimes you have to turn the lights off in order to see.
    11. Re:Resistant To Change? by david_thornley · · Score: 1

      - The US is on the metric system. All of the customary weights and measures are specified in metric: The inch is defined as 25.4 mm. It isn't an SI unit, but it is metric. It would be nice to see the metric system used straight more often, but it's getting there. The bottle of water on my desk is a half liter.

      - The US government is one of the oldest in the world (the US is not the oldest country by a long shot, but most other countries have radically changed their government, voluntarily or otherwise, since the US Constitution was ratified), and we have some problems with that. One example is the stupid Electoral College, another is the Second Amendment that makes it extremely difficult to restrict weapons. It's not a competence problem, it's a structural problem.

      - Universal basic health care - you're dead on there. It would also be nice if the US government, like all others I'm aware of, was legally permitted to negotiate drug prices using its vast bargaining power.

      - The only decent way to write dates is some form of YYYY-MM-DD. DD-MM-YY and MM-DD-YY are both unsatisfactory.

      - Once more you've hit on a real US problem. It's more difficult to change since we have a minimum of fifty-one court systems required by the Constitution, and it's difficult to regulate campaign spending without violating the First Amendment to the Constitution.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    12. Re:Resistant To Change? by david_thornley · · Score: 1

      Right now, I have plenty of envelopes that are sized right for letter and (sometimes) legal paper sizes. I don't think A3 or A4 would fit nearly as well. There would be hassle during the changeover, and I really don't see the upside.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    13. Re:Resistant To Change? by DarkVader · · Score: 1

      mmm-dd-yyyy works just fine, and is completely unambiguous. That way today is Oct-06-2016, it works with the US standard way of thinking about dates, and nobody in the world is going to be able to confuse it with Jun-10-2016.

    14. Re:Resistant To Change? by DarkVader · · Score: 1

      Right. And I'll just go get a different size wallet for each denomination.

      They've got numbers on them. Green and black works just fine for me.

      Honestly, I wish we would go back to the old standard, where the President on a given note is in an oval in the center, and the numbers are in the corners. I HATE the new notes. The new hundred is awful, get rid of the color.

      At least the one is still good.

      I do think we need to ditch Andrew Jackson on the twenty, he was a shithead, the Trail of Tears is inexcusable. And once Obama is dead we can put him on the 50 and get rid of that shithead Grant too. But we need to keep Washington on the one and Lincoln on the five, and Alexander Hamilton really does deserve his place on the ten.

    15. Re:Resistant To Change? by jrumney · · Score: 1

      Right. And I'll just go get a different size wallet for each denomination.

      Seriously, that is your concern? Does your OCD trigger a meltdown down in the middle of the store when someone tries to give you two dimes and a nickel in change and you only brought your quarter purse?

    16. Re:Resistant To Change? by labnet · · Score: 1

      While we're trolling Americans...

      - adoption of different size and color banknotes to make them more easily distinguished.

      Yep.. and they're still thinking corks are superior on wine bottles

      --
      46137
    17. Re:Resistant To Change? by DarkVader · · Score: 1

      I throw the coins all in the coin sorter when I get home, then roll them up when a tube fills and take the tube to the bank, I keep a few of them in a coin holder in the car, which has separate spaces for each coin type. About the only thing I use them for is parking meters.

      And no, I wouldn't really get a separate wallet for each different size of paper money, but it would be very, very annoying.

  11. Re:In the UK, we've had chip and pin for years! by sjames · · Score: 1

    We're not getting Chip and PIN, just Chip. And the retailers are expected to foot the bill.

  12. Are you fucking kidding me? by bistromath007 · · Score: 1

    There's a million and one reasons small businesses SHOULD sue credit card companies. This one is stupid garbage.

  13. Ehhh.... by XSportSeeker · · Score: 1

    Wild guess, but this here might be why the change took this long, and was this half-assed. :P

  14. Re:In the UK, we've had chip and pin for years! by whoever57 · · Score: 1

    Actually, the infrastructure supports Chip and PIN. What makes the card Chip and Signature is something baked into the card by the issuers.

    While the new terminals do support Chip and PIN, places like restaurants will need to buy wireless terminals to allow customers to enter a PIN at their table. I haven't seen any wireless credit card terminals in use in the USA.

    --
    The real "Libtards" are the Libertarians!
  15. Force? by TheGrimmReaper · · Score: 1

    Um... were they forced to accept credit cards? If you are accepting someone's 3rd party method of payment, aren't you agreeing to THEIR terms?

  16. Re:In the UK, we've had chip and pin for years! by PrimaryConsult · · Score: 1

    A lot of diners and some chains (i.e. Denny's, IHOP) are set up such that you just bring your receipt to the hostess and they cash you out there. So, more places could move to that model.

    Honestly waiting for the waitress to come pick up our cards, then bring them back with a pen is a pointless waste of everyone's time. "Just bring up your receipt when ready" works so much better...

  17. Re:In the UK, we've had chip and pin for years! by Larry+Lightbulb · · Score: 1

    3 or 4 years ago I used a chipless card in Sheffield, the machine read it OK but the staff didn't know what to do with the slip of paper which printed. A year before I tried the same card in Amsterdam, that required blowing the dust off the only mag stripe reader they had and getting the one person who knew how to operate it.

  18. Did they scream like this ... by PPH · · Score: 1

    ... when the credit card companies moved from carbon paper card impressions to magnetic stripes? Technology moves on and so must you.

    Not a small business operator, but I was under the impression that mag stripe readers and yes, even carbon paper imprints are still acceptable. You've just got to pay additional per transaction fees applicable to each non preferred method. To cover added processing costs and risk.

    --
    Have gnu, will travel.
  19. Cloning vs. theft vs. frustration by tepples · · Score: 1

    It depends on the attack model.

    Against card cloning
      A chip is much harder to clone than a magnetic stripe.
    Against physical theft of a card
      The chip changes nothing.
    Against account cancellation out of cardholder frustration with too many changes to the payment method at once
      A delay of a few years between instituting chip and instituting PIN is less jarring than instituting both at once.
  20. Love and hate the tap by phorm · · Score: 1

    I used to hate the tap because really, it seems like a step backward in security. Nice to know it uses rolling codes, but it still kinda sucks if you have your card stolen.

    On the other hand, tap is pretty nice when you're grabbing a quick coffee etc, and the theft thing isn't too bad if you set a low purchase limit. Still seems like a terrible idea for debit though.

  21. Chip & Pin only works in Europe by rsilvergun · · Score: 1

    because their laws allow them to shift liability onto the consumer when your pin gets compromised. It's sorta like if someone breaks into a bank they get to take your money instead of the banks.

    In the United States every single credit card swipe is a loan. And you can't enter into a loan without consent. That's why it's so easy to dispute things. But it's also the only way Americans would swallow credit cards. Chip & Pin wasn't worth the extra effort because you don't get a full liability shift to the consumer here.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  22. America... by YukariHirai · · Score: 1

    There is no country on Earth more stubbornly refusing to modernise than the US.

  23. Why does everything in the USA come with a lawsuit by Computershack · · Score: 1

    When we switched over to chip and pin from swipe here in the UK a deadline was set and that was that. Everyone just got on with it without feeling like they were being badly done to, let alone launch a lawsuit.

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  24. A lot of stupid people by whitroth · · Score: 1

    1. As of the beginning of this year, the PCI - the organization of credit card vendors section that deals with security, announced, over a year ago, that not having chip readers enabled meant that the store is liable for fraud. The chip is a *lot* more trouble to clone or steal.
    2. What's the big deal? Time them printing out the chit, you signing it, or inputting crap on the screen, then having to sign (I *loathe* "signing" with my fingertip) - as if anyone could read half your signatures - as opposed to shoving the card in and waiting a minute for it to beep.

    It's about them not wanting to lose a *lot* of money because users don't care about people stealing their data, or watching you punch in your PIN, or....

                mark

  25. Re:In the UK, we've had chip and pin for years! by david_thornley · · Score: 1

    With the waitress handling the card, I can sit at the table uninterrupted and then get up and walk out when I please. There are usually delays when I have to pay at a register, and the chip implementation in the US will only make that worse.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  26. Re:In the UK, we've had chip and pin for years! by DarkVader · · Score: 1

    It's something you can do while you're chatting with your dining companions instead of standing in line to leave the restaurant.

    Denny's and I-SLOP do that because they're crappy restaurants. Nice places take care of all of it at the table, with very minimal intrusiveness.

  27. Rather surprised to see this.. by Rexdude · · Score: 1

    In India we've had chipped credit/debit cards for at least 3-4 years now. Every shop and restaurant has a card reader that works with both chip and magstripe, and they give you the machine to enter your PIN. Some of them are attached to the cashiers' desk on account of a landline, but many of them use mobile SIM cards, so they just bring the reader over to your table or hand it to you to enter the PIN. On some of them there's a shield over the keypad to conceal your fingers when typing the PIN. And for online transactions, Mastercard & VISA both enforce an extra layer of security, either by an OTP sent to your phone (which you presumably have with you while making the online purchase) or by another password known only to you.

    --
    "..One hosts to look them up, one DNS to find them, and in the darkness BIND them."