Slashdot Mirror


Following Other Credit Cards, Visa Will Also Stop Requiring Signatures (siliconbeat.com)

An anonymous reader quotes SiliconBeat: Visa, the largest U.S. credit card issuer, became the last of the major credit card companies to announce its plan to make signatures optional... Visa joined American Express, Discover, and Mastercard in the phase-out. Mastercard was the first one to announce the move in October, and American Express and Discover followed suit in December... However, this change does not apply to every credit card in circulation; older credit cards without EMV chips will still require signatures for authentication... Since 2011, Visa has deployed more than 460 million EMV chip cards and EMV chip-enabled readers at more than 2.5 million locations.
"Businesses that accepted EMV cards reported a 66 percent decline in fraud in the first two years of EMV deployment," the article notes -- suggesting a future where fewer shoppers are signing their receipts.

"In Canada, Australia and most of Europe, credit cards have long abandoned the signature for the EMV chip and a PIN to authenticate the transaction, like one does with a debit card."

6 of 171 comments

  1. The dying art of editing by whoever57 · · Score: 5, Informative

    From TFA:

    "In Canada, Australia and most of Europe, credit cards have long abandoned the signature for the EMV chip and a PIN to authenticate the transaction, like one does with a debit card."

    That sentence is missing the word "require": "and require a PIN". This changes the meaning, since in most of Europe the signature requirement has not been dropped, it has been (mostly) replaced with a PIN. I believe banks in Europe will still issue chip-and-signature cards to elderly people on request.

    [I now await the replies pointing out the grammar errors in my post. Also, my recent experience is limited to the UK -- perhaps it is different in other European countries, but I don't think so].

    --
    The real "Libtards" are the Libertarians!
    1. Re:The dying art of editing by mrbester · · Score: 4, Informative

      There's a button that can be pressed that allows customers to tip; the reader is handed to you and there is a blank field for you to type in an amount. Then you enter your PIN. AFAIK this functionality has always been present so you could do it on chip and signature as well.

      If the server has pressed OK twice after entering the bill total (skipping the gratuity step) then the transaction can be voided and restarted if necessary.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  2. Re:Turn on your damn chip reader by ShanghaiBill · · Score: 4, Informative

    Nobody, absolutely nobody, looks at the signature for anything. You can sign anything you want. You can just draw a horizontal line, or even just tap the pad. As long as at least one pixel is set, the card reader will accept the signature.

  3. Slated to begin in April 2018 by Vektuz · · Score: 4, Informative

    From TFA, for those asking instead of reading, April 2018 is when the signature requirement will cease.

    Most supermarkets already have some sort of deal where signature is only required on purchases larger than $50 anyway.

  4. Re:Dark Ages by Dutch+Gun · · Score: 3, Informative

    A ZIP code is just a bit of additional authentication that pre-dates a proper chip-and-pin system. It's a simple "what you know" test that a credit card thief may not know. Gas purchasing is apparently a very common use of stolen credit cards. As soon as chip readers are more ubiquitous, hopefully that stop-gap measure will go away.

    The sooner we can get rid of the idiocy of signing as an authentication or verification, the better. It's just outdated and is nothing but security theatre at this point.

    Also, apparently the rule for Canadians is this:

    If prompted for your ZIP code, just enter the three digits of your postal code plus two zeros. So for example, if your postal code is A2B 3C4, the 5 digit number you should enter is 23400

    --
    Irony: Agile development has too much inertia to be abandoned now.
  5. Re:PIN no need for chip by ledow · · Score: 4, Informative

    Your PIN is your signing key. It encrypts the data to the bank such that only they can read it, think of it like that.

    Just transmitting card number + PIN is no more secure than just card number + expiry date, really.

    But transmitting card number + nonce generated by a secure chip on the card, signed with the user PIN and an internal incrementing number from the chip itself and presented to the bank? Now replay attacks are useless and even knowing card number + the PIN itself doesn't help.

    You now have to physically have THAT card itself to make it work (worst you could do is a "cardholder not present" transaction otherwise, which doesn't need the PIN anyway). In the same way, your example of card number + postcode (also used in other countries) shouldn't be enough on its own either.

    Though I hate Chip And PIN for many reasons, yours aren't any of them, and it's undeniable that nobody bothers or is even capable of verifying signatures at all. And it has significantly reduced fraud.

    Until, that is, we went stupid and put NFC payments on the same card so any kind of temporary physical proximity is enough to charge, even without the user knowing. But that's another matter entirely.

    And I don't know about you, but my card provider has online challenges at online stores if I don't use the card very often there or if it's an unusual transaction - by way of asking for a password that I NEVER use at a cash machine or anywhere else - only online. Verified By Visa and/or Master SecureCode.

    Your problem is that you don't understand what the PIN is actually doing. Asking for a PIN doesn't work how you think - you use the PIN to unlock the chip on the card which is then able to sign a transaction and give a signature (AuthCode) that you then give to the vendor from where the bank can confirm the transaction came from your card itself.

    Because unless you want to give everyone on the planet a way to present data to the secure chip and read responses (probably not good for customer ease of use) by way of some kind of chip reader that plugs into every possible smartphone and every computer, then it's not useful to have every online transaction require a PIN any more than an expiry date or postcode. And, in fact, is why those online systems exist with an ENTIRELY DIFFERENT code that only works online. Hell, they even present a custom challenge so you know you're not being tricked into entering your code online on a fake site (i.e. only Verified By Visa and I know what text it should be putting in the box that asks me to verify my code).

    Rather than complain about something you don't understand, use it and test it and investigate it. The reason Chip & PIN is there and works is because someone sat down, thought of all the use cases, thought of the attacks, and designed a single cheap chip that could solve most of them effectively enough for pennies-per-card (I've never been charged for a replacement credit card in my life, and chip-bearing smart-cards are so cheap as to be throwaway items if you have any dealings with them in access control / banking / code-signing / etc. applications).

    I haven't even signed my last four / five cards (all of which reached their expiry dates), because NOBODY uses the signature and nobody even queries it any more. That's how long other countries have been using Chip & PIN.

    Plus... you DO NOT want some cheap random bit of hardware interfacing with your card and just needing to send it a PIN that you type in plaintext onto it to unlock. You'd hope that such devices would at least have to have some kind of bank / merchant secure certificate to sign their part of the transaction to help you a) stop people just playing with credit cards using hobbyist electronics, b) require some form of device certification to be able to talk to your card, c) provide some security over the interface, d) provide some accountability should someone just start cloning a particular card reader that you issue out.

    Chip & PIN has many holes. But you don't see that because you don't even understand the purpose of the PIN in the first place.
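
Added example, not part of the original thread and not any card network's code: a simplified model of the scheme the last comment describes, in which the PIN only unlocks the chip and the chip's secret key, per-transaction nonce and incrementing counter are what let the bank reject a replayed or altered message. The names `Card`, `Issuer` and `cryptogram`, the card number and the PIN are constructed for illustration, and HMAC-SHA256 is an assumed stand-in for the MAC a real chip computes.

```python
import hashlib
import hmac
import os


def cryptogram(key, pan, amount, nonce, counter):
    # HMAC-SHA256 stands in for the card's real MAC algorithm (assumption).
    msg = f"{pan}|{amount}|{nonce.hex()}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Toy chip: the key and counter never leave this object."""

    def __init__(self, pan, pin, key):
        self.pan, self._pin, self._key, self._counter = pan, pin, key, 0

    def sign(self, pin, amount):
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN: chip refuses to sign")
        self._counter += 1            # internal incrementing number
        nonce = os.urandom(8)         # fresh per transaction
        tag = cryptogram(self._key, self.pan, amount, nonce, self._counter)
        return {"pan": self.pan, "amount": amount, "nonce": nonce,
                "counter": self._counter, "tag": tag}


class Issuer:
    def __init__(self):
        self._keys, self._last_seen = {}, {}

    def issue_card(self, pan, pin):
        self._keys[pan], self._last_seen[pan] = os.urandom(32), 0
        return Card(pan, pin, self._keys[pan])

    def authorize(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "declined: unknown card"
        want = cryptogram(key, tx["pan"], tx["amount"], tx["nonce"], tx["counter"])
        if not hmac.compare_digest(want, tx["tag"]):
            return "declined: bad cryptogram"
        if tx["counter"] <= self._last_seen[tx["pan"]]:
            return "declined: replayed counter"
        self._last_seen[tx["pan"]] = tx["counter"]
        return "approved"


def demo():
    bank = Issuer()
    card = bank.issue_card("4000000000000002", "4821")  # constructed values
    tx = card.sign("4821", 1999)
    altered = dict(tx, amount=999999, counter=tx["counter"] + 1)
    return bank.authorize(tx), bank.authorize(tx), bank.authorize(altered)
```

`demo()` submits the same signed message twice and then a copy with the amount and counter changed: the first is approved, the second is declined on the counter check, and the third fails the cryptogram check because the key never left the chip.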