Slashdot Mirror


Following Other Credit Cards, Visa Will Also Stop Requiring Signatures (siliconbeat.com)

An anonymous reader quotes SiliconBeat: Visa, the largest U.S. credit card issuer, became the last of the major credit card companies to announce its plan to make signatures optional... Visa joined American Express, Discover, and Mastercard in the phase-out. Mastercard was the first one to announce the move in October, and American Express and Discover followed suit in December... However, this change does not apply to every credit card in circulation; older credit cards without EMV chips will still require signatures for authentication... Since 2011, Visa has deployed more than 460 million EMV chip cards and EMV chip-enabled readers at more than 2.5 million locations.
"Businesses that accepted EMV cards reported a 66 percent decline in fraud in the first two years of EMV deployment," the article notes -- suggesting a future where fewer shoppers are signing their receipts.

"In Canada, Australia and most of Europe, credit cards have long abandoned the signature for the EMV chip and a PIN to authenticate the transaction, like one does with a debit card."

31 of 171 comments

  1. Turn on your damn chip reader by L. J. Beauregard · · Score: 5, Insightful

    Does this also apply to merchants who won't turn on their damn chip readers?

    --
    Ooh, moderator points! Five more idjits go to Minus One Hell!
    Delendae sunt RIAA, MPAA et Windoze
    1. Re:Turn on your damn chip reader by Anonymous Coward · · Score: 5, Insightful

      The signature isn't for verification. It's all about signing saying you agree to the charges and agree to pay. The signature doesn't even get sent to the clearing house. I've scribbled, signed heywood blowme, Dick Hertz, Mike Hunt, ... and never heard a thing about it.
      The signature is just a stupid throwback to the days of the paper credit card slips.

    2. Re:Turn on your damn chip reader by ShanghaiBill · · Score: 4, Informative

      Nobody, absolutely nobody, looks at the signature for anything. You can sign anything you want. You can just draw a horizontal line, or even just tap the pad. As long as at least one pixel is set, the card reader will accept the signature.

    3. Re: Turn on your damn chip reader by Anonymous Coward · · Score: 5, Insightful

      No. The ones the rest of the world uses successfully and reliably.

    4. Re:Turn on your damn chip reader by viperidaenz · · Score: 2

      They do get kept by the merchant

      If the charge is disputed and the merchant can't produce a signature (if that was used for authorisation) then the charge gets reversed.

      The person taking the signature doesn't care though, it's not their shop and not their money

    5. Re:Turn on your damn chip reader by fahrbot-bot · · Score: 3, Funny

      > Nobody, absolutely nobody, looks at the signature for anything. You can sign anything you want.

      Many, many years ago, a friend asked me to buy something for him using his credit card, while he was at work. I signed the paper receipt "Eddie Van Halen". The cashier didn't look at or even care about the signature.

      For the record, I am NOT Eddie Van Halen (had to be said).

      --
      It must have been something you assimilated. . . .
    6. Re: Turn on your damn chip reader by nospam007 · · Score: 2

      "No. The ones the rest of the world uses successfully and reliably."

      For several years now.

      Most of my acquaintances render the magnetic strip unusable with magnets, so that the cards can't be easily skimmed.

    7. Re:Turn on your damn chip reader by DogDude · · Score: 2

      It has nothing to do with merchants. It has to do with particular software stacks not being "certified" as "PCI compliant". Visa/MC handled this very badly, and of course, we've got no real guidance or regulation from our federal government, so the transition has been a shitstorm in the US.

      --
      I don't respond to AC's.
    8. Re: Turn on your damn chip reader by stephanruby · · Score: 4, Interesting

      The chip readers work differently in the US. Before the transaction is authorized, the amount is verified through a centralized database. Plus all the handshake protocols are done synchronously and no information is allowed to be cached.

      This is why the chip readers in the US at times seem to be taking forever to process transactions and the chip readers in Europe are actually quicker than their European magnetic strip reader counterparts.

      So in the US, I really doubt that the chip readers are even broken. It is more likely that a store owner decided not to use that feature until the business could switch to a more reliable and blazing fast internet connection, or until the business could get more cashier staff to deal with the extra wait time and queue time this created during peak business rush hours.

    9. Re: Turn on your damn chip reader by AntronArgaiv · · Score: 2

      I have an EMV MasterCard. Used it today, in fact, and was asked to sign. I don't think I have a PIN for the card.

    10. Re: Turn on your damn chip reader by quetwo · · Score: 2

      Pretty much this. That and most "mom and pop" stores still use dial-up credit card readers. These readers, in order to have a faster handshake, connect at 2400 baud. The payload of an encrypted session with an EMV chip is about 50 - 75kb, which takes about 20 - 40 seconds over a 2400 baud connection. A non-EMV session transfers about 10kb worth of data and can be done in about 4 - 10 seconds.

      In Europe, most credit card readers, even in small stores, used ISDN-BRI or better. Even the EMV sessions would take under 10 seconds.

    11. Re: Turn on your damn chip reader by zifn4b · · Score: 4, Interesting

      > I have an EMV MasterCard. Used it today, in fact, and was asked to sign. I don't think I have a PIN for the card.

      You really don't seem to understand how credit/debit cards work. Unless you're getting a cash advance, credit transactions never require a PIN. Hence, why they all used to require a signature. That way if the cardholder disputed the charge, the merchant could represent the signature to the cardholder and say "is this your signature?" Debit cards, on the other hand, always require PINs because it's a completely different type of network with different operating regulations. Visa/MasterCard use variants of the ISO 8583 specification whereas Cirrus/STAR/etc. use something completely different. And, by the way, if you have a debit card from a financial institution that is Visa or MasterCard this is why they tell you to always run it as credit. If you run it as credit, the merchant pays the interchange fees. If you run it as debit, the issuer does and in many cases passes the cost along to the cardholder.

      --
      We'll make great pets
    12. Re: Turn on your damn chip reader by Wulf2k · · Score: 2

      Speaking as a Canadian, credit card transactions always require a PIN unless they're small enough to go through with just the tap.

  2. The dying art of editing by whoever57 · · Score: 5, Informative

    From TFA:

    "In Canada, Australia and most of Europe, credit cards have long abandoned the signature for the EMV chip and a PIN to authenticate the transaction, like one does with a debit card."

    That sentence is missing the word "require": "and require a PIN". This changes the meaning, since in most of Europe the signature requirement has not been dropped, it has been (mostly) replaced with a PIN. I believe banks in Europe will still issue chip-and-signature cards to elderly people on request.

    [I now await the replies pointing out the grammar errors in my post. Also, my recent experience is limited to the UK -- perhaps it is different in other European countries, but I don't think so].

    --
    The real "Libtards" are the Libertarians!
    1. Re:The dying art of editing by PvtVoid · · Score: 4, Insightful

      This. Transaction verification is a long-solved problem that Americans refuse to adopt because we're too fucking stupid.

    2. Re:The dying art of editing by mrbester · · Score: 4, Informative

      There's a button that can be pressed that allows customers to tip; the reader is handed to you and there is a blank field for you to type in an amount. Then you enter your PIN. AFAIK this functionality has always been present so you could do it on chip and signature as well.

      If the server has pressed OK twice after entering the bill total (skipping the gratuity step) then the transaction can be voided and restarted if necessary.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  3. Slated to begin in April 2018 by Vektuz · · Score: 4, Informative

    From TFA, for those asking instead of reading, April 2018 is when the signature requirement will cease.

    Most supermarkets already have some sort of deal where signature is only required on purchases larger than $50 anyway.

  4. Re:What they *should* do is enable PIN-priority by gaiageek · · Score: 3, Funny

    If you use an American credit card in Europe you still sign (most U.S. cards). The card issuers decide the priority of authentication methods, i.e. signature vs PIN (which has sub-variants), and the vast majority of U.S. card issuers go with signature verification as the first priority. Europe has PIN as the first priority.

    Paying with a credit card at supermarkets in Europe is a great way to stand out as an American, as you hold up the checkout line that extra 10 seconds.

  5. Re:Ironic by dfm3 · · Score: 2

    No, the signature is not a form of verification, so there's nothing to "defeat". If the customer never inputs the correct pin, ultimately the transaction will be declined. No cashier is going to put up with you trying 10,000 possible combinations until you brute force the right one.

    Signatures are a holdover from the old days, and serve no more than to give the retailer a way to prove that both the card and a person were present at the time of sale (say, if a transaction were disputed). Note I said a person and not necessarily an authorized person; back in the signature days the burden of proof was on the retailer to determine that the person using the card was actually the authorized user, but this was rarely done in practice. Basically, a signature was proof that a purchase was not a "card not present" transaction.

    Case in point, many years ago I was at a register and had swiped my card a second before noticing that an item had been rung up wrong (double charged), so I asked if I could just refuse to sign the electronic pad and "decline" the transaction. The answer from a manager was no, the lack of a signature would make no difference as the transaction happened automatically as soon as the card was read.

  6. Re:What they *should* do is enable PIN-priority by swimboy · · Score: 2

    How can I use an American credit card in Europe?

    Some credit card issuers will assign a PIN to your credit card if you request it. That way, when you go to Europe, you can use your card just like everyone else.

    --
    Ask me how the Heisenberg Principle may or may not have saved my life.
  7. Re:Dark Ages by Dutch Gun · · Score: 3, Informative

    A ZIP code is just a bit of additional authentication that pre-dates a proper chip-and-pin system. It's a simple "what you know" test that a credit card thief may not know. Gas purchasing is apparently a very common use of stolen credit cards. As soon as chip readers are more ubiquitous, hopefully that stop-gap measure will go away.

    The sooner we can get rid of the idiocy of signing as an authentication or verification, the better. It's just outdated and is nothing but security theatre at this point.

    Also, apparently the rule for Canadians is this:

    If prompted for your ZIP code, just enter the three digits of your postal code plus two zeros. So for example, if your postal code is A2B 3C4, the 5 digit number you should enter is 23400

    --
    Irony: Agile development has too much inertia to be abandoned now.
  8. PIN no need for chip by markdavis · · Score: 5, Insightful

    >"In Canada, Australia and most of Europe, credit cards have long abandoned the signature for the EMV chip and a PIN to authenticate the transaction, like one does with a debit card."

    We never needed a "chip" in the first place. Many millions of dollars wasted to overhaul everything- replacing readers, putting in chips, replacing all cards, updating interfaces and software- and still no PIN! A PIN code is a password. If required, without it, a card would be useless (at least in physical transactions, which is all we are really talking about anyway, since on-line can't use "chip readers"). Doesn't matter if it is a valid card, a stolen card, or a "made up" (cloned) card- put in the wrong PIN too many times and POOF, the account is frozen.

    A password/PIN is required for my phone, my Email, my work account, Slashdot, my bank card, voicemail, calling to discuss my cable TV account, just about everything.... except credit cards??? Do they REALLY think people can't handle at least a freaking 4 digit number password in 2018?

    >"Businesses that accepted EMV cards reported a 66 percent decline in fraud in the first two years of EMV deployment,"

    Add a PIN, and then get a 99% decline in in-person fraud. Again, chip security does NOTHING for online security. Develop a PIN for use online and watch fraud drop tremendously there, too.

    1. Re:PIN no need for chip by ledow · · Score: 4, Informative

      Your PIN is your signing key. It encrypts the data to the bank such that only they can read it, think of it like that.

      Just transmitting card number + PIN is no more secure than just card number + expiry date, really.

      But transmitting card number + nonce generated by a secure chip on the card, signed with the user PIN and an internal incrementing number from the chip itself and presented to the bank? Now replay attacks are useless and even knowing card number + the PIN itself doesn't help.

      You now have to physically have THAT card itself to make it work (worst you could do is a "cardholder not present" transaction otherwise, which doesn't need the PIN anyway). In the same way, your example of card number + postcode (also used in other countries) shouldn't be enough on its own either.

      Though I hate Chip And PIN for many reasons, yours aren't any of them, and it's undeniable that nobody bothers or is even capable of verifying signatures at all. And it has significantly reduced fraud.

      Until, that is, we went stupid and put NFC payments on the same card so any kind of temporary physical proximity is enough to charge, even without the user knowing. But that's another matter entirely.

      And I don't know about you, but my card provider has online challenges at online stores if I don't use the card very often there or if it's an unusual transaction - by way of asking for a password that I NEVER use at a cash machine or anywhere else - only online. Verified By Visa and/or Master SecureCode.

      Your problem is that you don't understand what the PIN is actually doing. Asking for a PIN doesn't work how you think - you use the PIN to unlock the chip on the card which is then able to sign a transaction and give a signature (AuthCode) that you then give to the vendor from where the bank can confirm the transaction came from your card itself.

      Because unless you want to give everyone on the planet a way to present data to the secure chip and read responses (probably not good for customer ease of use) by way of some kind of chip reader that plugs into every possible smartphone and every computer, then it's not useful to have every online transaction require a PIN any more than an expiry date or postcode. And, in fact, is why those online systems exist with an ENTIRELY DIFFERENT code that only works online. Hell, they even present a custom challenge so you know you're not being tricked into entering your code online on a fake site (i.e. only Verified By Visa and I know what text it should be putting in the box that asks me to verify my code).

      Rather than complain about something you don't understand, use it and test it and investigate it. The reason Chip & PIN is there and works is because someone sat down, thought of all the use cases, thought of the attacks, and designed a single cheap chip that could solve most of them effectively enough for pennies-per-card (I've never been charged for a replacement credit card in my life, and chip-bearing smart-cards are so cheap as to be throwaway items if you have any dealings with them in access control / banking / code-signing / etc. applications).

      I haven't even signed my last four / five cards (all of which reached their expiry dates), because NOBODY uses the signature and nobody even queries it any more. That's how long other countries have been using Chip & PIN.

      Plus... you DO NOT want some cheap random bit of hardware interfacing with your card and just needing to send it a PIN that you type in plaintext onto it to unlock. You'd hope that such devices would at least have to have some kind of bank / merchant secure certificate to sign their part of the transaction to help you a) stop people just playing with credit cards using hobbyist electronics, b) require some form of device certification to be able to talk to your card, c) provide some security over the interface, d) provide some accountability should someone just start cloning a particular card reader that you issue out.

      Chip & PIN has many holes. But you don't see that because you don't even understand the purpose of the PIN in the first place.

    2. Re:PIN no need for chip by Wrath0fb0b · · Score: 2

      The PIN is typically verified on the card itself, not transmitted to the back end. The card has protection such that N={3 or 5} incorrect PIN entries will lock the chip, and it will not vend a signature over the transaction until it sees the correct PIN. That protection is implemented in the card software itself.

      [ Well, actually, there are both online-PIN and offline-PIN scenarios. But most of Europe is offline-PIN. US Debit transactions are online PIN, but that has its own issues.]

      > Develop a PIN for use online and watch fraud drop tremendously there, too.

      Either that or the first compromised site would get both your PIN and your card # in one go. How do you think they harvest CC #s anyway? And how would recurring payments work, would the cable company have to persist my PIN into their $0.05 SQL database so they can enter the monthly charge?
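
A simplified model of the mechanism the two replies above describe (a PIN checked on the card with a retry limit, and a per-transaction cryptogram bound to a terminal nonce and an incrementing counter), as an added example that is not part of the original thread. It is not the EMV algorithm: HMAC-SHA256 stands in for the card's cryptogram, and `ToyChipCard`, `ToyIssuer`, the field names and the card number and PIN are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

PIN_TRY_LIMIT = 3  # assumed; the reply above says cards use 3 or 5


class CardLocked(Exception):
    """Raised once the on-card PIN try counter reaches zero."""


def cryptogram_input(pan, amount_cents, nonce, counter):
    # Every field the issuer has to trust is covered by the MAC.
    return pan.encode() + struct.pack(">QI", amount_cents, counter) + nonce


class ToyChipCard:
    def __init__(self, pan, pin, key):
        self.pan = pan
        self._pin = pin
        self._key = key          # shared with the issuer, never leaves the chip
        self._tries_left = PIN_TRY_LIMIT
        self._counter = 0        # increments on every signed transaction
        self._pin_ok = False

    def verify_pin(self, candidate):
        # Offline PIN: checked by the card, not sent to the back end.
        if self._tries_left == 0:
            raise CardLocked("PIN try limit exceeded")
        self._pin_ok = hmac.compare_digest(candidate.encode(), self._pin.encode())
        self._tries_left = PIN_TRY_LIMIT if self._pin_ok else self._tries_left - 1
        return self._pin_ok

    def sign(self, amount_cents, nonce):
        if not self._pin_ok:
            raise PermissionError("PIN not verified")
        self._pin_ok = False     # one PIN entry authorises one transaction
        self._counter += 1
        msg = cryptogram_input(self.pan, amount_cents, nonce, self._counter)
        return {"pan": self.pan, "amount": amount_cents, "nonce": nonce,
                "counter": self._counter,
                "mac": hmac.new(self._key, msg, hashlib.sha256).digest()}


class ToyIssuer:
    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def enroll(self, pan, key):
        self._keys[pan] = key
        self._last_counter[pan] = 0

    def authorize(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "unknown card"
        msg = cryptogram_input(tx["pan"], tx["amount"], tx["nonce"], tx["counter"])
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tx["mac"]):
            return "bad cryptogram"
        if tx["counter"] <= self._last_counter[tx["pan"]]:
            return "replay"
        self._last_counter[tx["pan"]] = tx["counter"]
        return "approved"


def demo():
    pan, pin = "4000000000000002", "4821"      # constructed sample values
    key = secrets.token_bytes(32)
    card, issuer = ToyChipCard(pan, pin, key), ToyIssuer()
    issuer.enroll(pan, key)
    card.verify_pin(pin)
    tx = card.sign(1999, secrets.token_bytes(4))
    first = issuer.authorize(tx)
    replayed = issuer.authorize(tx)            # same message presented twice
    altered = issuer.authorize(dict(tx, amount=999999, counter=tx["counter"] + 1))
    for guess in ("0000", "1111", "2222"):     # wrong PINs use up the tries
        card.verify_pin(guess)
    try:
        card.verify_pin(pin)
        locked = False
    except CardLocked:
        locked = True                          # even the right PIN is refused
    return first, replayed, altered, locked
```

The issuer never sees the PIN in this model: it only checks the MAC and that the counter has advanced, which is why a captured message or a changed amount is rejected.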

    3. Re:PIN no need for chip by Cederic · · Score: 2

      I fucking hate filling a car in the US because of this. I don't have a fucking zip code, I can't enter one, and I don't know how much fucking fuel this shitty hire car needs so I can't easily tell the guy at the desk how much I want to prepay.

      Makes filling the car a seriously fucking stressful activity for me. Why the fuck can't I just put fuel in the car, walk in and pay? Works everywhere else in the fucking world.

  9. Chip and pin is STILL more secure than signing by aepervius · · Score: 3, Insightful

    Signing means somebody only needs to know your signature and imitate it, and as far as I can tell it isn't for fraud and signature comparison, as you yourself can fake a signature; no, this is about accepting the sale as a contract. The CC company does not care at all about comparing signatures for fraud, as it is utterly stupid (not difficult for most people to imitate it, especially since you are supposed to sign your card on the back, therefore the signature CANNOT be a security device, as it is known by the card holder). Stealing PINs and the attack mentioned, OTOH, ask for a big sophistication. So for your "way too insecure" I think I will trust chip and PIN any time of the day over signature.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  10. Re:Signing is for your protection, not the bank's by Solandri · · Score: 5, Interesting

    You've got it backwards. If the customer initiates a chargeback, the credit card company assumes the customer is telling the truth. It's not up to the customer to prove the charge was fraudulent. It's up to the merchant to prove the charge was legit. And the easiest way for a merchant to do that is to send the credit card processor a copy of the signature on the receipt. If the receipt matches the customer's signature on file, case closed - it's not fraud. (If the signature doesn't match or there is no signature, the credit card company may or may not decline the chargeback. Merchants can submit other info - address, phone number, etc. - that are not on the card but which the card issuer has on file. That's why gas station pumps ask you to type in your zip code when you use a credit card. But in my experience as a retail business, any customer chargeback where we weren't able to produce a signed receipt or if the signature was faint or illegible, we automatically lost.)

    Merchants want to get rid of signatures because it's what the credit card companies use to shift the cost of fraud onto the merchants. Think about it. There are two possible ways for credit card fraud to happen. Either you gave away/lost your card, or the credit card processor allowed a charge that it shouldn't have. The merchant has no way of knowing if a card is fraudulent. All they see is a card, stick it into the reader, and the machine tells them the transaction was approved or declined. The credit card companies got laws passed which prohibit merchants even from requiring ID before they have to accept a card. They can ask for ID, but it's illegal to refuse a credit card transaction just because the customer doesn't have or doesn't want to show ID. But somehow the credit card companies have managed to make the party which has no control over fraud (merchants) pay for fraud. (The exorbitant interest fees you pay credit card companies pay for delinquent customers, not fraud.)

    This is why the state of credit card security is so deplorable. Online banking is very secure. Online bill pay is very secure. Wire transfers are very secure. But credit card security sucks because the parties which can do something about security (the credit card companies and processors) aren't the ones paying for fraud. So they've had little to no incentive to improve credit card security for decades because it hasn't cost them a dime. The merchants have been paying for all the fraud. And whatever the merchant pays for, you pay for via higher prices.

    Chip & PIN has its problems, but it's still much more secure than Chip & Sign. And problems with the current Chip & PIN implementation can easily be fixed without altering the process (just need to modify the algorithm the chip uses).

  11. Re:Signing is for your protection, not the bank's by davecb · · Score: 2

    You wrote "Merchants want to get rid of signatures because it's what the credit card companies use to shift the cost of fraud onto the merchants. " That's the main point I was trying to make.

    --
    davecb@spamcop.net
  12. Re:What they *should* do is enable PIN-priority by quetwo · · Score: 2

    Last time I was in Germany (a few years ago), I was at a deli and I did the EMV thing. All of a sudden the register beeped and spit out a receipt for me to sign. I already had the pen in my hand but the cashier had no idea what was going on. It was the first time they had ever seen the receipt print out like that and ask for a signature.

    I think in the grocery store, they had at least seen it a few times. I couldn't use that card at all for the train since the PIN function had been blocked, and the terminal had no way to use the signature.

  13. Re:Signing is for your protection, not the bank's by houghi · · Score: 2

    The state of CC security is deplorable in the US. I live in Europe and what we see is that the most insecure country is the USofA and not even because of the fact that it is used in more places, because it isn't. The reason is that they have not implemented the PIN system.
    They have done so in every country in the world. There are merchants in those other countries as well. All the same excuses have been thought of as well, yet everywhere they were able to push it through.

    It is so bad that many banks and others have decided that if you go to the US, you need to ask that your card be activated. It is the ONLY country where they do that. None. Not some poor country in Africa, not any country elsewhere, just the US, because it is so unsafe.

    Now you could say that the US merchants would need to buy a new machine. This is also valid for the rest of the world. The price of these devices is around 25EUR and more expensive and cheaper versions exist. In Europe these will be given to the merchant and paid by the fee.

    The thing is that in Europe these machines will be used for any electronic payment. I myself can pay at the supermarket with my Credit Cards, bank card, meal voucher (I get 8EUR per working day for food. Standard practice in Belgium) store voucher, gift voucher and even can combine them if I like.

    Normally when I go to somewhere in Europe, I do not even bother to take cash with me. Just pay everything by card. Luckily I was in the US with a friend who lived there, because I was flabbergasted by the fact that you needed to pay cash for so many things.
    Parking and toll roads stand out the most. In Europe at these you can pay electronically.

    And there is no difference in the procedure in payment on what card you use, just if they are accepted. So no difference in usage. This has been the case for at least 10-15 years, so it is clearly unwillingness from the US.

    As to the merchant not knowing if the card is fraudulent or not, the payments are mostly done online. So verification goes back and forth. (Yes, there are exceptions, as always) so the moment you block your card, the merchant will know. This means there is still a small window that the card is valid.

    The other problem with the US system is that because of that, many airlines still do acceptance without e.g. 3D Secure where you get an SMS to confirm that you are you. This would reduce the fraud seriously. I think they are working on making that obligatory.

    --
    Don't fight for your country, if your country does not fight for you.
  14. Re:Signing is for your protection, not the bank's by davecb · · Score: 2

    You can't prove anything of the sort... .

    As to the specific assertion above, signatures are used by the court in deciding if the credit-card holder must pay, or if it is fraudulent. See CanLII, Western Currency Exchange Ltd. v. National Bank of Canada, 2002 ABPC 147 at https://www.canlii.org/en/ab/a...

    --
    davecb@spamcop.net