
EMV Switch This Week Could Threaten Many Businesses in U.S - tanglesome
http://www.eweek.com/security/emv-switch-this-week-could-threaten-many-businesses-in-u.s..html
======
creshal
It's depressing to see the US still treating EMV cards like a strange exotic
novelty while Europe is already upgrading those again and moving to NFC-
enabled cards after EMV has worked without any major issues for _20 years_.

For small, repeated transactions you just hold the card to the reader and are
done in 1-3 seconds. The first transaction on each reader and random
transactions every 20-50$ (and all transactions above a $20 limit) will
require chip+PIN verification, which seems to cut down fraudulent transactions
for now.

~~~
darkr
More like 10 years. UK + Europe rollout of chip+pin/EMV + incentivised
liability shift was around 2005/2006, and has reduced card fraud by around 70%
in most countries. Contactless/NFC payment facilities have been pretty
widespread (at least in the UK) since 2010 or so, and since the last couple of
years or so are pretty much ubiquitous.

I suspect that America being so backwards in this respect has a lot to do with
the power and influence wielded by corporate lobbyists in congress.

~~~
creshal
German rollout was in 2000.

~~~
tgflynn
France had them in the early 90's.

------
brianjolney
I'm pretty sure the article has it completely backwards. If a retailer has a
chip reading terminal, they aren't responsible for fraud. It incentivizes
retailers to update their hardware, or face shouldering the fraud risk for
chip enabled cards that they end up swiping.

~~~
xenadu02
You're correct. If the merchant has the EMV reader but the bank card only has
a mag stripe the bank eats any fraud, period. The merchant is completely off
the hook.

~~~
weaksauce
What happens if the reader is an EMV one but the fake bank card looks like it
has a chip and it was swiped instead of using the chip? I have a debit card
with the chip but I can still swipe it at the hybrid terminals. Who owns
liability in that case?

~~~
cbhl
Once I used my chip cards in a reader in the US, and was told, "this is a chip
card, please insert it into the bottom" so there's definitely a bit that can
be set in the magstripe to tell the PoS that a chip should be available in
case you clone just the magstripe.
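
Added example, not part of the thread or of any commenter's post: the indicator cbhl describes corresponds to the three-digit service code in the stripe's Track 2 data (ISO/IEC 7813), whose first digit is 2 or 6 when the card carries a chip. The sketch shows how a chip-capable terminal can use it to refuse a plain swipe; the function names, policy labels and sample track strings are constructed for illustration.

```python
import re

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# First service-code digit: 2 or 6 means the card carries an integrated circuit.
CHIP_DIGITS = {"2", "6"}

# Constructed sample tracks using a well-known test PAN (not real card data).
CHIP_CARD = ";4111111111111111=30122010000000000?"    # service code 201
STRIPE_ONLY = ";4111111111111111=30121010000000000?"  # service code 101


def parse_track2(raw):
    """Return the Track 2 fields as a dict, or raise ValueError if malformed."""
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("not a well-formed Track 2 string")
    return m.groupdict()


def swipe_decision(raw, terminal_has_chip_reader, chip_read_failed=False):
    """Decide how a terminal should treat a swiped card.

    Returns one of these hypothetical policy labels:
      PROMPT_INSERT  - stripe says a chip exists, so refuse the swipe
      FALLBACK_SWIPE - chip was tried and failed; accept, but flag for review
      ACCEPT_SWIPE   - stripe-only card, or the terminal cannot read chips
    """
    fields = parse_track2(raw)
    card_has_chip = fields["svc"][0] in CHIP_DIGITS
    if not card_has_chip or not terminal_has_chip_reader:
        # With a chip card on a stripe-only terminal, this is the swipe the
        # liability shift discussed above leaves with the merchant.
        return "ACCEPT_SWIPE"
    if chip_read_failed:
        return "FALLBACK_SWIPE"
    return "PROMPT_INSERT"


if __name__ == "__main__":
    print(swipe_decision(CHIP_CARD, terminal_has_chip_reader=True))
    print(swipe_decision(STRIPE_ONLY, terminal_has_chip_reader=True))
```

A cloned stripe copies the service code along with everything else, so the check only helps when the terminal enforces it and treats fallback swipes as exceptions worth reviewing.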

------
coleca
I guess I'm not surprised by the lack of EMV capable card readers I still see
in the US. Having worked in this space in the past, I am always checking out
the payment terminals at the stores I visit. I've even seen some larger
merchants that I frequent upgrade their PIN pads recently but to non-EMV
capable models.

If the big-box stores aren't getting it done there is little hope for the mom
& pop type stores who will be forced to either stop taking cards or accept the
liability for fraud since it's unlikely the acquiring banks will want to hold
the bag for their customers once the card brands pass it downstream.

~~~
larzang
The business I work for uses Square, who are rolling out EMV+NFC readers soon
and are covering liability in the meantime, which is nice.

Weirdly a couple months ago my local 7-11 upgraded to readers which have the
physical EMV slot but those slots are non-functional.

~~~
heywire
Most retailers started with the hardware upgrade, which generally has to be
followed up by a software upgrade to enable the processing of an EMV
transaction. Depending on the level of integration with the payment network,
the software changes required at the Point of Sale can actually be pretty
complex.

------
quux
EMV cards are a big improvement for security but the UX is a big step back
from mag swipes. Here's an example from a recent stop at the ATM.

* I dipped my card and then was told to reinsert the card and leave it in for the duration of the transaction. I wonder how long it will take for me to insert/leave by default instead of dipping.

* The machine mechanically locked my card into the slot until I had taken my cash. I wonder how much more frequently people are going to leave their cards in the ATM now. Also, what happens if the power goes out or the machine crashes?

* It seems that some EMV cards have multiple "Applications" on them and it's impossible to tell which one should be used in which context. When I inserted my card, the ATM presented me with a menu asking me to select between "US DEBT" and "VISA DEBT". I had no idea which one to choose, and had to pick one, try to make a withdrawal, fail, and then choose the other one to take out cash. I don't remember which one worked, and if that's the one I should use in other locations.

~~~
slashink
1\. I understand coming from only swipe but in my mind (Sweden) you insert
your card while you perform the entire transaction as an identifier compared to
swiping. That's at least how me and my friend think about it after asking him.

2\. Machines in Europe have been doing this for a long time and it's never been
an issue. I guess in the rare case power goes out (aren't these machines on
UPS?) you just call the provider hotline, cancel that card and get a new
one in the mail the day after.

3\. I have never seen this but I agree this is an issue. That is an unnecessary
UX roadblock.

~~~
davb
1) I agree - I think this is a regional thing. In the UK, ATMs almost always
lock the card in place (typical non-corner-store ones take the entire card
into the machine).

2) In the UK, most machines make you take the card out before dispensing the
banknotes. Bank-owned (non-corner-shop) ATMs "spit out" the card and beep
until you take the card. Only then do they dispense the cash.

3) I don't think many UK card issuers use multiple applications for the same
context. That is to say, if you put your card into an ATM, only one
application is likely to be compatible with that profile. There may be other
applications for travel (ITSO, for example, is a travel card standard built on
Global Platform). I think every EMV terminal has support for application
selection menus (usually in the form of little buttons along the side of the
screen) but they're virtually never used in the UK.

In my experience while travelling, US payment terminals are the most unusual.

~~~
rbobby
Same in Canada... gotta take the card and then the money comes out. Nice thing
is that you never forget your card in a machine :)

~~~
davb
Yeah. And if you do happen to enter your PIN, request cash then just walk away,
the machine will furiously beep for a short time then pull the card back in
("swallow the card").

You've then got to request a replacement card from your issuer but it does
limit the chance of a stranger coming along and retrieving the forgotten card
and attempting to use it (for a signature fall-back transaction after damaging
the chip, or for a cardholder not present - CNP - transaction).

Bank-operated ATMs will also often retain the card if it's been reported lost
or stolen, but this does rob the lucky/brave checkout operator of their £50
bonus if they happen to retain a stolen card that's been used in store.

------
stevep98
It seems to take a couple of extra seconds to process the transaction,
compared to a swipe. I'm surprised that this bothers me so much. I might use
Apple Pay more often if this doesn't get improved.

~~~
MrRadar
That's my experience too. Fortunately most of the EMV-activated terminals I've
run into also accept NFC so I've just been using Android Pay to avoid the
extra hassle.

------
amalag
So there is zero incentive to replace a non-emv reader. Once you have to NOT
use the stripe.

It is a big problem for stores. Credit cards have both so stores have to force
only those transactions to the EMV.

The machines need to be smart enough to figure out if the card has both and
not allow the stripe transaction.

~~~
QUFB
The local Walmart set up chip & signature a couple of months ago. Magstripe
transactions are denied by default on my card that has the chip.

~~~
irl_zebra
I noticed this recently as well at Walmart. Tried to swipe my card and it
didn't work, swiped again and it didn't work. Finally bothered to read the
error message, which was "Insert Card into Slot at Bottom of Terminal."

My experience in Europe has been with Chip and PIN, I wonder why we're
gravitating toward Chip and Signature.

~~~
jdeibele
Me, too. Found
[http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/](http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/)

"Most card issuing banks and Visa don’t want PINs because the PINs can be
stolen and used with the magnetic stripe data on the same cards (that also
have a chip card) to withdraw cash from ATM machines. Banks eat the ATM fraud
costs. This scenario has happened with the roll-out of chip cards with PIN –
in Europe and in Canada."

~~~
lucaspiller
I don't quite follow this... how do you use your card at an ATM if it doesn't
have a PIN? In Europe cards had PINs for this, even before EMV.

~~~
MrRadar
US credit cards (both chip and non-chip) have PINs, they're just used only at
ATMs when taking cash advances. The article jdeibele referred to said that if
you forced people to use their PINs all the time the rate of cash advance
fraud would go up since it would be more likely that a skimmer would have the
PIN (since there would be more opportunities to intercept it).

------
Aardwolf
Yep had chips for decades already in Europe (it's not called "EMV" here
though, just a chip afaik).

I don't know who is liable in Europe for fraud (shop or bank), but, about the
article, I find it odd, the chips should be more secure, so why are banks
giving the responsibility of fraud to merchants while not for the insecure
magstripes? The banks should be able to trust their own chips right?

~~~
davb
It is indeed called EMV here, it's just not marketed as such. EMV stands for
Europay, Mastercard and Visa - the original consortium who agreed the
smartcard payment standard. In the UK it's marketed as "Chip and PIN", but
it's all EMV.

The specifications are all available online too [1] and make for an
interesting, if involved, read.

EMV are responsible for a number of specifications, including "Chip and PIN"
style payment, contactless (NFC) and CAP (Chip Authentication Program - a two
factor system where users are given self-contained challenge/response card
readers with which virtually every EMV card is compatible).

[https://www.emvco.com/specifications.aspx](https://www.emvco.com/specifications.aspx)

