
Visa: Some merchants see dip in fraud thanks to chip cards - prostoalex
http://www.usatoday.com/story/money/2016/04/19/some-major-merchants-see-dip-counterfeit-fraud-thanks-chip-cards-visa-says/83194722/
======
elecengin
Interesting - I was suspicious that this "Quick Chip" process they refer is
less secure, but apparently it is just a matter of poor implementations
requiring the card for the entire authorization process:

"According to Ericksen, the ability for EMV transactions to continue as usual
without the card remaining dipped after the creation of the cryptogram is
actually already an existing EMV process, but it is just not widely used. With
the implementation of Quick Chip, no additional testing or certification is
needed from a Visa or EMVCo point of view, there are no changes to the process
and the technology is inherently EMV compliant."

[http://www.pymnts.com/news/emv/2016/visa-puts-the-quick-
into...](http://www.pymnts.com/news/emv/2016/visa-puts-the-quick-into-emv/)

~~~
praseodym
I've been wondering about that for a while now. In Europe (The Netherlands for
me), it seems like paying with NFC is a _lot_ faster than paying with regular
'chip and pin' where the card needs to stay in the reader for ~5 seconds after
entering the PIN. Since both use the EMV protocol and the same chip (just
contact vs. contactless), I'm not sure why the contact method is so much
slower.

~~~
ultrafez
I believe it's down to how your bank sets up your card, and how the retailer's
set up. In the UK, when I pay with my debit card at Tesco, after entering my
PIN it _instantly_ says I can remove my card. Apparently it's because the card
reader skips communicating with my bank until they cash up at the end of the
day (the "available balance" of my card doesn't reduce after shopping there
until the next day). Tesco is the only retailer where I've seen the card work
almost instantaneously, but I expect that NFC payments work that way every
time.

~~~
brianwawok
How do they detect invalid or cards with no balance? Seems you have to round
trip to the bank at least once or you would be no better off than checks.

------
swombat
When I hear that the US still hasn't adopted chip+pin it sort of sounds
unbelievable. This is the country that created VISA International, after all -
a fantastic story chronicled in Dee Hock (founder of VISA)'s book. It seems
like the financial industry in the US has taken giant strides backwards since
then.

~~~
giarc
I'm in Canada and have had chip tech in cards for a number of years (5+ I'd
say). We've since moved on to tap/swipe/wave which requires no pin but does
have a transaction limit.

~~~
vinay427
> We've since moved on to tap/swipe/wave which requires no pin

This is growing in the US as well, which is why chip-and-PIN seems less
helpful coming this late in the game to the US market. I'd much rather it be
required that restaurants (among other merchants) use portable credit card
readers like they do in Canada to keep cards in the hands of their owners.

~~~
giarc
The one thing I've seen in the states that I'd like to see here is pre-pay at
the grocery line. I know Target has this, and I imagine others. Basically
while the cashier is ringing up your groceries, you go through the process of
paying and basically say "I agree to pay the amount of this purchase." Then
when the cashier is finished, the payment is immediately processed and you are
done. Saves 30-45 seconds for each customer.

------
showerst
I always find these things to be much slower to process than the swipe-
readers, which is pretty annoying when you're in a long line.

~~~
spdegabrielle
Just wait till you get 'contactless'
[https://en.m.wikipedia.org/wiki/Contactless_payment](https://en.m.wikipedia.org/wiki/Contactless_payment)

~~~
Gnewt
The US actually had a lot of contactless cards for a while, before EMV, but it
seems like that's been phased out (outside of the use of NFC via Apple Pay /
Android Pay.

~~~
the_mitsuhiko
The US had NFC which just sent the magstripe which is different from EMV NFC.

------
stegosaurus
I'd like to see average payment size data (median, mean).

Is it necessary for the average person to be able to instantaneously spend
hundreds of pounds? I don't see why all retailers need such high security
(e.g. sandwich shops).

I personally rarely spend more than 50GBP in a store. Large amounts of
groceries in bulk, full fuel tank when I owned a car.

The contactless limit is 30GBP and that makes sense to me. If I cared about
losing that amount of money I wouldn't go outside. I can sit on the metro and
see that 25%+ of the people there are playing with smartphones worth 300GBP+.

Given all of that I don't find the US stance on security very odd. I want
large payments to be verified, I don't care if someone buys a sandwich on my
card, even if I never get that back from the bank.

To put it another way - huge payments should not be possible using a physical
object that is used all over the place. I'd be happy for my bank to call me
(2FA) for all payments above 100GBP, and for them to freeze payments if many
many small payments happen in a short time span.

Otherwise, I'll see problems on my statement, cancel the card, and carry on
with life.

------
blahkins
I don't understand how these help mitigate fraud in any way. You still have to
sign afterwards, there is no PIN which is the way it works in Europe. How is
this ANY different other than harder to implement a scanner which would steal
the swipe, and those are bound to get implemented sooner or later anyway.

~~~
Veratyr
The purpose of EMV isn't really to counter physical theft, it's to counter
passive theft using devices like skimmers.

> How is this ANY different other than harder to implement a scanner which
> would steal the swipe [...]

The magnetic stripe on the card is essentially just a barcode read by magnets.
Like a regular barcode, it's trivial to copy.

The chip on a card is actually a very low power computer that uses
cryptography to produce an authentication token the scanner can present to a
bank to authenticate a single purchase. It's essentially impossible to
recreate the entire chip and the token can only be used on the purchase it was
intended for so skimmers are pretty much dead.

You can read a little more about it here
[http://www.firstdata.com/downloads/thought-leadership/EMV-
En...](http://www.firstdata.com/downloads/thought-leadership/EMV-Encrypt-
Tokenization-WP.PDF)

~~~
dikdik
While this sounds great, I was just given a debit card with a chip in it.
While extra protection is afforded at terminals built for cards with chips, I
still only use the magnetic strip on my card at the 90%+ of terminals that are
not built for chipped-cards.

------
hbcondo714
Most places I've been to have the new chip readers installed but they are
disabled leaving you to swipe your card.

