
Chip-based credit cards are a decade old; why doesn’t the US rely on them yet? - Mister_Snuggles
http://arstechnica.com/business/2014/08/chip-based-credit-cards-are-a-decade-old-why-doesnt-the-us-rely-on-them-yet/
======
Karunamon
In short:

Technical debt, network effects, and resistance to change.

It won't be a problem for much longer. EMV is supposed to become a standard
late next year, and the "liability shift" (basically amending the processing
rules so that accepting the old-style card means you're more responsible in
case of fraud) is supposed to happen around that time as well.

I wish IT people had that level of control over their environments. We
wouldn't be dealing with Windows XP anymore :)

------
Mister_Snuggles
As a Canadian, I've always wondered about this when I've visited the States.
The transition from swipe cards to chip cards was fairly painless, from the
consumer's point of view, up here.

I think what helped make it work is the prevalence of Interac. Before chip
cards, you'd swipe your card, verify the amount, select an account, and enter
your PIN. The only thing that changed with the chip was that you inserted your
card instead of swiped.

When credit cards started getting chips, people were already familiar with the
process and just needed to be issued a PIN by the credit card issuer.

~~~
ROFISH
I've recently gotten chip cards for some of my business CCs and they do not
require a PIN. It's possible they'll introduce this later to ease the
transition.

~~~
laacz
That's strange. In Europe you may request a card without magnetic strip (chip
only). And, once chip is present even on a card with a strip, PIN entry is
mandatory.

------
informatimago
Not a decade, FOUR decades. But it isn't a US patent...
[http://fr.m.wikipedia.org/wiki/Carte_à_puce](http://fr.m.wikipedia.org/wiki/Carte_à_puce)

~~~
jevinskie
From the the rough Google translation, does your card contain 64 fuses that
can act as a unit of currency/credit? Authentication seems... minimal. =)

~~~
stangeek
informatimago is absolutely right, chip based (credit) cards is a French
invention. If you want to read in English:
[http://en.wikipedia.org/wiki/EMV](http://en.wikipedia.org/wiki/EMV)

"The first standard for payment cards was the Carte Bancaire M4 from Bull-CP8
deployed in France in 1986 followed by the B4B0' (compatible with the M4)
deployed in 1989. Geldkarte in Germany also predates EMV. EMV was designed to
allow cards and terminals to be backwardly compatible with these standards.
France has since migrated all its card and terminal infrastructure to EMV."

~~~
stangeek
...and he has been downvoted. Way to go, HN!

~~~
DanBC
Ignore downvotes. They usually self-correct over the next few hours as people
see unjustified downvotes and supply an upvote. And sometimes they're just fat
finger errors.

------
zht
The fraud implications aside, as a Canadian living in the United States, I've
always found the payment process much more pleasant with magstripe cards.
Every time I go home, I find it incredibly inconvenient to have to dip my card
in the chip reader, type in my 4 digit pin without feeling like the whole
world is looking at me, and waiting for what seems like an eternity for the
auth/capture to happen.

With magstripe cards, you just swipe and sign.

~~~
arethuza
I pay for pretty much everything with a chip-n-pin debit card here in the UK
and I feel it is generally _much_ faster than the the old swipe and sign
(which always seem very clunky any time I visit the US).

NB The approval step on newer terminals seems to have got a lot faster - I'd
estimate the payments step at the Sainsburys self service machines where I
usually buy lunch takes about 5 seconds after I enter my PIN.

~~~
UnoriginalGuy
Plus in the US you often have to show your ID (e.g. driver's licence), whereas
I've never been challenged for my ID when using Chip and Pin in Europe.

~~~
iak8god
> Plus in the US you often have to show your ID

They're not allowed to do that: "Both Visa and MasterCard prohibit merchants
from requiring customer ID as a condition for accepting their credit or debit
cards. All you need is a signed card, and of course the signatures must match
[1]"

[1] [http://www.consumerreports.org/cro/news/2011/02/can-a-
mercha...](http://www.consumerreports.org/cro/news/2011/02/can-a-merchant-
require-id-for-a-credit-or-debit-card-purchase/index.htm)

~~~
UnoriginalGuy
That's absolutely not the reality on the ground. Just yesterday I got
challenged for my ID when making a sub-$10 purchase in the US.

That isn't unusual.

~~~
iak8god
That's not been my experience: I use cards for every single purchase, which
adds up to hundreds* per year, and have never been asked for ID. In any case,
it's true that they're not allowed to require it. The link I gave above
suggests the following as recourse:

"If you're a Visa cardholder and a merchant presses you for an ID, Visa says
you should notify your card issuer. In the case of Amex, notify American
Express directly. MasterCard customers should report the violation by visiting
the company's merchant violation web page."

*Edit: hundreds of transactions per year

------
Deusdies
I had no idea that chip cards are not accepted in the US. I can't remember the
last time I saw a magnetic stripe card... and I live in Serbia.

~~~
kintamanimatt
Don't your cards have a magstripe too, as well as the chip? I know my British
cards have both.

~~~
yulaow
It depends. In my zone more and more cards are made without stripe for
security reasons ( having it make them a lot easier to clone )

~~~
kintamanimatt
That's really strange to me. That prevents the card from being used in the US
too. I'm guessing not that many people from your part of the world travel to
the US then.

~~~
yulaow
I know that one of the reasons is that here is very frequent that the police
find some tiny electronic systems (skimmers/false_keyboard + minicams) glued
or stuck on a lot of atm and pos with the specific purpose of cloning your
cards using the stripe. So the only strong solution to avoid all this is
making cards only with the chip, making those systems useless

------
jwcooper
We're getting there, albeit very slowly. Almost all the new readers I see at
major stores now have the slot to slide your card in for the chip and pin.
Every Target store I've been to appears to have been upgraded.

Wells Fargo has also started rolling out chip and pin credit cards, not sure
if it's by default or not. I've had one for probably a year now.

That being said, I have no idea if the chip and pin even works end-to-end yet,
as I haven't tried it. I'm likely part of the problem!

Also, we'll see what happens with the liability shifts in the US. Right now
consumers have it fairly good with regards to fraud protection and getting
reimbursed.

~~~
UnoriginalGuy
> Every Target store I've been to appears to have been upgraded.

Additionally Target's own "Red Card" (store card) utilises Chip and Pin only.

~~~
tdicola
Is it a new thing? I got a red card visa last year and it doesn't have chip
and pin.

------
oasisbob
Another reason that the article doesn't touch on: there is so much extra money
sloshing around in the US system due to high interchange fees that fraud pales
in comparison. I don't see how you can ignore this as a disencentive to
change.

IIRC, fraudulent charges account for ~40 bp of total transaction volume, very
little of which is the responsibility of the issuing institution. Interchange
fees are ~200 bp of total transaction volume.

------
srinathh
Primarily because it's a big 1 time total system cost to change due to old
technology that is current. In such circumstances, no one bites the bullet
unless some outside regulatory body enforces it & in the US, regulators tend
to have close links if not prior & post tenure employment with the industries
they regulate. It's not as much of a habit change issue as much it's an
incentives issue of who wants to pick up the one time cost .

In a developing market like India & I'm seeing the big transition to chip &
pin happenning right now mandated by the reserve bank. I also saw the
transition to securecode additional verification for online payments happen
years back similarly - that has still not happened in the Us. The decision
makers there are all primarily career economists in Government Service even
though there's a lot of secondment into policy framing working teams that
happens from the financial industry.

------
eddyg
The worst part is that U.S. banks are issuing "chip-and-signature" cards and
NOT true chip-and-PIN cards. This is so Americans aren't inconvenienced having
to remember and enter a PIN.

Combined with a smartcard reader, Cardpeek [1] can be used to see which
verification methods (and their priority if there are multiple) a card
supports.

A list of what types of cards banks are issuing is maintained by the flyertalk
forum as a Google Spreadsheet. [2]

[1] [http://pannetrat.com/Cardpeek/](http://pannetrat.com/Cardpeek/) [2]
[https://docs.google.com/spreadsheet/ccc?key=0Ani-u3tGk5hedGR...](https://docs.google.com/spreadsheet/ccc?key=0Ani-u3tGk5hedGRvcE1ELVg5UmlGZk01SHZvTUMxdUE)

------
callesgg
More than a decade right?

I am a bit pissed of that our current chip cards do not implement the full
security that they are technically capable of.
[https://www.youtube.com/watch?v=m-VRsksSgM0](https://www.youtube.com/watch?v=m-VRsksSgM0)

~~~
masklinn
> More than a decade right?

About 3 for production deployment ('bit more for chip cards in general, 'bit
less for banking chip card), 4 for patents.

------
sergers
In Canada we have had them for a few years, but still not all places utilize
the pin. Chevron gas station for one all have the pin reader but have the card
slot blocked so u have to swipe.

And if it errors on the chip read u can swipe anyways.

One annoying thing when it first came out and restaurants adopted chip
readers. Many didn't have GPRS/wireless card readers. There was always a huge
line to pay and u had to goto the bar or front desk to pay, no giving them the
card and they bring u back a cheque.

Most places do have wireless readers now.

I like the paypass where u just tap your card but for some reason some places
don't have it working

------
zanny
You could just put up a QR code of a bitcoin address and let people scan over
that with their phone and pay in one click.

Think of the money saved! Run a bitcoin wallet on some junker computer, print
out a million copies of your barcode, and off you go.

Albeit, they have to manually enter the payment amount with static wallets,
the alternative is to have any kind of localized computer that can transmit to
the phone the address and debit (in any form - nfc, bluetooth, wifi, qr codes,
whatever).

------
nraynaud
I had my first contactless transaction a few days ago (I had seen the logo on
my card, but didn't think merchants would have the machine). I'm still
unsettled by the fact that there was no pin required, it felt like in the US
(the merchant told me it doesn't require pin up to 20€, but it might be a bank
specific or a shop specific policy).

edit: but if the US is really about to get out of conservatism, change your
freaking units and mechanical standards first.

~~~
DanBC
Contactless took me a few tries to get the hang of, but I freaking love it now
and can't wait for all machines to switch over.

------
satx
smartcards are a decade old? Try 3+ decades.

Cost of US infrastructure too high to change?

Banks pocket, depend heavily on $30B/year on bank account overdrafts alone,
and have supported smartcards in Europe and around the planet for 30+ years.

Retailers prefer to be cracked (Target, etc) rather than protect themselves
with better equipment and serious IT defenses.

Typical financial (payment) services: sh!tt!est possible product for lowest
possible investment.

------
_kyran
Anyone know what will happen to companies like Square that so heavily rely on
the magstripe? How would square be able to capture chip and pin transactions?
Because as far as I'm aware, the CC specifications require a separate hardware
pin pad, (so a software keyboard can not be used to transmit the PIN)

~~~
Aaronn
Square is working on a EMV compliant reader.
[https://blog.squareup.com/townsquare/posts/emv](https://blog.squareup.com/townsquare/posts/emv)

------
UnoriginalGuy
> Some suggest that we should wait for a newer and more secure standard before
> expending resources shifting systems.

So Americans would continue to have cards which don't work abroad as is the
case now? I know Americans notoriously don't travel very frequently but even
still...

~~~
free652
>So Americans would continue to have cards which don't work abroad as is the
case now?

American cards work just fine, aside from some toll/parking/etc machines.

~~~
UnoriginalGuy
Most American cards lack chip and pin, if you travel to the UK for example a
lot of vendors won't be able to even read your magnetic strip and some
additionally have policies against doing so (for fraud prevention reasons).

Which country are you referring to? Because right now most American cards
don't work in the majority of European countries.

You have to request a special chip and pin capable card from your bank in the
US to be able to use your card abroad (although I believe Amax give these to
you by default).

------
cjdavis
Wait, I just realized that this means I'm not going to have to keep and
securely store 7 years of signed CC receipts for my business! Can't happen
fast enough.

------
cclements
It seems like this is a good step, but it seems limited to physical card
present transactions.

Does it do anything to address online purchases?

~~~
PeterisP
No, online purchases are unrelated.

You don't need to switch the millions of cards nor the whole POS infrastucture
to do changes for online purchases - things like
[http://en.wikipedia.org/wiki/3-D_Secure](http://en.wikipedia.org/wiki/3-D_Secure)
cover it fairly enough, I believe - it will deny online purchases with stolen
CC data or a physically stolen card or both-sides-photographed, copying all
the visible data including the cvv code.

------
lucidguppy
We're even at a point where our swipes _have_ the chip slots but they have
rubber inserts blocking them.

------
timkeller
Wait, what?

South African here. We barely have broadband internet, yet we have chip-based
credit cards.

~~~
nraynaud
you don't even require a connection, you can do an offline transaction, and
it's still safer than a magnetic stripe, because duplicating a chip quickly is
very hard.

Calling the bank to get an authorization is just an optional step in the
process.

~~~
DavidJRobertson
Technically it's possible for some cards to mandate online authorization (ie
'phoning' the bank).

~~~
nraynaud
oh, yeah true, Visa Electron and friends.

