
Chip Credit Cards Give Retailers Another Grievance Against Banks - msoad
http://mobile.nytimes.com/2015/11/17/business/chip-credit-cards-give-retailers-another-grievance-against-banks.amp.html
======
voltagex_
Reading something like this is really strange to me in Australia. We've had
chip-and-PIN for ages - August last year, signatures were phased out
completely.

I'm paying with my phone via Commbank Tap & Pay [1] and the one part of going
overseas I'm not looking forward to is going backwards in banking systems &
technology.

Initially, chipped cards were (are?) slower because the approval was
transmitted via dial-up (!) or GPRS. The newer terminals (that also support
NFC) are using 3G and are fine speed wise. Some retailers even do batched
approvals - the terminal does some kind of check and displays "offline
approve".

1: [https://www.commbank.com.au/personal/online-banking/commbank...](https://www.commbank.com.au/personal/online-banking/commbank-app/tap-and-pay.html)

~~~
dcw303
It's certainly convenient, but I find it a little scary that the PIN is not
needed on purchases under $100. Granted, your phone is going to have its own
security lock before you can run the app, but what about the smart chip debit
cards in your wallet?

~~~
feint
There's really no issue. If your card is stolen and fraudulent charges made
the bank will reverse them. Having used chip payments for years now, I
couldn't imagine living without them.

~~~
gnopgnip
What if the card is stolen alongside your pin? Will the charges not be
reversed because the pin was stolen?

~~~
mike_hearn
The only way for a PIN to be stolen is if you wrote it on the card, or if it
was forced out of you e.g. at gunpoint.

The latter is incredibly rare. The former is your own fault. That's why
generally if a PIN was provided the liability is on the card holder.

~~~
jjnoakes
Card skimmers.

~~~
rwmurrayVT
Card Skimmers will only copy track1 and track2 of the magnetic strip. In order
to get the pin you need an additional piece of equipment that records the
pinpad, such as a well placed camera.

~~~
jjnoakes
Many skimming devices do both... They even capture the CCV.

------
steven2012
One of my good friends is Canadian, and he is a manager at a Shopper Drug Mart
in Toronto. He said once Canada went to chip-and-PIN, that the incidence of
fraud essentially went to zero. The only time there is fraud is when the
cashier isn't paying attention and allows a transaction that is swipe instead
of PIN, via some special way the customer can swipe the card (pulling it out
too quickly or something).

The idea that PIN doesn't bring fraud down to almost zero is ridiculous and it
really is about fees. That's why debit card transactions with PIN have such
low interchange, because the PIN brings the fraud down to essentially zero as
well.

~~~
cperciva
_some special way the customer can swipe the card (pulling it out too quickly
or something)._

When chip cards were introduced here, the cards and the readers weren't very
reliable, so the rule was "if the reader can't talk to the chip, you swipe the
card instead". This would happen if the card wasn't fully inserted, if the
contacts were dirty or corroded, etc.

That lasted maybe two years before the fraud increased and the reliability
improved to the point that the fallback wasn't worthwhile. Now if a chip
doesn't read the answer is "try it again" followed by "do you have a different
card?"

~~~
danbolt
I vividly remember that turning point in Canada a few years ago. My techno-
enthusiastic brain had never been so excited to pull out cash to pay for a
coffee.

------
khromium
> said it cost the average convenience store $26,000 to upgrade its gas pumps
> and point-of-sale terminals.

This seems backwards. Here in Australia we just pay a rental fee to the bank,
for the pin pad human interface device. Everything else is business specific
and shouldn't need upgrading...

~~~
tyoma
In the US the merchant owns and is responsible for the POS equipment. The
banks had to strong-arm merchants into upgrading via liability changes for
non-compliant merchants.

~~~
Khaine
Do the merchants need to validate their devices are maintained and operated in
accordance with VISA requirements?

Banks (including PEDS used by the bank) are audited by VISA to make sure they
follow required standards/processes (i.e. see
[https://www.visa-asia.com/ap/center/merchants/riskmgmt/inclu...](https://www.visa-asia.com/ap/center/merchants/riskmgmt/includes/uploads/Visa_PIN_Security_Program_Auditors_Guide_aug_06.pdf)
although this looks out of date)

------
nuand
From the article: "Banks say interchange fees help cover the cost of fraud.
Retailers argue that fees should therefore decrease if fraud is reduced."

In my three year history of taking credit card payments online there has never
been a time when I was not made to bear the entire cost of the chargeback plus
Stripe's chargeback fees. So I am wondering when, if ever, does the bank or
the processor bear the costs of a fraudulent purchase?

~~~
mike_hearn
Does Stripe do in person payments?

EMV reduces fraud a whole lot for card-present payments. It does absolutely
zero for online transactions, due to some unfortunate history around (not)
integrating chip readers into laptops and desktop computers.

------
davidf18
This article had been submitted earlier:
[https://news.ycombinator.com/item?id=10577790](https://news.ycombinator.com/item?id=10577790)

Apple Pay is the best solution. It is quick and since Apple sends a token and
not the CC number there is perfect security from hackers as long as the bank
ensures that the correct CC is entered in the iPhone. In other words, Apple
Pay does not depend on merchants updating their software.

Target and later Lowes (and perhaps Neiman-Marcus) were hacked because they
were running their POS terminals on Windows XP embedded which had been last
updated in 2006 (the embedded version). Microsoft told the retailers such as
Target and Lowes to update their POS terminal software to Windows 7 embedded
which is still supported yet they ignored this manufacturer recommendation.

At any rate, the quickest, most efficient approach is to use Apple Pay when
you can and all retailers should support it for its efficiency of use and its
security.

------
joshmn
Kind of a rant, sorry.

Chips are great, but in-store fraud transactions (from unauthorized purchases)
have scaled downward, until...

Google Wallet, and Apple Pay.

In fact, it's now easier to perform in-store credit card fraud, thanks to such
technologies.

This is important because stores are becoming more and more complacent with
chip tech, when what they should really be doing is not allowing transactions
via Google Wallet, Apple Pay, or any similar technologies.

We'll hear on the news that chips are a big deal — and don't get me wrong,
they are — but with new technologies comes new opportunities, and it's now
100x easier to perform a fraudulent in-store transaction, it really makes me
laugh how much of an afterthought we're giving these technologies when all you
have to say is "chip" and everyone's like "oh okay that's safe."

~~~
peteretep

> In fact, it's now easier to perform in-store credit
> card fraud, thanks to such technologies.

How is it easier for someone to perform fraud using Apple Pay? You'd need to
both have and then unlock either my phone or watch to make a payment using
them, which is still two-factor authentication...

~~~
mike_hearn
Apple Pay is an effective way of 'laundering' stolen card details due to weak
enrollment procedures.

~~~
nommm-nommm
More info:
[http://www.nytimes.com/2015/03/17/business/banks-find-fraud-...](http://www.nytimes.com/2015/03/17/business/banks-find-fraud-abounds-in-apple-pay.html)

An industry consultant, Cherian Abraham, put the fraud rate at 6 percent,
compared with a traditional credit card fraud rate that is relatively
minuscule, 10 cents for every $100 spent. Mr. Abraham wrote in a blog post,
one of the first to spotlight the issue, that the Apple Pay fraud “is growing
like a weed, and the bank is unable to tell friend from foe. No one is bold
enough to call the emperor naked.”

The vulnerability in Apple Pay is in the way that it — and card issuers —
“onboard” new credit cards into the system. Because Apple wanted its system to
have the simplicity for which it has become famous and wanted to make the
sign-up process “frictionless,” the company required little beyond basic
credit card information about a user. Nor did it provide much information to
the banks, like full phone numbers and addresses, that might help them detect
fraud early.

~~~
ubernostrum
This has largely been debunked elsewhere -- the fraud is entirely on the poor
verification by the banks.

When I got an iPhone supporting Apple Pay, I added two cards to it. One just
set up with nothing more than entering the information. The other one
triggered a phone call to the issuing bank where I had to jump through
multiple verification hoops to convince them I was the cardholder.

Apple can't fix the first bank's security problem, and I don't really expect
them to.

~~~
serge2k
I had to call the bank for one and install the company's app (and log in) for
another.

Both took a few minutes, not really an issue.

------
envy2
"Mr. Scheeler testified that it cost the average convenience store $26,000 to
upgrade its gas pumps and point-of-sale terminals..."

Really? This strikes me as a nice bit of hyperbole. Most convenience stores
I've ever come across have, at most, two or three PoS terminals. Even the most
expensive card readers with EMV support—the ones with the fancy colour
screens, NFC, and so on—don't cost more than $800 or so.[1] Even with paying
someone to set it up, I just can't see the average convenience store spending
more than a few thousand dollars.

[1] [https://www.barcodesinc.com/verifone/mx-880.htm](https://www.barcodesinc.com/verifone/mx-880.htm)

~~~
seszett
Gas pumps often are not just a payment terminal though, they use an integrated
system handling gas type selection, pump control and payment, so I can imagine
they're a bit more costly to replace.

------
tyoma
There is very little direct benefit to US consumers from chip cards. Sure, it
will reduce fraud, but from a consumer's point of view it doesn't matter. By
federal law, unless the bank can prove negligence, they have to refund your
money. In practice they take your word for it over the phone, and overnight
you a new credit card.

There is a small chance retailers and banks will pass on fraud savings via
lower prices, but it will be hard to notice a 2-3% price decrease.

It is very easy to notice waiting 5 more minutes for your morning coffee since
each transaction takes 30s instead of the old 3-5s, though.

~~~
mike_hearn
Bear in mind that the rest of the world is already moving on from actually
inserting the chip card into the reader. Contactless transactions can happen
in around 400 milliseconds and even regular insert card+type PIN payments
often don't take 30 seconds.

------
jbb555
Really, they don't have this in the US yet? Wow...

~~~
ubernostrum
I've had chip-and-signature on credit cards for years here. What changed this
year was that the issuing banks shifted liability to the retailers, but only
if the retailers don't support at least chip-and-signature.

Meanwhile, in April one of my cards reissued and now does chip-and-PIN. I've
been to Europe twice since then and enjoyed, for the first time, being able to
use the automated ticket kiosks in train stations.

------
orthoganol
In the last couple weeks, two of the major banks I have credit and debit cards
with have forced me to cancel the old cards to 'upgrade' to their chip cards.
Aside from the incredible annoyingness and inconvenience of dealing with their
forced measures, does anyone have any insights on why they are doing this, and
now? I don't feel good about it, and it makes me want to move banks.

~~~
Terribledactyl
Presuming you are US based,
[https://en.wikipedia.org/wiki/EMV#United_States](https://en.wikipedia.org/wiki/EMV#United_States)

POS // Retailers are having fraud and liability shifts forced on them from the
payment networks and banks. If a POS // Retailer accepts a fraudulent swipe,
they eat the bill now, fraudulent chip purchase (much harder), bank pays.

~~~
CyberDildonics
That was always the case. The real question is why did it take the US a decade
longer to do poorly what the rest of the world has been doing effortlessly.

------
gayprogrammer
These complaints are all "first world problems". It's a non-issue.

~~~
creshal
The first, second, and third world are all on Chip+PIN. The US is the sole
holdout for mag-stripe cards.

~~~
serge2k
"The US is the sole holdout" is such a common phrase for things the rest of
the world takes for granted.

------
jsprogrammer
These machines have backed up the local grocery stores. Seriously terrible UX.
Worse, it was a forced upgrade; swipes are rejected.

~~~
peteretep
If us dummy Europeans have managed it for years, one would think you clever
Americans would be able to get to grips with it too...

~~~
jsprogrammer
Dummy?

You can't enter your card until about 10 seconds have passed after all your
items have been scanned, or it blows up.

You must leave your card in for ~20sec, or it blows up, while the machine does
seemingly nothing.

The quickest you can complete a transaction is ~30+ seconds; _after all the
items have been scanned._

Compare this to ~5 seconds with the swipe method.

Now, take 25 seconds / registers * people. That is the lower bound on how much
additional time we must wait in line because of these BS machines.

Trader Joe's is now a wasteland of wasted time standing in line.

~~~
geographomics
Sounds like a poor implementation. This problem is rare in the UK - the time
from card entry to PIN entry, and PIN entry to completion, is typically near-
instant on most terminals.

~~~
seszett
> _Sounds like a poor implementation._

That's the US we're talking about, I'm quite sure their banks built everything
from scratch without taking into account what a few decades of use have taught
European banks.

It was also slower than it is today when introduced, at least in France
(though mostly because connection was over dialup or GPRS).

------
kennydude
> In early October, the F.B.I. issued a warning that chip-and-signature cards
> were still vulnerable to fraud. The original announcement seemed to
> incorrectly indicate that banks were issuing chip-and-PIN-enabled credit
> cards, and urged consumers to use the PIN instead of a signature whenever
> possible. The bureau also warned that the new cards “can be counterfeited
> using stolen card data obtained from the black market.”

Amazing. It's as if they should have just caught up with the rest of the world
on Chip and PIN instead of going half the way there.

