Why You Still Can’t Use a Chip Card Everywhere (slate.com)
21 points by lxm on July 25, 2016 | 55 comments


Here in NL there's been chip and pin for forever, and 'signing' for a transaction is laughable from a Dutch perspective. Chip + PIN is everywhere, to the point that many merchants don't even accept cash anymore, too much of a liability and hassle. Nor do most places accept credit cards... Chip+PIN is authenticated and secure (online, no offline mode is supported), the merchant fees are low (€0.05/transaction or lower), and the transaction is immediate and not reversible... no dealing with chargebacks.

If you can find a place that takes credit cards, the Dutch cards will also use Chip+PIN. Non-PIN credit cards (mostly Americans) can swipe, but they'll almost certainly have to enter their PIN... In the many times I've used my US CC in NL I've never had to sign.

Now that RFID transactions are becoming more popular it will be interesting to see how this all develops.


Are you sure no offline mode is supported for Chip+PIN cards?

I don't know about the Netherlands, but it's typically used where the risk is low, or making on-line transactions is inconvenient. For example, paying for a train ticket on-board a train (data signal is unreliable, the real loss to the train company is negligible) or buying fast food.


I'm pretty sure offline is supported, unfortunately in the UK despite this some train services have online-only chip+PIN machines in their buffet car, forcing you to wait until they get good signal to pay for your food!


Tesco use offline processing in many stores.

It's visible to the customer as a much faster process -- you can remove your card around a second after you enter your PIN, instead of waiting 4-5 seconds for authorization.


I think normally cards get a limit of offline transactions before they have to do an online one. I think it's about 7 or so before an online transaction is "forced".


This seems about the correct number. It is similar to how the contactless support works. You are forced to use the traditional Chip and Pin method occasionally. It seemed to be about 5 transactions for contactless initially but I feel they have increased the limit now.


I know of one place: on an airplane. They only accept cash and credit card because cc payments will be delayed until they have signal on the ground.


RFID is all over the place here in Australia. It's fantastically easy - just a quick tap and you're done. If you need more than a certain cap (A$100? A$150?), you need to switch to chip + pin, but for anything less, it's hard to see how it could be any easier.


Where in the US were you that was still imprinting in 2001?


>Where in the US were you that was still imprinting in 2001?

-The east coast, Cape Cod area - if I remember correctly, I was having dinner in Falmouth or perhaps in Woods Hole when the imprinting device appeared. Could have been backup for their normal credit card machine, though - didn't think to ask at the time.


Not the OP, but I used a taxi in NYC last year that still used the imprint machine.


It is amusing how different expectations are in Europe and in the US; I still remember the first time I went to the US (2001, methinks).

The first time I used my credit card and they used one of those card imprint thingies and asked me to sign, I naïvely thought they were trying to con me.

In fairness, though, my native Norway was a quite early chip adopter as the banks had to bear the cost in case of fraud as long as the user had not exhibited gross^2 negligence - my first debit card (1993) was chipless, but the 1995 replacement had a chip - whose use was voluntary at first, then enforced a few years later.


Can anyone explain why the US is so far behind in this case? It seems bizarre that you have apple/android pay used alongside magnetic strips and signatures.


Because in US, signature fraud is still on the bank, not on the merchant. So to give you an example - someone steals your card, goes to a shop, signs the receipt and walks away with the goods. Now if you report your card as stolen to the bank, the bank will refund you, but the merchant also keeps the money. So merchants have no financial incentive to upgrade their terminals, because card fraud does not impact them.

Now the same situation in the UK - you report your card as stolen, the bank refunds you, but also takes the money away from the merchant (saying that the responsibility to check the signature was on them and they failed, so they lose the money). As a result, almost no one in UK accepts signature-only cards, because you could literally buy something, sign the receipt, walk out and report the card as stolen - and the merchant loses all the money. So merchants had all the incentive to upgrade their terminals to chip-and-pin only, terminals which can take magnetic-strips are just super rare and usually not supported even if the machine has them.

edit: it looks like signature fraud in US is not always on the bank. My mistake, sorry.


> almost no one in UK accepts signature-only cards

> terminals which can take magnetic-strips are just super rare and usually not supported even if the machine has them.

I've not found this to be the case. I used a non-chip US card here in the UK extensively over the last year or so, and I've never once encountered a merchant that didn't want to take my card, nor a terminal that didn't read magnetic strips.

I do find people at checkouts to be a little surprised by someone having to swipe & sign, since that's quite rare now. And often they had trouble finding a pen for me to sign with :) But I was always able to complete the transaction nonetheless.


Really? I had my Polish-issued signature-only card with me here in UK just a few years ago and the only place that would take it was the post office - every supermarket I tried just refused (I had one instance where I convinced the cashier to just try swiping the card and it did actually work, to her surprise, but in most places it was just a flat out no).


If you're Polish, this might just be xenophobia.

I can imagine a cashier just rolling their eyes at an American using a weird card, but being much more distrustful of a Polish person doing the same.


It's all about the liabilities - the shops are allowed to accept swipe and sign, but the fees and liability are massively shifted to the merchant. A lot of places do have this as a fallback for PIN damaged cards though, you are right. They judge it to be worth the risk to not lose the business.


In the UK, Ireland, and France I've only found a couple of places that wouldn't take a signature card -- Automated service stations and the Autoroute toll plazas in France and a toy store in Ireland. Everyone else has been ok with a chip+signature card from the US.


Yep, I've had that experience trying to buy petrol in France too. That's the only place I can remember running into a problem with it, actually. Never anywhere in the UK.


Maybe it's the same in Europe. I have Italian credit cards with PINs (one even contactless, no choice). I don't remember the PINs because it's chip and signature everywhere I've been, even outside Italy. It's very rare that somebody asks me for a PIN. I say that I'll sign and it's OK.

Contactless, no thanks, I don't want somebody to swipe my purse without me knowing and as far as I googled it's not clear that Faraday bags really work. Contactless passports too.


I literally would close my account if the bank didn't offer contactless. It's so much better. To answer your concern - the only way for anyone to "swipe" your purse is to have an authorized, authenticated terminal which can communicate with your card using the proper key from the bank - which means that the terminal would get invalidated by the bank straight away after people started reporting fraud. Contactless cards literally won't surrender their information to regular NFC readers. But even assuming they could - the most you can be charged is relatively small amount, and only 5x a day until you have to type in your pin - and if that happened your bank would refund you instantly. So seriously, I can't imagine not having a contactless card.


Unfortunately that's only true until the next vulnerability that allows theft via NFC on a mobile device. There has already been one, there will almost certainly be another.

http://www.securityweek.com/contactless-visa-cards-vulnerabl...

> "With just a mobile phone we created a PoS terminal that could read a card through a wallet," said Martin Emms, lead researcher on the project. "All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved."


Absolutely - but that still flags a terminal for review and will get it blocked. There does not exist any vulnerability that would allow you to clone NFC cards, which has the biggest potential for abuse. And again, even then - contactless cannot be used to take out any cash, so it's not an attractive target for thieves. What are they going to buy with a cloned NFC card (if they could get one)? Lunch?


Your fears are mostly unwarranted. Even if they could get close enough to clone your card (and there are cryptographic safeguards that make this difficult) they would be able to do a limited number of transactions before it asked for the PIN (which can not be read directly from the card, so they should not know this).

Then, when you tried to use your legit card, the on-card transaction count would clash and the card and clones would be frozen. You, as the obvious owner of the card, would be free of all liability and due a refund (the bank would not kick up a fuss about this, it is in their interest to reduce friction in these low amount cases to drive technology adoption).
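
The two counter mechanisms commenters describe in this thread (a cap on consecutive offline transactions before an online one is forced, and the transaction-count clash that exposes a clone), as a simplified Python model. This is an added example, not part of any comment above and not taken from a card specification; `Card`, `Issuer`, the limit of 5 and the card IDs are hypothetical, and only the counters the commenters mention are modelled.

```python
"""Toy model of the counter checks described in this thread (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Card:
    card_id: str
    atc: int = 0              # transaction counter, incremented on every transaction
    last_online_atc: int = 0  # counter value at the last approved online transaction
    offline_limit: int = 5    # assumed value; commenters guess "about 5" to "about 7"

    def transact(self, terminal_online: bool) -> tuple[int, str]:
        """Advance the counter and decide how this transaction is handled."""
        self.atc += 1
        offline_run = self.atc - self.last_online_atc - 1  # offline uses since last online
        if terminal_online:
            return self.atc, "online"
        if offline_run >= self.offline_limit:
            return self.atc, "declined"  # limit reached and the terminal cannot go online
        return self.atc, "offline"


@dataclass
class Issuer:
    seen: dict = field(default_factory=dict)  # card_id -> counter values already used
    frozen: set = field(default_factory=set)  # card_ids blocked after a clash

    def authorise(self, card: Card, atc: int) -> str:
        """Approve an online transaction unless its counter value was already used."""
        if card.card_id in self.frozen:
            return "frozen"
        used = self.seen.setdefault(card.card_id, set())
        if atc in used:  # two physical cards share one counter history: a clone exists
            self.frozen.add(card.card_id)
            return "frozen"
        used.add(atc)
        card.last_online_atc = atc  # an approved online transaction resets the offline run
        return "approved"


def offline_limit_demo() -> list[str]:
    """Seven offline attempts, then one online transaction, then offline again."""
    issuer, card = Issuer(), Card("CARD-A")  # constructed card id
    modes = [card.transact(terminal_online=False)[1] for _ in range(7)]
    atc, mode = card.transact(terminal_online=True)
    issuer.authorise(card, atc)
    modes.append(mode)
    modes.append(card.transact(terminal_online=False)[1])
    return modes


def clone_clash_demo() -> list[str]:
    """A copy of the card state is used once; the genuine card's next use clashes."""
    issuer, genuine = Issuer(), Card("CARD-B")  # constructed card id
    results = []
    for _ in range(3):  # normal use: counter values 1, 2, 3
        atc, _mode = genuine.transact(terminal_online=True)
        results.append(issuer.authorise(genuine, atc))
    # Hypothetical clone: same id and the counter state as of the moment of copying.
    clone = Card("CARD-B", atc=genuine.atc, last_online_atc=genuine.last_online_atc)
    for card in (clone, genuine, clone):  # both cards now present counter value 4
        atc, _mode = card.transact(terminal_online=True)
        results.append(issuer.authorise(card, atc))
    return results


if __name__ == "__main__":
    print(offline_limit_demo())
    print(clone_clash_demo())
```

In this model the clone's first transaction is approved, which matches the comment's point that the clash only shows up once the legitimate card is used again.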


doesn't this give an incentive to US banks to upgrade the terminals in stores for free? they'll make back the money from the reduced fraud.


The credit card fee is way higher due to fraud; the "insurance" and so on needs to be paid somehow. The margins asked in e.g. Netherlands to pay with a bank card are much lower than any credit card. Partially these low fees are a result of price restrictions set by the government many years back. Then eventually banks figured out they could make much more money with a low fee and huge volume.

Before chip+pin (in Netherlands), swipe+pin was used. For fraud the client was already responsible. In practice the bank almost always reimbursed the client. To restrict the fraud/skimming, cards are often restricted to be used in Europe only. A setting you can easily change.

Due to above, usually non-European tourists are now affected by skimming.

I prefer the tap to pay btw. Banks restrict which machines can get money off these cards and in practice it is usually the typing in of your PIN which is the biggest problem. Depending on the bank you can change the max tap to pay amount.


At first because the incentive wasn't there; merchants -- who'd be the ones needing to set up chip-enabled terminals -- didn't bear the cost of fraudulent purchases.

Last year, the major card issuers changed their contract terms to impose the cost of fraud on the merchant if the merchant didn't have a chip-enabled terminal, but:

1. Merchants are suing to have this overturned because they don't want to pay for an upgrade if they can get a court to force the old terms to stay in place, and

2. They're pushing hard on a narrative of "chip transactions are slow, so slow, you have to wait so long because it's so slow, wouldn't you rather just swipe your card quickly than deal with the slow slowness of these slow chips with their slow transactions, and did we mention they're slow" to try to turn the public against chip cards.

3. Probably the next big upgrade will actually be to support NFC-enabled devices like cell phones, bypassing the need for a separate physical card entirely.


> Merchants are suing to have this overturned because they don't want to pay for an upgrade if they can get a court to force the old terms to stay in place

I haven't seen those. Which merchants are involved?

The lawsuits I've seen over chip cards were merchants who want to switch and are upset either because the card consortium is being too slow, or because the merchants want to require PINs and the card companies won't allow that:

• B&R Supermarket. Bought new NCR Equinox L5300 terminals to be ready for chip cards well before the deadline, installed them, trained their staff, and asked the card network consortium for certification. Liability shift deadline came but the consortium has not certified B&R yet, and now B&R is getting hit by a lot of fraud and chargeback charges that they had not suffered before. They are annoyed that the same group that is taking so long to certify them is also the group that benefits from the liability shift, and so are suing.

• Home Depot. They have upgraded their terminals to accept chip cards, but want to require PINs rather than signatures. Suing to try to force the card companies to allow that.

• Walmart is suing Visa over the same issue.

• Kroger. Same issue.


> 2. They're pushing hard on a narrative of "chip transactions are slow, so slow, you have to wait so long because it's so slow, wouldn't you rather just swipe your card quickly than deal with the slow slowness of these slow chips with their slow transactions, and did we mention they're slow" to try to turn the public against chip cards.

Well... chip transactions are slow. I'd estimate about 3x slower than the old swipe transactions. It's a genuine annoyance and lots of people complain about it, customers and merchants alike.


There has been large-scale resistance from US retailers for some reason, compared to the rest of the world.

Also there has been this idea that it's for other countries with worse comms networks and high fraud levels, despite the fraud actually being worse in the US as skimming magnetic stripes is still viable.


For many businesses, it represents a major change in the process. Restaurants, for instance, are having a heck of a time with it. For a few months, one of my favorite restaurants would bring me the check, have me write the tip on the check, then take the card and go enter that information, and then return with the slip for me to sign.

Personally, I liked it, but it's different enough that most customers would probably hate it... And the restaurant definitely didn't like it. I could read it in their faces every time they brought the bill and explained the system. (I'm regular enough that they eventually stopped explaining, though.)

Other businesses have to deal with people just plain not understanding what's going on for a while. Many people here are so set in their ways that a small thing like "insert" instead of "swipe" is enough to confuse them to the point of having a bad shopping experience, which is obviously bad for business, not to mention how much longer it takes to check people out when they spend so long fiddling with the card machine.

Finally, neither the store nor the customer were responsible for fraud. With the credit card company taking the hit for that, there's very little incentive for them to change.


The usual method for tipping with a Chip+PIN card at a restaurant in Europe is for the terminal, which the waiter hands to you, to display a message like "Add tip? Yes/No" or "Tip amount". You type the amount, press OK, then input your PIN.

This is what [1] terms "Table pay", but it also gives "Tip Allowance", which seems to be the system you've described.

At least in Britain, before Chip+PIN cards (12 years ago), paying by card in a restaurant was considered somewhat risky — waiters weren't trusted not to clone the card. Perhaps that's why customers were happy to use "Table pay".

[1] http://www.emv-connection.com/managing-card-based-tip-and-gr...


The closest to that I have seen was a terminal in Alaska (or Canada, not sure) which had an option to add a percentage. Had to do a bit of mental math to figure out the right percentage to end up at a nice round number :)

I've certainly never seen an option like that in NL. The three common things I see here are 1) you say "make it amount X" before staff enters the amount in the terminal, 2) you leave some extra cash on the table after paying the normal amount with your card, 3) just don't tip (which is acceptable here since wages are decent enough).


Great opportunity to get rid of tipping altogether and just set a 15% service charge!


Except that restaurants that have tried that have done rather poorly with it. Americans just aren't used to it, and until there's a larger campaign for it, it's not going to change. To be clear, this is a local restaurant and not a chain.


I cannot explain it but it is odd which stores I cannot use it at. Almost all the chain restaurants, coffee shops, and such, have it. No signature or pin, just the card, which I find just as insecure. I want to have to enter a pin else I am going to Apple pay if I can.

Now my grocery store, Publix, doesn't take the chip card but I don't mind swipe and pin. They also don't do Apple pay so I am out for that option.

So give me A/Pay, chip and pin, or forget it. I guess since I have not suffered an identity theft issue I am not totally dead set against retailers not up to date.


It's also more convenient to just slide your card than to insert, usually type your 4 digit code and retrieve your card. It's also very easy to get your money back in the US in case of fraudulent charges compared to Europe. So, the security added by the chip doesn't matter that much to the end consumers compared to the added friction.


Don't you have to sign? I'm from the UK but in Germany I have to sign sometimes and it takes longer to print a receipt and sign it than to enter 4 digits. This is assuming a fast terminal; I've used slow ones in the past.


It's easy to get your money back in Europe too – I just have to log into my phone app and dispute a charge. I could phone or use the website as well. How is it easier than that in the US?


In Australia at least paypass/paywave is ultra common. Just wave and you're done. At least as fast as a swipe, and you don't even have to take your card out of the wallet.


That sounds like "contactless" in the UK. Just swipe for transactions under £30, use your PIN if it's greater than that. It's very convenient, and I feel no need for a smartphone solution at this point.


The same terminals work with Android pay. The only thing is that the card number used is not the one on your original card when using Android pay.


And yet your new American "chip card" still won't work in Europe when you need to do something important like buy a train ticket at the airport when you land. There was a moment when the US could have joined the rest of the world but decided not to.

This article seems to have ignored the real reason why the US opted for "chip and sign" instead of "chip and pin". The thinking was that if Americans had to remember a PIN for all of their credit cards they would likely narrow their credit card usage to a single card - the one they memorized the PIN for rather than using one of the 3 or 4 other cards they possess.

And I just had to laugh at this:

“Consumers may think that it feels a little bit longer because the card is in the terminal the whole time instead of just swiping it and sticking it right back in your wallet,” said Stephanie Ericksen, Visa’s vice president of risk products. “But the actual transaction itself is taking the same amount of time. It’s just that you’re watching your card be there while the information is going out and coming back.”

Total BS. The actual transaction time is on the order of milliseconds, the time spent waiting for those milliseconds is closer to 20 to 30 seconds.


If your transactions take 20-30 seconds, something is badly wrong with the communications infrastructure in the shops you are using.

In Europe, from pressing "OK" after typing in a PIN, it takes about 2-5 seconds before the card can be withdrawn.


For larger stores which have a basic always-on internet connection it will be much faster. In my experience 2-5 seconds is what you see for mobile devices that use 2G or 3G, or places that still use some form of dial-up for every transaction (ISDN still exists..).


Had some practical experience with chip&PIN terminal debuginfo. For that particular hardware, transactions took something like 0.3 seconds to negotiate with the chip, 1.5-2 seconds to make the online part of transaction (most of it to establish a cellular data connection and the ssl handshake, the device had only 2G cell chip so very slow data :-/) but it all was dwarfed by the time needed to physically print the required receipt & confirmation; even if we could make the transaction processing instant, it would be just a 25% improvement because of the printing speed.


I've been using my US (Chase) chip and sign card everywhere in Europe for the last few months, no problem. And my Schwab chip debit card works fine too.


The dirty little secret is that banks make money off online Card Not Present fraud. They take back the money from the merchant and charge a $35 fee.

In-person fraud is much lower, so this transition to chip readers is just increasing their bottom line by 1) sticking it to retail merchants who don't upgrade their systems; and, 2) making money off required system upgrades.


Merchants can mitigate that risk by requiring use of a bank operated verification system like Verified by Visa or Mastercard SecurePay or the Amex one which escapes my memory right now. You set a password on the card via your internet banking which is required for card-not-present transactions.


What fraction of the chip and pin cards use tokenization?


The chip & pin system, at least technically, is a disgrace. It easily takes 2-3x the amount of time a swipe would take, and most merchants still make me enter my PIN as well as sign. The chip readers are prone to malfunction, and I'm sure they will be cracked in due time.

What's worse is you can still do a transaction without a PIN, leaving open the opportunity of someone just stealing your card. The only fraud this really prevents right now is copied cards.

It's crazy to me the payments industry can get away with charging $500 for these card readers too. Most chip readers I've seen still have to dial up to charge a card.


> The chip & pin system

I think you mean the American Chip+PIN system, as implemented. In most other countries, a PIN is required.

I've used Chip+PIN cards since they were launched in the UK in 2004. Malfunctioning readers are very rare, and the suggested flaws don't seem to have resulted in anything.


> It easily takes 2-3x the amount of time a swipe would take

I don't know, unless the terminal has a bad connection it usually takes less time than writing a signature, even in online mode.

> The chip readers are prone to malfunction, and I'm sure they will be cracked in due time.

The technology has been in wide use for decades in Europe. I'm pretty sure the existing chip readers aren't very prone to malfunction, unless for some reason the US is completely redeveloping everything from scratch.

Also, they haven't been cracked yet as far as I know.


For what it's worth, most transactions don't require a signature. The only time I've had to sign when using my debit card is when the transaction is in the 100s (not sure of the exact amount).



