Can anyone explain why the US is so far behind in this case? It seems bizarre that you have apple/android pay used alongside magnetic strips and signatures.
Because in US, signature fraud is still on the bank, not on the merchant. So to give you an example - someone steals your card, goes to a shop, signs the receipt and walks away with the goods. Now if you report your card as stolen to the bank, the bank will refund you, but the merchant also keeps the money. So merchants have no financial incentive to upgrade their terminals, because card fraud does not impact them.
Now the same situation in the UK - you report your card as stolen, the bank refunds you, but also takes the money away from the merchant(saying that the responsibility to check the signature was on them and they failed, so they lose the money). As a result, almost no one in UK accepts signature-only cards, because you could literally buy something, sign the receipt, walk out and report the card as stolen - and the merchant loses all the money. So merchants had all the incentive to upgrade their terminals to chip-and-pin only, terminals which can take magnetic-strips are just super rare and usually not supported even if the machine has them.
edit: it looks like signature fraud in US is not always on the bank. My mistake, sorry.
> almost no one in UK accepts signature-only cards
> terminals which can take magnetic-strips are just super rare and usually not supported even if the machine has them.
I've not found this to be the case. I used a non-chip US card here in the UK extensively over the last year or so, and I've never once encountered a merchant that didn't want to take my card, nor a terminal that didn't read magnetic strips.
I do find people at checkouts to be a little surprised by someone having to swipe & sign, since that's quite rare now. And often they had trouble finding a pen for me to sign with :) But I was always able to complete the transaction nonetheless.
Really? I had my Polish-issued signature-only card with me here in UK just a few years ago and the only place that would take it was the post office - every supermarket I tried just refused(I had one instance where I convinced the cashier to just try swiping the card and it did actually work, to her surprise, but in most places it was just a flat out no).
It's all about the liabilites - the shops are allowed to accept swipe and sign, but the fees and liability are massively shifted to the merchant. A lot of places do have this as a fallback for PIN damaged cards though, you are right. They judge it to be worth the risk to not lose the business.
In the UK, Ireland, and France I've only found a couple of places that wouldn't take a signature card -- Automated service stations and the Autoroute toll plazas in France and a toy store in Ireland. Everyone else has been ok with a chip+signature card from the US.
Yep, I've had that experience trying to buy petrol in France too. That's the only place I can remember running into a problem with it, actually. Never anywhere in the UK.
Maybe it's the same in Europe. I have Italian credit cards with PINs (one even contactless, no choice). I don't remember the PINs because it's chip and signature everywhere I've been, even outside Italy. It's very rare that somebody asks me for a PIN. I say that I'll sign and it's OK.
Contactless, no thanks, I don't want somebody to swipe my purse without me knowing and as far as I googled it's not clear that Faraday bags really work. Contactless passports too.
I literally would close my account if the bank didn't offer contactless. It's so much better. To answer your concern - the only way for anyone to "swipe" your purse is to have an authorized, authenticated terminal which can communicate with your card using the proper key from the bank - which means that the terminal would get invalidated by the bank straight away after people started reporting fraud. Contactless cards literally won't surrender their information to regular NFC readers. But even assuming they could - the most you can be charged is relatively small amount, and only 5x a day until you have to type in your pin - and if that happened your bank would refund you instantly. So seriously, I can't imagine not having a contactless card.
Unfortunately that's only true until the next vulnerability that allows theft via NFC on a mobile device. There has already been one, there will almost certainly be another.
> "With just a mobile phone we created a PoS terminal that could read a card through a wallet," said Martin Emms, lead researcher on the project. "All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved."
Absolutely - but that still flags a terminal for review and will get it blocked. There does not exist any vulnerability that would allow you to clone NFC cards, which has the biggest potential for abuse. And again, even then - contactless cannot be used to take out any cash, so it's not an attractive target for thieves. What are they going to buy with a cloned NFC card(if they could get one)? Lunch?
Your fears are mostly unwarranted. Even if they could get close enough to clone your card (and their are cryptographic safeguards that make this difficult) they would be able to do a limited number of transactions before it asked for the PIN (which can not be read directly from the card, so they should not know this).
Then, when you tried to use your legit card, the on-card transaction count would clash and the card and clones would be frozen. You, as the obvious owner of the card, would be free of all liabilty and due a refund (the bank would not kick up a fuss about this, it is in their interest to reduce friction in these low amount cases to drive technology adoption).
The credit card fee is way higher due to fraud; the "insurance" and so on needs to be paid somehow. The margins asked in e.g. Netherlands to pay with a bank card are much lower than any credit card. Partially these low fees are a result of price restrictions set by the government many years back. Then eventually banks figured out they could make much more money with a low fee and huge volume.
Before chip+pin (in Netherlands), swipe+pin was used. For fraud the client was already responsible. In practice the bank almost always reimbursed the client. To restrict the fraud/skimming, cards are often restricted to be used in Europe only. A setting you can easily change.
Due to above, usually non-European tourists are now affected by skimming.
I prefer the tap to pay btw. Banks restrict which machines can get money off these cards and in practice it is usually the typing in of your PIN which is the biggest problem. Depending on the bank you can change the max tap to pay amount.
At first because the incentive wasn't there; merchants -- who'd be the ones needing to set up chip-enabled terminals -- didn't bear the cost of fraudulent purchases.
Last year, the major card issuers changed their contract terms to impose the cost of fraud on the merchant if the merchant didn't have a chip-enabled terminal, but:
1. Merchants are suing to have this overturned because they don't want to pay for an upgrade if they can get a court to force the old terms to stay in place, and
2. They're pushing hard on a narrative of "chip transactions are slow, so slow, you have to wait so long because it's so slow, wouldn't you rather just swipe your card quickly than deal with the slow slowness of these slow chips with their slow transactions, and did we mention they're slow" to try to turn the public against chip cards.
3. Probably the next big upgrade will actually be to support NFC-enabled devices like cell phones, bypassing the need for a separate physical card entirely.
> Merchants are suing to have this overturned because they don't want to pay for an upgrade if they can get a court to force the old terms to stay in place
I haven't seen those. Which merchants are involved?
The lawsuits I've seen over chip cards were merchants who want to switch and are upset either because the card consortium is being too slow, or because the merchants want to require PINs and the card companies won't allows that:
• B&R Supermarket. Bought new NCR Equinox L5300 terminals to be ready for chip cards well before the deadline, installed them, trained their staff, and asked the card network consortium for certification. Liability shift deadline came but the consortium has not certified B&R yet, and now B&R is getting hit by a lot of fraud and chargeback charges that they had not suffered before. They are annoyed that the same group that is taking so long to certify them is also the group the benefits from the liability shift, and so are suing.
• Home Depot. They have upgraded their terminals to accept chip cards, but want to require PINs reather than signatures. Suing to try to force the card companies to allow that.
> 2. They're pushing hard on a narrative of "chip transactions are slow, so slow, you have to wait so long because it's so slow, wouldn't you rather just swipe your card quickly than deal with the slow slowness of these slow chips with their slow transactions, and did we mention they're slow" to try to turn the public against chip cards.
Well... chip transactions are slow. I'd estimate about 3x slower than the old swipe transactions. It's a genuine annoyance and lots of people complain about it, customers and merchants alike.
There has been large-scale resistance from US retailers for some reason, compardd to the rest of the world.
Also there has been this idea that it's for other countries with worse comms networks and high fraud levels, despite the fraud actually being worsr in the US as skimming magnetic stripes is still viable.
For many businesses, it represents a major change in the process. Restaurants, for instance, are having a heck of a time with it. For a few months, one of my favorite restaurants would bring me the check, have me write the tip on the check, then take the card and go enter that information, and then return with the slip for me to sign.
Personally, I liked it, but it's different enough that most customers would probably hate it... And the restaurant definitely didn't like it. I could read it in their faces every time they brought the bill and explained the system. (I'm regular enough that they eventually stopped explaining, though.)
Other businesses have to deal with people just plain not understanding what's going on for a while. Many people here are so set in their ways that a small thing like "insert" instead of "swipe" is enough to confuse them to the point of having a bad shopping experience, which is obviously bad for business, not to mention how much longer it takes to check people out when they spend so long fiddling with the card machine.
Finally, neither the store nor the customer were responsible for fraud. With the credit card company taking the hit for that, there's very little incentive for them to change.
The usual method for tipping with a Chip+PIN card at a restaurant in Europe is for the terminal, which the waiter hands to you, to display a message like "Add tip? Yes/No" or "Tip amount". You type the amount, press OK, then input your PIN.
This is what [1] terms "Table pay", but it also gives "Tip Allowance", which seem to be the system you've described.
At least in Britain, before Chip+PIN cards (12 years ago), paying by card in a restaurant was considered somewhat risky — waiters weren't trusted not to clone the card. Perhaps that's why customers were happy to use "Table pay".
The closest to that I have seen was a terminal in Alaska (or Canada, not sure) which had a option to add a percentage. Had to do a bit of mental math to figure out the right percentage to end up at a nice round number :)
I've certainly never seen an option like that in NL. The three common things I see here are 1) you say "make it amount X" before staff enters the amount in the terminal, 2) you leave some extra cash on the table after paying the normal amount with your card, 3) just don't tip (which is acceptable here since wages are decent enough).
Except that restaurants that have tried that have done rather poorly with it. Americans just aren't used to it, and until there's a larger campaign for it, it's not going to change. To be clear, this is a local restaurant and not a chain.
I cannot explain it but it is odd which stores I cannot use it at. Almost all the chain restaurants, coffee shops, and such, have it. No signature or pin, just the card, which I find just as insecure. I want to have to enter a pin else I am going to Apple pay if I can.
Now my grocery store, Publix, doesn't take the chip card but I don't mind swipe and pin. they also don't do Apple pay so I am out for that option.
So give me A/Pay, chip and pin, or forget it. I guess since I have not suffered an identify theft issue I am not totally dead set against retailers not up to date.
It's also more convenient to just slide your card than to insert, usually type your 4 digit code and retreive your card. It's also very easy to get your money back in the US in case of fraudulent charges compared to Europe. So, the security added by the chip doesn't matter that much to the end consumers compared to the added friction.
Don't you have to sign? I'm from the UK but in Germany I have to sign sometimes and it takes longer to print a receipt and sign it than to enter 4 digits. This is assuming a fast terminal; I've used slow ones in the past.
It's easy to get your money back in Europe too – I just have to log into my phone app and dispute a charge. I could phone or use the website as well. How is it easier than that in the US?
In Australia at least paypass/paywave is ultra common. Just wave and you're done. At least as fast as a swipe, and you don't even have to take your card out of the wallet.
That sounds like "contactless" in the UK. Just swipe for transactions under £30, use your PIN if it's greater than that. It's very convenient, and I feel no need for a smartphone solution at this point.
