The lack of chip and pin still surprises me. I'm surprised a lot of the bigger retail companies haven't put pressure on the banks to bring this in.
0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions).
So do we know if it would have stopped the Home Depot breach?
So this, like chip and pin, would not have helped these particular issues.
Currently, if my CC information is stolen, I am not liable for any fraudulent charges. So why would I care?
CC security is for the CC companies and the merchants, not for the consumers. That is why Americans (with the exception of those with Europe Envy or those who are merchants) don't care. There is no reason for them to.
(In past discussions on this, somebody has mentioned that C+P would be beneficial for American consumers because it would mean less confused American tourists in Europe. The typical American does not vacation in Europe very frequently.)
You might not think you are paying for card fraud, but it's all priced into the products you buy.
Edit: clarifying - what I meant was that the US EMV cards will be chip and sig, not chip and pin. Most US cards are obviously still mag stripe. I'm traveling to Europe later this year so I was looking into the CC issues, and as a US traveler not being able to get an EMV card with pin priority is annoying.
Edit 2: jvm, not sure what you meant to link to, but that link just goes to the Forbes splash advert.
On the plus side Google Wallet works at Walgreens. I have yet to see any other brick and mortar support it. Paying for stuff with your smartphone is such a no-brainer. Shame Apple won't play ball with Google (or even put NFC in its phones) and Verizon is doing its own thing with ISIS and not allowing Google Wallet to be installed on any phones on its network. There's a lot of wrong here and its not just limited to credit card number theft.
If we have a more diversified way to pay for things it could limit the damage when one method is cracked but the others aren't. Sure Targets credit cards got stolen, but imagine if we were allowed to use Google Wallet. We'd be immune to it.
The newer cards have a microprocessor inside them, with exposed contacts about 10mm from the left edge. With chip + pin transactions, the pin "unlocks" the payment authorization .
There was a period where it was a guessing game every time you paid for something whether it was magstripe or chip (some locations even had a chip-capable machine, but didn't have the service enabled with their payment processor, so you still used the magstripe...).
It's pretty consistent now.
Literally using it as a revenue generating opportunity and a way to raise fees. My friend who owns the store declined to participate as they weren't interested in raising their prices just to pay Visa more money. Had Visa come at it the other way, reducing fees due to likely less fraud it would have been a different story.
This is the crux of it. In the US, every change is an opportunity to raise margins. Vinyl to CD. Book to Kindle. It kills me when the dead tree version is less than the Kindle version, but it's the same thing at work as with C+P.
I don't see why they don't just provide credit cards with both options for a while until enough of the PoS hardware has been upgraded that they can get rid of the magnetic stripe. I guess cost plays a role, but I would assume that the decrease in fraud might offset that somewhat.
What's the point of buying the POS systems when no-one can use it and there's no guarantee the cards will be rolled out?
It happened very rapidly here in Britain once the cards were out.
Readers wear out. As people buy new ones they were chip/pin ready. A lot of these terminals are rented as well, making it easier for providers to swap them.
Their forum is also utterly amazing, and downrigh scary:
Would be interesting if payment processors such as Stripe, Braintree, Amazon Payments, and Balanced periodically got CC dumps, and proactively blacklisted cards before the issuing banks notice and decline.
Now, these charges are clearly fraudulent. Without going into details, we can 100% detect the fraudulent transactions from real ones. I've suggested to Stripe that this could be a honey-pot setup to identify stolen cards but they've told me that there card processing doesn't have that type of infrastructure. Even if I know a credit card number has been compromised, there is no way to alert the card holder.
It's a shame really. It's not the fault of Stripe that we can't alert the card holder but it's important to know that there is no mechanism to protect card holders, even if you know their card has been compromised.
I don't get why stripe can't do this because my IPSP definitely can and we use this daily.
Stripe provides a fingerprint, and it would be nice if stripe provided a service to rate/track various card fingerprints and receive a score when adding/authorizing a card -- or develop some community based feedback scoring system with feedback from companies like ours!
Wouldn't purchasing them create just one more incentive?
Also, this opens the door to disgruntled employees blacklisting all of the customers of their former employers (assuming they have access to credit card data, which shouldn't happen but often does).
For some reason, it became popular way back then and that's what nearly everyone uses ever since. Why did the rest of the world switch?
Although the fact I still remember mine, more than a decade after I've last used it, discredits my claim somewhat.
I've had a chip card for, what, some seven or eight years in Canada.
Here is a July 2007 story about how RBC (Royal Bank of Canada) logged 10 million chip transactions:
"RBC today announced it recently surpassed over
10 million successful chip transactions at compatible merchant locations in
Canada and worldwide. This milestone comes four years after RBC became the
first Canadian financial institution to begin issuing chip cards nationally to
its Platinum Avion Visa cardholders in 2003."
Also, if the card is stolen and my bank account is emptied, with a credit card all that would happen is that my credit limit on one of my cards is temporarily reduced.
I have another account in a different bank, were I send small electronic deposits periodically. I retire about 1/2 of that in cash at ATM, to pay either at places that do not accept cards or I do not trust (i.e. gas stations). I have to keep a small balance in the account, and it is not always practical to use cash, so I use the corresponding debit card at places I neither trust or distrust.
When you pay using the debit card, you have to insert the part of the card with the chip into a reader and enter your pin. Typically you can not do this until the cash register has transferred the amount to pay to the terminal.
You can also use it as a credit card when abroad or even in Norway. However, I'm not sure if the card will actually allow you credit (i.e. borrow money) per se -- I believe the account must have a sufficient positive balance, and I believe the domestic terminals are able to check that in real time (i.e. in a few seconds) and decline the sale if not funded.
As for online purchases, every time I use it as a credit card, I get re-routed to a card verification process. This means I get taken to some third party site (typically Visa or MasterCard) where I have to authenticate using my password and generate a one-time password (pin) on my phone. You can also use a FOB, but I find a phone more practical. After the verification is done, you get taken back to the merchant site. This is the same verification process that is used for online banking.
After living 15 years in the states I found this to be a bit annoying at first, but that had more to do with the speed of the implementation and the fact that it's applet-based (Java and Chrome -- have to switch browsers and hope that you don't lose your session).
If I had to authenticate every time I bought something on Amazon it would get old pretty fast. However, one could simply authenticate once to indicate that this merchant is trusted. A new merchant would trigger the authentication before the transaction can be accepted.
The difference between US banks and mine though is that if I try to pay by signing my bank won't authorise it - I have to enter my PIN (and sometimes sign too) to make a payment.
Payments online is more of the retailers fault though. They shouldn't accept payments where the CVV check or address check fails. Here in the UK most retailers won't accept payments unless it all matches up, but as I understand this isn't as common in the US.
The problem is inertia, nothing else.
Recently many places also support RFID with no pin required for small purchases (I think it's €25). Goes much faster than the employee can bag your order up.
I was surprised to find in Safeway recently that a < ~$20 transaction required no signature either.
For instance, one oft used optimization is that you can insert the card in the reader prior to the register sending the amount to the chip&pin terminal.
Some other problems with chip-and-pin:
- You get really cheap merchants who would prefer to waste your time rather than shell out for the contactless reader.
- You get international merchants who have no idea what's going on and make you sign two receipts in addition to entering your pin after trying and failing to swipe it twice.
- You have to type your pin in with your bare hands in -40C weather at the gas station.
- You have to tip waiters with them standing right there and judging you.
- It breaks square and the like
IMO it's an unnecessary mess for anything under ~$50.
Online it's not a problem either (fairly easy integration here with a system called 'iDeal'), typing in your pin at -40C at the gas station is still a requirement with the current prices of gas and I'm not one bit bothered by 'waiters judging me', that's a self esteem issue, not a technical one.
As for international merchants who have no idea what is going on: I spend more time abroad than I do in my home country and chip-and-pin have made my life a lot easier than it ever was before in this respect.
Something like 7 countries in the last 3 weeks and I have yet to use my 'cash backup' or my 'credit card backup'.
Contactless is a nice technology but it is as far as I'm concerned a step backwards, I can see the advantages only for bars and festivals where the risk of contaminating your card with fluids is significant and purchases are very small (<$10).
Well YMMV, of course, but here in Vietnam I've had to go around the other side of the checkout to type in my pin because the terminal was bolted to the desk. Multiple times. And then they still make me sign two receipts anyways.
Has a pretty explicit note that Vietnam is still primarily a cash based society, I think that is where your problems stem from, not necessarily from the technological merits or lack thereof of chip&pin.
Paypal provide a Chip-and-PIN payment system for mobile devices here in the UK. It'll break Square no more than it breaks everything else; I have no doubt that Square already have a working prototype of such a thing.
In the US currently you write down the tip and leave, they can then charge you whatever they feel like after you're gone. As a tourist I was really paranoid about this, as by the time I looked at my statement when I got back I had no idea which charge was which restaurant and how much it should have been.
A common thing to do in the UK is pay without tip on card, then tip in cash
There is lots to optimise, but chip and PIN is not inherently slow. In fact, for me it’s already as fast as cash in most cases.
I really can't say I've ever felt frustrated waiting for the person ahead of me to pay (except for maybe old people hand writing checks at the grocery store—and even then it's kind of interesting to see such old-school payments in action).
Debit or credit? Debit is the default everywhere. Why? Because credit has a surcharge for the merchant.
It is complete bullshit that the merchants put the onus on their customers and then shrug their shoulders when fraud happens. At least with credit you are insured. They get your pin and you are screwed.
Here's a 1:47m video from MasterCard explaining it: https://www.youtube.com/watch?v=DkxxhvVJjuM