Why does the introduction of chip & pin appear to be so controversial in the United States?

Question

The past few weeks there have been many news articles about the introduction of chip & pin in the United States; most of these articles are against it and citing such 'issues' as:

"Some people are experiencing a 20 second wait times with these chips," said Avivah Litan, vice president and analyst at Gartner Research. "We're a more rushed society than anyone else. So me, I'm going to be a little mad when I have to wait longer at checkout. You have to wait until the very end to get your card."

We've had chip & pin in Europe for years and I noticed that the time taken to complete a card transaction is actually longer when I have to swipe & sign. The explanation behind the 20 second wait time could easily be that the system hasn't been fully adopted yet, and as such it can be slow.

"It's easy to forget your card in the reader," said Nick Leffler, another credit card user who has been using his card at retailers that have already installed the new terminals.

I've never heard of anyone forgetting their card in the reader, but then this might simply be down to the fact that it's 'new technology' in the U.S.

As it becomes more difficult to skim and copy physical cards, many experts actually predict an increase in online fraud.

Besides the chip & PIN, I don't see how it would increase the chance of fraud online, especially since most other countries already have the system.

Source: time.com

This is just from a single article, I used this Google search and there are many more results just from Time in regards to the risks of the chip & PIN system.

My question is, why exactly is the system so controversial in the United States? It's not like it's a brand new system.

It's never as controversial as the 24/7 news makes it seem. They have to report on something. — Rocky, Oct 11 '15 at 15:00
I've deleted the comments that have been posted since the previous comments were moved to chat, as it's not possible to move them again. The same will likely happen to any further comments. PLEASE CONTINUE THE DISCUSSION IN CHAT. — GS - Apologise to Monica, Oct 13 '15 at 05:04
Note that Chip & Pin method is not necessarily more secure as it has various problems. — Maja Piechotka, Feb 25 '16 at 02:37
@MaciejPiechotka It's hundreds of times more secure than simply swiping your card without the need for identification though. — AStopher, Feb 25 '16 at 10:59
@cybermonkey I was comparing with Chip & Signature which AFAIK is as secure as Chip & Pin - both don't protect against malicious readers charging more then required, stolen cards (by MITM in chase op C&P), security downgrade attacks or taking a photo of both sides and using online. I'd argue that C&P is less secure for customer as it is belived by many banks to be secure so customers has harder time arguing that it did happened (see those and many other links). — Maja Piechotka, Feb 25 '16 at 17:55

score 80 · Accepted Answer · edited Jun 16 '20 at 10:49

80

The way credit and debit cards work in the US, all liability for unauthorized purchases is on the card issuer and/or merchant, not on the cardholder. Customers have no reason to want measures that increase evidence (and perceived certainty) that they authorized a purchase, and every reason not to want it. The same applies to "Verified by Visa" and similar systems for online card use - they protect the merchant and/or card issuer at the cardholder's expense.

Here's a great real-world example from another money.SE question: Dispute credit card transaction with merchant or credit card company? See in particular these comments:

Since merchant does not have my signature, can that be used as a proof that credit card transaction should not be honred? [sic]

I seriously doubt it. The proof of physical presence is the chip, not the signature.

edited Jun 16 '20 at 10:49

Community

1

answered Oct 12 '15 at 01:36

R.. GitHub STOP HELPING ICE

2,584
16
18

2

The statement that "[t]he way credit and debit cards work in the US, all liability for unauthorized purchases is on the card issuer and/or merchant.... " is not, actually, correct. First, with new payment industry rules that just took effect here in the U.S. --for the purpose of encouraging the use of chip transactions , actually--in some circumstances liability will be shifted on to the merchant where the unauthorized charges were made. Second, with the plethora of data breaches that have hit the U.S. over the last 2-3 years new legal doctrine is being developed as banks, consumers, and ... – mostlyinformed Oct 12 '15 at 05:09
...other interested parties who have suffered financial losses due to those breaches, including via having to pay the costs of unauthorized charges made with stolen credit/debit info, are increasingly going after merchants whose poor cybersecurity allowed the theft of the approximately 100 million card numbers stolen in various breaches to begin with. So things have gotten a little bit more complicated in the U.S. payments industry recently. – mostlyinformed Oct 12 '15 at 05:15
19

@halfinformed but the point is the end user is NOT liable. So for any credit card user it is actually a disadvantage to use a more secure system. I have a old diners club card here in Europe too, that only works with magnet stripe. Often they don't even ask for my signature in restaurants (I assume they are not used to it?) and even if they do in shops, 90% of the time no one even checks it. Once I had a "fraud" case. (a hotel charged additional money without reason). I called the card company and they asked the hotel for my signature. There was none, I got the money. – Josef Oct 12 '15 at 09:44
17

With a PIN-card, in such cases it's always "you entered your PIN, your fault". (The hotel thing probably wouldn't have happened, though). There where ways to crack the PIN discovered already, but even if someone would steal my card and crack the PIN, the bank would say "someone knew the PIN, so either it was you or you didn't protect your PIN. Your fault!"
So there is just no incentive for the end-user to want any changes. I could have gotten a new card with chip and PIN free, but I decided not to.
– Josef Oct 12 '15 at 09:49
13

@Josef Unlike in Europe, in the US Federal law prohibits banks from holding cardholders responsible for more than $50 of fraudulent charges in the event of a card being stolen/compromised. Even if they wanted to, banks here are legally prohibited from repeating the financial responsibility shifting to consumers they've done in other parts of the world. Even if they could do so, with zero fraud liability a standard feature on US cards for many years I doubt any bank would want to be the first mover on the change and get beaten up badly in the court of public opinion over the change. – Dan Is Fiddling By Firelight Oct 12 '15 at 15:18
5

@DanNeely: The problem is that they can claim it's not fraud if the cardholder's pin was used. Beyond obvious issues like card theft (perhaps with a pin written on a note stored with the card), there are all sorts of ways this can happen analogous to Josef's hotel story. For example a merchant could add on an unauthorized fee or enter an extra digit that goes unnoticed by the customer when they're asked to authorize with pin. With simple swipe the customer can just tell the issuer they didn't authorize the transaction and the burden is on the merchant. Not so easy with pin. – R.. GitHub STOP HELPING ICE Oct 12 '15 at 15:42
5

@Josef It's short sighted to say that in the US customers don't pay for fraud. Those 150 million USD that the target breach cost the company certainly didn't materialize out of nowhere. To the best of my knowledge the only attacks against EMV are against SDA cards (obsolete for good reason) and when using offline PIN verification (that used to be a problem in the UK although I'd hope they managed to update their terminals to support online PIN verification since 2015; German cards required online verification even back in 2010). – Voo Oct 12 '15 at 20:55
@Josef Well, I won't pretend that my personal expieiences could speak for U.S. consumers in general. But as someone who had my debit card information compromised in a major retailer breach last year and had almost $1000 taken from a particular account I can say that the process of having my money taken from me and then having to face the prospect of convincing my bank that the charges were fraudulently made, even in the best case (my bank was quite cooperative, fair, and timely in resolving the matter) it was a very unpleasant and unsettling experience. – mostlyinformed Oct 12 '15 at 22:09
And yes, it is ironic that a guy who was information security consultant sometimes working on merchant security compliance got robbed because of a breach in merchant security. (Although it did drive me to focus more on working more with merchants.) – mostlyinformed Oct 12 '15 at 22:17
@Josef: Counterclaim: You foolishly limited the PIN to 4 digits. – Joshua Oct 12 '15 at 22:27
@halfinformed well, but better to have your money taken and then get it back because eventually the bank has to give it back is still better than your money gone and the bank telling you to **** yourself because your PIN was entered and EMV cards are totally secure so you probably want to scam them... – Josef Oct 13 '15 at 07:07
@Josef But I honestly don't think it will have such dramatic impact here, from a legal standpoint. It's true that because it would take a very sophisticated attacker to counterfeit the chip & the info contained inside and steal the pin then in certain scenarios demonstrating fraud would become harder. But not impossible. The legal statutes here in the U.S. that protect consumers don't exclude chip-card transactions from their protections. Moreover, judging by the record that EMV has had in the rest of the world actual counterfeiting & abuse of a chip-card would likely be extremely rare. – mostlyinformed Oct 14 '15 at 03:33
4

@halfinformed: The argument you made - that "it would take a very sophisticated attacker to counterfeit the chip & the info contained inside and steal the pin" - is exactly the argument that card issuers can and will make to deny cardholders' claims. – R.. GitHub STOP HELPING ICE Oct 14 '15 at 04:03
3

@Joshua: Many (not all) US banks only allow four digits. Crazy, I agree. – Charles Duffy Oct 15 '15 at 04:07
"Verified By Visa" is a bad analogy. People rejected it because it made purchasing online even more complicated (an extra step and an extra password to remember) and It behaved like a fraudulent web site. – Schwern Oct 15 '15 at 17:59
1

@Schwern: You're right that "Verified by Visa" had additional problems, but the problem of making it harder for consumers to claim fraud is shared by both. – R.. GitHub STOP HELPING ICE Oct 15 '15 at 18:41
@R.. Unless you're arguing that people's dislike of chip & pin is because they want to defraud the system, I don't see the relevance. – Schwern Oct 15 '15 at 18:53
2

@Schwern: Not at all. The relevance is that, when their card does get fraudulently used because the password/pin/whatever was obtained by an attacker (in the case of chip&pin cards, both the physical card and pin getting stolen), the card issuer can and will claim the cardholder authorized the payment, using these things as evidence. Whether you're committing fraud or the victim of fraud, additional evidence that the transaction was authorized by you works against you. – R.. GitHub STOP HELPING ICE Oct 15 '15 at 19:43
As a US citizen who has had his card compromised and used for illicit purchases, I am quite happy that I was able to get all my money back, and the creditor essentially had to eat the loss. Of course, I also had to spend close to an hour on the phone with the bank going through the process, and I'd rather not repeat the experience. I'm all for more secure options. Arguing "customers don't want more security" is false. Arguing "banks will use this as an excuse to screw fraud victims" is possibly true, but that's not really what the answer originally said. – GrandOpener Oct 15 '15 at 19:45
2

@R.. While that is all true, it requires an understanding of credit card fraud that the average consumer does not have. They're not thinking about fraud claims, nor do they understand how VBV or chip & signature changes the fraud equation, nor are they aware of the magnitude of the fraud problem at all. That's my basic problem with this and many other answers, they assume the consumer is informed about credit card fraud. This is getting too big for comments so I turned it into an answer. – Schwern Oct 15 '15 at 19:51
@halfinformed: "It would take a very sophisticated attack" http://www.wired.com/2015/10/x-ray-scans-expose-an-ingenious-chip-and-pin-card-hack/ and consumer concern about liability: https://twitter.com/antumbral/status/656227693147484160 – R.. GitHub STOP HELPING ICE Oct 20 '15 at 00:15
1

Added a great example from a new money.SE question about why the chip is a liability to the cardholder. – R.. GitHub STOP HELPING ICE Aug 02 '16 at 14:48

score 37 · Answer 2 · answered Oct 12 '15 at 05:03

An article describing the risks of "chip and pin", along with related economics and regulatory issues, appeared last year in Communications of the ACM. The ACM is one of the two major organizations for computing professionals in the U.S. See http://cacm.acm.org/magazines/2014/6/175170-emv/abstract

Two points the authors make in their conclusion are:

The good news is that EMV systems have been deployed in Europe for 11 years now, and there is a lot of experience to build on. Almost everything that could go wrong, has gone wrong: several protocol flaws that allowed attacks nobody had anticipated; tamper-resistance that did not work; certification schemes that turned out to be a sham; and evidence-collection systems that were not fit for purpose.

The bad news is that the interests of banks, merchants, vendors, cardholders, and regulators diverge in significant ways. In Europe, many failures were due to banks dumping liability on merchants and cardholders, who were in no position to defend themselves. In the U.S., the dynamic is different and more complex, with the main fight being over the interchange fees the merchants pay the banks for processing their transactions.

The article has an interesting discussion and comparison of the "chip and pin" and "chip and signature" schemes. I recommend reading it at your library, if it has a copy.

This article - Chip &PIN is Broken - is dated, but nevertheless interesting, particularly for the way the bank ignored the demonstration of an attack and denied all the evidence that it, or something like it, had been used. Instead, the bank continued to insist that the customer pay for fraudulent transactions. The problem is that the banks' priority is to shift liability to customers and merchants, not necessarily to reduce fraud. — sdenham, Oct 14 '15 at 20:40

keshlam · Answer 3 · 2015-10-11T23:21:30.693

29

It isn't controversial, per se -- it's just expensive. We have a huge established base of magstripe -- or keypad! -- billing terminals, and of software to support them. The credit card companies don't want to have to pay to replace those, nor do the stores. Arguably it's recently become a bit worse with all the tablet/smartphone stripe readers now on the market.

Customers will need to start demanding chipcard support, I suspect, to make the cut-over happen.

Note that I'm not offering an opinion on the situation, just clarifying why it hasn't already happened.

(Note that this is the same reason the US is still primarily using land-line phones rather than switching over as thoroughly as some other countries to cellular. We had a huge existing investment in copper running to every house; it's easier to continue using that and to move to new technology comparatively slowly.)

edited Oct 11 '15 at 23:21

answered Oct 11 '15 at 15:56

keshlam

45,770
6
77
152

Yes, you need POS terminals and new software to process them, which is expensive and time-consuming respectively. But I don’t think having customers demand EMV support will force the issue so much so as the October 1st issuer–merchant liability shift is apt to. – tchrist Oct 11 '15 at 17:28
1

But isn't the legacy issue (for magstripe, and indeed for landlines) the same for any country which had those in the past? What's different for the US? – Steve Melnikoff Oct 11 '15 at 21:55
Other countries often do not have as well-established, as large and expensive, or as well-entrenched banking and telecom sectors. – keshlam Oct 11 '15 at 22:12
5

Last mile may be wireless,but landline is still major infrastructure , esp. if you include data. – keshlam Oct 11 '15 at 23:15
16

Here’s another reason why American industry is slow to adopt: because the restaurant industry has to redesign the whole customer-interaction experience, and somehow find a way not to force the customer into an embarrassing situation. If they cannot do that, the chip cards will simply not be used because they are too embarrassing and inconvenient. – tchrist Oct 12 '15 at 00:42
8

@tchrist: Given the recent trend to bring a user-friendly terminal to the table and let the customer do their own credit card transaction, I think this is moving toward becoming a non-issue. And chip-and-sig is not significantly different from stripe-and-sig, except for being harder to spoof. The real problems are the cost of transition and educating people out of the myths. – keshlam Oct 12 '15 at 01:31
5

@SteveMelnikoff Our infrastructure is older and more extensive, so it's just more costly. The consumer does not take any liability for fraud here, so you can be sure that if it was less costly to change the system than to eat the fraudulent charges, the big companies would have done it. I've also read that there was some argument within the financial community to try to "skip" the chip technology and go for a yet more secure, future alternative before investing in an infrastructure change. – Oct 12 '15 at 01:52
3

@tchrist If we're lucky, maybe all of our restaurants will just convert to the same style as the one in Texas that simply shares food sales with the waitstaff and charges more. – Wayne Werner Oct 12 '15 at 15:49
1

@Brick if that were to happen, somehow I get the feeling U.S. would be the only ones to adopt that alternative - and then it turns out to actually be a worse option than the chip technology.. but maybe that's just my pessimism coming through ;) – DoubleDouble Oct 12 '15 at 17:38
3

@Brick I see you never worked for corporate IT if you think that just because the long term cost of not switching would be much higher that this would cause most businesses to change immediately. Hell even for something as predictable as software lifecycles many companies have to pay for extended support. – Voo Oct 13 '15 at 06:36
1

@tchrist that was an interesting read, but I still don't understand the issue: here in northern Europe sometimes you write the tip amount on the receipt, sometimes you enter the final amount on the terminal; sometimes the tip shows up as a different transaction on the bank report, sometimes it does not. Plenty of options, not really embarrassing or esoteric stuff - also, no 50$ pre-auth, which sounds quite insane... – mccc Oct 13 '15 at 08:09
1

This answer is completely false. Almost all countries who now require EMV also had magstripes before. USA is no different - but their implementation is hugely different. The landline argument is also misplaced: in other countries it was free-market competition from cellphones what ruined landline operators and left their miles of copper unenergized. Every copper by definition runs to every house. The question remains - why is the market (customers) so different? – Agent_L Oct 13 '15 at 15:20
There is no technical barrier. There is only an existing investment that companies are reluctant to invest in replacing. The answer accurately describes the situation. Whether it's perception, reality, or mismanagement, that's what we've been fighting. – keshlam Oct 13 '15 at 15:42
@keshlam Definitely agree, retailers are probably not very excited about this and this is possibly one reason for the Time article. (NOTE: landline copper cables are commonly used, in conjunction with advanced forms of data compression, to provide internet to DSL customers @ much higher throughput than cellular wireless can provide... so there are other reasons... so the comparison probably doesn't fit for this discussion...) – MER Oct 13 '15 at 23:42
1

@tchrist can't US restaurants simply start paying their employees a decent wage rather than offloading their wages to the customer? I don't mind a 15% price increase if that means I won't have to arbitrarily pay 15% extra to not get spit in my food. – Hugo Oct 14 '15 at 09:10
1

@tchrist European restaurants have absolutely no problem with tipping via chip and pin terminals. There's no reason that American restaurants can't do exactly the same. (The typical interaction is that they come to your table with a portable terminal, which displays the amount on your bill. You hit OK, type in how much you want to tip, hit OK again, type your pin, hit OK.) – David Richerby Oct 14 '15 at 10:23
2

This is the same old argument. "America is big, we have all this existing incompatible infrastructure and it's impossibly expensive to change anything." Well, look. Europe is bigger. Europe has existing infrastructure. Europe didn't find it impossibly expensive to change. I mean, do you really think that Europe doesn't have landline telephones available in every home? – David Richerby Oct 14 '15 at 10:26
2

I think the "it's expensive" argument is pretty flawed. Canada switched to chip and pin relatively quickly, and we're not in the process of switching to tap and pay. The way it was done is just that any new terminals came with the newer tech. Restaurants turn over fairly quickly, and terminals are replaced every so often anyways. So they just switched whenever they had to buy new ones, and now most places have it – mirhagk Oct 15 '15 at 19:24

score 17 · Answer 4 · answered Oct 12 '15 at 06:44

17

As someone who has worked with merchants (in a cybersecurity and PCI compliance consulting role), and has often--alas, often unsuccessfully--advocated to one client or another that they move to EMV (ie. "chip"-card) compatible readers or terminals in a timely fashion I feel an irresistible impulse to offer some thoughts here. Why has EMV adoption in the U.S. has been slower to this point than one might have hoped? Well...

The most important reason--not the only reason, but the most important reason-- that the U.S. has been slow in adopting EMV is simply that regulatory authorities have taken much, much longer to require that merchants support chip-card transactions than they have in other parts of the world. In the U.S. the question of when merchants (and payment processors) must move to supporting EMV has been left to the Payment Card Industry's ("PCI') self-regulatory council. The PCI Council has been very slow in prodding U.S. retailers to buy new Point-of-Sale equipment that can handle chip-card transactions. Before that, the PCI Council was slow in compelling the payment processors who take card data from those merchants to update their equipment and software to handle the new transaction type. (Although that's now pretty much in place.) And when I say PCI has been slow, I mean slow. In fact, despite the degree of public attention that's come to the EMV adoption issue as merchants have been confronted by the deadline for liability shift that just this month passed here in the U.S., there is still no, actual firm, you-must-support--EMV--by--this-date PCI rule in place for merchants. In other words, if you're a merchant and you don't see any reason to use anything for card processing beyond a 10-year old magnetic stripe reader hooked up to your 8-year Point-of-Sale PC, as long as you're willing to bear the (hypothetical, potential) risk of liability for unauthorized charges in some circumstances there's still nothing from the PCI Council that says you aren't allowed to keep on going on like that. Will there be, someday? Yes. But not yet.

Sigh.

But now we're left with another question: why has the PCI Council been dragging its feet on requiring that merchants accept chip-card transactions? Well, we're kind of necessarily starting to go from fact territory to opinion & speculation territory here, so I won't dwell on this point. I'll just say that in my estimation the PCI decision-makers have been very, very, very sensitive to the concerns of merchants on this issue. Too sensitive. For merchants, buying and setting up new card readers or terminals that can handle chip-card transactions often looks like nothing more that a source of expense (and, potentially, some configuration pains here and there) that doesn't directly benefit them in any way. This perspective is wrong, mind you. (I won't go into the details of why here; suffice it to say PCI compliance & cybersecurity stuff). But the PCI Council, in the past, has proven very deferential to it. We will see if the numerous and awful credit/debit card info breaches that have occurred here in the U.S. the past couple years will lead to a lasting change in this attitude (ie. a shift in priorities to being more protective of the interests of consumers who have their card data stolen and of banks/card issuers who must still usually bear the financial consequences of unauthorized transactions). But for now the Payment Card Industry is still partly dragging its feet.

Oh, one final thing: you may be surprised to learn that even at U.S. retailers who have adopted chip-card compatible terminals use of the "chip-and-pin" procedure, as you folks in Europe know it, is still quite rare. Instead, "chip-and-signature" transactions are the norm. In these scenarios the chip is inserted into the reader/terminal in the way that you do it, but after the "dipping" of the chip into the reader is complete rather than enter a PIN a user merely needs to sign a paper receipt. This practice is not as secure as chip-and-pin, and everyone knows it isn't as secure as chip-and-pin. But, again, the Payment Card Industry decision-makers aren't in any urgent hurry. The speculation is that, say, 2-3 years down the road a rule requiring PINs instead of just signatures will be put into place. Maybe.

Anyway, just a perspective of someone who's worked on the ground to try to hasten EMV (and chip-and-pin) adoption where I could. YMMV.

Cheers.

PS: Typically, chip-card transactions do not take much longer than magnetic stripe transactions. By that I mean that, as things stand today, when everything's set-up correctly, on both the merchant's end and the payment processor's end, and working properly chip transactions should only take slightly longer than magnetic stripe transactions. (Meaning a few seconds, perhaps.) If a chip transaction is taking 20 seconds longer something is most definitely askew somewhere.

answered Oct 12 '15 at 06:44

mostlyinformed

270
1
5

3

As a UI issue, though, some of the time in a chip and pin transaction is spent doing nothing other than waiting for a machine to tell you to take your card back, whereas usually all of the time in a swipe-and-signature is spent with someone doing something (shuffling paper, operating a pen, whatever). I don't personally feel that chip and pin is slow, but the simple fact that it's a different routine will tend to affect perceptions of slowness, and so cases of chip and pin terminals that take 20 seconds longer than they ought to might receive more attention than cases of dropping the pen. – Steve Jessop Oct 12 '15 at 15:30
1

... however chip and pin does suck pretty badly on the rare occasions when the terminal communications are intermittent or down. – Steve Jessop Oct 12 '15 at 15:33
@Steve Jessop Hmmm, "perception of slowness". That's a really interesting thought. You might be on to something there, as it is more of a kind of "dip-and-wait" sort-of process... – mostlyinformed Oct 12 '15 at 23:03
10

@SteveJessop: Many retailers' terminals used to allow me to get out my wallet, swipe the card, put it back in my wallet, and put the wallet back in my pocket, all while the clerk was ringing up the sale. Being unable to put my wallet away until the sale is complete is a major step backward in efficiency. – supercat Oct 13 '15 at 07:51
1

@supercat I understand what you're saying, and obviously anybody would prefer a faster, cleaner process vs.a slower, less efficient process. But the old magnetic stripe way of doing transactions is just inherently & totally insecure. You need a way of doing transactions where even if every piece of equipment a merchant has has been subverted to maliciously steal your card info, even the reader itself, a bad guy can't take information from your card and make a working counterfeit of it. A chip can do that --via something called dynamic authentication--where a magnetic stripe just can't. – mostlyinformed Oct 14 '15 at 03:53
@halfinformed: If the terminal itself is subverted, nothing will prevent it from secretly issuing phony transactions in addition to legitimate ones. If it is not subverted, I'm not quite clear why the terminal couldn't be trusted to hold information securely between the time the card is presented and the time the purchase is complete, so that the bank would get proof that the card was presented during the transaction and that someone was shown the amount and pushed "accept" without anyone having pushed "cancel" in the interim. A merchant could have a sign saying that transactions over... – supercat Oct 14 '15 at 04:47
...some amount would require that the card be presented at the end of the transaction, but I don't see what real security risk there would be with having the card sign a one-time use token supplied by the bank, and having the bank sign a token from the terminal indicating the receipt of the transaction amount associated with the token before the terminal passes along the signed token. – supercat Oct 14 '15 at 04:49
@supercat: Which is why the future standard will be mobile payments authorized from your mobile phone, precisely because that is a trusted terminal (physically trusted by you, cryptographically trusted by the payment infrastructure). – MSalters Oct 14 '15 at 14:31
@MSalters: Given the quality of mobile phone security, I'm not sure that's such a great idea. BTW, how does chip & PIN work in situations where the customer may be long gone before the exact billing amount is known (e.g. at hotels)? – supercat Oct 14 '15 at 15:29
"regulatory authorities have taken much, much longer to require that merchants support chip-card transactions" Just think it should be mentioned that the idea that regulatory agencies should be imposing those kinds of requirements is a bit of a politically charged statement in the US (even if no one is doing anything about it in practice). This would be an extremely visible requirement, and as such I have little doubt it would rapidly become a political issue. – jpmc26 Oct 14 '15 at 17:38
2

@jpmc26 That's quite true, and a good thing to point out. Actually, if a proposal were to come forward to transfer credit and debit card regulation to the federal government and out of the industry self-regulating model that PCI represents I really don't know whether I'd personallysupport it: I think PCI has made some rather substantial errors obviously, but OTOH I would be concerned about whether we were just trading private regulatory problems for a set of different kind of problems that come with/from government regulation. I would have to think a lot more about that choice... – mostlyinformed Oct 14 '15 at 19:18
1

@supercat The goal of EMV is to prevent what security professions call replay attacks; cases where a bad guy is able to steal your static payment information during a transaction and then later use that during other transactions that you haven't consented to.. To do that you need some kind of authentication feature that actually changes from one transaction to the next. Its the same kind of general idea that one-time codes and pins operate on when you use two-factor authentication to login to certain websites. Thus the idea has gotten the name "dynamic authentication". Moreover, the way... – mostlyinformed Oct 14 '15 at 19:33
@halfinformed: Would you see a problem with a protocol where, when the person presents the card, the secure terminal hardware exchanges information with the bank sufficient to establish a one time-use token authorzing that terminal to make one purchase within the next 30 minutes? And repeating my question to MSalters: how do things like hotels handle the fact that by the time the exact final billing amount is known the card may be long gone? – supercat Oct 14 '15 at 19:50
EMV is implemented each transaction must be digitally signed by the chip in the card and a unique cryptogram sent off to the payment processor for the processor to authorize the transaction. Thus, even in the worst case where you have a totally-compromised card terminal the card terminal captures no information that could be used in replay attacks to make other, future transactions. Which is a world of difference vs. magnetic stripe transactions. – mostlyinformed Oct 14 '15 at 20:00
One note: I should not have implied that in a case with a compromised card reader that the card reader could not change the amount of the transaction vs. what you believe you are paying at the sales counter. The card has to "sign" the real amount that's being authorized, but as it has no screen (yet, anyway) you can't see and compare that amount to what the store's equipment is telling you. Such fraud would be easily and specifically tied to that retailer and that transaction – mostlyinformed Oct 14 '15 at 20:07
@supercat I don't think I'd necessarily have any problem with something like that. If there were a scenario where it was more convenient for a customer & merchant to authorize that limited amount of time beforehand instead of at the point where it typically is that would seem alright to me. I guess it's possible there's some issue I'm not thinking of at the moment, but off-the-cuff, wouldn't have any big issue with it. – mostlyinformed Oct 14 '15 at 20:17

score 14 · Answer 5 · answered Oct 12 '15 at 04:15

14

I develop point-of-sale software, and I'm not aware of any controversy. From my perspective, merchants are eager, consumers don't care, and processors are dragging their feet.

The real issue seems to be that the shift in liability does not create an economic incentive for payment processors to convert their systems. Once the processors are EMV-capable, they will briefly enjoy a transfer of liability to merchants who have not upgraded. But when the merchants upgrade, the liability will return to the processors. So it's only economical for the processors to convert to EMV if doing so will result in a significant long-term reduction in liability. According to some sources, that's questionable. Not only are there doubts (which may be FUD) about the security of EMV itself, but many merchants will still need to accept online or telephone payments, and criminals will likely shift their attention to those transactions.

answered Oct 12 '15 at 04:15

Kevin Krumwiede

281
1
6

2

Actually, from the perspective of somebody who does a fair amount of cybersecurity and PCI compliance work for merchants I'd say that in my experience it's merchants who hate having to make the switch, comsumers who are either for it (if they know the issue even exists) or apathetic about it (for the (90% who don't at all understand why the change is being made). Merchants I've worked with--and had extensive discussions with about why moving to EMV is important--have almost entirely wanted to put off getting new card readers or terminals as long as they possibly can. :) – mostlyinformed Oct 12 '15 at 05:24
Isn't the whole point of this to increase actual security, and therefore reduce liability all around by reducing the real number of fraudulent transactions? – Random832 Oct 12 '15 at 14:51
From my POV, I've had chip and pin for around 10 years now. Twice in the last few years my card has needed to be cancelled due to online fraud, never due to chip fraud. So I'm sure it's true criminals will shift their attention to things they can successfully exploit, and away from things they can't such as chip and pin POS. But what's the current theory as to why criminals are leaving a whole lot of online/telephone fraud on the table at the moment, that supposedly they'll pick up once the cash cow of POS fraud stops paying out? Why aren't they taking both? ;-) – Steve Jessop Oct 12 '15 at 15:19
... because the most obvious explanation is that currently they're not doing so much online/phone fraud as they might, because they can't get so much value out of it as they can with cardholder-present transactions and/or there's more risk of them being caught or prevented. Forcing criminals out of safer/more-profitable crimes and into riskier/less-profitable ones is generally considered a win when it comes to this sort of crime... – Steve Jessop Oct 12 '15 at 15:23
3

@SteveJessop I think you're onto something there. The risk (to the fraudster) with online transactions is that they have to provide a usable address to receive the goods. When fraud is discovered, that address becomes quite risky for them to use. With point-of-sale fraud, they can walk out the door and be gone with the goods in seconds. – GalacticCowboy Oct 12 '15 at 17:40
1

As a customer, I don't like the chip as implemented since it makes it necessary to physically handle the card at the end of a transaction, thus adding to the overall time required, whereas swipe cards could be handled during a transaction and then put away. I wouldn't mind the chip if it could support the same usage pattern, but the implementations I've seen don't. – supercat Oct 14 '15 at 13:38
The "online payments" part is another area where the US is lagging. I have been able to make online payments with PIN+chip for a decade (https://www.ideal.nl/en/) – MSalters Oct 14 '15 at 14:34
@MSalters Wait so you enter the PIN online!? chip+pin online sounds horrible! – Navin Oct 18 '15 at 13:14
1

@Navin: No, our banks aren't that stupid. I use my banking device to take a picture of the screen, enter my PIN on the device, and it generates a crypto code to authenticate precisely that transaction. – MSalters Oct 18 '15 at 20:36
1

@MSalters Not sure I'd trust a device with a website that autoplays not just one, but multiple overlapping audio tracks when you open it. Autoplay is so 1997. – Kevin Krumwiede Oct 18 '15 at 21:25
@KevinKrumwiede: The device uses a color camera, not a microphone! The linked site is an explanation, not the actual payment web interface itself. – MSalters Oct 19 '15 at 10:37
@MSalters I know. But it's hard to trust a company with a site like that. – Kevin Krumwiede Oct 19 '15 at 20:06

score 7 · Answer 6 · answered Oct 11 '15 at 15:03

7

I would have trouble saying this is controversial. I think that most people haven't even heard of it. I've had a chip in my cards for a while, but it's only in the last few weeks that it was even used. (In the most recent case, the system failed and the clerk had to swipe anyway.) The PIN, if we ever need one, seems like a hassle, but so far even with the chip, I need no PIN.

Most likely people who post online voluntarily are going to be the ones who are grumpy. In addition, this is the type of technology that's not going to excite consumers - Either you find a reason to dislike it or you just roll with it and don't care. Finally, there's the general factor that people don't like change. Overall, though, I think it's a blip in the news cycle and nothing more.

answered Oct 11 '15 at 15:03

5

I wonder if you (Americans) know in how many countries you can use this futuristic stuff in just about any grocery store. – kubanczyk Oct 11 '15 at 17:33
3

@GeorgeRenous Nobody can remember a dozen four-digit PINs for all the plastic in their billfold. It's a major hassle. There's also the problem of not being able to pre-swipe before the total is known, plus the problem of not being able to add the tip. Perhaps the rest of you should catch up with the issues facing Americans; you seem behind on your homework in many many ways. – tchrist Oct 11 '15 at 21:00
7

@tchrist Not sure whether you're being serious or just trolling? For small payments (for example with my bank it's 25 euros per day) you have contactless payments and for bigger payments the pre-swipe only saves a few seconds... whilst the swipe & sign system is absolutely horrific from a security point of view. Honestly, here in Europe the biggest problem is that not all systems support six-digit PINs (4 is really too short security wise...), but at least we're getting there slowly... and you guys complain it's too hard to remember? (Oh and, at everyone, sorry if I was slain by a troll O:) ) – David Mulder Oct 11 '15 at 21:21
4

@GeorgeRenous wtf do you need a wallet full of different cards? I have 2 and only use one of those regularly cos I can use it everywhere. – JamesRyan Oct 11 '15 at 22:35
2

@tchrist That's actually an excellent point, maybe you could promote that to an answer? It would be even better with some stats but I would guess that it's more common to have multiple cards in the US than in Europe. Most people there have one or two (say debit and credit or both rolled into one) and might not realise how this works in the US. Ditto with tips. – Relaxed Oct 11 '15 at 23:12
@DavidMulder Contactless has been rolled out in the last, what?, 2-3 years. It's not an explanation for anything, chip-and-pin was already very common in Europe long before it existed. Also, nobody is arguing about the security benefits here. – Relaxed Oct 11 '15 at 23:14
4

Because people don't tip in Europe?!?! BS!! Though the multi-card thing might be more of an issue: you really need multiple cards in the US to get a decent credit score. – Peter K. Oct 12 '15 at 00:11
@tchrist Not being able to tip sounds like a good thing, same with not knowing the actual total when you order :) – curiousdannii Oct 12 '15 at 02:05
@JamesRyan in the US there is a bigger culture of amassing huge debt by having a lot of "free" credit cards and spending a lot of money you don't have. – Josef Oct 12 '15 at 09:53
2

@tchrist: if you can't tip with chip and pin then you need a better chip and pin terminal. If US retailers are reluctant to invest in this part of the technology, preferring to inconvenience customers, then that might indeed be what's causing the general reluctance to take it up at all. Password memorization is a real problem though, maybe a possible solution is to chip+PIN-protect only the card or three that you use the most. Leave the others at the lower level of security offered by the stripe, but since they're used less they'll get cloned less. – Steve Jessop Oct 12 '15 at 15:47
1

@SteveJessop The tipping problem is that you have to have the full transaction amount, including the tip, before you enter the PIN. Previously, a waiter would run your card through and return it for a signature, and walk away. You then added the tip and your signature, and yourself escaped without ever having to meet the waiter's eyes after deciding how much tip you were leaving them. With the PIN, that is not possible. I'd heard that the EMV folks were planning on addressing this but haven't found an exact reference yet with details on the remediation plan. – tchrist Oct 12 '15 at 15:51
@JamesRyan: it's complicated and it's not just about running as many lines of credit as possible in the hope of maximising your total credit. You also get weird offers that mean you should be buying fuel on one card, coffee on another, using store cards in the relevant places, and blah blah. I'm not in the US so I don't know the full horrible details, but providers use fairly complex incentives to consumers to hold particular cards. – Steve Jessop Oct 12 '15 at 15:52
1

@tchrist: ah, the way it works here is that you enter the card into the portable terminal, enter the tip, then the pin, then remove the card and hand the terminal back to the waiter. I actually don't know whether or not the amount of the tip (or the total) is displayed to the waiter, but there's no need for it to be and even if it is the waiter could walk away from you before looking. So you meet the waiter's eyes as you hand the terminal back, but he doesn't know how much the tip was at that point, only you do. Is the US sense of shame too highly-developed to tolerate this UK workflow? ;-) – Steve Jessop Oct 12 '15 at 15:56
... come to think of it, the paper receipts do of course have the total on them, so the waiter would have to refrain from (or be prevented from) looking at those until after you've beat your retreat. Some people in the UK are starting to prefer cash tips anyway at the moment, since (for tedious administrative reasons of our own making) there's less chance of them being partly or wholly confiscated by the restaurant before the waiter gets the money. – Steve Jessop Oct 12 '15 at 16:00
@SteveJessop It depends on the business; some do sometimes check the signature, although this isn't common in restaurants. In retail transactions one trick they use for streamlining that checking is to make sure the capital letters look close to the same and not worry so much about the others. – tchrist Oct 12 '15 at 16:27
@josef having a lot of credit cards is also a good way to build credit. debt utilization ratio and all that. sure, some people have too many cards and overspend, but if you're smart it actually works to your advantage. @ stevejessop, it's not "horrible" at all, the benefits you can get from free cards, or even ones with annual fees, in the US are often well worth it, especially if you travel a lot. – user428517 Oct 12 '15 at 21:48
2

@sgroves: sure, the benefits themselves aren't "horrible" or people wouldn't take them. I meant that carrying around 12 cards and figuring out which one best to use at a given moment is "horrible" to someone who's used to (say) one fee-free card with a flat rate of cashback and nothing in the market that they consider beats that rate by enough to justify carrying it around for special purposes. It's just a matter of what you're used to and James is used to one card plus a spare. Micro-economists are starting to doubt the wisdom that more choice is always better ;-) – Steve Jessop Oct 13 '15 at 00:25
... albeit not to the point of saying that no choice is best. – Steve Jessop Oct 13 '15 at 00:31
@tchrist How does that work for tipping? Do they swipe the card a second time with the tip you've written on the receipt? Do they alter the transaction afterwards? What's the point of the swipe? – curiousdannii Oct 13 '15 at 11:15

score 5 · Answer 7 · edited Oct 16 '15 at 17:16

5

I work in the electronic banking department of a large multi-national bank; in a country where chip and PIN has been mandated for many years.

The normal scenario that you face when using a debit or credit card that is chip-and-PIN enabled is nothing like what was described by kape123, it goes like this:

You walk up to the counter and start unloading your groceries onto the conveyer belt.
The cashier starts scanning your groceries as you wait/see what is being scanned.
Once all the groceries are scanned, the cashier asks you how you like to pay. You say card.
Cashier asks for your card, inserts it into the POS machine, enters the amount and hands the POS terminal to you, where you verify the amount and enter the PIN; and you hand the terminal back to the merchant.
The transaction is posted and the terminal prints two receipts; one for you and one for the merchant.
Merchant hands you back your card with the receipt.
You pick your groceries and go on your merry way.

The entire process is 15 seconds if that. The majority delay is when the terminal is trying to connect to the payment network - which is the same delay that you would be facing with the swipe and sign method currently in the US.

I don't know where all this FUD is coming regarding fraud; what I can tell you in terms of reality is that the majority of fraud transactions happen in the US.

This is because only in the US does skimming/cloning pay off for fraudsters. Of course, not all is the fault of the US or their merchants; if the issuing bank chooses (or the acquirer bank) they can disable swipe transactions or otherwise limit their use (such as putting a financial limit on them); but then again, this is not something mandated by any regulation so it's up to each bank to decide their own policy on this.

edited Oct 16 '15 at 17:16

Peter Mortensen

341
2
6

answered Oct 14 '15 at 14:11

Burhan Khalid

645
5
6

2

Note that this 7 step process is only needed while transitioning. The local process here pretty much assumes PIN+chip so you insert your card during stage 2. Payment terminals receive the amount directly from the POS terminal, and have a permanent connection to the network. This eliminates steps 3 to 6, except for the verification of the amount in step 4 - and that's a good thing. – MSalters Oct 14 '15 at 14:41
The flow you describe is available at self-serve kiosks. – Burhan Khalid Oct 14 '15 at 14:45
2

In the US, in many places, the flow is "Customer puts groceries on belt; customer swipes card in machine while grocer starts scanning groceries; customer puts card away, punches in PIN, and starts picking up groceries while grocer continues scanning. Grocer finishes scanning, customer examines screen, pushes "ok" (using hand which may also be holding groceries), takes receipt (same hand), and can leave instantly. Chip cards as presently implemented break that parallelism. – supercat Oct 14 '15 at 20:55
2

@supercat Except that it's not really parallelism because you can't type your pin at the same time as packing groceries. You have to pause your grocery-packing briefly to type the pin. You're not actually saving time by typing the pin in the middle of packing; you're just doing things in a different order. – David Richerby Oct 15 '15 at 08:34
2

@DavidRicherby - Grocery stores in the USA have baggers. Customers don't tend to bag their own (although it does happen). Its essentially an assembly-line operation customer->checker->bagger. So typically once everything is unloaded the customer is standing around waiting for the process to end (perusing that aisle's impulse buy items / tabloid headlines like a good little consumer). Using some of that time to perform the data-entry part of the transaction is just sensible. My cards are all chipped now, but I don't use the CHIP system when I can avoid it because it is always slower. – T.E.D. Oct 15 '15 at 09:36
1

@DavidRicherby: Even many stores that don't have baggers have a bag-holding system such that a clerk can fill two bags, rotate the bag holder, fill two more bags, etc. Customers will need to periodically move bags from the holder to the cart (trolley) but unless the time for the customer to handle the the PIN pad exceeds the time for the cashier to fill four bags there will be perfect parallelism; even if the customer runs a little slow the customer can simply step away from the PIN pad, grab some bags, and then finish the transaction. – supercat Oct 15 '15 at 15:02

score 3 · Answer 8 · edited Oct 16 '15 at 04:47

3

TLDR: Within the US, retail point-of-sale systems accepting the new chip have done so with a user interface that makes transactions quite noticeably less convenient, with no visible benefit to the user.

--

As someone who lives in US and was recently forced to get a chip credit card, I may give you my personal observations about the recent roll-out.

To be sure, this is being blown out of proportion by popular media... as most everything is nowadays. This contributes to a toxic environment in which it's hard to get to the core of the problem, as evidenced by comments on this page that talk about "dumb Americans", "US is so behind in many many ways, they need to catch up", etc..

At its core this is simple "software is changing, it's natural to expect productivity drop at first" problem. Previously, here in US you had swipe and sign system. Terrible from security standpoint obviously... yet chip is not that much better.

But, terminals were fine tuned for swipe and sign, users knew how to use it and all of the "unauthorized transaction" burden was on companies who issue credit cards. Let me give you a concrete, personal example of my purchase in Walmart. Previously, here is how checkout process went:

Cashier starts scanning my groceries
I would swipe card while cashier is working on scanning and packing
Cashier is done, signature dialog pops up, I sign, done

When I first went to Walmart with my new card, here is what happened:

Cashier started scanning my groceries
I swiped the card... got a message that I need to insert the card instead
Luckily I had experience with chip technology so I knew how to insert card — if I didn't obviously I would need 10-20 seconds from cashier to explain
"DO NOT REMOVE CARD" dialog showed. Now, I could no longer see the list of groceries being scanned... meaning I had no idea if cashier inadvertently miss-scanned something.
I've removed card and "groceries scanned" list showed... I've started waiting for all groceries to be scanned
Once done with scanning cashier asked me to insert the card, which I did
She waited for dialog on register to allow her to process transaction
5 seconds later terminal started beeping, "TRANSACTION DONE, REMOVE YOUR CARD"
I've started to walk away with my card and cart, but cashier told me to wait - I needed to sign
Went back to terminal and signed the dialog that popped up - finally done.

Obviously, my next checkout was a bit faster, but even a perfectly-trained customer would be unable to carry out the new procedure as fast as the old one. Even for transactions small enough to not require a signature, it forces the customer to wait about five seconds after the clerk is done before being able to remove the card; if it takes another four seconds for the customer to put the card away that's nine extra seconds added to the transaction. Technical improvements might reduce the five-second delay, but unless the customer can put away the card before the transaction is complete the extra four-second delay will be unavoidable.

edited Oct 16 '15 at 04:47

supercat

878
6
5

answered Oct 12 '15 at 17:06

nikib3ro

207
1
7

Comments are not for extended discussion; this conversation has been moved to chat. – JohnFx Oct 13 '15 at 13:49
1

(-1) Most of the answer is about chip+signature, which is not what the question is about, and fails to adequately acknowledge the difference. The only cogent observation – about the time it takes to swipe and sign vs. chip and pin – is doubtful and unsupported. I guess that's possible but it's certainly not obvious to me or the complainers and therefore begs the question. – Relaxed Oct 13 '15 at 17:43
@Relaxed: At merchants which use card-swipe, I can and routinely do get out my wallet and swipe the card while the clerk is ringing up merchandise. The only action I need to perform after the clerk is done is to push "OK" and/or scribble a signature when shown the purchase amount. The process of putting my card away can be overlapped with the time the clerk is ringing up merchandise. The new cards require that formerly-parallel operations must be done sequentially. How is that "doubtful and unsupported"? – supercat Oct 14 '15 at 19:57
The fundamental problem with chip-based systems is the requirement that the customer physically handle the card after the transaction is complete, rather than being able to get all the physical card handling out of the way while merchandise is being rung up. The "always will be" claim hinges on that. – supercat Oct 14 '15 at 19:58
@supercat Parallel operation is also possible with chip+pin so that's not true and does not explain anything. And even if it were so, it would at the very least need to be stated, ideally to be documented with actual data. Like I said, it's possible but this answer provides no evidence for it. And it's also easy to make up a story going in the other direction: As someone who lived in various chip+pin country, the idea of having to get a pen, find a spot to write and scribble a signature sounds like a long painful process compared to entering a four-digit PIN. – Relaxed Oct 14 '15 at 20:00
@supercat Thinking about it, it's precisely the other way around. Entering the PIN can in principle (and actually is, at least in some countries/with some POS terminals) be done at any point but you can only sign once the receipt has been printed, i.e. at the end. So how is that supposed to prove conclusively that chip+pin is slower? – Relaxed Oct 14 '15 at 20:08
@Relaxed: At least at the retailers where I've seen the chip used, the customer can't remove the card until about 5 seconds after the final amount of the transaction is known; other comments here would suggest that's a design limitation of the technology. Do units in Europe not have that same limitation? – supercat Oct 14 '15 at 20:57
@supercat I think it's often quicker but the most important point is that we are now discussing the finer point of the technology and making all sorts of assumptions that need to be explicitly addressed in the answer. I'd rather have precise data about all this but even some cogent arguments like the ones you are trying to develop now would be better than an answer that goes on and on about something else and then just states chip+pin is obviously slower, because obvious it isn't. – Relaxed Oct 14 '15 at 21:10
@Relaxed: US retailers previously used stripe+sig or strip+PIN. Within the last few weeks some large retailers have started using chip+whatever. As someone in the US who has noticed the change and finds the new cards far less convenient than the old ones, I would suggest that if my experiences are typical this answer was the first I saw which answered the question of why people would dislike the new cards. – supercat Oct 14 '15 at 22:33
@supercat It's not unusual to be inconvenienced by the change itself and it's possible that it feels slower to you at the moment because you are not used to the technology or because of some other detail of the way it's used in the US. But the answer does not even state that clearly. It seems you are keen to defend it because you can somehow relate to it but most of what you said in your comments isn't in the answer itself so I stand by my down vote. – Relaxed Oct 14 '15 at 23:03
@supercat seems it's pointless to argue with Relaxed or mostly anyone who is in zone that is used to CHIP. – nikib3ro Oct 14 '15 at 23:11
1

Indeed arguing is pointless, that's not what this site is about and I tried to avoid it as much as I can. What about actually answering the question with something else than “It's obvious” instead? @supercat and others have made many relevant points but as long as the answer isn't edited to include them and present the issue in a more objective light, it's still a very bad one. – Relaxed Oct 15 '15 at 12:47
@kape123: Your answer could be improved considerably if you were to better focus on the fact that the protocol that was used in many US retailers for small purchases with magstripe cards (present and put away card while clerk is ringing up purchase) was, and always will be, faster than the protocol that is presently required with chip cards (must keep card out until clerk is done ringing up purchases). If retailer systems could be configured so that customers could put their cards away immediately when making small purchases, that would alleviate the speed difference. – supercat Oct 15 '15 at 14:57
@supercat feel free to edit answer in any way you see fit. Initially I wrote my answer not to argue for strip or chip - I wrote it to provide my experience of switching from stripe to chip hoping it'll give some insight to OP... and to point out that strip is faster in US for numerous reasons, including: retailers have fine tuned the system for decades and that customers are used to it. Yet people bashed on me and I allowed myself to get dragged into pointless discussions... so I withdraw, hoping I've gave enough info for anyone who truly wants to understand the situation. – nikib3ro Oct 15 '15 at 18:47
@Relaxed see my comment to supercat - and edit answer to include whatever you think is relevant. – nikib3ro Oct 15 '15 at 18:49
@Relaxed: I've edited the answer; watch for the edit to appear before adding any additional info you think appropriate. – supercat Oct 15 '15 at 21:57
@kape123: Do you like my edits? – supercat Oct 17 '15 at 14:34
@supercat Thanks, I think it makes the answer much better (and understandable for someone like the OP, who doesn't know the US context) and I turned my down vote into a positive one. – Relaxed Oct 26 '15 at 15:56
FYI, regarding Europe, in the last couple of weeks I travelled through three countries, using both debit and credit cards, and paid a little more attention to the issue. What I observed is that the delay between the moment you press “validate” after entering your PIN and the moment the transaction goes through (and the “remove card” message appears) is more like 1-3 s than 5 s. In very few cases, it was even instantaneous (didn't see any “Please wait” message). Being able to remove the card completely before the end of the check-out process is very rare but not unheard of. – Relaxed Oct 26 '15 at 15:57
@Relaxed: Incidentally, I've taken to waiting until after the total is ready and observing the time required at a couple of retailers; neither retailer was consistently faster, but validation consistently took at least five seconds and sometimes as long as eight. I have no idea why things take so long, given that even modem-based credit card terminals were faster than that [obtrivia: those terminals use 1200 baud because the connection sequence is faster than at higher baud rates; a 1200baud modem can connect and exchange all needed data before a faster one would connect]. – supercat Oct 26 '15 at 16:59

score 2 · Answer 9 · answered Oct 15 '15 at 19:14

2

From the consumer point of view (and that is all I am addressing in this answer), the change is pointless. People don't understand credit card security, what problems the chip solves, or that there's even a problem. The change to chips appears to bring them no value, just change and hassle. If people feel secure they will not value increasing security, even if they are told they are insecure.

People aren't aware just how easy it is to commit credit card fraud with a swipe card. If customers are aware of credit card fraud, they're vaguely aware of identity theft or something about using their card online.

All you need is a credit card number and you can create a swipe card that will work in any swipe reader. Nobody checks signatures. Credit card users don't think about this, same way they don't think about how easy it is to pick a lock in their home (or break a window). But credit card companies do, all the time, because they pay for it by law.

The consumer is kept unaware of this problem by throwing the liability onto the credit card processor, insurers and the merchant. This is by design, it's worth it to the credit card companies to keep consumer confidence. If the consumer were liable for fraudulent use of their card, people would use credit cards less and the credit card companies would make less money than they're making now just paying off fraud.

Now chips are introduced. It isn't obvious how this is any more secure to the consumer. The consumer hasn't been kept safe from this security problem, so they don't even know it exists. The consumer has no interest in change, they don't know why it changed. The old way seemed to work fine, why change it? Banks are already held in low regard, so the change is going to be attributed to something sinister, self-serving or incompetent. All they see is hassle to benefit the bank. Every single little change, whether for the good or bad, is seen as pointless.

Small merchants are in a similar boat. They have to change their procedures and change their equipment all to solve a problem they don't fully understand. However, merchants can be given financial incentive to switch by increasing the fees on swipe cards (or decreasing them for chip & pin). Consumers get no such incentives.

And there's a chip in it, so conspiracy theorists have something to get excited about.

answered Oct 15 '15 at 19:14

Schwern

121
3

I understand where you're coming from, but already there seem to be a significant number of consumers who insist on running their cards as "credit" rather than "debit". In some cases this is because their bank only gives "rewards" if you do it as credit, but my (reasonable, I think) guess is that consumers feel a greater risk entering their pin than swiping a card. For some they may have personally experienced additional difficulty getting charges reversed when running their cards "as debit", but in the big picture, I think it's the "feel" that matters. – R.. GitHub STOP HELPING ICE Oct 15 '15 at 20:13
The same concept exists with signatures. People (not everyone, but at least a segment of the population) are a lot more cautious about signing their name to something than making a verbal or implicit agreement. People are averse to actions which give others evidence/certainty of their authorizing something, especially if they don't fully understand what they're doing. – R.. GitHub STOP HELPING ICE Oct 15 '15 at 20:15
@R.. I've never heard this idea that people want to avoid to authorizing their valid transactions. Do you have any citations? – Schwern Oct 15 '15 at 20:29
Having both worked in retail and observed (as a customer) others in line paying, asking to run the card "as credit" or punching buttons on the terminal trying to figure out how to get it not to ask for a pin is common. – R.. GitHub STOP HELPING ICE Oct 15 '15 at 20:34
@R.. The behavior may be common, I'm asking about the reasoning. Many debit cards charge fees for too may transactions (less prevalent now, but the idea is still in many people's minds), while credit cards LOVE IT when you use them (they make money) and will give the consumer benefits for use. I prefer my credit card solely because it gives me airline miles. – Schwern Oct 15 '15 at 20:35
The "as credit"/"as debit" thing is for cards which are actually debit (associated with a checking account) either way. "As debit" means to run it as a pin-based transaction through one of the ATM networks (NYCE, Star, etc.) and "as credit" means to run it as Visa or Mastercard (depending on which logo it carries). In some cases customers only get rewards for "as credit" transactions (the merchant pays the fees that become these rewards) but that's less common than it used to be. – R.. GitHub STOP HELPING ICE Oct 15 '15 at 20:39
@R.. As for verbal vs written contracts, written contracts imply reams of legalese that the signer may not fully understand. A verbal contract must be short. Even if the verbal agreement provides less security, the person agreeing thinks they know what they're getting into. Then there's the trust question. A verbal agreement has the cultural aspect of saying "I trust you not to screw me". Asking for even a short written receipt for a personal transaction can imply "I do not trust you". – Schwern Oct 15 '15 at 20:39
Let us continue this discussion in chat. – Schwern Oct 15 '15 at 20:39

NL - Apologize to Monica · Answer 10 · 2015-10-16T15:56:29.663

I think the sentiment among many who have answered here (that there is not much incentive given the liability structure in the US) is certainly correct, and it explains why chip and signature has gained some traction while chip and pin has not, but I think there is an additional element at play here.

I think most consumers are looking forward to a future technology that allows all payments to be done with a mobile phone so that they can leave their wallets at home (or significantly reduce their holdings say with a drivers license holder in their phone case). Google Wallet and Apple Pay are already usable in many stores, so why use an old technology that never caught on?

I am personally looking forward to the day that I can fill up the cart and walk through a scanner on my way out the door. All the RFIDs on the items I purchased will allow for a receipt to be created on my way out the door, and my phone will provide the payment information. Why should I wait in a line at all?

Your last paragraph - that's what the ultimate target should be. — Dan Henderson, Oct 18 '15 at 04:33

score -1 · Answer 11 · answered Oct 17 '15 at 17:07

RE Bob's point: "As it becomes more difficult to skim and copy physical cards, many experts actually predict an increase in online fraud."

The chip card enables each transaction to have a unique authorization code, not the card number. The gist is that the magnetic card can be easily duplicated. The chip card cannot be duplicated. So using a duplicate card in the store with a chip reader is theoretically impossible.

When you buy on-line from your computer there is no chip card reader. On-line purchases just use the card number and the PIN code printed on the back of the card. So anyone who has seen the card has all the necessary information to use the card on-line.

So the chip card is expected to greatly lower in store fraud. However it is anticipated that fraud will move from the store to on-line purchases.

Why does the introduction of chip & pin appear to be so controversial in the United States?

11 Answers11

Linked