October 30, 2014

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

Chip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

The United States is the last of the G20 nations to move to more secure chip-based cards. Other countries that have made this shift have done so by government fiat mandating the use of chip-and-PIN. Requiring a PIN at each transaction addresses both the card counterfeiting problem, as well as the use of lost or stolen cards.

Here in the States, however, the movement to chip-based cards has evolved overwhelmingly toward the chip-and-signature approach. Naturally, if your chip-and-signature card is lost or stolen and used fraudulently, there is little likelihood that a $9-per-hour checkout clerk is going to bat an eyelash at a thief who signs your name when using your stolen card to buy stuff at retailers. Nor will a signature card stop thieves from using a counterfeit card at automated payment terminals (think gas pumps).

But just how broadly adopted is chip-and-signature versus chip-and-PIN in the United States? According to an unscientific poll that’s been running for the past two years at the travel forum Flyertalk, only a handful of major U.S. banks issue chip-and-PIN cards; most have pushed chip-and-signature. Check out Flyertalk’s comprehensive Google Docs spreadsheet here for a member-contributed rundown of which banks support chip-and-PIN versus chip-and-signature.

I’ve been getting lots of questions from readers who are curious or upset at the prevalence of chip-and-signature over chip-and-PIN cards here in the United States, and I realized I didn’t know much about the reasons behind the disparity vis-a-vis other nations that have already made the switch to chip cards. So I reached out to several experts to get their take on it.

Julie Conroy, a fraud analyst with The Aite Group, said that by and large Visa has been pushing chip-and-signature and that MasterCard has been promoting chip-and-PIN. Avivah Litan, an analyst at Gartner Inc., said MasterCard is neutral on the technology. For its part, Visa maintains that it is agnostic on the technology, saying in an emailed statement that the company believes “requiring stakeholders to use just one form of cardholder authentication may unnecessarily complicate the adoption of this important technology.”

BK: A lot of readers seem confused about why more banks wouldn’t adopt chip-and-PIN over chip-and-signature, given that the former protects against more forms of fraud.

Conroy: The PIN only addresses fraud when the card is lost or stolen, and in the U.S. market lost-and-stolen fraud is very small in comparison with counterfeit card fraud. Also, as we looked at other geographies — and our research has substantiated this — as you see these geographies go chip-and-PIN, the lost-and-stolen fraud dips a little bit but then the criminals adjust. So in the UK, the lost-and-stolen fraud is now back above where it was before the migration. The criminals there have adjusted, and that increased focus on capturing the PIN gives them more opportunity, because if they do figure out ways to compromise that PIN, then they can perpetrate ATM fraud and get more bang for their buck.

So, PIN at the end of the day is a static data element, and it only goes so far from a security perspective. And as you weigh that potential for attrition versus the potential to address the relatively small amount of fraud that is lost and stolen fraud, the business case for chip and signature is really a no-brainer.

Litan: Most card issuing banks and Visa don’t want PINs because the PINs can be stolen and used with the magnetic stripe data on the same cards (that also have a chip card) to withdraw cash from ATM machines. Banks eat the ATM fraud costs. This scenario has happened with the roll-out of chip cards with PIN – in Europe and in Canada.

BK: What are some of the things that have pushed more banks in the US toward chip-and-signature?

Conroy: As I talk to the networks and the issuers who have made their decision about where to go, there are a few things that are moving folks toward chip-and-signature. The first is that we are the most competitive market in the world, and so as you look at the business case for chip-and-signature versus chip-and-PIN, no issuer wants to have the card in the wallet that is the most difficult card to use.

BK: Are there recent examples that have spooked some of the banks away from embracing chip-and-PIN?

Conroy: There was a Canadian issuer that — when they did their migration to chip — really botched their chip-and-PIN roll out, and consumers were forgetting their PIN at the point-of-sale. That issuer saw a significant dip in transaction volume as a result. One of the missteps this issuer made was that they sent their PIN mailers out too soon before you could actually do PIN transactions at the point of sale, and consumers forgot. Also, at the time they sent out the cards, [the bank] didn’t have the capability at ATMs or IVRs (automated, phone-based customer service systems) for consumers to reset their PINs to something they could remember.

BK: But the United States has a much more complicated and competitive financial system, so wouldn’t you expect more issuers to be going with chip-and-PIN?

Conroy: With consumers having an average of about 3.3 cards in their wallet, and the US being a far more competitive card market, the issuers are very sensitive to that. As I was doing my chip-and-PIN research earlier this year, there was one issuer that said quite bluntly, “We don’t really think we can teach Americans to do two things at once. So we’re going to start with teaching them how to dip, and if we have another watershed event like the Target breach and consumers start clamoring for PIN, then we’ll adjust.” So the issuers I spoke with wanted to keep it simple: Go to market with plain vanilla, and once we get this working, we can evaluate adding some sprinkles and toppings later.

BK: What about the retailers? I would think more of them are in favor of chip-and-PIN over signature.

Litan: Retailers want PINs because they strengthen the security of the point-of-sale (POS) transaction and lessen the chances of fraud at the POS (which they would have to eat if they don’t have chip-accepting card readers but are presented with a chip card). Also retailers have traditionally been paying lower rates on PIN transactions as opposed to signature transactions, although those rates have more or less converged over time, I hear.

BK: Can you talk about the ability to use these signature cards outside the US? That’s been a sticking point in the past, no?

Conroy: The networks have actually done a good job over the last year to 18 months in pushing the [merchant banks] and terminal manufacturers to include “no cardholder verification method” as one of the options in the terminals. Which means that chip-and-signature cards are increasingly working. There was one issuer I spoke with that had issued chip-and-signature cards already for their traveling customers and they said that those moves by the networks and adjustments overseas meant that their chip-and-signature cards were working 98 percent of the time, even at the unattended kiosks, which were some of the things that were causing problems a lot of the time.

BK: Is there anything special about banks that have chosen to issue chip-and-PIN cards over chip-and-signature?

Conroy: Where we are seeing issuers go with chip-and-PIN, largely it is issuers where consumers have a very compelling reason to pull that particular card out of their wallet. So, we’re talking mostly about merchants who are issuing their own cards and have loyalty points for using that card at that store. That is where we don’t see folks worrying about the attrition risks so much, because they have another point of stickiness for that card.

BK: What did you think about the White House announcement that specifically called out chip-and-PIN as the chip standard the government is endorsing?

Conroy: The White House announcement I thought was pure political window dressing. Especially when they claimed to be taking the lead on credit card security. Visa, for example, made their initial road map announcement back in 2011. And [the White House is] coming to the table three years later thinking that it’s going to influence the direction the market is taking when many banks have spent in some cases upwards of a year coding toward these specifications? That just seems ludicrous to me. The chip-card train has been out of the station for a long time. And it seemed like political posturing at its best, or worst, depending on how you look at it.

Litan: I think it is very significant. It’s basically the White House taking the side of the card acceptors and what they prefer. Whatever the government does will definitely help drive trends, so I think it’s a big statement.

BK: So, I guess we should all be grateful that banks and retailers in the United States are finally taking steps to move toward chip cards, but it seems to me that as long as these chip cards still also store cardholder data on a magnetic stripe as a backup, that the thieves can still steal and counterfeit this card data — even from chip cards.

Litan: Yes, that’s the key problem for the next few years. Once mag stripe goes away, chip-and-PIN will be a very strong solution. The estimates are now that by the end of 2015, 50 percent of the cards and terminals will be chip-enabled, but it’s going to be several years before we get closer to full compliance. So, we’re probably looking at about 2018 before we can start making plans to get rid of the magnetic stripe on these cards.


190 thoughts on “Chip & PIN vs. Chip & Signature”

  1. Mibbzz

    Well IRL carding will start to slow down and more cvv carding will take place. Also you should do more stories on internet breaches and not just focus on in store carding.

    1. BrianKrebs Post author

      Yes, card-not-present fraud will increase as more merchants/banks start relying on chip cards, as has happened in every single country that has made the chip migration. But that is a completely different story.

      1. Mibbzz

        Yes I realize but I know a guy who in June 2013 breached the website of a company that I’m not going to specify. The result was 25 million cards, 1 million of which were sold and the rest he kept.

        1. Jonathan E. Jaffe

          25 million cards in June 2013? Was it publicized? These are the ones I recorded where over a million were compromised. The first three were non-financial compromises. If not one of these, which? Absent details you spout phlogiston. Jonathan @nc3mobi

          Date Public Name Total Records
          03/03/2013 Evernote 50,000,000
          04/26/2013 LivingSocial 29,000,000
          06/21/2013 Facebook 6,000,000
          08/28/2013 Advocate Medical Group, Advocate Health 4,000,000
          10/04/2013 Adobe, PR Newswire, NatWCCC 40,900,000
          10/21/2013 Court Ventures (now owned by Experian) 200,000,000
          11/27/2013 Maricopa County Community College District 2,490,000
          12/04/2013 ADP, FB, Gmail, LI, Twitter, Yahoo, YouTube 2,000,000
          12/13/2013 Target Corp. 110,000,000
          12/25/2013 Snapchat 4,600,000

          1. Mibbzz

            No, it was none of those; it was never publicly disclosed or found out. Also the Snapchat one was just account names and phone numbers minus the last two digits.

            1. Jonathan E. Jaffe

              Yes, SnapChat was a non-financial compromise so were some of the others in addition to the top three. Absent some confirmation, a claim of 25M cards is very hard to believe.

              Ya’ll have a nice day.

              Jonathan @nc3mobi

              1. Mibbzz

                Thousands of CVVs are sold every day. CVVs are so much easier to come by than dumps. Dumps are more expensive because it removes a good chunk of risk, but CVVs hold a way bigger profit ratio, and if a $3 CVV is dead on delivery it’s not as big a problem as if an $80 dump is.

                1. Jonathan E. Jaffe

                  Few doubt that dumps are sold every day. Raising that, especially here, particularly now, is a straw-man argument (or an Aunt Sally if you’re from over there).

                  The point was that a financial compromise of 25M in mid-2013 going unreported is hard to believe, and the lack of evidence makes for a … disconcerting claim.

                  see #12 #37 and especially #41
                  http://ethicsalarms.com/rule-book/unethical-rationalizations-and-misconceptions/

                  Jonathan @nc3mobi
                  my last reply on this thread.

                  1. Mibbzz

                    Why would it be reported? It was a 0day exploit and he was in and there was no trace. Ya, if he had sold all 25 million at once then it would have been reported, but selling 50-100k at a time a couple of times and none the wiser.

                    1. Ubbbs

                      The reason that scenario is unbelievable to me is that it’s now 20 months later. Let’s give all those cards a half life of 3 years due to expirations/account closures/fraud, and that is a very generous timeline. Credit cards are a perishable item. That means whoever took them is losing over half a million cards every month they are not being sold on the market.

                    2. Mibbzz

                      @Ubbbs we’re not talking about some Russian guy. This is a born and bred American who has other ways of making money than selling cards. Ya sure it was a quick buck but whatever.

                      Also I don’t care about the breaches that are public; the breaches that aren’t are the ones that get me, and they are way more than people would have you believe. Look at breaches like Home Depot and Target: no one knew there was anything wrong until the cards started to get sold. Now imagine if they weren’t sold, the person didn’t put malware in the PoS terminals and they only took the information once using an exploit that left no trace. Do you think that that would be publicized at all? No, because the only people who would know are the people who know the person who did it, and maybe more people if word of it is leaked, but still a very small number of people would actually know that this happened at all.

  2. Jonathan E. Jaffe

    Conroy: PIN … is a static data element

    The underlying account number (the confidential consumer credential) is identification. The PIN (or signature) is authentication and approval.

    So, why not make the approval dynamic? Not changed by some pseudo random generator, but dependent (highly context sensitive) on merchant identification, date, time and transaction element. Further, make the algorithm inconsistent among the consumer base. The provider knows who does what which way and crooks would have a hard time working from a compromised data set tainted by inconsistently processed authentication codes. It is probably too much of a pain for humans to do consistently, but smart phones are certainly capable and, absent physical theft (vs compromised information), this at least precludes mass compromises from bearing fruit for crooks.

    Crooks are just as smart as we are and absent committee meetings or moral restrictions, a lot more efficient.

    Jonathan @nc3mobi

    1. George Ellis

      I have always been a fan of MagnePrint. It uses the current cards and the mag stripe physical properties as “something you have.” Like all the others, it still is vulnerable to card not present transactions.

      The cost of issuing every consumer a dynamic “token” for each of the cards probably still exceeds the cost of the theft. The cost of replacing the POS readers and modifying terminals is also a factor. It will ultimately be economics that force the change or keep it where it is at.

  3. Philip

    IIRC, the card agreement small print for my new Chip+PIN card from a major US bank tries to shift liability for fraudulent CC transactions that used the PIN entirely to the cardholder. As far as I know, this is also the situation in Europe. Once we arrive at Chip+PIN here in the US, I expect that every call to the bank to reverse a fraudulent charge will become at least as annoying and lengthy as trying to cancel Comcast.

    1. Christoph

      This is actually not the situation in Europe, although some consumer advocacy groups of course tried to badmouth the banks along these lines.

      The Payment Services Directive, which is the basis for national payment law in all EU member states, is very specific, and restrictive, in when a consumer actually bears liability.
      Basically it’s if he was a party to the fraud or gross (not minor) negligence.

    2. PrairieDog

      I admit, not on-topic, but I had no trouble canceling Comcast. I brought all the equipment into the more or less local store, handed it to the clerk, and told her I wanted to cancel my account. She asked why. I said, “Price gouging.” She smiled knowingly, did the paperwork, asked me to sign. Done! No more Comcast.

  4. Jonathan E. Jaffe

    Philip – Worse than Comcast.

    The banks presume they are right even when they are wrong. See KOS 10/27 Reply Attacks where BK wrote: “The New England bank said MasterCard initially insisted that the charges were made using physical chip-based cards, but the bank protested that it hadn’t yet issued its customers any chip cards.” Add the change in the presumption of innocence (see Mr. Gambin’s story under May 2014 on http://nc3.mobi/references/emv/).

    A pain, and a mostly needless pain at that.

    Jonathan @nc3mobi

  5. Ev1l Wrangler

    Somehow I suspect that Lucky Green and the various other guys (CCC) who play with smart cards are rejoicing at the Feds decision.

  6. mcsg

    I’m curious to know how easy it would be for a bank to migrate from Chip & Signature to Chip & PIN? She mentioned how some banks want to teach their customers one thing at a time so they’re going to start with Chip & Signature, but I don’t think banks would be very willing to make another migration to Chip & PIN if it involves a lot of time, money, and labor.

    1. Christoph

      If you did your EMV migration right as a bank (which I can’t vouch for in the US market with their lack of experience in that field) it’s a matter of
      a) changing the card personalization for newly issued cards and
      b) sending a command to issued cards to switch to a PIN-preferring CVM list

      Oh, and of course education, education, education (mostly of cardholders, sometimes of merchants).

    2. Bill Trueman

      It would be very expensive to go to CHIP and SIG as an interim. It would only yield a part of the benefits (fraud, efficiency, merchant costs, speed for all parties etc.) but would make the process TWO full migration exercises to manage. i.e. there would be twice the costs and twice the work and delays in undertaking the exercise.

      An added issue would be that the old SIG as CVM processes would isolate the USA from the ROW for longer and may allow the schemes and issuers to prolong the higher MSC/Interchange rates through the old architectures.

      Start asking the MERCHANTS what they want. They will tell you that they want ONE migration to a better, cheaper, quicker solution without the liability and with lower costs. CHIP and SIG does not deliver any of this to them; CHIP and PIN delivers it quickly and without a whole new terminal update migration.

      Remember most / all of the costs are with the merchants and merchant suppliers – NOT with the issuers and cardholders. In the UK the driver for direction very quickly became the large merchant groups who wanted the right solution and who also set the migration time table through their lobby group – “The Retail Consortium”.

    1. Jonathan E. Jaffe

      Ben: Nice description of EMV benefits in card present transactions.

      Tell me: Which is growing more?

      Bricks&Mortar (physically present)
      or
      electronic (via computer) plus mobile (via smart phone when not physically present at a merchant) plus person-to-person plus non-present?

      To work in those avenues of commerce an EMV card needs a reader, another device imposed on consumers. See http://nc3.mobi/references/emv/#C&D

      EMV addresses a subset. A better solution addresses a larger set without requiring additional hardware for the consumer or the merchant.

      Jonathan @nc3mobi

  7. brown

    I know if our bank were to do it all over again we would go chip and signature. Managing (unblocking/changing) PINs and the systems and technology involved is very expensive. This gets exponentially more difficult and expensive if the issuer doesn’t have an ATM network or branches like most of the monoline banks. PIN offers very little in the way of fraud avoidance and in fact we have seen a big spike in ATM fraud as the article states since the PINs are more frequently used and therefore more frequently compromised.

    The main reason we went with PIN was because most of the other issuers had already made the switch to chip and pin and we did not want to seem like a less secure bank/product due to the lack of PIN. So it really was a PR decision more than anything.

  8. Derek

    How hard would it be for POS malware to capture the PIN as it’s entered, i.e. PIN pad keylogger? Or is this function well-secured on a modern terminal?

    And are you safer if you never ever swipe a chip-and-PIN card? (meaning you could remove or tape over the mag stripe)

  9. Harry S

    Brian said: “but it seems to me that as long as these chip cards still also store cardholder data on a magnetic stripe as a backup, that the thieves can still steal and counterfeit this card data — even from chip cards”

    For a PIN transaction the mag stripe is not read. So cloning of that data requires access to the card outside of a normal chip and pin transaction.

    But, as you have illustrated in the past, some skimmers will attempt to sheath the entire card so it can also read the stripe.

  10. DS

    In the UK I used to find most arrests I’d make for card fraud were from cards using numbers stolen from Eastern Europe and Asia. As those parts of the world adopted C&P more, the less fraud I’ve seen. Over the last few years I’ve only seen US card numbers being used.

    The numbers stamped on the plastic seldom matched the numbers on the strips. The big season for card fraud is upon us. I wonder how many cards I will get this year and how many will be from the US, or how few from any other part of the world for that matter.

    I refer to the strips because I have yet to see a working chip on a fake card, or a fake card that had a UV mark on it too.

    Needless to say I love it when a card fraudster walks in to my shop – I have a better than 95% arrest rate over more than a decade and nearly all have been successfully prosecuted.

  11. Bill Trueman

    Great article until the interviews – where the facts are rather sketchy:

    Conroy: The PIN only addresses fraud when the card is lost or stolen, and in the U.S. market lost-and-stolen fraud is very small in comparison with counterfeit card fraud. Also, as we looked at other geographies — and our research has substantiated this — as you see these geographies go chip-and-PIN, the lost-and-stolen fraud dips a little bit but then the criminals adjust. So in the UK, the lost-and-stolen fraud is now back above where was before the migration. The criminals there have adjusted. and that increased focus on capturing the PIN gives them more opportunity, because if they do figure out ways to compromise that PIN, then they can perpetrate ATM fraud and get more bang for their buck.

    LET’S BE CLEAR
    – COUNTERFEIT fraud is wiped out by CHIP and PIN
    – Cards cannot be counterfeited.
    – In the UK fraud has NOT risen to pre-EMV levels – nowhere near.
    – Most of the fraud in EU for POS and Counterfeit is in the USA where the cards are exported to and used in the poor infrastructure.
    – The ATM PIN compromise, which I also predicted pre-EMV in UK has simply not happened.

    The two areas that are correct are:
    a) Criminals have adapted. They have gone to the USA
    b) There is a focus on capturing PINs – yes – BUT ONLY to use magstripe counterfeits in the USA

    Can you see a common denominator here? If not think about it a lot more.

    1. brown

      Counterfeit fraud is wiped out by proper implementation of chip. PIN is not needed to wipe out counterfeit fraud. In our UK business we saw a significant increase in NRI and fraud application fraud shortly after the launch of EMV. In our Canadian business we did not see an increase of NRI or Fraud App, but we did see counterfeit and ATM fraud shift to the US as you described. Our overall fraud has dropped in Canada but mostly due to better detection strategies. EMV has helped us focus our strategies on a smaller percentage of our transactions, making detection easier.

  12. JA

    Not sure why a country like the US is taking so much time to implement a PIN-based credit card. Here in India we have all the major banks moving to the PIN-based credit card since the last 1 year!!!!

    1. brown

      I remember reading somewhere a few years ago that the cost to implement EMV (both to issuers and merchants) in the US far exceeds the amount of fraud it would avoid.

  13. Lisa

    I think it is ridiculous that signature verification is even contemplated. Half the time on those electronic signature boxes, I can’t read my own signature. Sometimes the stylus doesn’t work and I end up using a fingernail, which looks about as good as it sounds. If my signature was reasonably forged, I doubt I would even be able to tell if I had signed it or someone else did.

    PINS can be stolen, but I do think that they offer a different level of security over a dubious signature from an electronic payment terminal, and I think it’s silly that MasterCard and Visa appear to be advocating for competing standards. You came together on PCI, you can come together on this.

    1. brown

      Because the banks are not worried about stolen card fraud. It pales in comparison to counterfeit fraud. Imagine how long it would take to steal 50 million physical cards from Home Depot. It won’t happen. The real losses come from organized crime that steal card data and not physical cards. Chip and Signature is combatting counterfeit fraud, not pickpockets. Lost/stolen fraud makes up less than 5% of our fraud losses at our bank. Counterfeit is 50-60% depending on the month.

  14. Bengt Larsson

    I’m not convinced by the arguments for chip-and-signature. I suppose it could be an advantage if you have many cards. But chip-and-pin protects against misuse of a lost or stolen card, which I appreciate.

    And I hardly use ATM:s anymore (I live in Sweden). I withdraw at the supermarket when I need cash.

    1. brown

      You may appreciate it, but as I stated earlier the move to chip has nothing to do with stolen card scenarios. The amount of fraud lost due to stolen cards is negligible. Adding PIN functionality is extremely expensive and the bank would never recover those costs, because the fraud avoided (lost/stolen) will not even be close to what it costs to implement. Even the day-to-day operating costs for PIN are not economical when you consider how little fraud it actually mitigates.

  15. -stephen

    Re: “there is little likelihood that a $9-per-hour checkout clerk is going to bat an eyelash at a thief who signs your name when using your stolen card to buy stuff at retailers.”

    I haven’t had a checkout clerk look at or try to verify the signature for years. In fact, at most every store where I use a card the terminal is set up so that *I* swipe the card and the clerk never touches or sees it. If a signature is requested I can scribble anything. Using a signature for any kind of identity verification is a joke. And a bad one at that.

  16. Namsommut Tinueng

    Whether to use PIN or sign depends on the POS/terminal capabilities to accommodate it. Online PIN acceptance relies on software settings at the POS as well as on EMV card settings. The POS software compiles a list of the available card verification selections.

    This results in either online PIN or signature choice at the retailers. A bank card with chip and Online PIN still has signature as a second available option.

    Check with http://www.pinwise.com.au for possible scenarios.
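The points made above (the POS software compiling the card's available verification methods, Christoph's "PIN-preferring CVM list" and Conroy's remark that terminals gained a "no cardholder verification method" option) all come down to how a terminal walks the EMV CVM List (tag 8E). The walker below is an added illustration, not code from the article, any issuer, network or terminal vendor; every CVM list and terminal profile in it is a constructed sample value.

```python
"""Walk an EMV CVM List (tag 8E) the way a terminal does, to show what
"PIN-preferring" vs "signature-preferring" personalisation and the
"no CVM" terminal option actually mean.  Added illustration; not code
from the article, any issuer, network or terminal vendor.  All CVM
lists and terminal profiles below are constructed sample values."""
from dataclasses import dataclass

# CVM codes (EMV Book 3), low six bits of the first byte of each rule
CVM_CODES = {
    0x00: "fail CVM processing",
    0x01: "plaintext PIN verified by ICC",
    0x02: "enciphered PIN verified online",
    0x03: "plaintext PIN by ICC plus signature",
    0x04: "enciphered PIN verified by ICC",
    0x05: "enciphered PIN by ICC plus signature",
    0x1E: "signature",
    0x1F: "no CVM required",
}
APPLY_NEXT = 0x40  # bit 7 of the code byte: if this CVM fails, try the next rule


@dataclass
class CvmRule:
    code: int            # which verification method
    next_on_fail: bool   # fall through to the next rule if unsupported/failed
    condition: int       # when this rule applies (second byte of the rule)


def parse_cvm_list(data: bytes):
    """Return (amount X, amount Y, [CvmRule, ...]) from a tag 8E value."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM list")
    x = int.from_bytes(data[0:4], "big")   # 4-byte binary amounts X and Y
    y = int.from_bytes(data[4:8], "big")
    rules = [CvmRule(data[i] & 0x3F, bool(data[i] & APPLY_NEXT), data[i + 1])
             for i in range(8, len(data), 2)]
    return x, y, rules


def condition_met(rule, amount, x, y, txn, supported):
    """CVM condition codes 0x00-0x09; anything else is RFU and treated as unmet."""
    checks = {
        0x00: True,
        0x01: txn == "unattended_cash",
        0x02: txn not in ("unattended_cash", "manual_cash", "cashback"),
        0x03: rule.code in supported,          # "if terminal supports the CVM"
        0x04: txn == "manual_cash",
        0x05: txn == "cashback",
        0x06: amount < x,                      # in application currency, under X
        0x07: amount > x,
        0x08: amount < y,
        0x09: amount > y,
    }
    return checks.get(rule.condition, False)


def select_cvm(cvm_list: bytes, supported, amount=0, txn="purchase"):
    """Return the CVM code the terminal performs, or None if CVM processing fails."""
    x, y, rules = parse_cvm_list(cvm_list)
    for rule in rules:
        if not condition_met(rule, amount, x, y, txn, supported):
            continue                 # condition unmet: next rule, flag irrelevant
        if rule.code in supported:
            return rule.code
        if not rule.next_on_fail:
            return None              # unsupported and no fall-through allowed
    return None                      # ran out of rules: CVM processing fails


# Constructed card personalisations (X = Y = 0 unless noted)
SIG_PREFERRING = bytes.fromhex("00000000 00000000 5E03 4203 1F03")      # sig, online PIN, none
PIN_PREFERRING = bytes.fromhex("00000000 00000000 4403 4203 5E03 1F03") # ICC PIN first
LOW_VALUE = bytes.fromhex("000007D0 00000000 1F06 4203 5E03")           # no CVM under X=2000

# Constructed terminal profiles: the set of CVM codes each can perform
US_ATTENDED = {0x02, 0x1E, 0x1F}             # online PIN, signature, no CVM
KIOSK_PIN_ONLY = {0x01, 0x04}                # unattended kiosk, offline PIN only
KIOSK_WITH_NO_CVM = KIOSK_PIN_ONLY | {0x1F}  # same kiosk after adding the "no CVM" option

if __name__ == "__main__":
    for name, lst in [("sig-preferring", SIG_PREFERRING),
                      ("PIN-preferring", PIN_PREFERRING)]:
        for tname, term in [("US attended", US_ATTENDED),
                            ("kiosk, PIN only", KIOSK_PIN_ONLY),
                            ("kiosk + no CVM", KIOSK_WITH_NO_CVM)]:
            code = select_cvm(lst, term)
            print(f"{name:15} @ {tname:16}: {CVM_CODES.get(code, 'CVM fails')}")
```

The signature-preferring card fails CVM processing at the PIN-only kiosk and succeeds once the kiosk also offers "no CVM", while the same card at a US attended terminal is verified by signature and the PIN-preferring card by PIN.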

  17. TheOreganoRouter.onion..it

    I’ve read that most chip and PIN cards have only been issued recently for people who travel out of the country or for card owners who have very high credit limits, so that it reduces the liability risk to the bank or credit issuer.

    Any truth to this claim?

  18. John Stoker

    Excellent reporting as always Brian! I would love to hear your insight and report on Apple Pay and CurrenC.

  19. AlphaCentauri

    I’m not very optimistic about chip-and-PIN, because so many people use the same PIN for everything, and because so many of them choose a 4 digit date of birth for themselves or one of their children. Stealing the PIN number will not only get into their account at the ATM, it will get into their phone voice mail, their home security system, their iPhones, etc.

    Why are we restricted to 4 digits on so many PINs? People are perfectly capable of memorizing longer strings, such as phone numbers. And people usually are memorizing phone numbers that aren’t directly connected to themselves (which aren’t on their speed dial), so they would tend to pick less easily-guessed numbers. Just having different potential string lengths increases the difficulty in guessing significantly.

    1. brown

      1.25% of our active customer base forgets/blocks their PIN every month. While that may seem like a low number, on a large portfolio that would be quite a significant increase in call volumes. Imagine a portfolio with 20,000,000 active customers: that would be 250,000 calls a month from customers who need to unblock their PIN or get a new PIN. That’s also 250,000 customers who are forced to stop using your product.

    2. Jonathan E. Jaffe

      AlphaCentauri: Why … restricted to 4 digits on … PINs?

      Speed. Merchants want checkout to be quick so they got more revenue per unit time. Consumers want checkout to be quick so they can go do something else.

      Consider a queue at Starbucks … people are already unhappy at how long it takes to get their beverage. For an 8-digit PIN, would that double the time? Triple it? How many more would forget? You might be surprised at how many forget their 4-digit PINs.

      The “best” solution has to meet the diverse needs of all constituencies: consumer, merchant and provider. Between them there are a lot of needs.

      Jonathan @nc3mobi

      PS: I am glad to see such spirited discussion and commentary. Perhaps this dialogue can move from the periphery toward the center of public awareness and receive more attention than an Executive Order delivered on a Friday.

  20. The Tech Bear

    What I’d like to see is a card tied to an app on your phone that issues a one-time PIN. Two-factor, Two-Step authentication using an RSA token. It could be three-factor if the app must be logged into as well (card, app password, random PIN). Almost everyone has a cell phone in their pocket that can be used to authenticate yourself. THAT would be ideal and eliminate both Chip-and-PIN and mag-stripe fraud.

    This is just like the two-factor authentication offered by Google and Dropbox (they both offer to use Google’s Authenticator app).

    Thoughts?

    1. Bill Trueman

      I think that you have just re-designed ApplePay in one swoop. You have just described EMV, tokenisation, iTouch and Secure enclave. You could also have added NFC to make it easier for the customer and throw in Geo-location too and you have Apple Pay in full.

      RSA would not be needed, but proper P2P encryption would be essential to make it fully foolproof. Let’s see what CurrentC does next.

      NB – Apple have gotten away with delivering this solution from outside the payment sector because of the big gap in the USA. It is much more doubtful that they can make it work commercially anywhere else.

    2. brown

      Way too much. If you have issues, can you imagine trying to troubleshoot with a customer service agent over the phone? Also what if I leave the house and I forgot my cell phone, are you going to prevent me from transacting? What if my phone breaks while travelling, now what?

      It still has to be convenient and easy to use and accessible.

  21. Mark in CA

    I’ve been using chip and signature in Europe for about a year since receiving a chip-based card from Chase. Even though I live in a country where credit cards are much less common than elsewhere in Europe, and certainly the U.S., I have had no acceptance issues at the places I have used it.

    But there is another interesting consequence here when using chip and signature. When I had my old mag stripe card, a merchant would occasionally notice the PHOTO ID I wrote in the signature field on the back of the card and ask me for ID. With the chip and signature card, however, merchants treat it like the more common (here) chip and pin cards and never even look at the back of the card. In fact, with chip cards, the merchant usually never touches the card. It is the cardholder who inserts the card into the reader and removes it. And so there is no opportunity for the merchant to check the signature or see the request for photo ID.

  22. Soy Tenley

    I am wondering how gift cards are going to transform, in the future, from magstripe-only cards to chip cards. Gift cards are usually thrown away after one use.

    My favorite grocery store carries gift cards for all kinds of other non-grocery businesses, such as hardware stores, fast food restaurants, and even iTunes. One gasoline station chain used to have PayPal prepaid cards a couple of years ago.

    Then there are the prepaid debit cards like the Green Dot and other competitors. Most of the ones I have looked at (read the small print on the outside of the package) do not accept charges from businesses outside the United States.

  23. Marion

    Brian, thank you! I obtained a Chase Sapphire Visa card with chip and signature last spring, to use primarily while I’m living in France. It helps to have no foreign transaction fee (3% of purchase) but it’s still a pain because I can’t use it at kiosks, nor online to purchase train tickets. Sorry if this info was in the article and I missed it, but do you know what US banks now issue chip and PIN cards that don’t require signature?

    Many thanks!

  24. stripe all the way

    Well I personally think Signature is better than C&P.
    EMV moves most of its responsibility to the acc. holder. Before it was banks who paid the changes.
    EMV is not broken yet. BUT it will be. Nothing is unbreakable; lots of people are working on it. It’s just a matter of time, and then what??

    1. Bill Trueman

      @Stripe all the way – your name would have been better!

      Why do you think signature is better? Your arguments are entirely about EMV here rather than sig/PIN.

      EMV – moves none of the responsibility to any cardholder. There are no liabilities there for the cardholder. What happens is it takes all the fraud out of the POS environment. Banks still pay for the changes. What happens with EMV – is that it makes the sales journey at POS faster and easier for both the Cardholder and merchant. At the end of the day, prices will come down with lower interchange and lower MSCs, and the fraud that gets passed on to the cardholder eventually will come down by $billions – because the USA is seeing some of the biggest fraud losses in the world. Making the retailer check the signature (which no-one does anyway) is not fair. Moving to PIN means that the retailer does not even need to touch or look at the card.

      EMV is not broken (yet), and 15 – 20 years has not seen it break, but get stronger and stronger as threats are ‘theoretically’ identified. In contrast Mag-stripe has been broken for 20 years and becomes more archaic and dangerous every year. The USA losses to fraud and abuse are now rising exponentially as every fraud ring globally moves to the USA to perpetrate frauds in the $billions, starting with the theft of 10s of millions of cards from major retailers to abuse. Only going to EMV+sig will not stop the resulting POS fraud and counterfeit problems alone.

      Given that I live in the EU, personally, the move to sig in the USA or even a long delay would be better for me, as the costs here are mitigated by the whole criminal world openly moving their efforts to where the weaknesses are.

      1. Jonathan E. Jaffe

        Bill Trueman wrote:
        There are no liabilities there for the cardholder.

        You live in the EU. Would you explain to me how a consumer protests a charge the bank says was made with EMV? (See Gambin under May 2014 on www dot nc3.mobi/references/emv/) Or, how banks delete information consumers could have used to protest charges?

        Then take a recent incident in the US where a major provider said charges were made with EMV cards even though the issuing bank hadn’t issued any EMV cards!

        This leads to a potential logic that is very bad for consumers.
        a) The charge was made with EMV
        b) EMV charges are perfect
        c) Therefore you the consumer made the charge
        d) You charged it, you have to pay for it.
        e) Resistance is useless
        f) Start again at a)

        Even if EMV is not broken (see Professor Anderson’s work, Register and BBC reports to the contrary at www dot nc3.mobi/references/emv/, some dating back to 2007) it isn’t as useful in the growing avenues of electronic and mobile commerce. New hardware, in the form of card readers, is required for consumers. Merchants require new POS terminals. Target alone has a budget of $100M for that.

        There are better solutions.

        Jonathan @nc3mobi

        1. Bill Trueman

          JJ – getting into a layer of detail that would be better to take to email – as it would not add to the group. I know exactly where you are coming from and would comment that this is an issue that exists today with ATM disputed transactions that are harder to deal with in the POS environment – especially with cross-over PIN usage.

          The liability is not with the consumer, but with the issuer. Accordingly, the lazy or greedy issuer will try and post such transactions to the cardholder, but at the end of the day, the liability in these situations is governed by:

          a) Contract Law in the card issuing T&Cs – which will also need careful writing
          b) Consumer protection laws that apply in the state/region where they are operable.

          There are always going to be situations where:

          1. Genuine customers have their card stolen and PIN (seen) used and where they did not initiate the transaction. Invariably these are situations where errant family members ‘borrow the card’ to get goods to fuel drug habits etc. / or get back at a spouse. Not always I know, OR

          2. Cardholders trying it on. We have not considered with any depth the effect of CHIP and PIN that results in the wiping out of this FIRST PARTY fraud aspect of the proposition – largely as it is dwarfed today in the USA by the overall benefits of the EMV POS fraud problems.

          Accordingly, the situation in (2) above also dwarfs the losses in (1) above.

          Because of this issue, about 12 years ago I set-up, ran and (eventually) sold a business where we undertook first-party ‘challenge’ interviews with such customers and trained most of the banks how to do it too. We used advanced Psychology interviewing (oddly developed in the US with the removal of hypnosis as an FBI tool for getting to the truth – by Martin Reisner, Ron Fisher and Ed Geiselmann – name spellings by memory) – using cognitive interviewing, Conversation management and CBCA (cognitive based criteria analysis) to identify deception from truth. This worked really well in these types of situations (and there are others including – someone stole my car – or it fell down the stairs when a new model came out). It works well as a technique where seemingly impossible things happen.

          In all these cases, it ALWAYS turned out to be 1. or 2. above – either with or without the collusion or knowledge of others. There are likely to be exceptions to this if within your market fundamentals such as:

          – P2PE/tokenisation is not used properly to avoid interception at various points
          – Chips are NOT removed from the cards and replaced by dummies – so that the consumer does not know, as well as having sight of a PIN in use or written down.
          – Interception of cards in transit, where con-men ask for re-issue or secondary cards etc., so this has to be checked too.
          – VERY STRONG – not accessible to anyone PIN security at data-centres and/or banks where PINS/cards are produced, despatched, handled.

          All of these things need to form part of an investigation and always the patterns looked for.

          Having said all of this, the level of problems here is VERY small compared with those in the Mag-stripe/sig environment; and it is much better / nicer to deal with this smaller number of cases than the $billions of POS fraud that goes on today.

          I think that you have been dealing with some quite wicked issuers that need to be put in their place with consumer lobby groups if this really is happening this way; and/or taken on in the courts for these sharp practices. Or put them in touch with me and I will show them how to do it properly!

  25. Marcelo Brandão

    This is how things work in Brazil:

    Every card is Chip and Pin but still has the magstripe on the card.

    To withdraw money from ATM, a second PIN / Password is needed, or in some banks, some form of security token key card ( https://oarthur.com/wp-content/uploads/2014/10/img_cartao_chave1.gif )

    For successful use of stolen card data, they need to steal:

    Entire card number plus security key printed on the back of the card (For online shopping only)
    OR

    Using a modified ATM, steal card data from the magstripe and the PIN using a camera. (As previously reported here)

    If they get rid of the magnetic stripe on the card, this form of stealing is nullified.

    Personally I haven’t used the magstripe a single time in more than 10 years.

    Every POS machine and ATM supports Chip and Pin, which leaves me thinking why the hell our cards still have a magnetic stripe, which is only used for stealing the card data.

    And on top of that, most banks have the option to send (free) SMS to your phone for every transaction made with your card or account. If you receive an SMS from your bank saying “Transaction Approved” and you didn’t buy anything, you can just call your bank and report it immediately.

    1. Bill Trueman

      Thanks Marcelo – a brilliant summary of how it works everywhere except for the USA.

      One thing that I would add though, is that there is a weakness in this that you have described:

      – Criminal shoulder-surfs to get the PIN number
      – Criminal somehow reads the CHIP/Mag-stripe and or embossing (but usually the mag-stripe in order to get the CV2 from the card itself).
      – The card details are then sent to criminal agents in the USA who make a fake mag-stripe card (or re-encode it).

      But again, the weakness is in the USA because of the poor infrastructure there!

      The only thing that banks can then do (and they do this), is to start to build intelligence into their transaction screening systems to decline these transactions – but of course this then inconveniences customers.

      I have also helped a lot of issuers and acquirers in their transaction monitoring solutions – and it is always the USA that is a problem these days; and always involves stopping genuine transactions when finding fraud because of the backwards USA infrastructure. Indeed, I am surprised that the USA does not have a consumer lobby that drives the C&P migration, because increasingly the ROW is declining USA travellers because of only a risky mag-stripe and signature; and retailers do not want to start taking passport details to protect them from the chargebacks.

      Good post Marcelo. At least the president of the USA understands this issue.

      1. Marcelo Brandão

        They can steal the magstripe info from the card and fake the card and signature to shop.
        Our cards still work on magnetic and signature despite every POS and ATM supporting PIN and CHIP. If you don’t use the magnetic stripe, when this occurs the bank will automatically block your card, warn you and send a new card.

        They can’t use our cards in other countries. Our cards only work on national territory, sometimes a regional area, unless you ask the bank to. This is also to prevent fraud, as most people will only use their cards in their region. People who travel a lot ask their bank to enable it in any region.

        There are some complaining when people travel and can’t use the card because they forgot to tell the bank. This can be solved with a phone call. (If you are in a foreign country, international phone call 🙁 )

        Most criminals now target online banking. Several scams come every day in our emails, asking to “reconfirm”, “update” or whatever your bank account.
        If you click the link, or you are asked to install malware, that reads all the needed data from your computer, especially if you access your bank account on your computer.
        Or you are sent to a fake bank site, where they ask you to input so much data that the bank would never ask you that only very naive people fall for it (still a lot).

        Or fake e-commerce sites where they ask for your card data and never send you any product.

        Most of our frauds are online today.

  26. Andrew Watson

    Here in the UK the banks used the introduction of Chip-and-PIN as a covert way of shifting some fraud liability onto the customer. See, for instance, this discussion paper by Mike Bond, Steven Murdoch and Ross Anderson dating from around 2006:

    http://www.chipandspin.co.uk/spin.pdf

    UK banks can supply customers with a Chip-and-signature card if the customer absolutely insists (but are always reluctant to do so). Because Chip-and-signature eliminates the unjustifiable liability shift in the UK, some UK credit card customers (including me) do not use C&P cards, only Chip-and-Signature.

    However, according to Bond et al, ‘Regulation E’ in the USA places the default liability for fraud squarely on the bank. Hence this liability shift issue may not apply in quite the same way there.

  27. michael

    Does anyone know exactly what the banks are writing off as a loss when fraudulent charges occur? I would bet it isn’t just the amount of the transaction. I would assume it includes fees associated with any type of investigation/card replacement etc. Could this process actually be a money making process for the bank thanks to tax write offs?

    example: $50 Fraudulent charge + 2 hours of in house investigative fees to determine if it really was fraudulent (at $200 per hour) + $5 to create/mail new card… so a 50 dollar loss is written off as $455.

    1. Marcelo Brandão

      That’s my line of thinking too.

      If the banks still haven’t solved this issue, it’s because they are probably getting some kind of profit every time a fraud occurs.

    2. brown

      Only the amount of the posted fraudulent transaction is written off as fraud. Any fees or interest charges associated with that transaction are not charged off as fraud.

      Also $200/hour for an investigation??? not even close. Try $20/hour.

  28. Bartb

    Chip and signature is likely temporary, part of a merchant and customer education process. But it is less safe (see article) and more expensive to implement for card present transactions. The rest of the world is already moving to Chip only, no more swipe, that is how far behind the US is. Just like paper checks are gone in retail – there is better technology.
    If a person can handle Pin with an ATM, they can handle Pin in a store. Cost wise, a signature capable device costs several $100 more than a chip & pin device. For a 10,000 lane merchant that is several million dollars, just in device cost.
    It also complicates implementation, due to other applications being used on the device. Plus the merchant will need to maintain his expensive SIG CAP storage and tracking system, which he can get rid of with Chip and Pin.
    Plus Chip + SIG does not work for kiosks, which are on the rise in many areas (Parking, Transit, High Value electronic kiosks, movie theatres)

    1. Eaglewerks

      Bartb:
      1) PIN numbers are normally associated with Instant Debit Card purchases. PINS have NEVER been commonly associated with any credit card purchases.

      2) Merchants in my geographical area are now encouraging usage of checks (which they sometimes process as an EFT). I am not sure why you seem to believe paper checks are gone from retail.

      3) In my area larger merchants are also now reviving the once thought gone use of Merchant Branded Credit Cards. Good only at the specific merchants’ establishments.

      1. Bill Trueman

        Which area are you in??????

        In all other areas, PIN is common on credit cards where credit cards exist. Most markets treat the debit / credit / deferred credit all the same for routing and transaction completion. It is much easier that way as it makes it SIMPLE – KISS rather than whole parallel but different infrastructures please.

        1. Jonathan E. Jaffe

          Bill Trueman:

          Eaglewerks lives in a place where there is a “feed store” and people say “put it on my bill”. The merchants do and the consumers pay. Same sort of place I live, just a bit removed from the hustle, bustle, crime, pollution and frenetic pace that we call “large cities”. We still suffer from poly-tic-ians and the occasional infestation of other vermin.

          You wrote: In all other areas, PIN is common on credit cards where credit cards exist. [ emphasis mine -J ]

          Hmm, I’ve had a credit card for about 35 years in Chicago, 15 years here and in some other places where credit cards exist. Didn’t have a PIN code on my credit card then and don’t have one now. Just checked with three “neighbors” (have to put that in quotes because some are a mile or so away) and if they have PINs on their credit cards they don’t know about it.

          Jonathan @nc3mobi

          1. Bill Trueman

            JJ – again – you are talking about a small place near a small city in a small country that is far far behind the global front-runners – actually at the back of the race – by a long way.

            So nothing personal – but you are in a market where PIN is not prevalent – as we have discussed. It is in the ROW – so you cannot use the argument that your neighbours are not using PIN. This is a circular argument – and you are propagating the: ‘Post hoc ergo propter hoc’ fallacy here. i.e. 1. The USA market is behind the rest of the world because it is not using PIN widely on credit cards, 2. My neighbours in the USA are not using PIN on Credit cards; 3. Majority of people are not using PIN on Credit cards ergo 4. PIN on Credit cards wrong / not used.

            Love and kisses from the UK.

    2. Bill Trueman

      @ Bartb – best answer/comment I have seen here – BY FAR. Someone who is looking at this from both a commercial perspective, and considering the merchant infrastructure too.

      Absolutely – spot on in every way. Please read Bartb comments.

      I’d add that MasterCard has mandated that ALL POS terminals in Europe must by 2020 also accept NFC transactions (which for those that do not know, means an EMV chip transaction on a terminal without actually having to put the card in the POS device – i.e. it reads the card through an aerial in the card and powers it with an induction coil in the card). This is done with full encryption etc., and tests have proven that it cannot be intercepted like the old unreliable mag-stripe based NFC that did not work in the USA.

      And how far off is this technology now? It is there today in Europe. All London transport switched off cash last month and now all buses, tubes (Translation: subways) and trains have to be paid for in the capital with NFC payments. That is millions of transactions each day. And most banks have implemented NFC on their cards already to allow them to be used in this way. And many retailers too – including and especially McDonalds, and most coffee houses for LV transactions. This all needed the CHIP AND PIN architecture, EMV standards updates, P2P encryption, etc., etc., and whilst we are at it, it also needed strong/robust off-line chip parameter settings as the underground system has many 10,000 entry/exit points that are offline.

      THAT is how far behind the USA is and why Obama has had to encourage with a presidential order! Sheer embarrassment rather than any political statement.
