30 Oct 14

Chip & PIN vs. Chip & Signature

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

Chip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

The United States is the last of the G20 nations to move to more secure chip-based cards. Other countries that have made this shift have done so by government fiat mandating the use of chip-and-PIN. Requiring a PIN at each transaction addresses both the card counterfeiting problem, as well as the use of lost or stolen cards.

Here in the States, however, the movement to chip-based cards has evolved overwhelmingly toward the chip-and-signature approach. Naturally, if your chip-and-signature card is lost or stolen and used fraudulently, there is little likelihood that a $9-per-hour checkout clerk is going to bat an eyelash at a thief who signs your name when using your stolen card to buy stuff at retailers. Nor will a signature card stop thieves from using a counterfeit card at automated payment terminals (think gas pumps).

But just how broadly adopted is chip-and-signature versus chip-and-PIN in the United States? According to an unscientific poll that’s been running for the past two years at the travel forum Flyertalk, only a handful of major U.S. banks issue chip-and-PIN cards; most have pushed chip-and-signature. Check out Flyertalk’s comprehensive Google Docs spreadsheet here for a member-contributed rundown of which banks support chip-and-PIN versus chip-and-signature.

I’ve been getting lots of questions from readers who are curious or upset at the prevalence of chip-and-signature over chip-and-PIN cards here in the United States, and I realized I didn’t know much about the reasons behind the disparity vis-a-vis other nations that have already made the switch to chip cards. So I reached out to several experts to get their take on it.

Julie Conroy, a fraud analyst with The Aite Group, said that by and large Visa has been pushing chip-and-signature and that MasterCard has been promoting chip-and-PIN. Avivah Litan, an analyst at Gartner Inc., said MasterCard is neutral on the technology. For its part, Visa maintains that it is agnostic on the technology, saying in an emailed statement that the company believes “requiring stakeholders to use just one form of cardholder authentication may unnecessarily complicate the adoption of this important technology.”

BK: A lot of readers seem confused about why more banks wouldn’t adopt chip-and-PIN over chip-and-signature, given that the former protects against more forms of fraud.

Conroy: The PIN only addresses fraud when the card is lost or stolen, and in the U.S. market lost-and-stolen fraud is very small in comparison with counterfeit card fraud. Also, as we looked at other geographies — and our research has substantiated this — as you see these geographies go chip-and-PIN, the lost-and-stolen fraud dips a little bit but then the criminals adjust. So in the UK, the lost-and-stolen fraud is now back above where it was before the migration. The criminals there have adjusted, and that increased focus on capturing the PIN gives them more opportunity, because if they do figure out ways to compromise that PIN, then they can perpetrate ATM fraud and get more bang for their buck.

So, PIN at the end of the day is a static data element, and it only goes so far from a security perspective. And as you weigh that potential for attrition versus the potential to address the relatively small amount of fraud that is lost and stolen fraud, the business case for chip and signature is really a no-brainer.

Litan: Most card issuing banks and Visa don’t want PINs because the PINs can be stolen and used with the magnetic stripe data on the same cards (that also have a chip card) to withdraw cash from ATM machines. Banks eat the ATM fraud costs. This scenario has happened with the roll-out of chip cards with PIN – in Europe and in Canada.

BK: What are some of the things that have pushed more banks in the US toward chip-and-signature?

Conroy: As I talk to the networks and the issuers who have made their decision about where to go, there are a few things that are moving folks toward chip-and-signature. The first is that we are the most competitive market in the world, and so as you look at the business case for chip-and-signature versus chip-and-PIN, no issuer wants to have the card in the wallet that is the most difficult card to use.

BK: Are there recent examples that have spooked some of the banks away from embracing chip-and-PIN?

Conroy: There was a Canadian issuer that — when they did their migration to chip — really botched their chip-and-PIN roll out, and consumers were forgetting their PIN at the point-of-sale. That issuer saw a significant dip in transaction volume as a result. One of the missteps this issuer made was that they sent their PIN mailers out too soon before you could actually do PIN transactions at the point of sale, and consumers forgot. Also, at the time they sent out the cards, [the bank] didn’t have the capability at ATMs or IVRs (automated, phone-based customer service systems) for consumers to reset their PINs to something they could remember.

BK: But the United States has a much more complicated and competitive financial system, so wouldn’t you expect more issuers to be going with chip-and-PIN?

Conroy: With consumers having an average of about 3.3 cards in their wallet, and the US being a far more competitive card market, the issuers are very sensitive to that. As I was doing my chip-and-PIN research earlier this year, there was one issuer that said quite bluntly, “We don’t really think we can teach Americans to do two things at once. So we’re going to start with teaching them how to dip, and if we have another watershed event like the Target breach and consumers start clamoring for PIN, then we’ll adjust.” So the issuers I spoke with wanted to keep it simple: Go to market with plain vanilla, and once we get this working, we can evaluate adding some sprinkles and toppings later.

BK: What about the retailers? I would think more of them are in favor of chip-and-PIN over signature.

Litan: Retailers want PINs because they strengthen the security of the point-of-sale (POS) transaction and lessen the chances of fraud at the POS (which they would have to eat if they don’t have chip-accepting card readers but are presented with a chip card). Also retailers have traditionally been paying lower rates on PIN transactions as opposed to signature transactions, although those rates have more or less converged over time, I hear.

BK: Can you talk about the ability to use these signature cards outside the US? That’s been a sticking point in the past, no?

Conroy: The networks have actually done a good job over the last year to 18 months in pushing the [merchant banks] and terminal manufacturers to include “no cardholder verification method” as one of the options in the terminals. Which means that chip-and-signature cards are increasingly working. There was one issuer I spoke with that had issued chip-and-signature cards already for their traveling customers and they said that those moves by the networks and adjustments overseas meant that their chip-and-signature cards were working 98 percent of the time, even at the unattended kiosks, which were some of the things that were causing problems a lot of the time.

BK: Is there anything special about banks that have chosen to issue chip-and-PIN cards over chip-and-signature?

Conroy: Where we are seeing issuers go with chip-and-PIN, largely it is issuers where consumers have a very compelling reason to pull that particular card out of their wallet. So, we’re talking mostly about merchants who are issuing their own cards and have loyalty points for using that card at that store. That is where we don’t see folks worrying about the attrition risks so much, because they have another point of stickiness for that card.

BK: What did you think about the White House announcement that specifically called out chip-and-PIN as the chip standard the government is endorsing?

Conroy: The White House announcement I thought was pure political window dressing. Especially when they claimed to be taking the lead on credit card security. Visa, for example, made their initial road map announcement back in 2011. And [the White House is] coming to the table three years later thinking that it’s going to influence the direction the market is taking when many banks have spent in some cases upwards of a year coding toward these specifications? That just seems ludicrous to me. The chip-card train has been out of the station for a long time. And it seemed like political posturing at its best, or worst, depending on how you look at it.

Litan: I think it is very significant. It’s basically the White House taking the side of the card acceptors and what they prefer. Whatever the government does will definitely help drive trends, so I think it’s a big statement.

BK: So, I guess we should all be grateful that banks and retailers in the United States are finally taking steps to move toward chip cards, but it seems to me that as long as these chip cards still also store cardholder data on a magnetic stripe as a backup, that the thieves can still steal and counterfeit this card data — even from chip cards.

Litan: Yes, that’s the key problem for the next few years. Once mag stripe goes away, chip-and-PIN will be a very strong solution. The estimates are now that by the end of 2015, 50 percent of the cards and terminals will be chip-enabled, but it’s going to be several years before we get closer to full compliance. So, we’re probably looking at about 2018 before we can start making plans to get rid of the magnetic stripe on these cards.


190 comments

  1. Bait and Switch

    Another huge reason that consumers are not using PIN with Credit Cards, is that Banks will hit you with Cash Advance charges on them. One of the main reasons for PIN debit prevalence outside the US is that a majority of the rest of the world use Debit cards. Back in the 90’s when Debit cards began replacing ATM Cards, Visa and MasterCard and the Banks did not receive the Interchange if the consumer was using their PIN on a purchase, so Banks started billing us between $0.25 and $0.75 per Point of Sale Transaction. In the end it all boils down to money and how much the Banks and Visa and MasterCard make. The risk/reward modeling done in the industry suggests PIN as it relates to credit cards won’t take place for a long time. And if We the People think the White House can influence what V and MA do, just look at their stock price and how much lobbying power they have. From being non-profit associations run by the Banks some 7 years ago to publicly traded companies was maybe the biggest misstep the SEC ever made. They essentially created a publicly traded Federal Reserve.

    • Terrible!

      But do not shoot the middle-man. This charge is down to the issuers entirely. The CHIP & PIN transaction on a CREDIT card generates a revenue for the issuer from the transaction / interchange / merchant. So if this is happening, i.e. the cardholder is getting charged for the transaction too – then this is the issuer who is racketeering.

      Are issuers really charging for credit card transactions at the POS? In the UK (and in most other countries), I get a FREE credit card from my bank (and lots of others who might want to market to me) – and then I pay using the card and get charged ONLY the transaction value (unless there is a currency exchange rate fee). The issuer (my credit card bank) earns from the interchange, which of course the merchant pays for with an MSC of between 1% – 2.5%.

      Does it really work so differently in the USA? I know that there is some protectionism on the routings and that if PIN is adopted that the issuers and schemes may lose some revenues – but that is good for the merchants and for us as cardholders as it will make life cheaper for us all.

      • Bill, in the US, if you use a credit card with your PIN number (regardless of the location) the Banks who issue them will charge that cardholder a Cash Advance fee and interest at Cash Advance rates beginning from day one. Chip or swipe and signature transactions are not charged, it all has to do with the PIN. The Banks will have to/or already decided that they won’t go that route, because the risk of losing transaction volume on the inconvenience of the PIN (stupid) will steer cardholders to another form of payment. No one wants to be first.

        • Hey, I’m all for thinking the worst of the banks, but this PIN = cash advance claim is just not true.

          You can have an EMV transaction with or without a PIN, and that does not make it a cash advance.

          This does speak to the general level of confusion, which is perhaps one of the reasons why the issuers are going with chip-and-signature first.

        • This is not true, using a PIN does not make the transaction a cash transaction. You will not get charged a cash fee and you will not lose your grace period on finance charges.

          • Using a PIN on a credit card transaction does not cause any extra fees than a debit card. Unless foreign exchange conversion is required. There is no down side to Chip and PIN. Get it now and get rid of the magnetic strip.

            • Every financial institution, credit card company, and merchant can (and will) operate differently. Yes, there are EMV standards, as long as the authorization message is certified… other than that it’s all subject to interpretation. As an EMV expert (and from personal experience), if you’re using a Citi EMV credit card and enter a PIN during an EMV transaction… Citi views this as a cash advance and they will charge you.

              The general public is still not fully aware on how EMV Debit and EMV Credit cards function. Chip & Signature is a little more secure than magstripe, but only to validate the customer has the card in hand.

              Ex: Purchase something at a large retailer (we’ll use Walmart as an example), swipe your Citi EMV credit card at the POS device. The POS device will read the magstripe and know this is a chip card. The customer will be directed to insert their card into the EMV slot. Once the card is inserted, a message will display “Please enter your PIN”. Here is where people need to be educated on the entire EMV process.

              In order to perform a “Chip and Signature” transaction, the consumer would just need to press CANCEL and then apply their signature. However, at no point in the transaction was a message displayed to the customer stating that they would need to press the cancel button.

              In this scenario, most consumers would enter a PIN and possibly be charged by the credit company. The general public consumer is not truly educated on how EMV works and that not every place your EMV card is inserted will allow both options of PIN and/or Signature.

              • A credit transaction is a credit transaction. Chip card or no chip card makes no difference on fees. Chip just adds security. Chip and pin is more secure.
                The CVM used has no impact on the nature of the transaction or fees either (CVM – Cardholder Verification Method). It is negotiated between the card and the terminal (pin pad). Most cards support multiple CVM. Visa leans to Chip and Signature, Master Card to Chip and Pin.
                See: http://www.tsys.com/acquiring/engage/white-papers/Cardholder-Verification-Method.cfm

              • I find it very hard to believe that any bank charges fees simply because the transaction used PIN as verification. I would love to see proof. The cardholder agreement would have to specify exactly when fees/interest would be charged, so if any issuer is in fact doing this it would have to be spelled out in the terms and conditions.

              • I don’t know where you got your information or if it varies by region (I am in Canada), but I tried to press cancel every time I was prompted for a PIN and I can tell you that each time that just canceled the transaction entirely. There was never an instance where the transaction went from chip and PIN to chip and sig.

    • The cash advance fees only occur when you use a credit card with PIN to get cash such as at an ATM or at a self checkout, not when you use it only to pay for goods/services. The card brands decided on Chip & Signature to ensure that consumers did not use the wrong card in the wrong situation (i.e., credit card at an ATM) which would then result in a LOT of complaint calls and a LOT of refunding of fees.

    • Bollocks, no, your bank may claim that (some do) but cash advance fees are based on transaction coding, not on whether a PIN is used. This is just poor education of customer support at its worst. Feel free to use your PIN for a purchase, it is still a purchase! (Only some cards actually SUPPORT this though – all Mastercards and Bank of America Visa are two examples of card that allow PIN backup)

      • I believe that most US banks took the easy route with Chip and Signature simply because 1) consumers are not used to using PINs for credit card purchases and 2) the US does not currently have the infrastructure set up to facilitate PIN changes on Chip and PIN cards. How many ATMs are there in the US? 400,000?

        From the dialog I see at Barclays, there is a way to change the PIN on a Chip and PIN card, but it’s a bit convoluted. You request a PIN change, then make a purchase at an EMV merchant. The new PIN will be encoded on the card during the authorization. Think of it like a firmware update being pushed to the card during the authorization process.

        Now imagine a bank CSR having to explain to customers that you have to make a purchase at a Walmart to change your PIN since they are currently the only national mass retailer with EMV enabled.

        And for those of you that fear having your credit card info stolen with a PIN, here’s a quick tip for you. Disable cash advance functionality or reduce your cash advance limit to $10. You’ll still need to call to get your card cancelled, but any cloned card would be a lot less valuable for cash.

        • Our bank doesn’t have an ATM network to facilitate PIN changes/unblocks. The customer can request a change/unblock through a secure IVR or via online banking. The updates are pended until the customer goes to a POS terminal, at which time the updates are completed as part of the authorization process. We had to get creative with how we prioritize the PIN scripts but overall it is actually pretty seamless and convenient.

          Having said that, if we could do it over we would go chip and sig.

          • Curious what bank you are, as very few are chip and PIN. UNFCU? Why would you do signature if you could do it over, as UNFCU has gained so many customers for being PIN. USAA? USAA already switched to chip and signature. Diners Club US? I can’t think of any other chip and PIN options.

            Some, like Barclay’s, have PIN backup but they’re still chip and signature.

            • I am in Canada we are all Chip and PIN. I think one issuer went with chip and signature.

              The reason I would not do PIN is because from a fraud perspective it only mitigates fraud where the actual plastic is stolen. Scenarios like a stolen/lost card or a card intercepted in the mail. However, even before chip and PIN those types of fraud accounted for a very small fraction of our losses. Certainly not worth all the expenses that go along with PIN. We were shocked at the volume of customers who forget their PIN and the amount of calls we receive because of that. In addition, since PIN is being used on almost every transaction it means that PINs are more likely to be compromised. What we saw was a huge spike in ATM fraud. Our chip cards were getting skimmed by readers that were installed on chip terminals, and then the PIN was stolen by the tampered PIN pad. The magstripe information that was skimmed along with the PIN that was stolen were then used in the US at ATMs for cash advances. I could go on forever on why PIN is more or less useless at this time. It really is not worth the headache.

              • @Brown

                But the figures always show that CHIP & PIN almost removes card-present fraud, to £$€ zero relative to the losses beforehand (and ergo drives it to CNP fraud of course – for which other solutions are needed). But it also drives the CP fraud to jurisdictions without EMV of any kind. The rest of the world is now adding layers of security to improve these weaknesses, as the losses and the focus of the fraudsters will turn more to CNP when / if the USA moves on to EMV as the solution (especially if it is with a CVM such as PIN).

                It is OK with the rest of the world though if the USA sticks with CHIP & signature as the fraud losses will stay and grow exponentially in the USA CHIP and Signature environment; as it will still be the weaker global market with the lowest security level.

                Someone really needs to pull-together the USA levels of fraud.

                I was pleased to see that Canada has no sig fallback or sig preferring – this is a good protection that the USA must be a year or two from benefiting from.

                YES – of course there is likely to be more PIN compromise if there is more PIN. But the levels of PIN compromise losses are a tiny drop in the ocean compared with the losses of the infrastructure losses pre-PIN implementation.

                In most of Europe though, there has been a major cultural shift with people checking for devices attached to ATMs and being very discreet about PIN entry (covering up, blind entry of PIN, phantom key-presses etc.), plus coping strategies, such as PIN selection and change whenever suspicions are aroused. But at the end of the day the savings have been massive overall, relative to the previous situation and relative to the other markets.

                As we know, if a hungry bear is chasing you; you only have to run faster than someone else, not faster than the bear. At the moment, everyone except the USA is so far ahead now that it is already sailing into the sunset.

                • Actually, I believe C&S is ultimately not going to matter for the US. Indications so far are that we’re going to skip straight to EMV based NFC/contactless payments and use C&S only as a fallback. Lots of places have upgraded their terminals already but have only turned on contactless and not the chip slot, so there’s a good chance people will learn the tapping behavior before learning the insertion behavior. If it weren’t for Apple Pay then yeah, we would probably need to adopt PIN eventually.

                  BTW, all cards regardless of country have signature fallback; it’s just that it’s unlikely to ever be used since there are few signature-only terminals out there. For instance, my Diners Club card issued by BMO (Canadian company) has offline PIN first, followed by signature.

                • I would argue that the chip part all but removed CP fraud. The PIN part, not so much. I am willing to bet we would have seen the same reduction in CP fraud if all issuers went to chip and signature over chip and PIN.

                  • Brown wrote: I would argue the chip part all but removed CP fraud

                    CP fraud has diminished greatly and no argument need be made, at least in the UK. It is “Remote Purchase” that has grown to 2/3 of all card related fraud. This means that the most CP could be is 1/3. See http://nc3.mobi/references/uk/

                    For crooks RP has better payoff. One big hack nets thousands (millions) of prizes. Unfortunately C&P/C&S/EMV does not do much to stop that growing form. see http://nc3.mobi/references/emv/

                    We need a change of concept so that merchants (from single proprietorships, to mom&pop, to mega corp size) don’t ever hold the confidential consumer credentials. Merchants get paid, consumers get billed, everyone happy, except maybe crooks.

                    What merchants don’t have, crooks can’t steal.

                    Jonathan @nc3mobi

              • Brown wrote: … since PIN is being used on almost every transaction …

                Oft-repeated static data can provide a fertile field for cryptanalysis. Unfortunately, humans are not well adapted to generating accurate new sequences on the fly. Machines have the advantage there.

                Is the transaction environment so different in Canada vs the United Kingdom as a whole? From your writing it seems that ATM fraud is most prevalent. Analysis from 2003 to 2013 appears to indicate that “remote purchase” had grown to 2/3 of total fraud making it more prevalent. see http://nc3.mobi/references/uk/

                Jonathan @nc3mobi

                • ATM fraud is not the most prevalent, just more prevalent than pre chip and PIN. Pre chip and PIN, the only PINs that were compromised belonged to customers who used their cards at ATMs for cash advances, a relatively small population. Post chip and PIN, all transactions and not just ATM require PIN, therefore 100% of our active portfolio became at risk. I think our proximity to the non-EMV environment in the US made this activity very profitable for fraudsters since the stolen magstripe and PIN data could easily be used across the border.

    • I don’t believe there is any difference in the cost to the card holder for a credit card transaction between credit without pin, and credit with pin.

      There is no date for PIN debit yet in the US. The debit market is too fragmented, standards for PIN debit. It is coming, but not yet.

    • Really? Non Profits? The banks were totally driving them with profit as their motive of course. Just because the association had to return any excess budget back to their for profit members (banks), hardly makes them describable as ‘non profits’. Payment Card Associations (whether they’ve IPO’ed yet or not) are definitely not in the same category as ‘Non Profits’, NGOs, or even the Bill and Melinda Gates foundation as an example.

    • Chase told me in July that if I used my Sapphire, US based, chip enabled, credit card with a PIN, outside the US, it would indeed be treated as a cash advance.
      As of mid summer, the only major US bank issuing a chip and pin card that did not treat these transactions in this manner was Barclaycard. I have their BA Arrivals card and use it extensively in Europe. In stores and restaurants, I put the card in the slot, but am asked for a signature. I have not yet used the card at a terminal/kiosk but expect it to work.
      Btw, I changed the bank issued PIN on Barclaycard’s website, very easy.

      • Yes, the banks say that but that’s not always true. It’s ONLY true if the transaction is coded as a cash advance. ALL Mastercards allow online PIN for purchase, but only some Visa cards do. If a Chase or Citi Visa asks – be suspicious that it could be running as a cash advance, the only thing those cards CVM list allows PIN for. But the coding of the final transaction is what matters.
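The CVM negotiation that several commenters above describe (the card and the terminal agreeing on a cardholder verification method, a card that lists offline PIN first and signature second, cards whose CVM list allows PIN only for cash, and the “no cardholder verification method” option Conroy says the networks pushed into terminals) is a fixed walk through the card's CVM List, EMV tag 8E. The Python below is an added example written for this page, not code from the post, its commenters or any payment network. It models that walk per EMV Book 3 section 10.5 in simplified form (no PIN try counter, no TVR/TSI bits, no currency check, no payment-system-specific condition codes), and every CVM list and terminal profile in it is a constructed sample value, not data from any real issuer or terminal.

```python
"""Simplified EMV cardholder-verification (CVM) list processing.

Models how a terminal walks a card's CVM List (EMV tag 8E) to choose
offline PIN, online PIN, signature or "no CVM required", following the
rule order of EMV Book 3, section 10.5.  Simplifications: no PIN try
counter, no TVR/TSI bits, no application-currency check.  All card and
terminal data below is constructed for illustration.
"""
from dataclasses import dataclass

# CVM codes: the low six bits of the first byte of each two-byte rule.
CVM_FAIL = 0x00                   # "Fail CVM processing"
CVM_PLAINTEXT_PIN_ICC = 0x01      # offline PIN checked by the chip
CVM_ENCIPHERED_PIN_ONLINE = 0x02  # PIN enciphered and sent to the issuer
CVM_PLAINTEXT_PIN_ICC_SIG = 0x03
CVM_ENCIPHERED_PIN_ICC = 0x04
CVM_ENCIPHERED_PIN_ICC_SIG = 0x05
CVM_SIGNATURE = 0x1E
CVM_NONE = 0x1F                   # "No CVM required"
TRY_NEXT_BIT = 0x40               # bit 7: apply next rule if this one fails

CVM_NAMES = {
    CVM_FAIL: "fail CVM processing",
    CVM_PLAINTEXT_PIN_ICC: "plaintext PIN verified by ICC",
    CVM_ENCIPHERED_PIN_ONLINE: "enciphered PIN verified online",
    CVM_PLAINTEXT_PIN_ICC_SIG: "plaintext PIN verified by ICC and signature",
    CVM_ENCIPHERED_PIN_ICC: "enciphered PIN verified by ICC",
    CVM_ENCIPHERED_PIN_ICC_SIG: "enciphered PIN verified by ICC and signature",
    CVM_SIGNATURE: "signature",
    CVM_NONE: "no CVM required",
}


@dataclass(frozen=True)
class Terminal:
    """The CVMs a terminal can perform (a slice of Terminal Capabilities, tag 9F33)."""
    offline_pin: bool   # PIN pad that can hand the PIN to the chip
    online_pin: bool    # can encipher a PIN for the issuer host
    signature: bool     # attended, can capture a signature
    no_cvm: bool        # the "no cardholder verification" option

    def supports(self, code: int) -> bool:
        if code in (CVM_PLAINTEXT_PIN_ICC, CVM_ENCIPHERED_PIN_ICC):
            return self.offline_pin
        if code == CVM_ENCIPHERED_PIN_ONLINE:
            return self.online_pin
        if code in (CVM_PLAINTEXT_PIN_ICC_SIG, CVM_ENCIPHERED_PIN_ICC_SIG):
            return self.offline_pin and self.signature
        if code == CVM_SIGNATURE:
            return self.signature
        if code == CVM_NONE:
            return self.no_cvm
        return False  # CVM_FAIL or an unrecognised code is never "supported"


def parse_cvm_list(data: bytes):
    """Split tag 8E into amount X, amount Y and (try_next, code, condition) rules."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM list")
    x = int.from_bytes(data[0:4], "big")
    y = int.from_bytes(data[4:8], "big")
    rules = [(bool(data[i] & TRY_NEXT_BIT), data[i] & 0x3F, data[i + 1])
             for i in range(8, len(data), 2)]
    return x, y, rules


def condition_met(cond, code, amount, x, y, term, txn) -> bool:
    """CVM condition codes (second rule byte); amounts are in minor units."""
    if cond == 0x00:
        return True                                   # always
    if cond == 0x01:
        return txn == "unattended_cash"
    if cond == 0x02:
        return txn not in ("unattended_cash", "manual_cash", "cashback")
    if cond == 0x03:
        return term.supports(code)                    # if terminal supports the CVM
    if cond == 0x04:
        return txn == "manual_cash"
    if cond == 0x05:
        return txn == "cashback"
    if cond in (0x06, 0x07):
        return amount < x if cond == 0x06 else amount > x
    if cond in (0x08, 0x09):
        return amount < y if cond == 0x08 else amount > y
    return False  # RFU or payment-system specific: treat as not satisfied


def select_cvm(cvm_list: bytes, term: Terminal, amount: int, txn: str = "purchase") -> str:
    """Return the CVM the terminal will perform, or "CVM failed"."""
    x, y, rules = parse_cvm_list(cvm_list)
    for try_next, code, cond in rules:
        if not condition_met(cond, code, amount, x, y, term, txn):
            continue                 # condition not satisfied: skip rule outright
        if code != CVM_FAIL and term.supports(code):
            return CVM_NAMES[code]
        if not try_next:
            return "CVM failed"      # rule says stop here
    return "CVM failed"              # list exhausted without a usable method


# Constructed CVM lists (X = Y = 0 unless stated); hex is the raw tag 8E value.
SIG_CARD = bytes.fromhex("0000000000000000" "5E03" "1F00")                   # signature, else no CVM
PIN_CARD = bytes.fromhex("0000000000000000" "4103" "4203" "5E03" "0000")     # offline PIN, online PIN, signature, else fail
SIG_PIN_BACKUP = bytes.fromhex("0000000000000000" "5E03" "4203" "1F00")      # signature first, PIN as backup
LOW_VALUE = bytes.fromhex("000009C4" "00000000" "5F06" "4203" "5E03" "0000")  # no CVM under X = 2500

ATTENDED = Terminal(offline_pin=True, online_pin=True, signature=True, no_cvm=True)
KIOSK = Terminal(offline_pin=False, online_pin=True, signature=False, no_cvm=True)      # unattended, has "no CVM"
OLD_KIOSK = Terminal(offline_pin=False, online_pin=True, signature=False, no_cvm=False)  # unattended, PIN only

if __name__ == "__main__":
    cards = [("chip-and-signature", SIG_CARD), ("chip-and-PIN", PIN_CARD), ("sig with PIN backup", SIG_PIN_BACKUP)]
    terms = [("attended POS", ATTENDED), ("kiosk w/ no-CVM", KIOSK), ("older kiosk", OLD_KIOSK)]
    for card_name, card in cards:
        for term_name, term in terms:
            print(f"{card_name:20} at {term_name:16}: {select_cvm(card, term, 4200)}")
```

Running it reproduces the situations in the thread: the chip-and-signature card is declined outright at the older unattended kiosk (signature is skipped because the terminal cannot support it, and the final “no CVM” rule fails because the terminal lacks that option) but is accepted the moment the terminal gains the “no cardholder verification” option; the chip-and-PIN card uses offline PIN at the attended terminal and online PIN at either kiosk; the signature-preferring card with PIN backup only asks for a PIN where signature is impossible. Note that “no CVM required” still authenticates the chip through its cryptogram, it simply verifies nobody as the cardholder, which is exactly why a lost or stolen signature card keeps working at such terminals.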

  2. The basic Error in Thinking is in sending Customer Information to the merchant.

    The transaction should start by the merchant POST sending an INVOICE to the Customer Card.

    Customer card could then encrypt the invoice together with authorization for payment to the PCI PROCESSOR — NOT to the merchant — and forward the cipher text to the merchant POST.

    Merchant POST can’t read the cipher text — nor can their ram scraper — and so must forward the cipher text to the PCI Processor. PCI Processor will then decrypt the cipher text and transmit EFT to the merchant and paid invoice to the merchant POST which is then printed and given to the customer, or SMS to customer phone if preference indicated.

    A PIN or fingerprint of some kind would be needed to activate the computer chip in the customer card, in order to prevent unauthorized use of a lost card. As soon as the loss of the card is reported the customer signature certificate would be revoked and a new one generated.

    • Excellent idea.

    • Yes – err. Idea excellent, but it would take a whole industry to bring the idea to fruition and create a completely new architecture.

      It might just be better to adopt all the standards that are there today, that work, that have been used everywhere in the world for up to 15 years and solve all the problems. They are also cheap, because they are a commodity now.

      Or we could keep thinking about new ideas and design a completely new infrastructure and lose another $100 billion (with 11 zeros) in the meantime.

    • Wouldn’t compromised POSTs still be responsible for all the display and data entry? I think there would be MITM strategies in the ability on the compromised terminal still.

      But I really like the direction you’re heading, particularly in sending the invoice to a card that does its own invoice verification, authentication and encrypted authorization to the processor.

    • Mike~Acker & Bill Trueman

      Mike~Acker: Merchant POST can’t read the cipher text — nor can their ram scraper –

      In describing “What Merchants Don’t Have, Crooks Can’t Steal” you’ve just described a fundamental element of the “No Compromise Charge Card” (NC3). The other complex elements (printing, fingerprint scanners etc) are not required.

      Bill Trueman: It is easier than you might think. No new hardware is required at the merchant or by the consumer. The payment message gets to the provider who can identify their consumer and knows which way the message was encrypted. The confidential consumer credentials are never transmitted, just a true-token (random to content, not generated) for the consumer identity and a highly context sensitive authorization.

      Because the security is in the message, not the medium, the solution works in all commerce avenues. Transactional internet is not required, neither are special security chips in smart phones. Believe there is a solution.

      Jonathan @nc3mobi

      • I understand better now. Thank you.

        A very high-level overview, I know; but from this I think what you are describing here is almost exactly what/how the EMV standard has been changed in recent years to accommodate. i.e. tokenisation that has been built into the EMV standard (and yes, adopted by Apple Pay). So easy to do as you say.

        If it is NOT the tokenisation that is there, then you should see something that is slightly different. To get the standard improved, changed or added to though would take years – as the standards are the things that drive the schemes and the ISO messaging.

        If you need direction to the EMV standards concerned, let me know as I have them on my desktop – so contact me off line at bill.trueman@chipandpinusa.com

    • For normal retail credit card authorization requests customer data is NOT sent to the acquirer. How it is sent is irrelevant, it could be with a POST, or 10 different other methods.

      A lot of acquirers still use very old style binary bit map messages (ISO 8583).

  3. Now if only we could get retailers to do the same. There’s no point in having a card with extra security if these retailers don’t have POS systems in place that allow for the reading of chips.

    • There are incentives for retailers to upgrade. The main one being that if a retailer is presented with a chip card and they can’t accept it, and later it’s found out that card information was stolen through them, the retailer is the one who is going to be on the line for damages.

      • I keep seeing references to how the merchants will be liable if they do not go to accepting chipped cards. The mystery to me is today, the merchant is always the one that gets stuck for fraudulent use except in very rare cases. The merchants have insurance which covers them for these losses – and it isn’t just large merchants because it is in my business insurance. The result is nobody really loses on credit card fraud because they are either excluded or covered by insurance.

        It would drastically change the attitudes towards credit card fraud in the US if someone, anyone, was actually paying for credit card fraud and couldn’t get out of it through insurance. Today on anything except the largest scale it is a victimless crime and treated as such.

        • Currently, if a fraudulent card gets approval when authorized on-line, and it later turns out that the card was stolen, the card issuer (or the acquirer) absorbs the cost.
          After the liability shift, if the card is a chip card, and the retailer cannot accept chip cards (the chip card becomes a magnetic stripe card) for the same scenario the merchant will be liable.

    • Chicken or egg then?

      • Not really – the retailers are under the gun with a deadline coming somewhat soon (not because of all the fraud recently but because this has been planned for many years…of course going to chip and signature because it’s more economical).

        There is a deadline in the U.S., sometime next year – where for non chip card transactions the retailers are on the hook for associated fraud (currently it’s the banks on the line for it for the most part – this will be a huge change).

  4. I’m still amazed that there is so much discussion over the cardholder verification method. The US could support both in the short term – the issuers can certainly support both without too much hassle.

    The retailers could even have paper signatures if they wanted (erg).

    The stats on card fraud from skimming, cloning, etc. are not accurate. In the UK alone this has dropped dramatically because of EMV.

    In 2008 it was £88m; in 2014 it was £24m.

    http://www.theukcardsassociation.org.uk/plastic_fraud_figures/index.asp

    What does tend to happen is the fraud shifts to easier / weaker targets. So Moto & ecom rather than face to face.

    • The comment in the story was specific to lost and stolen fraud which the URL you posted substantiates.

    • Andrew Barratt: The site you cited contained an information extract. I went back to the original and found that EMV (and a massive public awareness campaign) had a significant impact and reduced UK Payment Industry fraud when measured from highs in 2004 and 2008.

      The big finding is those gains have waned. Total fraud is up for the last two whole reporting years of 2012 and 2013 and has erased all but 11% of the improvements as measured in British Pounds Sterling (BPS). As 2014 is looking to be a very bad year, the whole-year 2014 report will be an interesting read.

      For more, including links to “Fraud: The Facts 2014” (the definitive overview of payment industry fraud and measures to prevent it, published by Financial Fraud Action UK, “Working together to prevent fraud”), see http://nc3.mobi/references/uk/

      Have a good weekend.

      Jonathan @nc3mobi

      • Fraud is up but you also need to consider how much sales volume has increased. If there are more sales, transactions and plastics out there then there will be more fraud. I’d be curious to know how the fraud bps has shifted over that time period.

        • Brown: Great thought! If they’d have put the SALES numbers in there it would have been easy to compute the relative fraud portion. One moment … Page 10 has: “At the same time, total spending on all debit and credit cards reached £520 billion in 2013, a rise of 6.7 per cent on 2012, with 10.7 billion transactions made in the year.” which is enough for the two most recent years … only email address I can find is press@ukcards-ffauk.org.uk I’ll email them.

          Thanks for the idea!

          Jonathan @nc3mobi

          • ok, email sent. From page 10 I can see numbers that indicate UK total fraud as a percentage of sales has risen by almost 11% ( (0.087/0.078) – 1 ). That isn’t good news.

            (not sure the formatting will be preserved here).

                                        2012       2013
            Sales in millions        500,760    520,000
            Total fraud as % of sales  0.078%     0.087%

            If I get the data I’ll redo the spreadsheet.

            Thanks again,

            Jonathan @nc3mobi

            • Brown – The original source for UK sales via charge cards wrote that some information was, and I quote: “classified to the industry”. I found another source and updated the analysis.

              There is no doubt that EMV (along with major public awareness efforts) had a significant impact reducing card-present fraud, but the impact on total fraud is waning.

              The impact on Remote Purchase (which includes several card-not-present type frauds) is doubtful. RP fraud grew as a percent of total fraud during all years except for a slight dip during 2008. To me, that means that RP has become the “preferred” fraud for those who commit fraud. It has risen to 2/3 of all UK charge card related fraud as of 2013 (most recent whole year on record).

              More, including a table, a chart, links to sources, and a downloadable version of the underlying spreadsheet at http://nc3.mobi/references/uk/

              Thanks again for the idea!

              Jonathan @nc3mobi

  5. I have one of Citi’s chip+sign cards.

    But Home Depot still doesn’t accept it. The terminal has the slot but it’s not active.

    Sigh.

    • Get used to it! It is an antique now – in a world where Home Depot have been severely burned by such antiques.

      You are going to see a lot more of this decision-making at the POS in the USA now.

  6. “…….as long as these chip cards still also store cardholder data on a magnetic stripe as a backup, that the thieves can still steal and counterfeit this card data — even from chip cards.” That statement needs further clarification. A counterfeit card created from the mag stripe of an EMV chip card will not work if swiped at an EMV chip-enabled terminal. The EMV terminal detects the code in the stolen stripe data that requires the card to work only as a chip card, so as more merchants accept chip, the market for cloned mag stripe data from EMV cards is reduced.

    • And the issuers can also start to implement transactional screening rules that highlight transactions on CHIP cards in CHIP terminals that have been swiped and refer them out to find the fraudsters and look for frauds sooner in the lifecycle.

      It is a win-win-win situation all round.

      Best to have PIN too as this then allows the issuers to make better decisions and offer better customer service. As in these cases with a PIN – there is a likelihood that the problem is with the card (or a PIN compromise) which gives that bank much stronger intelligence on what to do. With a signature transaction, the issuer (and acquirer) are largely ‘blind’.

    • Randy, I used to believe this was absolute (and yes, I know your position, but this might still be news to you based on what you posted). This is no longer true at Walmart, Walmart has actually, shockingly, quit checking the service code on the card to require that the chip be read. You can now swipe or insert, and both will work with no prompt to insert a chip card.

      Obviously, this eliminates the main security benefit of chip cards and all I can say to Walmart is that I think this massive security hole is a terrible choice, and only likely to increase customer confusion long-term.

      • Walmart and their Sams Club chain have been way out in front of the market with their EMV roll-out, and they deserve credit for doing so. They have the option to force EMV cards that are swiped to be inserted as chip cards or allow them to work as regular swipe cards in these early days of EMV. They are putting their customers’ convenience of speed of checkout before their teachable moment opportunity which is okay while we wait for other big box retailers to enable EMV. After the holidays and prior to the Oct 2015 liability shift, I am sure this will be reviewed. But EMV does catch cloned magstripe cards of EMV cards from going undetected as originals when enabled at the POS.

        • How does it catch them from going undetected? Do you think anyone at Walmart is going to notice the “F” on the receipt and look to see if the card had a chip? I believe someone could swipe a completely blank white generic magstripe card at Walmart, undetected, nearly 100% of the time.

        • Is this still the case that the EMV card read can be overridden to mag stripe instead of chip read at Walmart? My first EMV card from Bank of A was defective (but no one would admit it) and didn’t work despite repeated attempts. I used a different EMV card and it worked.

          I heard you could “jam” the card in the slot in a way to trigger a read error, then a swipe would be allowed. However I demanded a new card from BofA and the new EMV card now works.

          • Yes, Walmart has COMPLETELY DISABLED the main anti-counterfeiting feature of EMV terminals – that is – the fact that you cannot swipe an EMV card under normal use.

            By doing this, counterfeiters can now easily clone the magnetic stripe from an EMV card and use it at Walmart, just as if EMV was not enabled at all. Walmart has set an extremely dangerous precedent and gone from being a market leader in EMV to taking a giant leap backward against the interest of their customers’ security.
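The terminal-side check the commenters above are arguing about (the service code in the stripe data that marks a card as a chip card, and whether a swipe of such a card is honoured) and the issuer-side screening rule suggested earlier in this thread (flag chip cards swiped at chip-capable terminals), as an added example in Python. It is not code from the post or from any commenter; the track-2 layout and the meaning of the first service-code digit (2 or 6 means an integrated circuit is present) are from the card standards, while the PAN, field names and sample authorization records are constructed for illustration.

```python
"""Track-2 service-code check on a chip-capable terminal, plus an issuer-side
screen for chip cards that were swiped anyway.

Added example, not from the original post or any commenter.  Track-2 data is
laid out as  ;PAN=YYMMSSS<discretionary data>?  where SSS is the service
code.  A first service-code digit of 2 or 6 means the card carries a chip;
a terminal that honours it prompts for insertion instead of accepting a
swipe, and only accepts a swipe as "fallback" after a chip read has failed.
The PAN used below is a constructed test number.
"""
from dataclasses import dataclass
import re

# ;PAN=YYMM SSS discretionary? -- the leading ';' and trailing '?' are sentinels.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# First digit of the service code that signals an integrated circuit (chip).
CHIP_SERVICE_CODE_DIGITS = {"2", "6"}


@dataclass
class Track2:
    pan: str
    expiry: str        # YYMM
    service_code: str  # three digits

    @property
    def chip_present(self) -> bool:
        return self.service_code[0] in CHIP_SERVICE_CODE_DIGITS


def parse_track2(raw: str) -> Track2:
    """Parse raw track-2 data; reject anything that does not fit the layout."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("malformed track-2 data")
    return Track2(m["pan"], m["exp"], m["svc"])


def decide_swipe(raw_track2: str, terminal_chip_capable: bool,
                 chip_read_failed: bool) -> str:
    """Terminal decision for a swiped card.

    'accept'      plain magstripe card, or the terminal has no chip reader
    'insert_chip' the stripe says this is a chip card: prompt for insertion
    'fallback'    chip card swiped after a failed chip read; allowed, but the
                  issuer should see it flagged (the behaviour the thread says
                  Walmart switched off is the 'insert_chip' branch)
    """
    track = parse_track2(raw_track2)
    if not terminal_chip_capable or not track.chip_present:
        return "accept"
    if chip_read_failed:
        return "fallback"
    return "insert_chip"


def issuer_screen(auth_requests):
    """Issuer-side rule from the thread: return the ids of authorizations in
    which a chip card was swiped at a chip-capable terminal.  The record
    fields (auth_id, track2, terminal_chip_capable, entry_mode) are a
    constructed shape, not a real authorization message format."""
    flagged = []
    for req in auth_requests:
        track = parse_track2(req["track2"])
        if (track.chip_present and req["terminal_chip_capable"]
                and req["entry_mode"] == "swipe"):
            flagged.append(req["auth_id"])
    return flagged


if __name__ == "__main__":
    # Constructed sample: service code 201 (chip) and 101 (no chip).
    chip_card = ";4111111111111111=2512201123456789?"
    stripe_card = ";4111111111111111=2512101123456789?"
    print(decide_swipe(chip_card, True, False))    # insert_chip
    print(decide_swipe(chip_card, True, True))     # fallback
    print(decide_swipe(stripe_card, True, False))  # accept
    sample = [
        {"auth_id": "A1", "track2": chip_card, "terminal_chip_capable": True, "entry_mode": "swipe"},
        {"auth_id": "A2", "track2": chip_card, "terminal_chip_capable": True, "entry_mode": "chip"},
        {"auth_id": "A3", "track2": stripe_card, "terminal_chip_capable": True, "entry_mode": "swipe"},
    ]
    print(issuer_screen(sample))                   # ['A1']
```

The terminal check is only as good as the configuration that enables it; the issuer screen is the backstop when a merchant turns the prompt off, which is the situation the commenters describe.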

  7. I continue to read many well thought out comments on how to properly implement very complicated and EXPENSIVE processes to implement various forms of electronic banking processing and security.

    All seem to have forgotten the one prime rule that makes any process, rule, or practice a success.

    K.I.S.S.

    Everything I read fails the KISS rule.

    • @Eaglewerks – KISS rules apply. It is very simple, and almost every country in the world has implemented EMV with PIN. It works, it is easy and it solves many of the complex problems that exist today as merchants, through chargeback processes, and in issuer and acquirer decisions and processes. It is all very SS – as it also saves $billions a year in costs and fraud.

      I do understand how the latest cars would look very complicated if they were introduced to the buyers of the old Ford Model-T at the time that they were buying them; which is where we find ourselves with the USA at the moment. You have only ever seen the Model-T, and do not realise what is out there, how cheap, easy, fast, safe and simple (KISS) and comfortable the other cards can be. But as soon as you start driving one, you will only want the Model-T in the museum, or to show off on sunny weekends to your grandchildren!

    • Eaglewerks – KISS, not just a band, but a business model. Complexity leads to confusion and in confusion there is opportunity … for crooks!

      A solution that is secure, simple and requires no new hardware for merchants or consumers was offered. The solution supported all constituencies: consumers, merchants and providers with security (confidential consumer credentials are not transmitted via the merchant and what the merchant does not have the crooks can’t steal), speed (supported NFC and defeated its weaknesses by putting security in the message, not the medium), operated in physically present, electronically present, even non-present modes all while offering unparalleled operational enhancements for new (and useful) features.

      Does the industry want a solution as described? If not, what is it about the status quo they find acceptable? If yes, why does NC3 and other potential solutions, fail to get their attention?

      Jonathan @nc3mobi

  8. The card industry should stop fooling around with half-witted security and implement something unforgeable. For example, your card could store a hundred thousand 128-bit random numbers stored in a tamper-resistant chip. On each transaction it would hand out one number. The bank would look up the number, authorize it, and mark it as used. The only way to hack this system would be to break into the bank computers (in which case the bank has worse problems). The card storage for this (about a megabyte) could be reduced by using encryption, if you felt encryption was secure enough.

    • @Earl – brilliant. You have just described exactly what is in EMV. However this is the tokenisation standard that forms an element that was only added to the EMV standard in recent years, so has not been universally implemented yet. Once USA adopts the basics of EMV, then these advanced features can be much more easily adopted globally. It gives the USA a chance to leapfrog, but as can be seen in the rest of the comments in this chain – there is a basic absence of understanding of the issues involved in the non-EMV market that is the USA.

      You will note that Apple understands the concepts as it has adopted them all in its new ApplePay product. It is not doing this for any reason of market concern – but purely self-concerned – as adopting ALL the features and standards that exist today, it leaps ahead of the game and avoids all liabilities itself and for its customers. The old adage is that – if an angry bear is chasing you, you do not have to outrun the bear, you just have to outrun the others that are also running away. The fraud and the costs and the antiquated environment in the USA is the bear; and Apple is the fastest runner (some might say the only runner) at the moment – everyone else is still crawling.

    • Earl wrote “hundred thousand 128-bit random numbers stored in a tamper-resistant chip.”

      Great for card-present transactions, but how does that work within the growing avenues of electronic (from computer) and mobile (from cell phones not physically present at a merchant)?

      In that form of commerce the consumer has to be able to access those numbers to use them, right? That just turned the card into a computing device which needs a display and power.

      128-bit sounds large, but at 8 bits/character it is 16 characters long. Why restrict it to numbers? Perhaps because of the human requirement. That is why increasing security generally decreases ease-of-use. Make security the problem of machines.

      Jonathan @nc3mobi
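The one-time token scheme Earl sketches in comment 8 (a pool of random 128-bit values on the card, released one per transaction; the issuer looks each one up, authorizes it once and marks it used), as an added example in Python. It is not code from the post or from any commenter. The second pair of classes is one way to do the storage reduction Earl alludes to, deriving each token from a single key and a counter with a keyed hash instead of storing the whole pool; that design choice is an assumption, not something the comment specifies. Pool sizes, card ids and the lookahead window are constructed for illustration.

```python
"""One-time transaction tokens: the scheme a commenter (Earl) describes.

Added example, not code from the post or any commenter.  The card holds a
pool of random 128-bit tokens and hands out one per transaction; the issuer
keeps the same pool and authorizes a token only once, so a token captured
at a compromised terminal cannot be replayed.  DerivedCard/DerivedIssuer
replace the stored pool with a 128-bit key and a counter (HMAC over the
counter), an assumption about how the "reduce storage with encryption"
remark could be realised.  Sizes and ids below are constructed.
"""
import hashlib
import hmac
import secrets


class PoolCard:
    """Card side: a fixed pool of random tokens, released in order."""

    def __init__(self, card_id: str, pool_size: int = 8):
        self.card_id = card_id
        self._pool = [secrets.token_bytes(16) for _ in range(pool_size)]  # 128 bits each
        self._next = 0

    def next_token(self) -> bytes:
        if self._next >= len(self._pool):
            raise RuntimeError("token pool exhausted; card must be reissued")
        token = self._pool[self._next]
        self._next += 1
        return token

    def export_pool(self):
        """The copy the issuer receives when the card is personalised."""
        return list(self._pool)


class PoolIssuer:
    """Issuer side: token -> [card_id, used] lookup table."""

    def __init__(self):
        self._table = {}

    def enroll(self, card: PoolCard) -> None:
        for token in card.export_pool():
            self._table[token] = [card.card_id, False]

    def authorize(self, card_id: str, token: bytes) -> str:
        entry = self._table.get(token)
        if entry is None or entry[0] != card_id:
            return "declined:unknown_token"
        if entry[1]:
            return "declined:replay"   # the captured-and-reused case
        entry[1] = True                # mark as spent
        return "approved"


def derive_token(key: bytes, counter: int) -> bytes:
    """128-bit token from a 128-bit key and a transaction counter."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:16]


class DerivedCard:
    """Card side: one key plus a counter instead of a megabyte of tokens."""

    def __init__(self, card_id: str, key: bytes = None):
        self.card_id = card_id
        self.key = key or secrets.token_bytes(16)
        self.counter = 0

    def next_token(self) -> bytes:
        token = derive_token(self.key, self.counter)
        self.counter += 1
        return token


class DerivedIssuer:
    """Issuer side: recompute the token for the next few counter values."""

    def __init__(self, lookahead: int = 5):
        self._keys = {}       # card_id -> key
        self._counters = {}   # card_id -> lowest counter still unspent
        self.lookahead = lookahead

    def enroll(self, card: DerivedCard) -> None:
        self._keys[card.card_id] = card.key
        self._counters[card.card_id] = 0

    def authorize(self, card_id: str, token: bytes) -> str:
        key = self._keys.get(card_id)
        if key is None:
            return "declined:unknown_card"
        start = self._counters[card_id]
        for c in range(start, start + self.lookahead):
            if hmac.compare_digest(derive_token(key, c), token):
                self._counters[card_id] = c + 1   # c and everything before it is now spent
                return "approved"
        return "declined:unknown_or_replayed"


if __name__ == "__main__":
    card, issuer = PoolCard("card-A", 3), PoolIssuer()
    issuer.enroll(card)
    t = card.next_token()
    print(issuer.authorize("card-A", t), issuer.authorize("card-A", t))  # approved declined:replay
```

Both variants answer the replay problem the same way, by making the issuer the only party that decides whether a value is still live; the derived version adds the usual trade-off of a lookahead window, which bounds how many tokens a card may "skip" (for example after a failed transaction) before the issuer stops recognising it.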

  9. There are HOW MANY DEBIT cards in the USA that already require a PIN? Must be millions of them. Don’t tell me people can’t remember PIN when they need to buy something.

    Don’t remember who said it but basically if you tell a country of people they CAN’T shop unless they do X, Y, Z you would be surprised at how fast people learn to do X, Y, and Z.

    We the people want SECURE TRANSACTIONS. PERIOD. There is NO NEED for a retailer to even have the CHANCE to learn any of my personal information when I pay for a transaction. I’m not filling out a credit application – I’m just giving them some currency for a product / service.

    As many have said – what the MERCHANT doesn’t have the THIEF can not steal.

    • YES YES YES.

      Why are you anonymously posting this? It is one of the best posts so far and I want to congratulate you for seeing sense and reason and wanting security and ease of purchase and lower costs as a consumer. I thought that I was the only one before I read your post.

      Are you female? If so, please marry me.

    • YES, yes, Yes.

      Why are you anonymously posting this? It is one of the best posts so far and I want to congratulate you for seeing sense and reason and wanting secure transaction and ease of purchase at the POS and lower fees as a consumer. I thought that I was the only one before I read your post.

      Are you female? If so, please marry me.

    • AreUkiddingMe: Forcing people to do things isn’t as nice/polite/effective as leading them to a better way. There is a huge-farging caveat: There has to be a better way.

      I read that the average person has 3.3 charge cards. Including my two ATM cards and I’ve got 4 PINs I’d have to remember. I’m a card carrying member of AARP for many years now and I tell you … that would be a bit tough. Even so, PINs are useful mostly in card-present transactions. I wouldn’t want to enter it into a web site (electronic commerce) or via my smart phone (mobile commerce). For that matter, I wouldn’t want to enter it into a merchant’s POS because that POS might have a RAM-scraper or even a keypad reader and the PIN could get stolen. Yes, PINs are not “supposed” to be stored, but malware does not care what is “supposed” to be.

      After two years I’m glad to see the phrase

      What Merchants Don’t Have, Crooks Can’t Steal

      getting around. Use it a lot and we might effect a change and get secure transactions.

      You’ll find it in huge honking letters at the bottom of http://nc3.mobi/ along with a good description of the better way resolving the caveat above.

      Jonathan @nc3mobi

      • @JJ – care – you are talking about the little old USA again with these stats – we are debating a global solution that has not been implemented in this little old place. You are in a big country that is today only a little part of the global world, economy and transactional volumes.

        The problem on card numbers though is MUCH bigger (or was before EMV) in Europe and more familiar for me, in the UK. Accordingly, within certain rules, most UK banks allow you to re-select your PIN at the ATMs. So problem sorted, as long as you are not stupid about it.

        I get around this problem personally by writing my PIN on all my cards (NB – this was my Bazinga – i.e. not really!) – but it is easy to encrypt PINs and write the numbers down encrypted somewhere – but usually better to do something more complicated than writing them down backwards.

        • Bill Trueman:

          If you are in/from the United Kingdom I say you have set up an Aunt Sally. We here in the colonies call it a straw man argument, something set up to get knocked down while completely missing the point. This is appropriate for you as www dot chipandpinusa.com is in the business of, and profits from, pushing the EMV solution. I have the EMV standards, but thank you for offering. Among my research I also have PCI-DSS version 3, almost 200 patents, patent applications, and scholarly papers including much of Professor Anderson’s work.

          NC3 does not require a replacement standard. That is another straw man to divert attention from the real point which is there are viable alternatives to EMV which can provide better security and operational enhancements (not detriments) to the benefit of consumers, merchants and providers.

          NC3 is more than using a true-token (random to content, whereas PCI allows for tokens to be a function of something else AND reversible). Its design allows for use in more than physical presence transactions without requiring a consumer to have additional hardware. You could use NC3 in the Chunnel without internet access.

          As for where I live, you wrote “you are talking about a small place near a small city in a small country” I wonder where you got that incredibly wrong information? I live on multiple acres, near a city with the 25th largest population of my nation, and in a nation ranked #1 by 2013 GDP. As for trusting people we know, yep, gollee, aw-shucks, we really do. I didn’t use the “argument” my neighbors don’t “use” PIN. I said I, and they, don’t “have” PINs on our “credit” cards. Twisting my words to suit your point of view?

          In any case, your “nothing personal” points are personal as is addressing me as “JJ”, so puny and insignificant you reduce me to alliterative initials. Reminds me of a big city banker who was trying to be my instant buddy while convincing me to borrow lots of money to invest in a terrible deal on which he made nice transaction fees whether I made a few cents (sorry, a thruppence) or not.

          So, as we say down here, bless your heart. I’ll keep looking toward the future and a way to protect consumers with secure transactions without burdening them with additional devices just to make a purchase via the growing avenues of electronic and mobile commerce. Y’all have a nice day.

          Jonathan @nc3mobi

          • Jonathan

            Thank you. Probably my first ever ‘flaming’ or whatever it is called. And many apologies for the shorthand form of address. Euphemisms would have been by error as I do not know the initials in UK. Equally, I was only addressing your locale by your comments about Eaglewerks – which seemingly I misinterpreted – but with no malice intended – not least as your contributions here seem to have included some of the rare ones with a deep knowledge of the subject matter.

            “I live, just a bit removed from the hustle, bustle, crime, pollution and frenetic pace that we call “large cities”. We still suffer from poly-tic-ians and the occasional infestation of other vermin.”

            Turning to the issue though – for which we are actually more aligned than others – The challenge we have though is not in the AUS but in USA. And whilst there are some potentially better solutions that maybe should have been adopted had they been conceived ‘back then’; the USA is far behind on all measures the ROW. It would be rather daft to adopt now a standard that is new, does not align with the ROW and takes payments into a different direction. This is particularly the case as ‘other better solutions’ have been talked about for at least 10 years and there is no common agreed standard there and available yet (and please do not let’s get caught up on ‘agreed’). And sometimes it is better to teach a child to walk before it runs.

            And finally, oddly, I am much more au fait with the ‘straw man’ connotation than the Aunt Sally that is generally attributed to brits.

            Which only leaves me to say “wotcha-cock” – in hope that this is both cockney and colonial rather than subject to any alternative inference where you are.

            With the best of intentions. Cheers.

            • (might be a double post. First one has not appeared in hours.)

              Bill Trueman:

              Please accept my most sincere apologies. Non-vocal email removes intonation and inflection which would have made it easier to recognize you as a resident of the Wonder Down Under and not a Brit.

              > And whilst there are some potentially better solutions that maybe should
              > have been adopted had they been conceived ‘back then’;
              Brother – you are preaching to the choir! I have half a dozen granted patents and another three in the queue. One took over 14 years before a final decision. Most take over three years to get granted. We will just mention the fees and attorney costs. One pending with the US (has to do with railway ties, aka sleepers, for use in environments deleterious to timber, i.e. extremes of wet, heat, bugs and vegetation) has already overcome THREE separate sets of objections. Not satisfied, the USPTO has thrown another pile of dingo droppings at the wall and labeled it “Final”. I know better. Most of my earlier patents reached this point and we filed a Request for Continued Examination (RCE) which is more money and work. While funds are not exactly plentiful the reading I have to do on the patents and patent applications cited are more pages than my aged and damaged eyes can reasonably tolerate.

              > USA is far behind on all measures the ROW.
              Not quite sure of the acronym

              > It would be rather daft to adopt now a standard that is new, does not align with
              > the ROW and takes payments into a different direction.
              Not quite sure what you mean, but NC3 was designed for ease of integration, to work in parallel and within existing communications and transaction architectures. No new hardware is required at the merchant or the consumer. While EMV provides benefit for card-present it imposes new hardware on merchants (Target Corp has over $100M budgeted) and hardware for consumers away from a merchant POS. NC3 will even work in the loo (sorry, the dunny) or the back of the beyond without internet access. Alterations to provider main line code are literally a single line. NC3 is the only concept I know of that can be adopted only by providers. It isn’t something created by a fourth party, has no independent profit motive, it isn’t even a stand-alone company. What merchants don’t have, crooks can’t steal. With NC3, mass compromises get no jewels from vaults bereft of value. That makes it worth something.

              “Walking first” is individual linear learning. Human perception of time is one second after another, we can learn no other way. (Skip the hero of Slaughterhouse 5) As a species, we do not suffer that restraint. What one person may take a lifetime to learn the first time, others can learn much faster. This is how we have accumulated more knowledge collectively than any one of us could accumulate individually. This also leads to radical innovation, usually at the intersection of two or more fields of endeavor instead of deeper into just one. IMHO we could have skipped EMV in the USA, provide better security by removing the prize, and add significant operational enhancements in all avenues of commerce for the benefit of all participants: billions of consumers, millions of merchants and a few hundred providers. Cheap too.

              > “wotcha-cock”
              G’day! Or as we say where I am Howdy!

              Jonathan @nc3mobi

              • Jonathan

                ROW = Rest Of (the) World

                NC3 – is this yours? I do not know it and can understand why you push it. I think I have seen you / it posted elsewhere a year or so ago. Send me details bill.trueman@riskskill.com – albeit the momentum globally for EMV – and all the standards setting associated with it means that you are unlikely to get a look in. Being right and brilliant – does not mean you win all the prizes.

                I am a BRIT – but thought that YOU were the Aussie – but now know better!

                G’day / Au Revoir / Auf Wiedersehen / Buona Sera and Howdy etc.

                • > NC3 – is this yours?
                  My concept, yes

                  > I do not know it
                  too bad

                  > and can understand why you push it.
                  “Push it”? Hardly. In almost every post where it is mentioned by name I use it as a model of what “could” be. In many other posts I often refer to “other solutions”. “Pushing” makes it seem I have a profit motive. If I did would I have taken several years to create something which only providers can implement? As a consumer I want better security. As a (see my LI profile for details) I know that any viable solution has to deal with Porter’s Five Factor model. This is why NC3 has major benefits for all involved: billions of consumers, millions of merchants and hundreds of providers. Being cheaper and better should gather some attention, but attention gathering isn’t in my core competency toolbox.

                  > Send me details bill.trueman@riskskill.com
                  The details of WHAT, just not all the HOW, that are public are on the web site. Start with the PDF linked from the bottom of the home page. Absent a CA/NDA I communicate nothing privately that I wouldn’t communicate publicly.

                  > Being right and brilliant – does not mean you win all the prizes.
                  How true. On the other hand: being wrong, ignorant and other attributes can get you a prime time television show or elected to national office.

                  Regarding sensationalist press – you are correct, they do hype fear. I use ITRC, the Privacy Rights Clearinghouse, and other reliable sources for my compromise information.

                  > I am a BRIT – but thought that YOU were the Aussie – but now know better!
                  Well, I do prefer Foster’s and my ancestry is decidedly mixed, but I was hatched mid-USA. Last century an Aussie Lassie stayed with us for a few months while she was researching medical library technology here. That is how I came to learn who were the POME and how the nickname came to be.

                  Maybe when it stops raining I’ll toss another shrimp on the barbie

                  You enjoy your Spotted Dick.

                  Jonathan @nc3mobi

                  PS: Apple users – Beware WireLurker
                  Explanation and links to user and admin test facilities are included.
                  http://nc3.mobi/references/2014-unknown/#20141105

      • Marcelo Brandão

        This is also something that is different in Brazil and USA.

        In Brazil all POS machines (99%) are actually PDQ machines made by a financial institution (VISA, Mastercard, HSBC, etc). They are sealed and the merchant has no access to the software or hardware. Today the PDQ also use their own 3G / 4G for connection and not the merchant’s internet or dial-up line.

        There is a new generation of card-reader equipment that is new to the market. It attaches to an android phone / tablet. https://pagseguro.uol.com.br/venda-pelo-celular/leitor-de-credito.html

        I don’t have the guts to insert my card on this, especially because you can see it reads the magstripe. And this company (pagseguro) is high ranked on problems and frauds.

      • Common man, if it is written in software, eventually it will be broken by software. Immediate solutions are nothing more than a plaster of paris patch on a leaky dam.

        The solution – bare bones solution of credit cards is never going to be secure. A better way probably will not happen until the institutions responsible for this issue start losing money.

        It’s a matter of convenience, or a matter of security. If security isn’t one of the first methods of defense, then whatever the method or product is, it will eventually fail.

        The anti-convenience methods are using your bank to set up automatic payments that are within a set limit / have tolerances that you approve prior to paying. Case in point, if there is a water leak and it’s the city’s fault you don’t want the bank to auto pay a bill that is thousands of dollars over the regular amount.

        The ultimate anti-convenience is cash; it goes back to basics and may in itself introduce some other risks to deal with, but most should be minimal.

        Again, any electronic means of payment is playing right into the hands of the crooks. If there is a will, there is a way, and eventually a technology will be broken.

        So take the time to burn that bridge once and for all.

        • I think that the topic was: Chip and Pin vs CHIP and Sig – for Cash vs Card please re-set your time machine to 1978.

  10. SIG CAP Is that supposed to be Signature Capture?
    Is that supposed to be the mechanism of signature rather than PIN? I’ve taken to just striking a wavy line and no check out person even looks at it. There’s clearly no electronic validation of signature. So it’s really a choice between card+PIN and card+nothing. I’ll take PIN.

    • I like it.

      Signature capture at the terminal does not get checked, does not get transferred anywhere or get used in any way at the transaction point. So it is pointless in that respect.

      What it does do however, is it gives the merchant electronic access easily to the signature that was taken – so that he can defend all the chargebacks that he gets from customers who dispute transactions. It is just easier than finding the physical voucher, which can be thrown away with a digital capture.

      Of course CHIP and PIN allows the retailer to dispense with not only this level of equipment, the customer inconvenience of signing, the slow-down of the transaction at the tip, the extra equipment at the tip to keep and service, but also removes all those chargeback requests from the issuers. If the issuer has the card CHIP transmission, a confirmed PIN read – then they know that the CARD was there (CHIP handshake), and they know that the customer was there (PIN).

      Simples.

  11. Can this be the reason behind industry preferring signature – http://www.nytimes.com/2010/01/05/your-money/credit-and-debit-cards/05visa.html?pagewanted=all&_r=0
    Although it’s an old article, I think it’s still relevant?

    • I suggest that EVERYONE reads this article. It explains where the heart of the commercial motivation comes from that drives people towards a CHIP and SIG solution. It is in the interest of the issuing banks at the expense of everyone else!

      And do not forget who owns and drives the schemes.

  12. When it comes to small transactions at vending machines, car washes, or laundries (under $50) how will the PIN or signature be handled? The vending, car wash & laundry industries have been adding credit card solutions for years. Now over the past 2 years we have been seeing chip and NFC combo card readers installed. But there has not been a keypad nor signature screen available at these terminals. What is the thought about this growing portion of the credit card market where a card is present but no way to authenticate the card holder?

    • And there you have a real good additional reason for CHIP and PIN. Couldn’t be done with mag-stripe as this then becomes a fraud hot-spot. Can’t be done with Sig – so has to be PIN.

      And it is easy to do.

      So, this means that people can, in the CHIP and PIN environment start to reduce costs further with more UPTs.

      There are lots and lots of things that can be done once the infrastructure is there, that just cannot be done without it.

      And then there is a whole further issue of how CHIP and PIN deals with off-line situations (and there always are off-line scenarios). And they all need CHIP & PIN to make them happen. But let’s talk about that another day.

  13. I tend to disregard anyone who insists on talking about a security problem in terms of ‘the business case’. This translates to corporate profits before the security of our money.

    Meanwhile, how is a signature actually supposed to increase my security? No one looks at them. The squiggles I make on card readers have no resemblance to my signature. It verifies nothing.

    • Having read through the comments I personally think that properly implemented Chip and Signature is more secure than Chip and PIN. The EMV implementation in Europe does vary from country to country.

      UK issues both Chip and Pin and Chip and Signature cards. These also come with the legacy features of raised numbers for paper transactions and mag stripe with card details.

      ATMs are now CHIP and PIN which allows validation of the CHIP to positively identify the card as a unique item.

      Unfortunately, for the benefit of US tourists, terminals have to recognise mag stripe data. POS fraud in the UK is mainly using compromised card data coded onto mag stripe cards relating to countries that haven’t implemented the Global EMV standard. For instance, the guy in front of me a couple of years ago at a petrol station with a store card encoded with Amex details.

      CHIP and Signature cards are issued to blind/elderly/infirm who may not be able to use a PED or remember their PIN number. When the cards were first issued in 2006, my then 88 year old father could remember his PIN number. By the time he was 92 he could not and would go shopping with his CHIP and SIGNATURE card spending less than a couple of pounds and signing for it. (Before NFC came in). At 93 he was cashless – none in his wallet or house.

      POS / PED equipment in the UK is REQUIRED to handle CHIP and SIGNATURE. The card goes in the PED and a slip prints out that the cashier presents for signature. Some stores have a protocol that any signature card transaction has to be authorised by a supervisor – It’s embarrassing standing next to a 93 year old card kiter spending £15! Other cashiers did check the signature and others didn’t bother.

      Following Fraud Issues at petrol stations, in the UK there is a general instruction to cashiers not to handle cards and the customer inserts them into the PED. However a common crime called ‘Courier Fraud’ has emerged where cards and pin numbers are obtained from vulnerable people and large value transactions are done where the name on the card obviously does not match the customer.

      In Spain, they use CHIP enabled cards with a mixture of PIN entry and signature capture devices. The key requirement is that if a debit or credit card is used the customer’s PHOTO ID must be checked against the card at the time of the transaction. I’ve never had or seen a problem with this.

      The fundamental authentication issue is to check the identity of the person presenting the card, three factors are often quoted:

      Something I have,
      Something I know,
      Something I am.

      So you’ve got a card and know the PIN number. Is it your card?
      Something I have, Something I know.

      You’ve signed the slip and the signatures match – good copy?
      A biometric something I am.

      The name on the card matches the photo ID? With the above, a much more secure transaction.

      The US needs to implement a CHIP, PIN and SIGNATURE standard compatible with the GLOBAL standards as US citizens won’t be able to travel and you’re late for world war C.

      • @MHur

        Some alternative perspectives

        ELDERLY – Rheumatism, Arthritis and Dementia are all very common elderly complaints that inhibit recall of 4-digit numbers and keying them in much less than holding and using a pen.

        SIGNATURE – is not a ‘who I am’ nor a biometric by any of the definitions used by anyone anywhere – it is just a ‘would you like to copy what I show on the back of my card for you’. Nobody checks the signature, and it leaves the entire onus upon the retailer to validate, and upon the retailer to police. This is not fair to the retailer.

        The amount of ‘that is not my signature’ issues and challenges is phenomenal and a major fraud area before one moves to CHIP AND PIN – so even then no protection for the fraud losses.

        Signature is a very poor CVM – because of all of this and because of the customer issues too.

        CUSTOMER ISSUES
        – It is much quicker (less than half the time) to undertake a CHIP AND PIN transaction. The retailer does not need to handle or touch the customer card – so removes all the double swipe issues. The customer just inserts card into machine facing him/her and enters a PIN, removes card, is given receipt straight from tip and goes.
        – It is simple for the retailer. Less time = less queues – more efficient processes and cheaper costs. The retailer staff does not need to check any signature, nor the card and requires no imprint.
        – If there is a dispute the retailer does not need to produce signatures or vouchers as the whole transaction is electronic. So the disputes and costs drop to almost zero.

        UK POSITION
        I live in the UK and do not remember an imprint transaction nor does anyone else in 15 years. Indeed, in the UK, I do not recall a mag-stripe transaction in the last 10 years (at least). The UK is continually looking at the timing for mag-stripe removal, but cannot do so until the USA gets its act together and follows the rest of the world. Then the UK can take the next step forward in this way. And it most certainly will.

        Your ‘courier fraud’ will always happen whatever the card / CVM is.

        SPAIN
        Retailers breach scheme rules and stick fingers up at the schemes when pointed out. No-one in the UK and other countries carries ID, and I do not like to show my passport to shop attendees and do not want to. If I can buy something elsewhere in Spain, I will always walk out of a shop where my passport is requested. The transaction is guaranteed with a CHIP and PIN, so there is no liability – and the passport does not add one bit of additional protection.

        And again, why do I want to add a checking of photo ID against a card for a transaction. As a retailer, this will not be something that I should have to do – i.e. be responsible for the banks’ failure to implement a proper CVM at the POS.

        Your opening remarks that CHIP and SIG is more secure than CHIP AND PIN are unsubstantiatable – as the losses with CHIP and SIG are much much higher. However, your closing statement that the US should introduce a CHIP and PIN solution is not congruent with this but absolutely right. This will allow them to move forward 20 years and start benefiting from the infrastructure. And it will allow the rest of the world to start exploring further forward.

        Lastly, there is no point whatsoever in the US going through TWO separate migrations. Just do both in one bash.

  14. Fantastic article Brian, I’d been wondering about all this – as many of us were suspecting, it just comes down to money, thank you.

    Sounds like I’ll be actively leaning towards Chip and PIN cards from providers who are brave enough to offer them and will use those (providing the benefits to the banks that do that) and move Chip and Signature cards to the back of my wallet…

    • I have one (Diners Club). Unfortunately it’s already gotten rejected once because the merchant kept the machine behind the counter and refused to let me enter the PIN. Expect this to happen often at smaller businesses, especially ones without many tourists, because the US is almost universally chip and signature.

  15. I find the Comment by one issuer quoted in the story “We don’t really think we can teach Americans to do two things at once. So we’re going to start with teaching them how to dip, and if we have another watershed event like the Target breach and consumers start clamoring for PIN, then we’ll adjust.” more than a bit disconcerting.

    We are so engaged in the effort to dumb things down in an effort to get everyone to understand it that we seem to be missing the fact that we are likely boring to death more people than we are engaging with that tactic.

    While not a professional teacher / instructor I have done a number of stints teaching a very mundane subject at the corporate level that was basically answering a simple question via a set process of rules and actions. Job was reduced to a repeating process that really did not require a lot of high order thought and analysis. There were some people that excelled at the task and there were others that just could not grasp the process.

    I think no matter how much we dumb something down we are not going to get to everyone. Maybe we need to engage people by offering a bit of a challenge.

    No matter what tactic you use people are going to forget pins and passwords.

    The story in the article about the bank switching to a pin system before having a process in place for someone to reset or recover their pin is a sad statement of the poor corporate planning that is becoming all too common these days.

  16. There’s another good article on this subject at Glenbrook’s site (a payments-industry analyst firm), Payment Views: http://paymentsviews.com/2014/10/28/lets-just-skip-sig-and-go-to-chip-and-pin/.

    • I am a Canadian and have been using chip and pin for many years. I totally agree with the line in that article that says “my main impression was that this chip and signature stuff was stupid, and it would have been so much easier to have been assigned and using a PIN!”

      Another reason you need Chip is that it allows the limit on no CVM (no card holder verification method = no PIN or SIG) to be increased on contactless transactions, because it increases security for the issuer that the card is authentic.

      Additional security provided by Chip is still important, even when complemented with biometrics.

      • The chip does provide additional security in non-card-present transactions. In other avenues of commerce the card (and the chip) are not present unless we require consumers to acquire and carry additional hardware.

        Other solutions allow improved security without requiring expensive infrastructure changes and provide for material operational enhancements to the benefit of consumers, merchants and providers.

        C&P (skip C&S) solidly addresses the environment pre-internet. A solution for today should go beyond that to provide solid protection in electronic, mobile and even non-present commerce.

        Jonathan @nc3mobi

  17. If a retailer opts for chip and sign today, are they cutting themselves out of P2PE tomorrow?

    P2PE has (as one of many requirements), that card readers are certified under PTS v3.0. (That’s a *PIN* Transaction Standard.)

    So if I buy card readers which accept chip and signature only (no PIN pad), and subsequently want to move to P2PE, I have to repurchase the entire estate, right?

    • Chip and Pin (EMV) and P2PE are independent technologies. But many merchants need to upgrade their pin pads to be able to accept Chip cards, so they opt for adding on P2PE while they do that.

  18. Made my first purchases yesterday using Apple Pay. No PII exchange with merchant, no PIN to remember if used infrequently. Downsides: currently, only a small number of merchants accept NFC payments, only a couple of expensive devices can make them, and no doubt, however difficult it may be, this is jack able, too. But it will be a while, and until then, I will use Apple Pay everywhere it’s accepted – and therefore use only those card accounts that work with it – to reduce the chances of exposure of my personal details, which are of far more value (in both hassle and potential financial impact) to me than the card issuer fees on any credit purchase.

  19. At my German bank it also has to do with a shift of responsibility from the bank to the customer (in an accompanying change of ToS) with the introduction of the chip-and-pin cards (which still had a strip as well) years ago. I.e. with the PIN, it was suddenly entirely the customer’s fault when the card gets misused. Because who else than the customer knows the PIN, right? (They pretended to never have heard of key loggers on PoS devices, I guess.) Instead of the old “let’s not scare the customers away from the credit card use and just quietly foot the bill” policy dating back to the advent of the cards and possibly also supported by local customer protection laws. I don’t know if the laws have caught on in the meantime.

    • P.S.: And card copy PIN = ATM ready = jackpot = who needs those risky ATM key loggers any longer when you have one in the form of a PoS on your own shop counter.

    • John:
      can you provide a link to your bank where it says that the responsibility has shifted?

      thx

      Jonathan @nc3.mobi

  20. To Bill Truman.

    Bill, we have another of your ‘Rants’ about this and as usual you are dismissive of other people’s perspectives.

    My entry is factual.

    Have you ever been shopping with a 93 year old that has dementia? My experience with the £15 transaction was in Primark where a supervisor was called to authorise the signature transaction. On other occasions in supermarkets I have seen the signature checked by staff because the transaction is unusual, fair enough but it was obvious to the staff that the transaction was for weekly shopping not for an iPad.

    With reference to the incident at the petrol station the signature was checked and also the card details were from an American Express card coded onto a store card. And he did get arrested.

    I have a place in Spain and a Spanish Bank account. Only in my local bar does the card not get checked, on every other occasion matching photo ID is required.

    Perhaps you need a lesson in biometrics and the technology, but I repeat that matching a signature and name to the customer is more secure than letting anybody that knows the card number just enter the PIN.

    ‘Courier Fraud’, card frauds where the victim, mostly elderly, are socially engineered to give their pin number over the phone and then a courier is sent to pick up the card, is a serious problem in the UK. The fraudster then relies on no check and challenge with high value transactions and enters the PIN number from Doris’s card when his name is obviously not Doris.

    • It can almost go without saying that chip-and-PIN is a more secure transaction. Anybody can forge a signature.

      You cannot base conclusions about technology on a few single events, or stories about clever fraud. The courier story has nothing to do with PIN; if people can be convinced to give their card to a courier, clever fraud. Actually, having a PIN will probably make people think twice, and probably reduce fraud. Most people know to NEVER give your PIN to anybody over the phone.

      If you are smart enough to phish somebody’s PIN, you can probably forge a signature. That signatures rarely get checked in retail is demonstrated by the common practice in the US for parents to give their teenage kids their credit card to go buy jeans or shoes.

      Chip and signature is inconvenient, and less secure;
      See for example:
      http://www.tsys.com/acquiring/engage/articles/The-Great-EMV-Debate-Chip-and-PIN-vs-Chip-and-signature.cfm

      Re your comment on biometrics – there are no retailers that I know who, at the cash register, apply biometric analysis to signatures.

      They get eyeballed, if you are lucky, by most often a minimum wage clerk who does not want to upset the customer. That is not biometrics, far, far from it.

  21. – Why are you anonymous?

    There is always a different perspective on everything. But there needs to be a balance.

    The issue here relates to whether the USA should be going CHIP and PIN or CHIP and SIG as the only country (almost) in the world that has done neither.

    I have no doubt that your entry is factual, but global card acceptance and that in the USA has to be evolved from a broad perspective.

    Your experiences with a 93 year old in Primark are, I am sure, one of many that you will be and are challenged with when accompanying a 93 year old – and I feel for you, and I agree that there need to be exceptions to cater for everyone. But we (globally) have to move forward in the USA to the common global standard and not hold them back to a costly standard that gives rise to massive amounts of fraud.

    I have enjoyed the pleasures of shopping with elderly people – who generally prefer cash! – and depending upon their individual challenges the hurdles are always different. And the problems are very wide reaching for them depending on their challenges. But we cannot evolve (or even debate) any one technology direction – or indeed inhibit a whole continent based upon a single flavour of inability (in your experiences in this case, the challenges of the 93 year old that you cater for). In the run-up to CHIP & PIN implementation in the UK, I can remember reading numerous reports and submissions to making things easier for the elderly, the blind, those with wheelchairs, etc. and how these could all be best catered for and the balances in how some would be restricted and others benefited, but there is, and always has to be a balance. The strongest voice in all these debates was always the retailer community lobby groups, who of course have to do the brunt of the work at the point of sale to accommodate all these groups.

    And the USA has to evolve a similar exercise in their implementation and decision-making. So my point is (and clearly poorly made, with you labelling it as ‘a rant’) is that there are many, many issues to consider; but one should not STOP all progress because of the challenges faced by different groups of people; but to make the best decisions for the right reasons for the greater majority; and at the same time find ways around the challenges for others.

    However, this debate (at the start) was NOT about the exceptions, but about the direction that the USA should take. Elsewhere I have seen an argument that CHIP (with whatever CVM is applied) is insecure in Europe – based upon a theoretical attack scenario seen at a conference before it was implemented in 1993 – so should not be used in the USA. Whereas, CHIP has been a global success, saved $£€billions globally and made the shopping experience faster for merchants and the vast majority of us (your exception again acknowledged).

    Turning to Spain, I know the problem. It is a unique problem of perception in a closed market that is, to my knowledge shared with only one other country. People there (in the Merchant community) do not understand the liability shift issues, or customer perspective. I am sure that you find it harder to shop there than in the UK.

    I suggest that you gather the numbers of courier fraud events that relate to cards and compare them to all other fraud type numbers on cards. I am not going to recount fraud numbers here. Notwithstanding this, it is much easier to simply steal the cards from these people in the same type of fraud WITHOUT the PIN and use them fraudulently. With PIN these attacks dropped massively. Look up the numbers. Doris vs Dave has always been a challenge.

    Your comments on Biometrics are offensive – and I will not address them as you have not substantiated and I am sure that if you tried to do so, you would see that you are completely wrong; unless you pick one exception again rather than looking at the numbers involved.

  22. Bill,

    Like others on this site I use a nickname which is acceptable to the administrator.

    The comments that you make on this and other forums are offensive and I take great offense to your comments about a ‘single flavour’. I cater for several elderly people and have studied and worked in this area for several years. Yes I gave examples to rebut your assertion that signatures are never checked.

    The point of this thread is that our friends in the US are looking at the implementation of EMV CHIP enabled cards and you do not seem to understand that in the UK Merchant systems are required to accept EMV Chipped cards which allow as a second factor of authentication a choice of signing a receipt or entering a PIN.

    So for the card issuer it’s a matter of how the card is configured when issued.

    I understand that Amex in the US are issuing their cards as chip and sign, that is their business decision and the cards should be usable in UK retailers.

    Equally, I expect to be able to use my cards in the US in EMV terminals and enter the pin number.

    The reason that UK Retailers, are not encouraged to allow handling of the cards was that card details were being captured and cameras used to capture PIN Numbers which ended up used to fund terrorism in Sri Lanka. The UK Police are still making of Romanians attaching equipment to ATM’s to grab card numbers and PIN Numbers. All this is because Swipe and Sign is the preferred implementation in many countries where the transactions are being made using the stolen details.

    The Courier Fraudsters are making big money in the UK. They target elderly people and losses in some cases have been over £100,000. The Metropolitan Police in London received 2,556 allegations in the year to April 2014. Google it and you will learn more.

  23. I would suggest very strongly that we do not ever take what we learn from google or the newspapers as reliable. The writers are trying to sell newspapers not facts. Whenever I see ‘actual numbers’ and cases in detail – which I am continuously privy to, it highlights that what is in the newspapers and ergo on google, is exaggerated, misreported, guessed and poorly extrapolated, with wrongly reported figures and sensationalised summaries.

    I understand your points and your perspective completely – especially now that you have provided more detail.

  24. Bill,

    I deal in facts – Google “Metropolitan Police Courier Fraud Awareness Day” and you will go to the Met Police Web site where the 2,556 figure came from and yes, some cases have resulted in losses of over £100,000 where debit card and subsequently bank details have been obtained.

    Interestingly, the Card companies are accepting that the courier fraud victims are victims of crime and not pursuing them under terms and conditions because they have disclosed PIN numbers and handed their cards over.

  25. As a consumer, I find a move to the signature part of enforced CHIP-and-signature quite alarming. We have already established that low-hourly-wage clerks are NOT competent to verify a signature, nor inclined to. Also, many/most POS devices are positioned so that the card holder swipes the card, not giving the clerk a chance to examine the card to compare the signatures. Further, there is a growing tradition in the US to not even require the signature if the purchase is below $XX.

    But my real concern is for a disputed transaction – how does the consumer repudiate a signature? If the transaction was accepted, then the assumption must be that the signature was verified. Do I just say “that’s not my handwriting”? If yes, then why bother with the signature at all? If not, what recourse do I have? Most of the stylus/LCD screen signature capture devices have miserable resolution or do not respond well enough to capture an accurate signature.

    What a miserable situation. I must be missing something.

    Regards,

    • In the US a lot of the larger merchants have their system set up so the clerk has to enter the last four digits of the card on their keyboard, after the customer swipes the card. This is specifically so they can look at the signature on the card and compare it to their display or the signed paper.

      Basically repudiating a transaction in the US is simple – you say you didn’t do it and the charge is reversed. Very few times does the merchant actually dispute a chargeback because it starts to get ugly right about then – and the customer gets angry and is determined never to go to the store again. The quality of the signature is almost never an issue. Some merchants fight chargebacks and even use video to capture people signing so they can “win” such arguments. The problem is, there is no winning in this.

      Another problem in the US is asking for additional ID is specifically against the merchant rules for accepting cards. Sure, it happens, but it isn’t supposed to. If the customer says “no” the merchant should not push it because unless they are very large Visa or MC will just terminate their merchant agreement. So asking for ID is not really a viable strategy in the US. Oh, and an unsigned card that says “Ask for ID” is not a valid card – the signature is in fact the customer accepting the credit card agreement, not a verification.

      • Entering the last 4 digits of the embossed card number is not related to signature checking. It is a fraud detection method to catch the situation where the MAGNETIC stripe of a card has been overwritten with the Track II of a stolen card.
        Another problem that goes away with Chip.

  26. I’m pretty well informed on the added security of the chip cards. Now here is my question-My chip and signature card is used by someone else for purchases prior to my calling the issuing bank. How does a chip card differ from my old magstripe card???

    • Are you asking what happens if someone intercepts your card in the mail? Then nothing, it is exactly the same as a magstripe card. Chip technology is only good to deter the copying/counterfeiting of cards. If someone steals your actual card the chip is useless. That’s where PIN comes in. However that type of fraud is much more rare and makes up a small fraction of losses. What the industry is trying to mitigate is counterfeit fraud.

    • If you had a Chip and Pin card this problem would go away. It is also another case that shows signatures are not checked.

  27. Just received our new US (Credit Union) chip and pin cards. Tried them yesterday in supermarket and restaurant. Both transactions were approved without PIN entry or signature. No security at all. That can’t be right.

    • That’s because you actually got a chip and signature card. The PIN will probably only be asked for outside of the US.

      • Actually it was clearly labelled chip and pin and I am outside the States, UK. No pin requested.

        • Not asking for a signature or a PIN at a staffed counter is the definitive sign that your card prefers signature. If it preferred PIN you would always be asked for one regardless of the transaction amount.

          The only time you might be asked for PIN is somewhere that isn’t staffed, e.g. ticket kiosks and gas pumps.

          • Receipt stated:

            Failed Cardholder
            Verification
            Approved

            Restaurant declined to accept this so I paid with another card. Result? Paid twice. Waiting for refund.

    • Which credit union issued your card? We can better advise. Unfortunately some CSRs are the least informed people on EMV.

      Search for the list of EMV cards on FlyerTalk. People have listed the card verification method order on various cards. This will help determine what type of card you really have. I suspect it has PIN backup.

    • If you swiped the chip card, and you were not prompted to insert it, it just means the merchant is not ready for Chip.
      In that case the card is treated like swiped credit.

      After the liability shift the merchant will be liable for fraudulent cards if they cannot take chip.

      If you are in a restaurant (quick service) you may not be prompted for signature below a certain amount, even if it is a non-chip transaction and the merchant has the proper agreement with the acquirer.

      • I did not swipe the card. The merchant was entirely familiar with chip & pin, we have been using it for years here in UK.

        It was an expensive restaurant. My dining partner, also using an American Chip & Pin card, was required to enter his pin.
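The behaviour debated in comments 27 and 28 above (a card that is not asked for a PIN at a staffed counter but is asked for one at a pump, and a receipt reading “Failed Cardholder Verification … Approved”) comes down to how the terminal walks the card’s CVM list. The following Python model of that selection step is an added example written for this page, not code from the original post or from any EMV toolkit; it follows the EMV Book 3 rule and condition encodings, while the CVM lists and terminal profiles are constructed for illustration.

```python
"""Simplified model of EMV CVM list processing: the step at which a chip terminal
decides between PIN, signature or no cardholder verification. Added example; the
CVM lists and terminal profiles below are constructed, not taken from any issuer."""
from dataclasses import dataclass

# CVM codes live in the low 6 bits of the first byte of each 2-byte CVM rule.
CVM_NAMES = {
    0x00: "fail CVM processing",
    0x01: "plaintext PIN verified offline by the chip",
    0x02: "enciphered PIN verified online by the issuer",
    0x03: "plaintext offline PIN plus signature",
    0x04: "enciphered PIN verified offline by the chip",
    0x05: "enciphered offline PIN plus signature",
    0x1E: "signature (paper)",
    0x1F: "no CVM required",
}
APPLY_NEXT_IF_FAIL = 0x40   # bit 7 of the first byte: try the next rule if this CVM fails
PIN_CVMS = {0x01, 0x02, 0x03, 0x04, 0x05}

@dataclass
class Terminal:
    supported: set          # CVM codes this terminal can perform
    attended: bool          # staffed counter (True) or kiosk / pump (False)
    amount: int             # transaction amount in minor units
    currency: str           # ISO 4217 numeric code, e.g. "840" for USD
    cash: bool = False
    cashback: bool = False

@dataclass
class Outcome:
    method: str
    cvm_results: bytes      # tag 9F34: rule byte 1, condition, then 00/01/02 = unknown/failed/ok
    cv_failed: bool         # True -> TVR bit "cardholder verification was not successful"

def _condition_met(cond, code, term, x, y, app_currency):
    """Evaluate the condition code (second byte of the rule) for this transaction."""
    same_ccy = term.currency == app_currency
    table = {
        0x00: True,
        0x01: term.cash and not term.attended,
        0x02: not term.cash and not term.cashback,
        0x03: code in term.supported,
        0x04: term.cash and term.attended,
        0x05: term.cashback,
        0x06: same_ccy and term.amount < x,
        0x07: same_ccy and term.amount > x,
        0x08: same_ccy and term.amount < y,
        0x09: same_ccy and term.amount > y,
    }
    return table.get(cond, False)   # unrecognised condition: the rule is skipped

def select_cvm(cvm_list: bytes, term: Terminal, app_currency: str, pin_ok: bool = True) -> Outcome:
    """Walk the card's CVM list (tag 8E) in order and report what the terminal does."""
    if len(cvm_list) < 8 or len(cvm_list) % 2:
        raise ValueError("malformed CVM list")
    x = int.from_bytes(cvm_list[0:4], "big")    # amount threshold X
    y = int.from_bytes(cvm_list[4:8], "big")    # amount threshold Y
    for i in range(8, len(cvm_list), 2):
        first, cond = cvm_list[i], cvm_list[i + 1]
        code, fall_through = first & 0x3F, bool(first & APPLY_NEXT_IF_FAIL)
        if not _condition_met(cond, code, term, x, y, app_currency):
            continue                            # condition unmet: next rule, bit 7 irrelevant
        failed = Outcome(CVM_NAMES.get(code, "unrecognised CVM"), bytes([first, cond, 0x01]), True)
        if code == 0x00 or code not in CVM_NAMES or code not in term.supported:
            if fall_through:
                continue                        # card allows moving on to the next rule
            return failed                       # card insists on this CVM: verification fails
        if code in PIN_CVMS:
            if pin_ok:
                return Outcome(CVM_NAMES[code], bytes([first, cond, 0x02]), False)
            if fall_through:
                continue
            return failed
        if code == 0x1E:
            # The terminal cannot judge a signature; EMV records the result as "unknown".
            return Outcome(CVM_NAMES[code], bytes([first, cond, 0x00]), False)
        return Outcome(CVM_NAMES[0x1F], bytes([first, cond, 0x02]), False)
    # Whole list exhausted: CVM Results byte 1 = 3F (no CVM performed), result = failed.
    return Outcome("none (list exhausted)", bytes([0x3F, 0x00, 0x01]), True)

# Constructed CVM lists: X = Y = 0, then 2-byte rules. Not copied from any real issuer.
SIG_PREFERRED = bytes.fromhex("0000000000000000" "5E03" "4203" "1F00")   # signature, PIN, none
PIN_PREFERRED = bytes.fromhex("0000000000000000" "4203" "5E03" "1F00")   # PIN, signature, none
ONLINE_PIN_ONLY = bytes.fromhex("0000000000000000" "0200")               # online PIN always, no fallback

# Constructed terminal profiles.
ATTENDED_POS = Terminal({0x01, 0x02, 0x04, 0x1E, 0x1F}, attended=True, amount=4500, currency="840")
GAS_PUMP = Terminal({0x02, 0x1F}, attended=False, amount=4500, currency="840")
OFFLINE_PIN_POS = Terminal({0x01, 0x04, 0x1E, 0x1F}, attended=True, amount=9500, currency="826")

if __name__ == "__main__":
    for label, card, term in [
        ("signature-preferring card, staffed counter", SIG_PREFERRED, ATTENDED_POS),
        ("signature-preferring card, unstaffed pump", SIG_PREFERRED, GAS_PUMP),
        ("PIN-preferring card, staffed counter", PIN_PREFERRED, ATTENDED_POS),
        ("online-PIN-only card, terminal without online PIN", ONLINE_PIN_ONLY, OFFLINE_PIN_POS),
    ]:
        o = select_cvm(card, term, app_currency="840")
        print(f"{label}: {o.method}; 9F34={o.cvm_results.hex().upper()}; CV failed={o.cv_failed}")
    # The last case is a "Failed Cardholder Verification" outcome; whether the issuer still
    # approves the online authorisation is a separate decision from CVM selection.
```

The fourth case reproduces the receipt pattern from the thread: cardholder verification fails at the terminal, yet the issuer can still approve the authorisation.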