February 16, 2016

Many banks are now issuing customers more secure chip-based credit cards, and most retailers now have card terminals in their checkout lanes that can handle the “dip” of chip-card transactions (as opposed to the usual swipe of the card’s magnetic stripe). But comparatively few retailers actually allow chip transactions: Most are still asking customers to swipe the stripe instead of dip the chip. This post will examine what’s going on here, why so many merchants are holding out on the dip, and where this all leaves consumers.

Visa CEO Charles W. Scharf said in an earnings call late last month that more than 750,000 locations representing 17 percent of the U.S. face-to-face card-accepting merchant base are now enabled to handle chip-based transactions, also known as the EMV (“Europay, Mastercard and Visa”) payment standard.

Viewed another way, that means U.S. consumers currently can expect to find chip cards accepted in checkout lines at fewer than one in five brick-and-mortar merchants.

Why are so many chip-capable checkout terminals already installed that have not been enabled to actually accept chip cards? Allen Weinberg, co-founder of Menlo Park, Calif.-based management consulting firm Glenbrook Partners, examined this very question in a recent column that pointed to several factors holding retailers back from enabling dip-the-chip.

WHAT LIABILITY SHIFT?

New MasterCard and Visa rules that went into effect Oct. 1, 2015 put merchants on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip. The chip cards encrypt the cardholder data and are far more expensive and difficult for card thieves to clone.

Despite the increased risk of eating the entire loss from counterfeit card use in their stores, many merchants are taking a wait-and-see approach on enabling chip card transactions. Weinberg said some merchants — particularly the larger ones — want to turn the often painful experience of training customers how to use the chip cards and terminals into someone else’s problem.

“They see [chip cards] as just slowing down lines and chose to wait until consumers learned what to do — and do it quickly — at someone else’s store,” Weinberg wrote.

Weinberg adds that for many larger merchants, switching on the chip readers also can be a big and expensive project. Part of the problem, he says, is that many integrated point of sale systems — particularly the electronic cash register software for these systems — were just not ready in time for the Oct. 2015 liability shift.

“Even if the software was ahead of the game, they faced long certification queues at many acquirers,” Weinberg wrote. “I believe this is going to be a problem for a while.”

Visa said based on recent client surveys it expects 50% of face-to-face card accepting merchants to have chip card transactions enabled by the end of this year. But even 50 percent adoption can mask a long tail of smaller merchants who will put off as long as they can the expensive software and hardware upgrades for accepting chip transactions.

“My dry cleaner isn’t worried about someone using counterfeit cards at his cash register,” Weinberg said, noting that many businesses meanwhile discount the chances that hackers will siphon customer cards by sneaking malicious software onto point-of-sale devices — a problem that has led to one breach after another at brand name retailers, restaurants and hotels over the past several years.

AN INVISIBLE HAND

The United States is the last of the G20 nations to move to more secure chip-based cards. As late as the United States is on EMV implementation globally, the process of merchants shifting to all-EMV transactions is still going to take several more years. Visa has said it typically took about three years after the liability shifts in other countries before 90% of payment card transactions were “chip-on-chip,” or generated by a chip card used at a chip-based terminal.

Terry Crowley, CEO of TranSend, a company that makes software to help merchants and their equipment work with the EMV standard, said software code for card-accepting devices has historically been simple — so much so that it could be written on the back of a business card.

“But now with EMV, that same software wraps around the walls of a room three times…hundreds of thousands of lines of code,” Crowley said. “Historically, software was developed by terminal manufacturers and some-few contract programmers who kept up with the old-school operating systems, software development kits and so on for each terminal manufacturer. It was so easy that merchants and processors installed specialized tweaks that created countless variants in the marketplace.”

Now with the EMV liability shift deadline come and gone, Crowley says, suddenly there is a fire drill to replace all of this once-easy software and its countless variants. Compounding the problem, Crowley says, is that EMV code is hard to write and harder to push through the certification birth canal. What’s more, he adds: There are very few EMV software developers who understand the U.S. market.

Crowley predicts that plenty of smaller merchants could soon get hit with a wave of chargebacks from unscrupulous people abusing the liability shift at merchants that still don’t offer the chip dip.

“There’s an invisible hand at work that is about to kick everyone in the pants and accelerate U.S. dipping into EMV slots,” Crowley said. “If you use a chip card at a point of sale that says swipe — and you later say that wasn’t me – there’s very little a merchant can do to dispute that charge. It’s going to happen because what people aren’t thinking about is the friendly fraud. When people are made aware that if I swipe and I have a chip card, that lunch can be free if I’m a bad consumer.”

And the international [banks] are going to be the first ones to lay in, Crowley predicts.

“International card issuers are used to all these chargeback codes and minutia that goes around with EMV disputes,” he said. “They know the rules pretty well and have had EMV cards for years. So when this first wave of chargebacks starts hitting next month, things are really going to ramp up for EMV adoption by smaller merchants here in the U.S. It just takes one chargeback for those [smaller merchants] to get religion on EMV.”

MAD AS HELL?

If you’re curious about chip card swipe adoption in your area, take an informal survey: My own decidedly unscientific survey involved a shopping spree one recent morning to no fewer than seven different retail locations, which revealed exactly seven different chip-capable payment terminals instructing customers to “Please Swipe Card.”

So what’s the takeaway for consumers? Why aren’t consumers mad as hell about being asked to swipe their chip cards, thereby defeating the added security on the card?

For his part, Weinberg said he’s mad as hell, but he says if consumers get mad about anything chip-card related, it’s probably going to be about the 10-15 extra seconds it will take to dip the chip versus swipe the stripe.

“If anything, consumers are getting pissed off at how many more seconds it takes to do chip card transactions,” which require the consumer to keep the card inserted into the card terminal until the transaction comes back as approved, Weinberg said.

“We Americans care more about convenience than we do about security,” he said. “In the end, consumers hold their banks accountable for this stuff, because they’re the ones having to reissue the cards each time there’s another breach.”

Here’s another basic takeaway for any consumers still reading: Use a credit card and kick debit cards to the curb. If a thief makes a charge on your credit card that you didn’t authorize, a simple phone call can fix the problem. If the crooks manage to siphon all cash from your checking account, that’s a bigger problem that could take several days to sort out with the bank (and longer if you count any other businesses you may have just paid with a check).


248 thoughts on “The Great EMV Fake-Out: No Chip For You!”

  1. Thomas

    Whenever I use my EMV card, the transaction seems to go much faster.

    1. Brad

      At the few sites that I have used the “dip” I was impressed at the simplicity of the act. The fact that it took so few seconds to complete the transaction was NOT a problem. And I felt safer about the transaction than at the “Slide” machines. HOWEVER, if the checker is graded on the number of customers served per day, and you work at a busy store (eg. grocery) the 10-15 seconds will lower your score.

      1. Robert.Walter

        Any company in its right mind will realize the source of delay is the device, not the cashier and adjust rating scales to compare across peers.

        1. Jacob Givesn

          You can have both speed and security. It shouldn’t have to be either/or.

          This is why we are already moving toward contactless.

      2. Mm

        I’ve noticed the dip transactions take longer. In addition to that, half of the face of my card is exposed during that whole time pointing upward to the ceiling and cameras as well as people walking by with my entire last name and over half my credit card number sitting exposed in plain view for those 15 seconds (like in the image in this article).

        This seems like this is unsafe to leave people’s personal info like that exposed in plain view for so long. Am I just being paranoid?

        1. timeless

          I don’t think anything prevents you from covering the CVV2 field (bottom Visa/MasterCard/Discover or top AmEx).

          Technically this isn’t a new threat, someone hacking a magstripe reader could include a camera to capture the CVV2 if they wanted to.

          The important thing is that because only part of your card goes in, no skimmer can skim the entire magstripe (and get the CVV1).

          In general, the data on the outside of the card is considered “public” (the CVV2 is a really odd edge, since it’s effectively a password printed publicly, which is indeed stupid, but hey).

          The protection for swiping is the CVV1 encoded in the stripe. And the protection for chip is the secret that is used to enable signing of the transaction.

          The “protection” for CVV2 is that “you would never show your card to anyone, since you’re at home”, which is indeed ridiculous in the face of all other uses.

    2. John

      Sadly, the three or four customers in front of you probably slowed things down by attempting to swipe, removing their card too soon, etc.

  2. itsmeitsmeitsddp

    One thing Mr Weinberg and his dry cleaner are missing is that the smaller merchants are indeed a target for apts. They typically go unnoticed longer. They would seem to me to be a smaller target for physical attacks (keypad covers, tampered terminals, etc.).

    In my unscientific survey of emv capable merchants it seems that some of the bigger chain stores in my area – WalMart, Lowes, Target, and Walgreens enforce emv including a couple smaller merchants (local restaurants). In contrast many chain restaurants and the two large pet stores, and many many chain restaurants and fast food joints are not capable even though they have the readers for them. They claim it’s coming soon every time I ask about it.

    1. Eric

      Perhaps, but the ones that are going to get religion first (if they haven’t already) are the stores that sell things that can be easily pawned or otherwise monetized.

      The “lower level” of fraud – where someone eats dinner and then insists that it wasn’t them is going to push over many of the rest. I can’t help but wonder how many of these types of vendors would be tempted to instead install cameras over the registers instead of fixing it to take EMV.

      The first vendor that took EMV that I encountered was our veterinarian. Not because he was worried about fraud, but he had recently purchased the practice and gotten all new payment processing equipment.

      1. Robert.Walter

        My 83 y/o mother’s hair cutter just upgraded her Square to the new chip/NFC version.

        Mom uses her Apple Watch at every opportunity, but is nerves that her mom and pop barbershop takes it, even Kohl’s now takes it, but Kroger, Costco are laggards (to the extent she has adjusted her shopping pattern to shop more at Meijer who is further away but takes ApplePay in the store and at the pump.)

        1. timeless

          https://squareup.com/emv

          Thanks for the heads-up. I knew that it should have come out, but I hadn’t actually seen it mentioned.

          Glad to see that Square has deployed EMV support. And it’s apparently Dip + Tap capable.

  3. James Mason

    Unless merchants shift to true Chip and PIN, I won’t use the chip functionality.

    Waiting for the machine to read the chip (3-4 seconds depending on the device) and then waiting to print out and sign the receipt (another 5-6 seconds), it’s faster for me to swipe the magnetic and punch in my debit PIN.

    1. Robert.Walter

      You would do well to heed Brian’s common sense exhortation above about discontinuing debit transactions.

      Either you are new to this forum, like to live with an expanded risk footprint, or are trolling; I can’t really tell which though.

  4. Eric

    I’m consistently disappointed at the lack of EMV use in my area – even the facilities that have device support for it don’t use it. It’s functionally no less convenient and I’d much prefer the added security…

  5. Darlene

    There is also an issue with reader vendors who are not updating their software to handle EMV. They have been dragging their feet because it’s costing them time and money to update their software. As long as they don’t have an incentive to move forward they continue to put retailers and consumers at risk.

  6. Michael Iger

    It did take longer when I first used my EVA card, but after that it’s no longer than swiping the card. It’s really the merchant that doesn’t help consumers get started using EVA which has a cost too when they get charge-backs as the column states. It’s just shortsightedness on the merchant’s part. Credit card companies should stop including the magnetic tape on their cards. That will solve the issue and get immediate compliance.

  7. itsmeitsmeitsddp

    I should also add that most of the grocery stores around me do not use emv even though the terminals are capable.

  8. Paul

    This is troubling as chip tech has been around since the late nineties in Europe. Round up a lot of merchandise, have the checker run it through the register, and if they don’t accept your chip, leave.

  9. Jon Ziebarth

    Brian – Do you have a perspective as to how the delayed EMV transition will impact payment processors that are responsible for underwriting merchant charge-off risk? Thanks

  10. David Lightman

    Publix Supermarkets in Florida still do not accept Chip and Pin. The supermarket chain has real nice looking P.O.S. machines, but they are worthless because they still don’t accept the EMV standard.

    1. itsmeitsmeitsddp

      Almost all supermarket/grocery store chains near me do not take emv as well.

  11. Matt

    Instead of “using a debit card versus credit card” argument, use one that has a PIN. Research PIN fraud vs. signature fraud. That is the problem.

    1. tmiw

      The vast majority if not almost all US debit cards have a Visa or MasterCard logo, which means that if one has the physical card there’s really nothing stopping using the card on an online store. PIN isn’t going to help with that.

  12. Gordon

    The only retailer that I have been to that actually has the system completely up and running is Target. Went to Food Lion the other day and proceeded to dip the chip, but was told to swipe because they do not have the system activated yet. I cringe when people tell me that now.

  13. Eric

    Some months ago, I encountered the attitude where people were resisting EMV because they were concerned about how much “longer” the transactions take. It surprised me at first, but then I look at the number of times I see someone buy a bowl of soup and want to put it on plastic.

    I want to see a move towards having restaurants bring the credit card machine to the table rather than have the server walk off with the card and then bring it back again with the slip. That’s a really bad habit that people have come to accept in this country. Chip-and-signature isn’t going to fix that – switching to Chip-and-pin is about the only way that this practice will come to an end.

    1. goldi

      The restaurant where my daughter works recently implemented kiosks where the patrons, among other things, can pay their bill themselves. Their cards never leave their hands. I’ve seen these at a few of the major chain establishments I’ve eaten at.

      Even so, no matter how positive a change, it will be met with resistance. People HATE changes, even when they are good for them! They have to be dragged, kicking and screaming all the way.

  14. BDJ

    Why should consumers be mad about not using EMV? The handling of fraud in the credit card industry was already structured to place almost zero liability on the consumer. This structure motivated the card companies to implement very good fraud detection to catch fraud immediately and limit their own liability.

    To reduce liability further, they sought to push EMV, but there was no motivation to make the expensive change. So, they have tried a liability shift move in the event of a breach. This motivated some, but the bottom line for cost-benefit still isn’t there.

    The presence of EMV readers has been hit-or-miss in my experience and most (as noted here) who have them do not enforce their use. Only once when I swiped an EMV card did the reader prompt me to insert it instead. Most of the readers happily take the swipe.

    Let’s also not forget the many millions of embedded swipes at gas stations, vending machines, parking lot machines, etc. Assuming EMV continues as the new standard, I expect it will be 5+ years before we see adoption levels at 80-90%.

    1. josh

      Why should consumers care about EMV? Simple, while we are not on the hook for more than $50, that assumes we catch the fraudulent charge in the first place, and go through the process of challenging it. Smart crooks will often use very small charges, at least at first, to see if people are watching their accounts and verifying transactions. Also, in restaurants overseas, the card never leaves the customer’s sight. Again, this reduces problems in the future due to fraudulent activity. Finally, current signature requirements are a joke in 99% of the transactions. Try signing your transaction with ‘Mickey Mouse’ and see if anybody catches it.

  15. Ryan

    I’ve noticed this same issue. It also seems like retailers are also failing to train their team members on how to talk to customers about their inability to “dip the chip.” All they seem to know is “Oh, that doesn’t work yet.” When I ask questions, like “When will this be up and running?”, I get non-answers. That tells me that the corporate team hasn’t developed a rollout plan yet. They appear to be waiting for the next shoe to drop (i.e., the invisible hand about to kick everyone in the pants). This will result in a lot of unnecessary expenses from chargebacks, which will probably be more costly than conversion to EMV. And instead of highly-capitalized banks taking the hit, now it will (likely) be merchants. How many merchants have the same level of cash reserves to absorb the losses? Could this turn into a few retailers taking a dirt nap?

  16. David

    “We Americans care more about convenience than we do about security,”

    Actually I don’t think that’s entirely accurate. I so much more prefer security over convenience. I don’t think the dip the chip process is inconvenient at all. If someone can’t handle a few more secs on a transaction process then they have a serious problem.

    1. Josh

      Getting hit up with fraudulent charges is very inconvenient, IMHO. Especially if it results in one’s CC being canceled and replaced while away from home (as has happened to friends of mine).

  17. Andrew

    I’ve personally found I can use Apple Pay more often than EMV. I actually made a purchase @ TJ Maxx this past weekend and wasn’t able to use EMV or Apple Pay. Considering they’re one of the textbook payment terminal fraud victims of the past decade, one would think they’d be more up on this??

  18. Rich

    I was able to use my chip at Home Depot and then I made a return and was told the chip would not work on a return and I had to swipe. Oh well.

    1. timeless

      “They’re doing it wrong”.

      I returned a product to Canadian Tire (roughly a Home Depot equivalent north of the border). Charging back to the card isn’t a problem.

      It isn’t even a problem w/ tokenized transactions (Google Pay/Apple Pay) — although there, you want to retain the token.

  19. Gary

    No issue with debit cards, that is very misleading. I got money credited back right away with a credit union and a bank when I had fraud on my card. Credit cards are a big scam….

    1. Somguy

      It depends on your bank. Some banks give it back right away, some take weeks. And if there’s overdraft fees/bad check fees in the meantime, they often won’t refund those. Plenty of horror stories on the internet from people who have gone through this if you want to do a quick search.

      1. Tay

        While the scope of this blog doesn’t extend to personal finance, the advice about using a credit card should be qualified. Running a debit card as a credit card (as long as it has a Visa/MC logo) affords you the same protection as a credit card. For fraudulent charges, your money is reimbursed promptly because of the nature of running it through the credit system. From a personal finance perspective, recommending the use of debt should be avoided. Credit cards are the cigarette of personal finance.

        1. Robert.Walter

          Brian has never advocated spending more than you can pay off at the end of the month.

          P.S. One advantage of credit cards is the miles, points and cash back you can earn by using them.

        2. timeless

          So, there are two types of transactions:

          1. a transaction you want to do
          2. a transaction someone else does instead of you

          If you perform a swipe-credit-pin transaction at a terminal with a skimmer, and someone then takes the information from the skimmer and performs an ATM account withdrawal,

          how does the fact that you performed a credit card transaction protect you?

          The terms of your card say “you used a pin, it was you, you agree to keep your PIN secret, any use of the card with a PIN is an authorized use”.

          Using a debit card as if it’s a credit card is incredibly naive. The transaction you need to guard is not the one you perform now, it’s the one you don’t want someone else to perform later — the one that would result in overdraft / bounced checks / insufficient funds fees.

          1. Tay

            I’ve never heard of a swipe-credit-pin transaction. That would suggest you’re running your transaction through both the ATM network (the PIN part), while also running your transaction through the credit system (the Credit part) at the same time. On my Visa branded debit card I always run it as Credit. Visa affords fraud protections to my account just like a normal credit card. I work with my card issuing bank for fraud, not Visa. The bank is the intermediary.

            Using credit cards in life for anything whatsoever is naive. This is personal finance, not information security. Building wealth is not a byproduct of credit card use. Yes, a lot of people live paycheck to paycheck and in that scenario, it would seem that a credit card is the wise choice so you don’t lose your cash for a few days. But recommending credit cards for anything should be considered carefully. And if Brian’s philosophical views on debt differ from mine, so be it. I’ll still be an avid reader.

            1. timeless

              Sorry, I was unclear.

              Here’s a much more thorough description of a person (“You”) trying to use a US Bank* issued Debit card to make a “credit” network purchase at a (skimmer enhanced) chip enabled PoS machine (“terminal”).

              Steps:
              0. Terminal is compromised (skimmer + pad/camera) and you don’t notice
              1. Terminal shows how much you’re being charged
              2. You Swipe (out of habit)
              3. Skimmer records mag info
              4. Terminal says “please insert card”
              5. You Insert card
              6. Terminal says “please enter PIN” (because your debit card has a PIN and for whatever reason* the Terminal feels like asking for it)
              7. You Enter your PIN
              8. Skimmer (affiliated pad/camera) records your PIN
              9. Terminal validates your PIN and processes your transaction as a Chip w/ PIN Auth Credit transaction (over the credit network).

              You might think “I’m protected from liability, I used the credit network”. But all of your magstripe information was compromised (steps 3+8), and now a thief can mint a new Debit card and make an ATM transaction w/ the PIN (or a normal debit transaction at a magstripe accepting merchant). Either way, while you might think your account was protected “because credit”, in fact, it isn’t “because leaked”.

              *I had a hard time trying to find a web page from a US bank talking about PIN use with the Credit network for a Debit card. I know it definitely can happen. It’s trivial to describe for Non US debit cards — when they leave their issuing country, they use the “Credit network” via “Visa Debit” [1] and similar to perform transactions (which debit the account immediately), which should be equivalent to using a US debit card with the credit network. CIBC’s instructions [1] for using their Debit card w/ the credit network clearly indicate that you (sometimes) will be prompted for a PIN. I know that it’s strange not to be able to give a precise answer to “will I need to enter my PIN”, but …. Partially PIN entry is a function of risk factors.
              *The Card, Terminal, and Bank effectively negotiate to decide whether a PIN is required (if one is supported) — just as they negotiate over whether Chip or Swipe are even allowed.

              Thus: Always Dip first.

              Actually, I favor Tap first, Dip second, swipe last. Tapping often can be done for values under say $200 w/o needing to enter a PIN (assuming your card requires a PIN, my cards do). I have a US bank and use US credit cards, but I don’t have a current US debit card (I had a debit card but decided that since I only use US credit cards and can walk into my US bank w/ my passport, the risks of having a card I don’t use stolen outweighed any potential benefit).

              The Debit/Credit network description is *complicated* Plus[5]/Cirrus[6] + Visa Debit[2] (has line of credit) v. Visa Electron [3] (no line of credit; mostly in Europe) v. Debit MasterCard [4] (no line of credit, not present in Canada last I looked) v. Maestro (no offline support, no line of credit, no love — afaict MasterCard is slowly transitioning away from this) — in principle, these are all “debit” transactions, but from a network perspective, sometimes they flow over “credit” networks. There’s a difference between “debit accounts” and “credit accounts”, but it’s not well tied to “debit network” and “credit network”. The oddest one is Visa Debit which actually allows you to spend more than your bank balance (whereas the others don’t) — that sure sounds like “credit” to me….

              [1] https://www.cibc.com/ca/how-to-bank/chipcard/advantagecard.html
              [2] https://en.wikipedia.org/wiki/Visa_Debit
              [3] https://en.wikipedia.org/wiki/Visa_Electron
              [3] https://en.wikipedia.org/wiki/Debit_MasterCard
              [4] https://en.wikipedia.org/wiki/Maestro_(debit_card)
              [5] https://en.wikipedia.org/wiki/Plus_(interbank_network)
              [6] https://en.wikipedia.org/wiki/Cirrus_(interbank_network)

  20. Larry

    Chip transactions are much slower than swipe. However, the fastest transactions (when terminals and systems are equipped for it) are Apple Pay. Practically instantaneous, and from what I’ve read more secure than either swipe or dip.

  21. Scott

    Does it make a difference if you use your debit card as a credit card? (selecting “credit card” on the prepayment options, entering a zip instead of PIN) Only for skimmers? What about recovery after a pirated account?

    1. timeless

      You shouldn’t use a debit card {period}.

      Treat it as a bank card, walk into your bank’s branch and perform your withdrawal/deposit.

      For everything else, there’s (MasterCard, Visa, American Express, Discover, or Cash).

      Your use of a zip would prevent someone from emptying your account directly, but it wouldn’t prevent them from purchasing goods at another store that accepts a zip. Since PINs are generally 4 digits and Zips are 5, I’d expect a criminal in this business to be able to tolerate this difference and still use your card.

  22. Jackie

    As a consumer, I can’t tell you how enraged I am about merchants not caring to turn on the chip enabled machines. Even though I am not out money for fraudulent transactions, the inconvenience of changing all my monthly transactions to a new card number has been exhausting this past year.

    Yes, I would love the opportunity to wait a few milliseconds for the EMV reader. Training? Really? Leave the card in the machine until it tells you to remove it, we do it at the gas pumps pulling it out quickly…

    My role of working on debit card fraud in a financial institution is even more chilling. We now have transactions coded as EMV by EMV-enabled merchants which are actually being processed by the merchant as magnetic swipe transactions. Why, I can only guess there is money they are saving on the transaction cost, yet are still protected from chargebacks. That’s right; we cannot charge them back because the transactions are coded as failed EMV transactions. I hear it is the same national merchants using this loophole for all their transactions. What kind of consumer protection is that?

    EMV is failing. Can it get better; it all depends on attitude and loopholes.

    1. SLC

      I’d just like to have a chip-enabled credit card at this point. None of my current cards — VISA & MC through our credit union, Discover or AMEX — have this technology and there is no indication they will be providing new cards with chips anytime soon. When I asked our credit union about this the staff had no clue….

      1. timeless

        Someone else reported their Discover card included a chip (my Discover IT which was replaced near the end of the year didn’t, so it must be a 2016 present).

        Consider browsing:
        http://www.creditcards.com/smart-emv-chip.php

        Also, call AmEx and Discover, because quite a few of the cards they have are on that list (the two I have are).

  23. Martín Alejandro Carmona Selva

    Brian,

    There’s something I don’t understand.

    While here in Europe we’re phasing out EMV in favour of Contactless (for transactions up to €20, at least) and, at least here in Barcelona (Spain), the rest is 100% chip enabled, in US are so far behind us?

    Why’s that? Why US is so avant-garde for some things and so, “slow” when it comes to Card Security?

    1. BrianKrebs Post author

      Americans (and others) tend to think of the credit card companies as MasterCard and Visa, but the banks are the ones that issue the cards to consumers, and the United States has thousands of more financial institutions than all of the countries that have moved to EMV already combined. So there’s that complexity and along with it we have a scarily screwed up debit network which has delayed a lot of the EMV stuff, I think.

    2. timeless

      Brian’s answer is pretty good,

      * The extra debit network which is its own mess.
      * The sheer number of credit card issuers
      * The number of processors
      * The number of PoS vendors
      (As a bottleneck, the limited number of certifiers)
      * The number of merchants

      Larger systems are not merely linearly more complex, they’re at least geometrically more complex (probably worse in this case).

      Also, moving from Dip to Tap is pretty simple, since most of the logic is the same, the work was done when your country deployed chip — it fixed the PoS terminals/etc. Adding Tap is really just replacing the readers. And it can be done incrementally.

  24. Gord

    Here in Canada the slower transaction times are being mitigated somewhat by more and more POS systems and retailers allowing us to just tap the (chip enabled and I guess rfc enabled) cards, at least for relatively small amounts. Costco allows taps for purchases up to $200, others somewhat less. It does make the process faster than entering the PIN.

    1. Robert.Walter

      Gord,
      in addition to tap to pay contactless, can you use Apple Pay at Costco Canada?

      My mother and sister keep asking their Michigan Costco when NFC POS terminals will land and nobody knows. Maybe when AMEX is out and replaced by Citi Visa in April.

      Anybody shopping Costco US or Canada able to use Apple Pay yet? If so details on since when, limit, sign necessary, etc. would be appreciated.

  25. Clint

    I’m more ticked at WalMart than anything. They FORCE a Chip-n-PIN thru the Debit network and will NOT allow a Credit/Signature transaction on their terminals for EMV active cards.

    I have vehemently argued with their cashiers (not their fault) asking for a manager (who then doesn’t know why either) trying to get them to understand the benefits of Credit transactions over Debit. I understand the % is higher to the merchant and all that.

    In fact that is why Walmart REFUSED to accept Credit as legal transaction-tender at their terminals. Because they HATE Visa with a passion. But my BANK is encouraging me to use CREDIT (and signature) with my EMV card.

    The damn thing is … if I swipe it … and choose Credit … it works, still! But if I dip it – they have disabled the function to change the transaction and ONLY allow Debit.

    1. Robert.Walter

      But they offer you Walmart Pay as an alternative. What’s not to love about Walmart?! /s

  26. Gabe

    I was told by a rep of Vantiv that they are already seeing an increase in chargebacks, as a new scam, for card present transactions at retailers that have EMV readers, but are not yet activated. A ton of chargebacks will get attention, maybe…

  27. Gnecht

    Why chip readers aren’t turned on yet?

    Well, if a store’s Point of Sale system only allows certain payment processors, and the processors aren’t EMV-certified yet (but “soon” will be), and in the meantime they promise to cover the liabilities as before – don’t expect stores to change their entire Point of Sale system in such a case.

    http://quickbooks.intuit.com/payments/pos-emv

    “Intuit is working on its payments solutions, but will not begin shipping until the solutions have been certified.”

    “Intuit is extending the EMV liability shift by six months for its QuickBooks Payments customers to allow everyone more time to transition. If you are a QuickBooks Payments customer and unknowingly accept a counterfeit EMV card using your magnetic stripe reader, Intuit will assume your liability for the fraud until March 31, 2016.”

    “If you are a QuickBooks Payments customer, we will notify you with more information on our EMV-ready payments solutions in advance of March 31, 2016, to allow you enough time to purchase the solutions that are right for your business and know when you may be responsible for losses related to counterfeit or stolen EMV chip cards.”

  28. medicalquakc

    Well the best bet is to use cash of course and avoid as much code and algorithms with your hard earned money :) MasterCard and Visa transactions are all for sale to “score” your behavior and sell that data, so if you like privacy, go that route when you can. Argus Analytics, probably a company you have never heard of... they do it, this is just one example. I used to write code so I agree with Krebs on complexity 100%.

    http://ducknetweb.blogspot.com/2014/08/argus-analytics-produces-share-of.html

  29. Clint

    Oy, why’d you delete my comment? It’s a legit email address and a legit comment.

    Walmart is not allowing dipped cards to choose Credit at their EMV active terminals.

    1. BrianKrebs Post author

      Nobody deleted your comment, Clint. It may have been held for moderation or it may be in the spam filter. Patience.

      1. Clint

        Sorry – it was showing “waiting for moderation” then disappeared & stayed gone upon multiple refreshes. Too impatient on my part.

  30. Daniel Gray

    Sorry but this is just as easy or easier to hack than the magnetic strips. Meaning they are already able to be hacked and money has been stolen from these supposedly unhackable/unbreakable cards to the tune of over 600,000.00 in just one go, and according to Interpol, over 2 BILLION has been taken from these supposedly unhackable/unbreakable cards.

    And if you look at the dates of the links posted below…ALL of them were in 2015!

    http://arstechnica.com/tech-policy/2015/10/how-a-criminal-ring-defeated-the-secure-chip-and-pin-credit-cards/

    http://www.wired.com/2015/10/x-ray-scans-expose-an-ingenious-chip-and-pin-card-hack/

    http://thehackernews.com/2015/10/hacking-chip-n-pin-cards.html

    http://www.ibtimes.com/credit-card-hackers-figured-out-how-break-chip-pin-security-years-ago-2150065

    1. Clint

      Per the article:

      “PIN authentication was, at least at the time, decoupled from transaction verification on EMV cards in Europe”

      In the US, banks ARE verifying the PIN and the iCVV (which is different from the CVV imprinted physically on the card) … therefore rendering this kind of hack impotent in the US.

      In fact, if by chance a crook was able to read the card data and attempted to use the regular CVV during an EMV transaction it will fail.

      Because the US (and the issuing banks – that’s key) is using tokenization via EMV, those old hacks just don’t hold water as an argument against EMV.

      1. tmiw

        The more important reason why those vulnerabilities are not a big deal: US banks are still preferring signature verification anyway, so there’s no PIN to even bypass.

    2. Clint

      Also, every one of those articles references the exact-same-event from 2011-2012. So you posted multiple articles about the same thing from 4+ years ago.

      That’s no longer relevant today and specifically not relevant in the US.
