16
Feb 16

The Great EMV Fake-Out: No Chip For You!

Many banks are now issuing customers more secure chip-based credit cards, and most retailers now have card terminals in their checkout lanes that can handle the “dip” of chip-card transactions (as opposed to the usual swipe of the card’s magnetic stripe). But comparatively few retailers actually allow chip transactions: Most are still asking customers to swipe the stripe instead of dip the chip. This post will examine what’s going on here, why so many merchants are holding out on the dip, and where this all leaves consumers.

Visa CEO Charles W. Scharf said in an earnings call late last month that more than 750,000 locations representing 17 percent of the U.S. face-to-face card-accepting merchant base are now enabled to handle chip-based transactions, also known as the EMV (“Europay, Mastercard and Visa”) payment standard.

Viewed another way, that means U.S. consumers currently can expect to find chip cards accepted in checkout lines at fewer than one in five brick-and-mortar merchants.

Why are so many chip-capable checkout terminals already installed that have not been enabled to actually accept chip cards? Allen Weinberg, co-founder of Menlo Park, Calif.-based management consulting firm Glenbrook Partners, examined this very question in a recent column that pointed to several factors holding retailers back from enabling dip-the-chip.

WHAT LIABILITY SHIFT?

New MasterCard and Visa rules that went into effect Oct. 1, 2015 put merchants on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip. The chip cards encrypt the cardholder data and are far more expensive and difficult for card thieves to clone.

Despite the increased risk of eating the entire loss from counterfeit card use in their stores, many merchants are taking a wait-and-see approach on enabling chip card transactions. Weinberg said some merchants — particularly the larger ones — want to turn the often painful experience of training customers how to use the chip cards and terminals into someone else’s problem.

“They see [chip cards] as just slowing down lines and chose to wait until consumers learned what to do — and do it quickly — at someone else’s store,” Weinberg wrote.

Weinberg adds that for many larger merchants, switching on the chip readers also can be a big and expensive project. Part of the problem, he says, is that many integrated point of sale systems — particularly the electronic cash register software for these systems — were just not ready in time for the Oct. 2015 liability shift.

“Even if the software was ahead of the game, they faced long certification queues at many acquirers,” Weinberg wrote. “I believe this is going to be a problem for a while.”

Visa said based on recent client surveys it expects 50% of face-to-face card accepting merchants to have chip card transactions enabled by the end of this year. But even 50 percent adoption can mask a long tail of smaller merchants who will put off as long as they can the expensive software and hardware upgrades for accepting chip transactions.

“My dry cleaner isn’t worried about someone using counterfeit cards at his cash register,” Weinberg said, noting that many businesses meanwhile discount the chances that hackers will siphon customer cards by sneaking malicious software onto point-of-sale devices — a problem that has led to one breach after another at brand name retailers, restaurants and hotels over the past several years.

AN INVISIBLE HAND

The United States is the last of the G20 nations to move to more secure chip-based cards. As late as the United States is on EMV implementation globally, the process of merchants shifting to all-EMV transactions is still going to take several more years. Visa has said it typically took about three years after the liability shifts in other countries before 90% of payment card transactions were “chip-on-chip,” or generated by a chip card used at a chip-based terminal.

Terry Crowley, CEO of TranSend, a company that makes software to help merchants and their equipment work with the EMV standard, said software code for card-accepting devices has historically been simple — so much so that it could be written on the back of a business card.

“But now with EMV, that same software wraps around the walls of a room three times…hundreds of thousands of lines of code,” Crowley said. “Historically, software was developed by terminal manufacturers and some-few contract programmers who kept up with the old-school operating systems, software development kits and so on for each terminal manufacturer. It was so easy that merchants and processors installed specialized tweaks that created countless variants in the marketplace.”

Now with the EMV liability shift deadline come and gone, Crowley says, suddenly there is a fire drill to replace all of this once-easy software and its countless variants. Compounding the problem, Crowley says, is that EMV code is hard to write and harder to push through the certification birth canal. What’s more, he adds: There are very few EMV software developers who understand the U.S. market.

Crowley predicts that plenty of smaller merchants could soon get hit with a wave of chargebacks from unscrupulous people abusing the liability shift at merchants that still don’t offer the chip dip.

“There’s an invisible hand at work that is about to kick everyone in the pants and accelerate U.S. dipping into EMV slots,” Crowley said. “If you use a chip card at a point of sale that says swipe — and you later say that wasn’t me — there’s very little a merchant can do to dispute that charge. It’s going to happen because what people aren’t thinking about is the friendly fraud. When people are made aware that if I swipe and I have a chip card, that lunch can be free if I’m a bad consumer.”

And the international [banks] are going to be the first ones to lay in, Crowley predicts.

“International card issuers are used to all these chargeback codes and minutia that goes around with EMV disputes,” he said. “They know the rules pretty well and have had EMV cards for years. So when this first wave of chargebacks starts hitting next month, things are really going to ramp up for EMV adoption by smaller merchants here in the U.S. It just takes one chargeback for those [smaller merchants] to get religion on EMV.”

MAD AS HELL?

If you’re curious about chip card swipe adoption in your area, take an informal survey: My own decidedly unscientific survey involved a shopping spree one recent morning to no fewer than seven different retail locations, which revealed exactly seven different chip-capable payment terminals instructing customers to “Please Swipe Card.”

So what’s the takeaway for consumers? Why aren’t consumers mad as hell about being asked to swipe their chip cards, thereby defeating the added security on the card?

For his part, Weinberg said he’s mad as hell, but he says if consumers get mad about anything chip-card related, it’s probably going to be about the 10-15 extra seconds it will take to dip the chip versus swipe the stripe.

“If anything, consumers are getting pissed off at how many more seconds it takes to do chip card transactions,” which require the consumer to keep the card inserted into the card terminal until the transaction comes back as approved, Weinberg said.

“We Americans care more about convenience than we do about security,” he said. “In the end, consumers hold their banks accountable for this stuff, because they’re the ones having to reissue the cards each time there’s another breach.”

Here’s another basic takeaway for any consumers still reading: Use a credit card and kick debit cards to the curb. If a thief makes a charge on your credit card that you didn’t authorize, a simple phone call can fix the problem. If the crooks manage to siphon all cash from your checking account, that’s a bigger problem that could take several days to sort out with the bank (and longer if you count any other businesses you may have just paid with a check).


248 comments

  1. Quoting “Here’s another basic takeaway for any consumers still reading: Use a credit card and kick debit cards to the curb. If a thief makes a charge on your credit card that you didn’t authorize, a simple phone call can fix the problem. If the crooks manage to siphon all cash from your checking account, that’s a bigger problem that could take several days to sort out with the bank (and longer if you count any other businesses you may have just paid with a check).”

    While I understand the logic the argument is short sighted. The pin on debit offers far more security from fraud than a signature. The problem is that the issuers allow pin-by pass as an option. If you made it a requirement to be pin only then there would be far more security offered. With chip cards, even your credit products could easily be modified to allow pin. Why must we thrust this security advancement of chip cards out there and only address part of the problem? Relying on signature as a cardholder verification method is laughable. That is the true weakness and doesn’t require millions of dollars in equipment and software changes to implement.

    You want more security? Insist on pin.

    • Security isn’t the problem. The difference between having your money out of your bank account (debit fraud) vs having a bill you don’t have to pay (credit card) is the problem.

      On debit issues, it could take weeks to get your money back, all the while if you are foolishly living paycheck to paycheck as majority of people do, you have bounces and bad check fees. Banks don’t like to reimburse those.

      On credit issues, a simple call usually is all that’s needed, and by US law you don’t even have to pay that part of the bill while they investigate.

      • IF there is debit card fraud and the bank doesn’t solve or reimburse the client within 10 days they are in violation. Nowadays proving it’s not fraud will take more than 10 days. Also if a bank doesn’t reimburse a client for fees associated with debit card fraud they are also in violation of Reg E. Go to a different bank who isn’t willing to pay fines for Reg E violations and get better service.

      • Meh, I can’t even get my bank to send me a chipped card let alone worry about the other end (POS) where I will use the card…

        I use the old school cold hard cash most of the time and I secure it with a firearm on the hip.

      • “if you are foolishly living paycheck to paycheck”

        I take issue with that – a very large majority of people live paycheck to paycheck because they are underpaid and are lucky to manage to pay living expenses month to month – and those numbers aren’t likely to decrease any time soon with the state of unregulated global capitalism running amok.

        POOR people live paycheck to paycheck when they are lucky to even find employment.

        • “if you are foolishly living paycheck to paycheck”

          I think what he is calling foolish is taking on $100k in student loan debt, buying a brand new $45k vehicle and then to make matters worse adding a $400k home loan on top of it.

          All my friends think I am crazy living in a 1000 sq ft house but I have ZERO debt (I know zero other people in their late 20’s with a college degree and zero debt). I think this is the “foolish” living he is talking about.

        • I was with you until your point about capitalism.
          1) the problem is too much regulation for crony companies that want to have advantages in the market.
          2) You shouldn’t believe the politicians making those claims (while lobbyists fill those politicians pockets). . .

          • Similarly you shouldn’t believe the politicians crowing about regulation being the root of all evil, since they’re being paid by corporate interests who want to break laws they currently are unwilling to break (it’s not as though most laws stop them, they simply break the law and pay the fines with a fraction of the profit they made from breaking the law).

            The moral of the story is don’t trust politicians, no matter what flavor of kool-aid they’re selling.

    • The assertion that debit card PIN security is strong enough to protect you in the event of another Target-scale POS hack is dubious at best. Both forms of security are pretty bad, so the assumption should be that your card (either debit or credit) will get hacked eventually. When becoming the victim of fraud (eventually) is a given, the best course of action is to mitigate the damage caused by that fraud rather than worry about preventing it. That’s why credit is much safer than debit.

      That’s a consumer-centric perspective, at least. I’m sure the banks would prefer to prevent the fraud, but they went for chip and signature instead of chip and pin so maybe they don’t prefer it enough.

    • Personally (and having done PCI in the processing world), I could give .02 on the security at the terminal. There are so many back-asswards things going on after the fact that it’s practically irrelevant.

      What matters is: How am I protected from fraud?
      The credit network will cover 100% of fraudulent transactions – per Visa/MC regulations. Your debit network does not have that requirement. In fact, my bank will only cover anything up to $500.

      You’re actually more ‘secure’ using a carbon copier from the 70s for a credit transaction, than using PIN for debit.

    • Not sure about the USofA but in the UK credit cards are chip and pin too. I can’t remember the last time I signed for any card in the UK or in Europe. In fact I don’t think I’ve even signed a card for ages.

  2. Brian,
    The merchants are finding a way around the liability shift by intentionally misconfiguring their POS terminals to show swipe transactions on chip cards as fallback transactions, thus making the issuer liable again for fraud. Walgreens and Kohls are the two biggest companies I have seen doing this. Visa has promised to fine the companies for it, but we will see if they go through with it.

    • It’s possible for the major payment processors to prevent falling back to magnetic stripe on chip-enabled cards at chip-enabled terminals. This is commonplace in at least most of the other 19 countries in the afore-mentioned G20, because I’ve personally seen it.

    • Walgreens has been using the chip readers for months.

      • Yes, but if you swipe your card at Walgreens it will still work. The terminals that are EMV activated are supposed to force you to use the chip.

        • Walmart has done a stellar job at this.
          They were quick to be chip ready and they force you to use chip if your card has one.

        • This only happens with debit cards, and is a result of EMV debit in the US being a huge and complex undertaking due to the Durbin Amendment, which was not really compatible with how EMV was designed. This is temporary and will disappear in time.

          In any event, it is an issuer’s decision whether to approve or decline a ‘fallback’ transaction, and banks in many other countries already do not authorise ‘fallback’ transactions. If they choose to approve it, then it is on them.

          • Exactly. I recently implemented blocking of all fallback transactions at the issuer where I work. The risk of mag stripe counterfeit is only going to get worse as the crooks race to cash out while there is still some EMV non-compliance out there. No way do I want us to be left holding the baby on that one!
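
The fallback screening discussed in this thread, as an added example (not code from the post or from any commenter): a simplified issuer-side check that declines magnetic-stripe fallback on chip cards and reports merchants whose chip-card traffic is mostly fallback. The entry-mode codes, the `Auth` record, the merchant names and the thresholds are assumptions, and the card numbers are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed ISO 8583 field 22 PAN-entry-mode codes; confirm them against the
# card network specification used in your environment.
ENTRY_CHIP = "05"      # contact chip read
ENTRY_FALLBACK = "80"  # chip-capable terminal fell back to the stripe
ENTRY_SWIPE = "90"     # magnetic stripe read, full track


@dataclass(frozen=True)
class Auth:
    merchant: str                # hypothetical merchant identifier
    track2: str                  # PAN=YYMM + 3-digit service code + discretionary
    entry_mode: str
    terminal_chip_capable: bool  # as reported in the authorization message


def service_code(track2: str) -> str:
    """Return the 3-digit service code that follows the 4-digit expiry."""
    _pan, sep, rest = track2.strip(";?").partition("=")
    if not sep or len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("malformed Track 2 data")
    return rest[4:7]


def card_has_chip(track2: str) -> bool:
    """A service code starting with 2 or 6 marks a card that carries a chip."""
    return service_code(track2)[0] in ("2", "6")


def classify(auth: Auth) -> str:
    """Label one authorization by how the card was actually read."""
    if auth.entry_mode == ENTRY_CHIP:
        return "chip"
    if auth.entry_mode not in (ENTRY_FALLBACK, ENTRY_SWIPE):
        return "other"
    if not card_has_chip(auth.track2):
        return "swipe"  # stripe-only card: a swipe is all it can do
    # Chip card read from the stripe. It is fallback if the terminal says so,
    # or if the terminal could have read the chip and swiped anyway.
    if auth.entry_mode == ENTRY_FALLBACK or auth.terminal_chip_capable:
        return "fallback"
    return "chip_card_swiped"  # terminal has no chip support at all


def issuer_decision(auth: Auth) -> str:
    """Block fallback outright; everything else continues to normal checks."""
    return "decline" if classify(auth) == "fallback" else "continue"


def merchants_with_excess_fallback(auths, min_chip_cards=3, max_ratio=0.5):
    """Return {merchant: fallback ratio} where chip cards are mostly swiped."""
    seen = defaultdict(lambda: [0, 0])  # merchant -> [fallbacks, chip-card auths]
    for auth in auths:
        kind = classify(auth)
        if kind in ("chip", "fallback"):
            seen[auth.merchant][1] += 1
            seen[auth.merchant][0] += kind == "fallback"
    return {m: f / n for m, (f, n) in seen.items()
            if n >= min_chip_cards and f / n > max_ratio}


# Constructed sample data: made-up card numbers and merchant names.
CHIP_CARD = "4000000000000002=2512201000000000"    # service code 201
STRIPE_CARD = "4000000000000010=2512101000000000"  # service code 101
SAMPLE = [
    Auth("STORE-A", CHIP_CARD, ENTRY_CHIP, True),
    Auth("STORE-A", CHIP_CARD, ENTRY_CHIP, True),
    Auth("STORE-A", CHIP_CARD, ENTRY_CHIP, True),
    Auth("STORE-A", CHIP_CARD, ENTRY_FALLBACK, True),
    Auth("STORE-B", CHIP_CARD, ENTRY_FALLBACK, True),
    Auth("STORE-B", CHIP_CARD, ENTRY_FALLBACK, True),
    Auth("STORE-B", CHIP_CARD, ENTRY_SWIPE, True),
    Auth("STORE-B", STRIPE_CARD, ENTRY_SWIPE, True),
    Auth("STORE-C", CHIP_CARD, ENTRY_SWIPE, False),
]

if __name__ == "__main__":
    for auth in SAMPLE:
        print(auth.merchant, classify(auth), issuer_decision(auth))
    print(merchants_with_excess_fallback(SAMPLE))
```
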

  3. I recently received updated cards from both Visa and Discover and neither of the cards had chips. Why are the card companies taking so long to issue the chip enabled cards? For me, it doesn’t matter what terminals the vendors are using at this point because both Visa and Discover seem to be dragging their feet on issuing the chip cards.

    • I got a new Discover in January that had the Chip in it.

    • That’s strange. Discover has been issuing chip cards for almost a year already. Do you have one of the older cards? They have been prioritizing IT because that’s most of the user base. Give them a quick call, and they’ll send you one.

    • It’s not that Visa and Discover are dragging their feet. It’s the actual card production companies that handle the cards being produced (CPI, Gemalto, etc). And they are having problems keeping stock. They are getting slammed with EMV requests and they are not prepared to handle it. Short answer is that in the meantime lots of banks are stuck with magstripe because card production is at a standstill for EMV. If you were lucky enough to get a chip card, then it’s because the bank got in before the others started racing to get their orders in.

  4. …Does it make a difference if you use your debit card as a credit card?…

    WalMart no longer allows that; don’t know about others. You can select credit all you want but if the machine reads your card as debit it will run it as debit, even without asking for a PIN. The new EMV cards are coded and every time I’ve used mine at WalMart – chip, not swipe – it processes as debit even though I’m not prompted for a PIN nor a signature; the receipts are printing “signature not required” on them. My old card (swipe, no EMV chip) processed the same way for 2 months before the card expired: no PIN prompt, no signature required but the transaction processed as debit even though I selected credit.

    • Not surprised. Debit transactions are *cheaper* than credit transactions, so it’s their way of saving money.

      That said, Credit transactions have always been more secure (legally speaking) than Debit since Credit runs through a delayed processing/payment where Debit directly hits the bank account. That little note in the last paragraph is really important.

      Again, that said, I use Debit on some transactions because my bank gives me special privileges for doing so; but in general I do try to only use Credit transactions specifically to have MasterCard/Visa/etc liable instead of my bank account.

  5. A lot of the problems with EMV processing has been with the processors being unable to drive the EMV dip readers because they have not yet implemented the software at their end. The WalMarts and Targets of the world are doing their own transaction switching which is why they are processing EMV dips. Processor solutions should be implemented by the end of Q1 2016 definitely by the end of Q2 2016 that will allow all merchants to enable their dip readers.

  6. What bothers me is that in the end, I know that we consumers will end up paying much of the price of the fraudulent use of CC’s. So, while I may not be on the hook for some fraud committed with my account number today, ultimately, as these things work their way through the economy, I will pay for it somehow. Maybe through higher prices, maybe through inconvenience, and probably other ways I haven’t thought of.

    Signatures are no form of security at all. I think we all realize we can scrawl just about anything as a signature and in 99% of the cases it will be looked at much less challenged.

    This is not a victim-less crime.

  7. This article says “The chip cards encrypt the cardholder data”. This is not a true statement. The PAN, the expiration date, the cardholder name are all in the clear. In other words, everything you need to go shopping is available to a crook. It would be a good thing to have the cardholder data encrypted on the chip, but that is not what EMV specifies.

    • The EMV transaction is missing the CVV numbers to make either a duplicate magstripe or the CVV2 “number on the back” to do an internet purchase. So the EMV data is really quite useless (witness the lack of EMV driven card fraud in Europe).

      The predicted fraud increase coming out of this is from the remaining *swipe* transactions, not EMV transactions.

  8. I’m tired of asking merchants if they take the chip, and I know they’re tired of hearing that question. The chip readers are too slow and not consistent. To me this is one step closer to putting implants in human bodies—and I definitely oppose that. If you can’t refuse to get a vaccine, you sure as hell won’t be able to refuse the chip. Bye bye to the last of our freedom.

  9. So many of the merchants I visit regularly not only require swiping, they often require two or three swipes before the transaction actually completes. The swipe is so integrated into discounts, coupons, loyalty programs etc that if the swipe happens too early (like when the terminal tells you to swipe), they have to start all over again (swipe again, and again). The extra 10 seconds with a chip card could largely be offset if that dance is eliminated. Either that or the dip will add 30-45 seconds due to re-dipping…

  10. As a fraud/risk professional that works in the payment card industry, here are a few points I’ll make:

    The primary issue is that certified software is not ready. We’d love to have EMV available for each and every type of merchant, but that’s just not possible at this time. The U.S. has the world’s greatest card volume and is its most complex market, yet it had the smallest amount of time to make this conversion. On top of this, the Durbin Amendment requires two separate and independent debit networks for PIN accepting merchants. This caused enough problems and expense for the industry, but to add it to the conversion to EMV was another huge hurdle the industry had to overcome. For these and other reasons, the U.S. was not ready.

    As a separate discussion, the U.S. should have leap-frogged EMV (a 20 year old technology) and gone directly to cloud based authentication which is where things are headed albeit slowly. Having said this, terminals which can accept EMV are often dual entry – meaning that they accept contact (dip) and contactless (via NFC) transactions. This means that although EMV may not yet work at a specific merchant, you may be able to use a mobile wallet like Android Pay, Samsung Pay, or Apple Pay. This is better security to begin with because it uses a token instead of the actual credit card number. This way, even if breached, the merchant cannot give up your card number. The fake card number is useless to attackers without the correlating one-time cryptogram.

    There was a comment in the article about EMV and data security. We should not confuse EMV with data security. EMV only authenticates a credit card and does nothing to secure data. Merchants can still be breached and credit card data can still be stolen in EMV environments.

    • I hear a lot of people saying that we should have skipped to things like Apple Pay, but to be honest, I don’t see that happening for at least a decade if not longer. Most (the majority of?) retailers don’t want to give up their data collection gravy train, not to mention that Americans in general are paranoid of contactless payments. If anything people will use it in apps far more often than in person.

      In the meantime we basically had no choice but to do EMV since we’re the last major country to not have it. I think it’ll eventually become fast enough where the slightly extra time over swiping won’t matter to most anymore.

    • ZeroDay, good words.

      I especially appreciate you saying we should have leapfrogged over EMV to the next step.

      The EMV protocol doesn’t take advantage of the amazing crypto or low-power processing that can be done on tiny chips, unless I’m missing something.

      We will spend a ton of $ out of our GDP and get sub-optimal returns.

      I’d like to read a good, professional critique and comparison of EMV and modern best practice. Has anyone seen a blog/article?

      • There was this 2012 article from Cambridge.

        A small group of people in France was convicted of using this attack some months ago, I believe.

        “Chip and Skim: cloning EMV cards with the pre-play attack”
        from Computer Laboratory, University of Cambridge, UK

        http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf

        I think they glued a thin chip over the top of the EMV chip. The imposter chip responded with a “yes” to any pin number, when the terminal asked the card if the pin is correct.

  11. EMV cards are crippled technology! Just because Europeans originated these time wasters does not mean Americans also want to stand around and yack with a cashier while they are verified. We have a nation to run! There is no reason that they cannot be inserted, a pin entered, then removed. If they fail to verify while our items are bagged, the cashier can ask us to try again, or use another card! What is wrong with you management folks? Our Martian astronauts are almost back from the Red planet.

  12. The invisible hand that’s about to kick you in the pants, huh? Such mixed metaphors! 🙂

    What’s revealing to me here is that Visa already knew from experience that it takes three years to achieve critical mass – but this is the first time I have heard this from them. Why couldn’t they have used their collected wisdom from the Euro markets to help the US achieve a smooth transition instead of flooding us with FUD?

    • Because Visa is only a payment network.

      They don’t manufacture terminals.

      In Canada, a significant portion of the terminals are issued by the banks (there are about 5 banks in Canada, unlike the thousands in the US), which means they could issue new terminals that supported Dip and Tap.

      Even with that, the rollout has been poor. My American Express (which has had Dip and Tap for 2 years) still doesn’t Tap at at least one major grocery store chain. (And another chain doesn’t even accept it, and their discounter doesn’t accept Visa….)

      Basically, the process is:
      1. The payment networks write rules.
      2. The banks implement backend support
      3. The banks issue cards
      4. The merchants get nudged
      5. The merchants talk to their Point of Sale supplier.
      6. The Point of Sale supplier was never good at making products in the first place, and is trying really hard to understand this incredibly complicated standard.
      7. Then the supplier needs to get their product through testing. I’d bet (based on experience in another Hardware-Software field) that their initial forays into testing result in a rejection, thus going back and fixing the identified issues, and then waiting in line for the next testing slot.
      8. The supplier now needs to produce and ship units.
      9. The merchant then needs to buy and deploy them
      10. Then the software needs to be tested by the merchant
      11. Then the merchant discovers it slows down the checkout process and decides to turn it off, because slowing down the process is bad for business.

      BTW, 3 years ain’t bad. The Cable industry takes 15 years for complete adoption (5 years for early, 10 for middle, 15 for the laggards). The Cellular industry is somewhere in the middle (perhaps upgrading totally in 8 years, but almost certainly not completely upgrading in under 4).

  13. This article is not coming from a business standpoint and is written in a biased tone towards the business. As a business owner, I can tell you first hand that WE did everything on our end to make sure we were compliant. We have new terminals and have had them for a while. However, we can NOT use them because major credit card processors do not have the proper software update to support the terminals. We have been waiting nearly a year for the change. Every day we receive multiple chargebacks from customers disputing charges. The processor refuses to pay us back because of “chip” liability” (not being able to accept chip cards)…when in fact WE are absolutely ready to and it is THE PROCESSOR passing on the blame. As a small business owner, this is killer. Please do not say this is a business’s decision when the majority of the population CAN’T be compliant based on outside parties.

    • I think this article very well represents the merchant viewpoint that the EMV software has not been ready. This point was made at least twice in the article.

    • In normal economics, if this happens, merchants would go find the one or two payment processors who have upgraded their software and switch. And that switch would drive the remaining processors to complete their stuff sooner, or suffer commercial Darwinism (no customers, no income, no business).

      Have you looked to see if another processor is ready and willing to take your business? Are they charging too much of a premium for being ready?

      • In my experience, switching payment processors ranks as more difficult than switching mobile phone companies, and only slightly easier than getting a loan at a bank. A client of mine once tried to switch, and the new processor denied the application due to bad credit. I wasn’t aware such a thing could happen before that.

        • Thanks for sharing.

          I’m not yet a merchant. So I don’t yet have experience here. As a small guy, I think I’d checkout Square [1] and PayPal [2] (Quick Books isn’t ready [3]), but I know that bigger merchants have a much larger infrastructure investment.

          I’ve gotten 3 home loans in my life (one was a switch, and it was fairly painless), none in the USA though. (Actually, I had more pain lowering my recurring payment, but that’s a non-standard activity, which wasn’t allowed under the terms, so I expected it to be somewhat frustrating.)

          I think I’ve only personally switched a phone contract twice: Once from me as the junior on it (this took a bit of time, but wasn’t painful), and once where I had been an employee on a corporate account to being sole (this was slow because the account had thousands of items and the poor accounting software clearly wasn’t written to handle it, but it wasn’t otherwise painful). I’ve helped a couple of people switch carriers, and it hasn’t been particularly painful (the biggest thing is that there’s sometimes a changeover in phone number from a temporary one at a random time).

          I think I’ve actually seen people have more worry w/ phone transitions than I’ve had w/ personal home loans.

          [1] https://squareup.com/emv
          [2] https://www.paypal.com/webapps/mpp/emv
          [3] http://quickbooks.intuit.com/payments/emv-reader

  14. Apple Pay via Watch.

    • If you had bought the CASIO F91W you would have a few extra hundred bux to your name instead of another notification device for notifications that mean nothing in the end. Plus you would only need to “charge” it every 5 years.

      //apple watch sucks sorry.

  15. Meanwhile up here in the Frozen North (Canada) I get to bitch and moan because there are only a few places I can use Apple Pay (because the only card available is Amex and that is not as widely accepted.)

    Why do I bitch and moan? Because Tap to pay takes like maybe almost at least close to a half second or so to use.

    Apple Pay cuts that in half! And is (so we are told) a lot more secure than Tap, Chip or Swipe.

  16. I live near Cleveland, Ohio. As of this date I have only two cards with the chip. Both were recently replaced due to fraud detected by the credit card company. So far, I have found NO merchants using the “dip” terminals in the northern Ohio area. So much for deadlines.

  17. As someone who runs a map tracking retailers that support EMV/NFC (https://emvacceptedhere.com/), I kinda figured it was a software-related issue a while ago. For instance, Walmart was the first major retailer to turn on support but eventually had to disable service code enforcement for a bit due to bugs. It’s no surprise that at least a small part is due to retailers wanting to get it right.

    Fortunately the latecomers seem to be offering a better EMV experience for the most part. Starbucks seems to have pretty fast terminals, as well as Walgreens.

  18. A debit card is far more secure. Banks will immediately replenish funds for fraud. It does not take weeks. Use a PIN and fraud will go to less than one basis point. To make a recommendation to stop using debit cards just highlights your lack of knowledge in how banks service their debit customers.

    • The key being that it is up to the banks. You have a bank that treats debit customers well. Not all banks do this. And it still doesn’t stop the hassle of dealing with Insufficient Funds charges charged by other entities that were to be paid with the money stolen from your account before your bank fixed it.

  19. Yep…. Apple Pay… Much better than all of the rest… I also believe that merchants who embrace it as the new technology are also likely those who have a better handle on not only their security and infrastructure but they for sure have a better handle on their business and are in touch with the future…. I much prefer Apple Pay to any PIN/Chip EMV etc… The merchant only gets a one time user token and if they get a breach I don’t have to worry about having my account closed like in the past with other merchants…

  20. All of my VISA and MC cards were converted by the card issuers back in September of last year.

    My local Marathon and Sheetz gas stations now have chip-only reader pumps. But they also have pumps that are mag stripe only as well.

    Walmart is funny – go to one Walmart and it’s chip and mag stripe. Go to another, still mag stripe only. Then there are the Walmarts where the chip doesn’t work in one lane and does work a couple lanes over in the same store (but when you get in line, there’s no indication if the checkout lane is chip enabled or not).

    What a mess.

    And I have one large chain supermarket which has already stated that due to cost, they’re never going to switch from only using swiping because they don’t want to swap out the non-chip readers they installed.

  21. You mention that EMV transactions encrypt the card transaction but that is false, EMV requires plain text. You must adopt encryption and tokens as part of your implementation to actually protect the EMV transaction. The best part about EMV is that the CVV numbers are not included in track information. Thus, all fraud will eventually move to CNP transactions after 100% adoption. Websites and shopping carts will need to adapt.

    • The key pairs in the card chip could be used to encrypt the data but they are now only being used to sign the one time authentication code. This encryption would add a little more time for the transaction to take place, although it would be marginal. But the issuers are obsessed with concern that any additional time would have more people using cash, and that would mean less fee revenue for the brands. My personal experience is that chip and pin adds a little less than a minute to the whole process. I guess some people are really pressed for time and of course I mean that sarcastically.

      The fact that EMV is not encrypting card data is why the PCI requirement to periodically inspect POS terminals for skimmers is going to be in place for some time to come.

  22. Personally I don’t like EMV from many aspects; only 2 of 5 cards I have support it and when I do use it it takes a long time, often with retries because of issues. (I’ve pulled it out by accident; or the software wasn’t ready or….you get the point.)

    It’s not a training issue. It’s an EMV issue – it just sucks and it *does not* solve any problems – data is not encrypted, etc. The Target breach would still have happened even if EMV was in place – IIRC, there are even articles on this blog showing that kind of failure with EMV.

    • The Target breach would have still happened, that is correct. EMV won’t solve network security issues. What it would have solved was all counterfeit fraud stemming from that breach. EMV Cards have not been counterfeited, and thus would not be able to be used at any merchant that has upgraded terminals, and the merchants that have not upgraded would have eaten the losses. Get the carrot or get the stick.
      The answer is a dynamic CVV in combination with EMV. If a card is stolen, it can only be used online, but with a dynamic CVV, problem solved.

  23. Just an FYI for travelers headed south this winter…

    I typically pay for everything I can using my credit card. One of the main reasons for this is that I feel “protected” since I am “backed” by the card issuer when a dispute arises. However, I was previously in Mexico where I assume the merchant had hard wired the mobile POS printer to short out instead of printing a receipt. This caused the unit to reboot and I was informed to “try again”. Feeling uneasy but assured I was protected, I tried a second time but ended up paying cash with a follow up chat with the credit card company later that day via the Internet. I was eventually charged twice for the same purchases I had ended up paying cash for which if you’re paying attention means I paid three times the actual amount owed. I was originally informed by the credit card company since I used my chip and pin, I was on the hook to pay the charges, regardless of the fact I had contacted them with the scam the merchant was employing. It was a long battle with multiple phone calls where eventually I was remunerated for the loss. What one should take away from this story is “although the chip and pin will protect you from unauthorized charges from stolen mag stripe data, the credit card companies now have the option to also place the blame on you if the crooks can deceive you”

  24. My local Charlottesville CVS had me dip earlier this week. First time in the States since we got our chip cards over a year ago. CVS did not ask for a pin.

  25. StanislausBabalistic

    Isn’t this whole exercise more or less pointless as long as we continue to lag behind the rest of the developed world in implementing chip-*and*-PIN? The chip seems so pointless without a PIN, and that’s certainly not the way the rest of the world operates.

    • Actually, the PIN is pretty pointless.

      If your Card is stolen, you’re obligated to report it to your issuer.

      If you have your card, then you want to pay, and only for what you want to buy.

      The design of the terminals doesn’t guarantee that you know the amount that will be charged to the card (the display can lie, the only safe approach would be for the card to be the display — there is an article talking about a passthrough hack for this purpose).

      The security from EMV is the fact that an effectively random token is generated for each transaction. You generally should not be able to reuse that token to make another transaction * (yes, there were a number of bugs in the design and there were attacks where it was possible).

      A PIN that you enter everywhere you go is *NOT* secure. Read all of the ATM hacking articles here to see the various attacks (cameras, pin overlays, wire sniffing, …).

      A PIN that you enter in plain sight regularly is really really useless and really really stupid.

      I’m glad that the US issuers aren’t bothering with it. The PIN is security theater.

      (Read about shoulder-surfing if you like.)

      FWIW, I’m not a huge fan of EMV. Leapfrogging to Tokenized payment done by a system w/ an integrated display would have been much better (and it could support Internet and Phone payment), and the investment cost would probably have been similar (it’s all new code either way, and new hardware either way, heck, the hardware is already there for Tap).
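Added illustration, not part of any comment above and not the EMV specification's own algorithm: a simplified Python model of the per-transaction code described in the reply to comment 25, and of the point in the reply to comment 21 that the chip authenticates the transaction rather than encrypting card data. HMAC-SHA256, the class and function names, and the card number are assumptions standing in for the card's real cryptogram scheme.

```python
import hashlib
import hmac
import secrets

def mac_code(key: bytes, pan: str, amount: int, nonce: str, atc: int) -> str:
    # Bind the code to this card, amount, terminal nonce and counter value.
    msg = f"{pan}|{amount}|{nonce}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Chip:
    """Toy chip: holds a secret key and a transaction counter (ATC)."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount: int, nonce: str) -> dict:
        self.atc += 1  # a new counter value for every transaction
        # Note the card number travels in the clear; only the code is secret-derived.
        return {"pan": self.pan, "amount": amount, "nonce": nonce, "atc": self.atc,
                "code": mac_code(self._key, self.pan, amount, nonce, self.atc)}

class Issuer:
    """Toy issuer: knows each card's key and the highest counter it has accepted."""
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue(self, pan: str) -> Chip:
        self._keys[pan] = secrets.token_bytes(32)
        self._last_atc[pan] = 0
        return Chip(pan, self._keys[pan])

    def verify(self, txn: dict) -> str:
        key = self._keys.get(txn["pan"])
        if key is None:
            return "unknown card"
        expected = mac_code(key, txn["pan"], txn["amount"], txn["nonce"], txn["atc"])
        if not hmac.compare_digest(expected, txn["code"]):
            return "bad code"
        # A captured message carries an already-used counter, so it is refused.
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "replayed"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "approved"

def demo() -> list:
    issuer = Issuer()
    chip = issuer.issue("4000000000000002")  # constructed sample card number
    first = chip.sign(1250, secrets.token_hex(4))
    tampered = dict(chip.sign(500, secrets.token_hex(4)), amount=50000)
    return [issuer.verify(first), issuer.verify(first), issuer.verify(tampered)]
```

Static magnetic-stripe data has no counterpart to the counter or the keyed code, which is why a copied stripe verifies every time while a copied chip message does not.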

  26. In Canada, close to 99% (if not more) of all transactions are chip and pin. It has been a very long time since I signed any credit card transactions. And compared to the old swipe method, I have considerably fewer issues with the chip. How many times have people had to put their cards into plastic bags to get the magnetic stripe to work properly?

    This isn’t rocket science — it has proven in other countries to be very effective in reducing fraud. However, until the banks either start to refuse swipes, or the merchants have to start paying out of their pockets for fraud, it will be a tough sell.

    This whole thing reminds me of when debit cards were first introduced. The masses were acting in a very similar method, saying that all transactions had to be cash only. Once you have used the chip, it is difficult going back to swipe!

  27. Frankly I find the whole thing a little bizarre. I’m in the UK and I can’t remember the last time I had to sign for a transaction. Chip and PIN have been around for years. We can pretty much use PIN/Chip, Contactless or Apple Pay. For a country so technologically advanced and security conscious as the US it’s genuinely, from an outside perspective, a tad odd but I can empathise with the end business user’s perspective.

    • It’s worth keeping size in perspective. The UK is really really tiny (say 65 million people).

      There are 5 main retail banks in the UK,
      There are 5 medium sized banks,
      There are 20 smaller banks,
      There are 20 foreign banks (~).

      That’s 50 [1] banks.

      There are 20 banks [2] in Delaware (a tiny state in the USA) population 1 million.
      There are 13 banks [3] in Rhode Island (a smaller state) population 1 million.
      There are >130 banks [4] in California (a rather large state) population 40 million. (I counted 134, but I’m rounding)

      The population of the USA is 320 million.

      Also worth considering is physical land mass and number of merchants (including ATMs, taxis and gas stations — technically gas stations get a delayed pass).

      Basically, anything that you might think is “simple” for your tiny Island becomes considerably more complicated when deployed at a larger integrated scale (Europe upgraded country by country, not as the EU).

      [1] https://en.wikipedia.org/wiki/List_of_banks_in_the_United_Kingdom
      [2] http://www.us-banks.net/us/delaware/
      [3] http://www.us-banks.net/us/rhodeisland/
      [4] http://www.us-banks.net/us/california/

  28. “If you use a chip card at a point of sale that says swipe — and you later say that wasn’t me –there’s very little a merchant can do to dispute that charge. It’s going to happen because what people aren’t thinking about is the friendly fraud. When people are made aware that if I swipe and I have a chip card, that lunch can be free if I’m a bad consumer.”

    “Bad consumer” is an interesting euphemism for thief.

    • “Bad consumer! Bad! Now go lie down!”

    • Or child/spouse.

      Your child borrows your card and buys something. You see the bill, insist you didn’t buy it.

      Your spouse buys something embarrassing, you see the bill, ask, spouse denies it, you reject the charge to the credit card issuer.

      But yes, your terminology isn’t inaccurate on the whole.

      Although, perhaps it’s worth labeling this an opportunist — a shoplifter as opposed to someone who is in the business…

  29. We had a customer of ours that got hit with a denial by a CC processor because they were not ready for the chip cards. None of our customers are ready as of yet because our provider is not ready. Hopefully Q2-Q4 of this year we will start rolling out a solution to our customers. But, in the meantime processors are making our customers eat charges.

    And when we were discussing the liability shift here, the “bad consumer” topic came up. Nothing will keep the customers from doing this once they’re aware, unless the merchants just stop taking credit cards and move to NFC or cash only.

    I still believe the NFC transactions will be more popular in the US. Especially in the hospitality industry. We have restaurants with bigger footprints and drive thrus that Europe had no clue about. EMV works great in Europe, but I feel it will bomb hard in the US for several reasons. I think it’s already been left behind.

    • “I still believe the NFC transactions will be more popular in the US. Especially in the hospitality industry.”

      Eric: In Canada, the hospitality industry is the major holdout I’ve seen in adopting NFC terminals (at least MC PayPass and Visa PayWave), since they can’t direct you to a “tip amount” screen when using that method.

      Fast food is an exception to this.

  30. The only secure payment method is still and will always be cash.
    Software based systems can never be made secure enough to withstand hackers.