16 Feb 16

The Great EMV Fake-Out: No Chip For You!

Many banks are now issuing customers more secure chip-based credit cards, and most retailers now have card terminals in their checkout lanes that can handle the “dip” of chip-card transactions (as opposed to the usual swipe of the card’s magnetic stripe). But comparatively few retailers actually allow chip transactions: Most are still asking customers to swipe the stripe instead of dip the chip. This post will examine what’s going on here, why so many merchants are holding out on the dip, and where this all leaves consumers.

Visa CEO Charles W. Scharf said in an earnings call late last month that more than 750,000 locations representing 17 percent of the U.S. face-to-face card-accepting merchant base are now enabled to handle chip-based transactions, also known as the EMV (“Europay, Mastercard and Visa”) payment standard.

Viewed another way, that means U.S. consumers currently can expect to find chip cards accepted in checkout lines at fewer than one in five brick-and-mortar merchants.

Why are so many chip-capable checkout terminals already installed that have not been enabled to actually accept chip cards? Allen Weinberg, co-founder of Menlo Park, Calif. based management consulting firm Glenbrook Partners, examined this very question in a recent column that pointed to several factors holding retailers back from enabling dip-the-chip.

WHAT LIABILITY SHIFT?

New MasterCard and Visa rules that went into effect Oct. 1, 2015 put merchants on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip. The chip cards encrypt the cardholder data and are far more expensive and difficult for card thieves to clone.

Despite the increased risk of eating the entire loss from counterfeit card use in their stores, many merchants are taking a wait-and-see approach on enabling chip card transactions. Weinberg said some merchants — particularly the larger ones — want to turn the often painful experience of training customers how to use the chip cards and terminals into someone else’s problem.

“They see [chip cards] as just slowing down lines and chose to wait until consumers learned what to do — and do it quickly — at someone else’s store,” Weinberg wrote.

Weinberg adds that for many larger merchants, switching on the chip readers also can be a big and expensive project. Part of the problem, he says, is that many integrated point of sale systems — particularly the electronic cash register software for these systems — were just not ready in time for the Oct. 2015 liability shift.

“Even if the software was ahead of the game, they faced long certification queues at many acquirers,” Weinberg wrote. “I believe this is going to be a problem for a while.”

Visa said based on recent client surveys it expects 50% of face-to-face card accepting merchants to have chip card transactions enabled by the end of this year. But even 50 percent adoption can mask a long tail of smaller merchants who will put off as long as they can the expensive software and hardware upgrades for accepting chip transactions.

“My dry cleaner isn’t worried about someone using counterfeit cards at his cash register,” Weinberg said, noting that many businesses meanwhile discount the chances that hackers will siphon customer cards by sneaking malicious software onto point-of-sale devices — a problem that has led to one breach after another at brand name retailers, restaurants and hotels over the past several years.

AN INVISIBLE HAND

The United States is the last of the G20 nations to move to more secure chip-based cards. As late as the United States is on EMV implementation globally, the process of merchants shifting to all-EMV transactions is still going to take several more years. Visa has said it typically took about three years after the liability shifts in other countries before 90% of payment card transactions were “chip-on-chip,” or generated by a chip card used at a chip-based terminal.

Terry Crowley, CEO of TranSend, a company that makes software to help merchants and their equipment work with the EMV standard, said software code for card-accepting devices has historically been simple — so much so that it could be written on the back of a business card.

“But now with EMV, that same software wraps around the walls of a room three times…hundreds of thousands of lines of code,” Crowley said. “Historically, software was developed by terminal manufacturers and some-few contract programmers who kept up with the old-school operating systems, software development kits and so on for each terminal manufacturer. It was so easy that merchants and processors installed specialized tweaks that created countless variants in the marketplace.”

Now with the EMV liability shift deadline come and gone, Crowley says, suddenly there is a fire drill to replace all of this once-easy software and its countless variants. Compounding the problem, Crowley says, is that EMV code is hard to write and harder to push through the certification birth canal. What’s more, he adds: There are very few EMV software developers who understand the U.S. market.

Crowley predicts that plenty of smaller merchants could soon get hit with a wave of chargebacks from unscrupulous people abusing the liability shift at merchants that still don’t offer the chip dip.

“There’s an invisible hand at work that is about to kick everyone in the pants and accelerate U.S. dipping into EMV slots,” Crowley said. “If you use a chip card at a point of sale that says swipe — and you later say that wasn’t me — there’s very little a merchant can do to dispute that charge. It’s going to happen because what people aren’t thinking about is the friendly fraud. When people are made aware that if I swipe and I have a chip card, that lunch can be free if I’m a bad consumer.”

And the international [banks] are going to be the first ones to lay in, Crowley predicts.

“International card issuers are used to all these chargeback codes and minutia that goes around with EMV disputes,” he said. “They know the rules pretty well and have had EMV cards for years. So when this first wave of chargebacks starts hitting next month, things are really going to ramp up for EMV adoption by smaller merchants here in the U.S. It just takes one chargeback for those [smaller merchants] to get religion on EMV.”

MAD AS HELL?

If you’re curious about chip card swipe adoption in your area, take an informal survey: My own decidedly unscientific survey involved a shopping spree one recent morning to no fewer than seven different retail locations, which revealed exactly seven different chip-capable payment terminals instructing customers to “Please Swipe Card.”

So what’s the takeaway for consumers? Why aren’t consumers mad as hell about being asked to swipe their chip cards, thereby defeating the added security on the card?

For his part, Weinberg said he’s mad as hell, but he says if consumers get mad about anything chip-card related, it’s probably going to be about the 10-15 extra seconds it will take to dip the chip versus swipe the stripe.

“If anything, consumers are getting pissed off at how many more seconds it takes to do chip card transactions,” which require the consumer to keep the card inserted into the card terminal until the transaction comes back as approved, Weinberg said.

“We Americans care more about convenience than we do about security,” he said. “In the end, consumers hold their banks accountable for this stuff, because they’re the ones having to reissue the cards each time there’s another breach.”

Here’s another basic takeaway for any consumers still reading: Use a credit card and kick debit cards to the curb. If a thief makes a charge on your credit card that you didn’t authorize, a simple phone call can fix the problem. If the crooks manage to siphon all cash from your checking account, that’s a bigger problem that could take several days to sort out with the bank (and longer if you count any other businesses you may have just paid with a check).


248 comments

  1. I have been following the EMV trend pretty closely, and I have one major confusion that I am hoping someone can clarify. All chip-enabled terminals come with a magstripe channel on them so they can take cards that are not yet chip-enabled. But nearly all of these terminals are customer-facing.

    What happens when the customer just doesn’t follow directions and swipes a chip-enabled card because that’s their habit? Is there a way for the payment terminal to (programmatically) reject the swipe and insist on the customer using the dip method? That is, does the magstripe contain information about the card’s security features, or can the payment terminal tell the processor that it is chip-enabled when it submits the transaction?

    Because this ultimately falls on the merchant, and the liability shift requires a VERY high level of compliance. It could be decades before the necessary percentage of consumers are comfortable with the new payment interaction.

    • Nick, via software (and assuming the merchant is EMV deployed and operating), if a customer swipes a card, the terminal should tell the customer to insert their card so that the EMV chip can be read. Terminals will continue to have magstripe readers in the event the chip cannot be read. This is called magstripe fallback. In the past, if a card did not swipe, merchants could key enter the card number. Now, it’s chip first, then swipe.

      However, this leads to a conundrum in that there is currently no sunset for magstripe since it is the fallback. If we continue with magstripes on cards as the backup, then we will continue to see various counterfeiting related to compromised magstripe data and disabled chips.

    • Yes. Cards can include an annotation saying (digitally) “please tell user to dip me”.

      And any reader with a chip reader should honor that and display a note to the user to do so.

      Unfortunately, by the time the user has swiped, they’ve compromised their card for cloning and use somewhere else (that doesn’t have a functioning chip reader), which means they’ll eventually get a new card…

      So: always dip first.

      –It’s the same reason you should try https://{site} before http://{site} — speaking of which, @Brian: when will you switch to https by default?

      • @timeless, Crowley

        Timeless hits upon a key problem with prompt after swipe for chip cards, namely that a compromised system will have already grabbed the swipe data... and likely change to ‘enter pin’ for extra point.

        The issue is that we reinforce swipe first with the prompt after swipe approach. That is likely to make insert first as the first attempt even harder to extinguish as a behavior.

        Of note in at least one very large bank, customers swipe and enter pin in the branch at the teller. No insert, no chip first, second or otherwise. It is clear to me that they must be aware they are reinforcing the swipe first (and only), and thus are setting up problems for merchants. Perhaps just another blind spot good, yet with risk shifting it may be more.

        Secondly, regarding Crowley’s ‘absorb or pass on’ is exactly why all fraud ultimately is paid by grandma. There may be stickiness, lag times, and etc., but ultimately it hits grandma in lower rates of deposit, returns on retirement portfolio, higher fees, fewer economic choices, etc. It is the fallacy that risk shifting helps…given economic friction, in the aggregate, everyone is poorer.

        I will point out once again, as timeless has done re. Display on card, that the consumer has limited ability to authenticate the system being used. Thus even if we authenticate the users perfectly, we are only solving half the problem.

        I agree with timeless (in various posts) that mitigating scope, tokenization, and smarter cards are where we will end up.

        And again, Brian and others pulling and scanning bt, etc. are examples of users trying to authenticate the system. Had the consortium included consumers in addition to merchants, banks, processors, they may have seen into this blind spot better.

        Bottom line is risk shifting does nothing to lessen risk (financial cmbs disaster showed this well).

        Anyway, I am heartened that folks are working on the issues…we have made progress.

      • Timeless — Both EMV and magstripe contain the cardholder data in the clear. So even if you dip first, unless the terminal is using P2PE encryption, the bad guys already have your data and can still use it online (even if they can’t actually clone your card for use in retail). The prevalence of this misconception (especially at sites like this that are all about cardholder data theft) is disheartening.

        • Card issuers can request the CVV2 code for Card Not Present (CNP) transactions. This isn’t included in Tap/Dip/Swipe transactions.

          It isn’t great security, but it isn’t nothing.

          Unfortunately, the more issuers insist on CVV2 for all online payments, the less secure the number is, since it will inevitably be compromised.

          • Actually, the CVV2 number is generated from a formula that is based on the card number and expiration date. I’m sure the formula is known to the crooks. Given the rest of the data, if they have the formula, they don’t need the CVV2.

      • Read the screen first. From my experience EMV enabled terminals will say something to the effect of “insert or swipe card” whereas non EMV terminals will say “swipe card”.

        • Plus non EMV terminals will not tell you that you cannot insert your card. So you will sit there awkwardly waiting.

    • hey, Nick.
      good +certified EMV terminal software -like RevChip- WILL programmatically detect that a chip card has been swiped and prompt for a card dip.
      for Holiday 2015 shopping some retailers disabled the functionality so as not to slow down checkout.
      a few retailers may still be doing so.
      Best,
      Terry

      • I was told by a merchant services technical support representative working for a bank issuing VeriFone terminals using FirstData’s SoftPay, that even though their terminal software programmatically detects a chip card has been swiped and prompts the customer to insert it; for merchants using host capture (versus terminal capture), it does not also cancel the transaction initiated using the mag stripe data; which can lead to the possibility of a duplicate charge once the card is dipped, unless the merchant cancels the transaction and initiates a new one before the customer inserts their card.

        We have already experienced this and were told to refund the customer ourselves each time, where we had no knowledge of the duplicate charge until seeing our deposit statement, and where a single charge was listed on the terminal settlement report.

        This seems absolutely ludicrous to me; but I have not gotten the chance to follow up with FirstData, whose software *still* does not support chip-based debit transactions, which are run as chipped credit, leading to a host of problems. This seems like a class-action lawsuit waiting to happen just due to the difference in merchant fees associated with debit versus credit.

    • From a Card transaction approval/switching as well as fraud detection perspectives, there’s very much ways to deal with mag-strip vs EMV based transactions. It’s essentially a flag that gets used to determine what other data to check for.

      With fraud detection, you can generally tune the alerting/blocking parameters based on the type of transaction (Mag Stripe or EMV).

    • yes, the magstripe on a chip card identifies the card as such and the typical response to the customer when they swipe on the reader screen is ‘please insert card’. walmart, walgreens, home depot and target terminals are working examples of this terminal behavior.

    • Yes this happened to me at Walmart. I swiped and it said to insert the chip instead. I thought that was great that it did that cause I don’t know who in my area takes chip cards yet. So far only Walmart does.

      • So far Walmart’s systems were set up incorrectly. The chip bypasses pin code requirement. So basically if someone gets your card and it has EMV chip someone could rack up thousands of dollars in fraudulent charges very easily.

        • The US card issuers have generally adopted “chip and signature” over “chip and PIN”. I don’t have any cards that are chip and PIN. All of mine are signature, which obviously gives up some security for convenience and easier support for the banks (people forget PINs).

      • I was just re-issued a chip-and-pin ONLY card from a major US retailer about 6 months ago. My only option when purchasing there is dip and PIN.

    • As a regular user of this type of system, I can assure you that a chip enabled card will have a swipe rejected and be required to use the slot instead. As to the time factor there is very little difference in time due to both systems requiring a network connection and its associated response, the times of which will vary. I’d rather a terminal with a persistent connection than a dial-up which seems to be the case with many small businesses.

    • The magstripe contains information on that there is a chip on the card. This shall cause a compliant terminal to request the Cardholder to use the chip. If the customer is using the magstripe in an EMV terminal, then the terminal shall mark in the transaction data that this was a ‘fallback’ transaction. The card schemes have ‘incentives’ to ensure that not too many fallback transactions are processed.
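The chip-first rule and the fallback flag described in the replies above (the magstripe identifying the card as chip-capable, the terminal prompting for a dip, and magstripe fallback only after the chip cannot be read) as an added, runnable example; this is not code from the post or from any terminal vendor. The Track 2 strings use well-known test PANs, and the fallback-rate threshold is a constructed value.

```python
"""Chip-first handling of a swiped card at a chip-capable terminal.

Added example, not code from the blog post or any terminal vendor. It
parses the ISO/IEC 7813 Track 2 string a magstripe reader returns, reads
the service code (its first digit says whether the card carries a chip),
and applies the rule the comments describe: a chip card swiped at a
chip-ready terminal is refused with "please insert card"; a swipe is only
accepted, and flagged as a fallback, after the chip read itself failed.
Track data, PANs and thresholds below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Tuple

# Track 2: ';' PAN(<=19 digits) '=' YYMM service-code(3) discretionary '?'
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def chip_present(self) -> bool:
        # Service code first digit 2 (international) or 6 (national):
        # "integrated circuit to be used where feasible".
        return self.service_code[0] in ("2", "6")

    @property
    def pin_required(self) -> bool:
        # Third digit 0, 3 or 5: issuer requires a PIN.
        return self.service_code[2] in ("0", "3", "5")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; a failure usually means the stripe was misread."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("malformed Track 2 data")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check (misread stripe?)")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def handle_swipe(raw_track2: str, terminal_chip_ready: bool,
                 chip_read_failures: int, max_chip_attempts: int = 2) -> Tuple[str, str]:
    """Return ("REJECT", prompt) to send the customer to the chip slot, or
    ("ACCEPT", entry_mode) when the swipe may be submitted. Entry-mode labels
    are symbolic; the numeric POS entry mode codes vary by scheme/processor."""
    card = parse_track2(raw_track2)
    if card.chip_present and terminal_chip_ready:
        if chip_read_failures < max_chip_attempts:
            # Chip-first: the stripe data is not submitted at all.
            return ("REJECT", "PLEASE INSERT CARD")
        # Chip unreadable after the allowed attempts: accept the stripe but
        # mark the transaction as fallback so acquirer and issuer can see it.
        return ("ACCEPT", "MAGSTRIPE_FALLBACK")
    # Stripe-only card, or a terminal whose chip reader is not enabled
    # (the situation the post describes): ordinary magstripe transaction.
    return ("ACCEPT", "MAGSTRIPE")


class FallbackMonitor:
    """Flag a lane whose share of fallback swipes is abnormally high: the
    schemes discourage excessive fallback, and a jump at one lane is a
    reason to inspect that chip reader for damage or tampering."""

    def __init__(self, threshold: float = 0.2, min_transactions: int = 5):
        self.threshold = threshold          # constructed values
        self.min_transactions = min_transactions
        self.total = 0
        self.fallback = 0

    def record(self, entry_mode: str) -> bool:
        self.total += 1
        if entry_mode == "MAGSTRIPE_FALLBACK":
            self.fallback += 1
        if self.total < self.min_transactions:
            return False
        return self.fallback / self.total > self.threshold


# Constructed stripes using well-known test PANs, not real cards.
CHIP_CARD = ";4111111111111111=2512201000000000000?"   # service code 201: chip
STRIPE_ONLY = ";5555555555554444=2512101123456789?"   # service code 101: no chip
```

Note that `handle_swipe` with `terminal_chip_ready=False` is exactly the "Please Swipe Card" lane the post describes: the card is chip-capable, but the terminal never asks for the dip and the transaction goes through on the stripe.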

  2. Commenter, Shannon, highlights one of the key conundrums arising with U.S. EMV:

    Honest/hardworking merchants want to adopt EMV, but are suffering “unfightable chargebacks” because their processor hasn’t yet provided EMV software. Worse yet, punitive terms within their processor contract make it very difficult to switch to another provider who has EMV working. As a result, merchants are being caught between a rock and a hard place.

    Cost of Security has a lot to do with resolving the conundrum. EMV software, particularly for the U.S., is somewhat complicated to author and takes time/money to certify. It also needs to be updated periodically to protect against new threats. Payment processors are struggling with how to absorb-or-pass-on this new Cost of Security.

    Card issuers who read Krebs will surely testify to their contribution to the Cost of Security with re-issuance and infrastructure upgrades. It would be interesting to get perspectives from readers on the merchant side about the Cost of Security.

  3. Ally bank refuses to issue chip+pin cards. What banks actually care about their customer security?

    • Good question.

      USAToday [1] says per creditcards.com [2] only 2/5 do, and generally only for wealthier customers.

      creditcards.com [2] has a nice list:
      Chase
      Citi
      BoA
      AmEx
      CapOne
      Discover
      Barclay
      Hilton
      CreditOne
      BritishAir
      AlaskaAir
      Expedia
      USAA
      TD
      Marriott

      [1] http://www.usatoday.com/story/money/personalfinance/2015/09/30/chip-credit-card-deadline/73043464/
      [2] http://www.creditcards.com/smart-emv-chip.php

      • Don’t know about being wealthy, but we asked one of the companies shown above for a pin for our chip cards and they complied.

      • I received 2 chip cards from the banks above but they would not give pins to me. So I dip and then have to sign. Seems to defeat the purpose to me. Anyone else getting that from their CC banks?

        • My experience has been that most places in the US are still chip-and-sign, not chip-and-PIN. Even when I used my EMV credit cards in Germany this past year, I was still asked to sign a receipt instead of entering a PIN. Seems to defeat the purpose, IMO.

          • Chip+Sign will protect you against someone cloning your card, because a skimmer reading the transaction won’t get enough information to replicate the full functionality of the chip.

            Chip+PIN will also protect you if your (legitimate) card is lost or stolen.

            A Chip+Sign is not as good as a Chip+PIN, but it is still a whole lot better than swiping (where a skimmer can get all the information necessary to create a perfect clone of your stripe.)

        • The security really is in the chip and not in the PIN.

          If I give you a piece of paper and you sign it and give it to me, I can now draw your signature on something else.

          If I give you a terminal and you enter a PIN, I can now enter your PIN on any other terminal.

          OTOH. If you dip your Chip into my terminal, your chip doesn’t give me the secret data it uses to sign a transaction, so even though I (and anyone else who has hacked the keypad w/ an overlay or camera) now know your PIN, I can’t* emulate your card for another Chip transaction.

          * This assumes that your card’s protocols aren’t buggy and that your bank properly validates the data that terminals send it. Your mileage may vary, but when it does, threaten to get a better bank (i.e. drive away, and fast).

          • Unfortunately, I found Chip+Sign cards are often not accepted at kiosks outside of the US. Case in point: no one I’ve asked (BoA, AmEx, my small regional bank) was able to offer me a chip+pin card ~1 year ago when I traveled to Europe. My chip+sign card from BoA worked at merchant counters no hassle, but not the train kiosks. This meant waiting ~ 30 minutes for a teller and some translation difficulties that could have easily been avoided.

            • With time, those systems will be upgraded to support Chip+Sign.

              They’re suffering from early adopter penalties.

              In some places you can buy a transit card with running balance elsewhere and use that.

              I’m sorry about this part. You can tweet to the various merchants who don’t accept your card and complain (include an @ to your issuer). Public consumer pressure can speed things along (and it’ll also help others be alerted to the problem).

  4. Planet earth as correctionalcenter

    Order from chaos, first there is nothing and then it become something in order to bring complete order there must be chaos in first place so more the crooks criminals taking advantage of vulnerable system the more stronger the system gets so humans are on this planet earth like in correctional center mankind will get better and better everyday thru the experience so people want safety then they lose liberty and once the liberty is lost they want back this so first was banking system weak so now it gets stronger and better we all have 1 goal here and it’s just to get corrected so welcome to planet earth as mankind correctional center!! Remember when there is complete chaos then there will be placed on day complete order and our actions are related with everyone first credit cards was complete chaos no chip just go and buy dumps, but now slowly slowly it gets on order so we see everyday that thru the bad experiences we get more and more corrected!! So who think I’m wrong ??

  5. This is a disorganized effort anyway. Why do some stores have me sign, some have me enter a pin, some nothing?

    Plus the pin check of the emv’s is flawed, so a stolen card really has little protection now.

    I sometimes think there is some gain for allowing cc fraud to continue in the minds of the card companies but I can’t figure out what it is.

    • re: pin vulnerabilities, i believe only the old Static Data Authentication method was vulnerable to blocking and MITM. This reference page has significant info on the standard.
      http://www.smartcardalliance.org/publications-emv-faq/#q5

    • Hi Rick,

      To answer your questions…

      Some stores do not require signatures on credit transactions depending on the dollar amount of the transaction. Signatures are used by retailers when a customer claims that they didn’t use a card at that location, and a chargeback request is initiated.

      Large retailers, like Target and Wal Mart, have their threshold for signature set at greater than $50USD, because they make more money in the time spent not gathering signatures than the losses they incur due to fraudulent charges (by allowing more transactions to take place, per hour/day/month/year). Smaller mom and pops stores will often require a signature on all transactions, because they want to recoup all money lost – they don’t want to accept a loss, for example.

      Some retailers have the customer enter a PIN automatically on a debit card if they have PIN debit capability. A store that does not have PIN debit capability will still allow for a debit card to be used without the PIN as a credit card. It may seem silly, but some stores may not want customers to enter a debit PIN into their system, or simply do not have the capability.

      If you want true security when making a payment, I highly recommend using Apple or Android Pay. If the merchant is not utilizing Point to Point Encryption (P2PE) along with other methods of security, its only a matter of time before the retailer has a compromise.

      I won’t touch the subject of how the CC brands profit from fraud/breaches.

  6. Kroger has gotten greedy and is forcing all customers with chip cards to enter a pin (think 0.25 cents to process a debit transaction versus 3% for a credit transaction). This is at a store that performs no checks, daily, weekly or monthly, for skimmers.

    I am an employee there and I’ve stopped shopping there. They can have my PIN when they show the same vigor protecting my banking details as they do protecting their cash.

    • Kroger is not forcing PIN as much as they’re going with the issuer recommendation. The issuer defines the verification method order (PIN, signature, no verification). All Kroger is doing is falling in line with the customers’ bank preference. As Kroger, I would be concerned about training if this is how my employees interpret these actions.

    • Kroger checks for tampering consistently. No better retailer when it comes to trying to maintain customer privacy and protection.

    • Must not be a consistent thing, because I’ve been using my chip-containing card at our local Kroger for months now (self-checkout and the pharmacy), and it hasn’t once forced me to enter a PIN.

  7. Thanks for the explanation Brian. I have been wondering. In the small town in which I live in SW Washington state most of the merchants at which I shop have chip enabled card readers but only two, Walmart and Home Depot, have started using them.

    As you say, once merchants start getting hit in the wallet things will probably start to change much faster.

    • Another issue a lot of merchants are having an issue with is vendor support, both software and hardware. Our hardware supports it, but software does not, and we will not see a build that does until possibly Q4 2016. Then months of QA testing and rollout to make a Q3 2017.

      Some may ask why not switch vendors… When you have hundreds to thousands of stores, it is not that simple. That could take years as well. These vendors have a hold on you and they know it. How many of them will be ready for the Windows 7 EOL? Probably not many, just like the XP EOL.

  8. A restaurant client of mine says he doesn’t want to be upgraded because he was told by the Aloha POS vendor that the system will automatically prompt for a pin in a chip and pin transaction, even in a sit down restaurant environment. Is this true? It really would only make sense if that were the case for counter serve restaurants and other scenarios where the terminal is customer-facing.

    • So we switched to chip + pin only sometime last year in Australia. At first people need to go to register if they want to pay by card but now they have all these wireless enabled (via mobile network) card terminals so wait staff can bring the terminal to the table if customers want to pay by card. Pretty much all the restaurants in Sydney have wireless enabled card terminals these days. It also eliminates the need for an extra landline for the restaurant as well.

      • This.

        For credit and debit transactions we have the chip & pin. It doesn’t take any more time than a swipe, so it must just be the perception of more time because you haven’t put your card back in your wallet early enough.

        For sub $100 CREDIT transactions we use Paypass/tapngo/NFC or whatever. These are pinless, but the bank is still responsible for any fraud.

        • Indeed, we’ve used chip and pin for blooming ages in the UK, this paranoia about checkout speed is bizarre, it really is not an issue. In fact compared with print and sign, it’s at least as fast.

          Going contactless is even faster, it’s been commonplace here and indeed it’s now unusual not to be able to tap for under £30 transactions.

          • Part of the obsession with speed is the merchants themselves. Checkers are measured by managers on their number of scans per minute, number of customers per minute, all the minute and infinitesimal statistics. They are scored and disciplined if they do not reach specific (often hurried) goals by managers. In the US retailers have an obsession with the numbers rather than the quality of the numbers or the customer experience.

            • I always swipe my card (or insert it when the vendor supports chip) and finish the payment process while the cashier keeps ringing up the goods. In most places (except self-checkout) you can swipe the card as soon as the first item has been scanned.

              I hate people that stand like sheep, doing nothing for 2-3 minutes until all the items have been scanned, and then start digging in their purse for the card…

              • In my supermarket, it won’t accept the swipe until the cashier initiates the interaction with the cash register. If you swipe a moment too soon, you must start over.

      • We have these handheld wireless chip and pin terminals in the UK. Given how little attention most merchants pay to the security of their wireless network – could these be subject to a Man in the Middle attack? A virtual skimmer!

        • I won’t comment on the likelihood of a MitM attack because I don’t know the systems involved well enough, but I would like to stress that the data obtained from a chip read is not sufficient to counterfeit the card – so intercepting your POS comms is of minimal value to criminals.

          When I started working against fraud, Germany was the world capital of card skimming/counterfeiting. Since they became fully EMV chip & PIN compliant I have seen *zero* counterfeit frauds following card use in Germany. For years now.

  9. I always assumed if there was a place to dip the chip then I should. However people always seemed upset with me dipping the chip because it was never enabled and you could tell they’re tired of telling every customer. Now I always swipe the card until someone tells me otherwise. What’s interesting about this is if you swipe the card you will actually be told by the terminal, if emv is active, to retry by dipping the card. Now I assume there’s something on the stripe that tells the terminal this is a chip based card. Maybe this isn’t good logic for me. If I’ve already swiped my card then the terminal already read my stripe containing the numbers so what good is it to actually insert the chip other then paying for merchandise?

    • From a security perspective, swiping first is bad (see another comment by me).

      Each time you’re told to swipe, ask when they’ll enable it, and tell them that you’re considering changing merchants until they switch, because you’re tired of having your card reissued each time some terminal is compromised.

      That’s the only way you as a consumer can influence things.

      It’s best if you can name a competing merchant that has enabled it.

  10. Remember 19 out of the G20 have already successfully adopted this. I’m in Australia (where EMV was made mandatory by MasterCard in 2013), and an EMV transaction takes 1-3 seconds generally. Also, you’re not reliant on how clean your mag stripe is or the POS mag reader; so there’s no need to re-dip as often as you generally have to re-swipe.

    Given the US is a very late adopter for EMV, I would have assumed that much (by no means all) of the coding work as well as roll out and support issues would have been discovered and worked through already in other countries. I understand every country’s different, but statements indicating up to 15sec transaction latency or that Americans are somehow different with regards to acceptable trade-offs between Convenience and Security seem to have an agenda behind them.

    I think that agenda for US companies is to take advantage of US Early Adopters who will have a “cost” in educating their customers; but in doing so they create a positive externality for everyone else. The last adopter gets the easiest ride. It’s the same strategy and payoff the US has used in their EMV adoption, but now it’s localised. They’re each waiting for the other guy to “blink first”. I suspect, once a big US player has a policy for EMV to be “preferred”, there will be a rush of adoption following that (think penguins).

    • Here in the UK, a supermarket called Tesco has really fast EMV terminals: almost immediately after entering the PIN, the terminal shows “transaction complete, please remove card”. I’m not sure why the other large merchants or the US don’t have this speed. As far as I found, Tesco is the only company that has this speed.

      • I think Tesco do the authorisation with the issuer before the PIN is keyed rather than after. Time between inserting and removing the card to make a payment isn’t really any faster at Tesco in my experience.

      • KrebsonSecurityFan

        Who makes Tesco’s EMV terminals?

  11. Great piece

  12. Home Depot will not allow you to swipe a chip card. If you have a chip card, you have to dip the chip.

    • But then, after a long wait—they ask you to sign. The complete process is MUCH slower than the old swipe.

  13. Apple Pay is the best! Not only is it secure, but also lightning fast.

    EMV has proven to be quite slow, and a pain because you can’t put your wallet away right away, but have to wait for the transaction to finish before you can pull the card.

    I’m also really disappointed they don’t require a PIN or some second form of authentication. Instead some vendors are still requiring an absolutely useless signature, which I insist on signing: “Mickey Mouse”

  14. In India, we had a Chip in the credit card for more than a year now. I am not sure how safe it is – wherever I present my card in India, he dips it into the reader and I have to enter the ATM PIN. In a retail store, there are at least who can look at the PIN I am entering! Every merchant in India (or at least the ones I have been to in big cities) have this chip reader nowadays…

  15. FWIW, I’ve been living in Switzerland (Zürich area) since 2012. I never, ever had to swipe, anywhere. It was “dip” from the beginning. And yes, the delay can be a bit annoying, especially if there’s a long queue.

    Now the trend is towards “bump”; most large retailers (e.g. Migros and Coop) allow for contactless credit card payment. They don’t even ask for a PIN below CHF 30 or 40. I often wonder how secure *that* is.

    • Jim,
      if you have a CC issued from a US, UK, etc. bank that supports Pay, and an iPhone 5s (plus Watch) or an iPhone 6/6s, you can use Pay at Coop, Migros, Jumbo, IKEA, McD (Visa), BurgerKing, even single restaurants down to little barbershops (each of the foregoing I use AMEX at), and although I haven’t been able to find a single gas station taking Pay, my local Coop station recently installed NFC POS terminals with the intent of taking NFC/Pay payments in March or so.
      Cheers from the Ostschweiz,
      Bob

    • It’s secure, because the card cannot be copied in the transaction process. The risk with this type of transaction is all down to lost or stolen cards.

  16. So it is time to get the blocker wallets? Or to tinfoil the new cards? No more carrying the credit cards in my checkbook. Darn. Years ago, the 2600 group had an article on hacking EMV enabled devices. They used a briefcase device and were able to read at a 60 foot radius. That was years before I retired, finally in 2005. Now let’s add a few years development to that.
    Now, recently, there have been reports of new wiring to ATMs? And better looking covers in the US at retail, could we be looking at the start of the downfall of the EMV card? Intercept the CC reset, of the machines? Cards and types, not necessarily looking for the card and user, but the two way stream to use the card? There has to be a common start. To identify the process, to who to charge, to who to credit.
    This is where the money is, so, like Willie Horton, banks, and no one seems to be taking the bad guys out of business. The mob is still active. And schools still teach the gods and devils.

    • You need a blocker wallet or sleeve for your cards with a chip and your U.S. passport.

    • Don’t confuse two different things.

      The gold EMV chip and the embedded RF chip in a tap to pay card are not the same.

      There are how-to articles on the internet about disabling the RF chip by punching a hole in the card where the RF chip is.

      Or you could do as I did, both with US Bank Visa and AMEX, and request replacement cards with EMV but w/o tap to pay. A better alternative is to get into the Pay way. If you retired at 65, then you are 8 years younger than my mom and she is using Pay almost exclusively on AMEX, or absent AMEX, Citi Visa from her Watch. There is no easier or safer way to pay today (and you get rewards as well.)

  17. I like the ‘two step’ authentication where they call/text you on your cell and ask if you want it done. If they’d give me a ‘three step’, whatever it entailed, I’d use it.
    I think about making up new profanity to describe these A-holes that think there is no karma.

    • I can’t say I am a fan. To use an example, let me explain the steps required to purchase something with PayPal.

      First I have to find my keychain, as this is where the Yubikey lives. Plug that into the USB slot, use it (together with a password) to open up the password vault, find PayPal in the vault and then copy the password to the web page.

      Now it wants to send a text to verify. So now I need to find my phone, use my fingerprint to unlock the screen (sometimes takes several tries), find the text message that it just sent, and mentally note down the stupid number that it just sent me, and copy it back to the web form.

      There are times in the evening when I don’t have my keyring or my phone with me, and I just decide to not bother as it is too much of a hassle to go fetch the thing. Even when I have all of these things, it gets to be a nuisance.

      • If you’re willing to compromise your security, you could get Google Voice, and change your sms to deliver to the Google Voice number, that would be an email in your mailbox (in addition to an sms to your mobile — it forks).

  18. That Heartland Guy

    For those concerned about man-in-the-middle attacks on chip transactions for wireless/wifi terminals- the concern is little. If there is a man-in-the-middle attack, the bad guys only get the tokenized card number. The power of the chip card transaction is that the actual account number is tokenized before it reaches the POS. The token is effectively useless to the fraudsters since it’s signed by a secure private key exclusive to the card itself.

    Most people see the chip card and assume it’s a passive device. The truth is when a card is dipped, the chip is activated and works similar to a computer. The POS has to request the chip to power up, the chip checks a public key that the POS will have for communicating with the chip, and then determines how the transaction proceeds (or doesn’t).

    What’s interesting about the mag stripe on a chip card is the fact that even the raw track data that the bad guys could glean from the stripe still says the card is a chip card. If they duplicate the track data to new plastic, the fraudulent card is swiped at a retailer, they’ll still get a request to dip the chip.

    EMV isn’t perfect, but it’s far less flawed than regular mag stripe transactions.

  19. I don’t get it. In Canada we’ve had the chip cards for over five years at this point. EMV vendors “not understanding” the US market just falls flat with that. It’s not that much different, other than the number of banks out there.

    Then there’s the “wait for training” comment. The first week of October I was at Walmart in the States and I had to chip+pin my credit card. If a large retailer like that requires it, the argument falls flat on its back.

    I, too, was annoyed how long it takes to chip+pin. Not the part where I enter my PIN, but the communication afterwards. This has largely been alleviated by the contactless technologies that seem to be built into all my cards. So, that argument is also not going to hold water.

    Lastly, not sure who coined the phrase “dip the card”, but it sounds lame. Everywhere else it’s called “insert” rather than “swipe”, and I don’t see why a country coming to the game ten years late should try to invent a new term for it! 🙂

  20. My experience has been that a lot of stores (drug stores, groceries, liquor stores, department stores) have the terminals in place to deal with chip cards. However, all of them have swipe & sign, plus a special slot for chip cards (is that “dip”?), and a “wave” reader as well. Unfortunately, in only one of those stores was anything other than the swipe & sign enabled.

    Having three choices, only one of which actually works, definitely slows down checkout.

  21. Finally, an article in the local news. In KC there are un-noticed chip readers. Inside the gas pumps. One of the servicer agents caught/found two this week that were Bluetooth enabled. Then the article goes on about security tape. But it talked about this being the third device this week. No other information proffered. Apparently no investigation, no police, and no problem. Guess it’s legal.

  22. Anyone catch the article on /. (that means slashdot.org) on the Russian guy, with a point of sale device, getting on a subway? Remember RFID can be read; Faraday cages mean your card will not be read. Also, don’t set your purse down next to a reader, that may be a tap. Not trap, but tap. The closest RFID object will be read; you may be trying to pay with one card, but is another interfering? Another interesting article, about 2000, was on RFID inventories: you had to read each item, barcode, with each device, and associate with each RFID chip, but there were only so many numbers then that could be associated, and each frequency, therefore the readers had to be multi frequency. And resonance frequencies overlapping. Makes me wonder?

    • Payment cards use NFC not RFID – it’s packet-switched on one frequency, not frequency-switched. RFID is a passive system and easily copied, while NFC is an active system with exchanges of cryptograms and transaction counters that make copying the chips pointless even if it were possible (provided implementation by the issuer is correct, which it generally is these days). With the right equipment you can read some information off a NFC card, sure – it’s a neat party trick for security researchers and conspiracy nuts – but not enough to copy the card itself.
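The claim running through the MitM reply above, “That Heartland Guy” in comment 18 and the reply to comment 22 (an eavesdropper who captures a chip transaction still cannot counterfeit the card, because the cryptogram depends on a key that never leaves the chip and on a counter that only moves forward) can be shown with a simplified model. This is an added example, not code from the post or its commenters, and it does not reproduce the real EMV construction: HMAC-SHA256 stands in for the card’s keyed MAC, the PAN and key are constructed, and issuer processing is reduced to a counter check plus cryptogram verification.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def mac(key: bytes, pan: str, amount: int, atc: int, un: bytes) -> bytes:
    # HMAC-SHA256 stands in for the card's keyed MAC (a simplification).
    msg = b"|".join([pan.encode(), str(amount).encode(), atc.to_bytes(2, "big"), un])
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Card:
    pan: str
    key: bytes  # card-unique secret: never leaves the chip
    atc: int = 0  # Application Transaction Counter, +1 per transaction

    def cryptogram(self, amount: int, un: bytes):
        self.atc += 1
        return self.atc, mac(self.key, self.pan, amount, self.atc, un)


class Issuer:
    def __init__(self):
        self.keys, self.last_atc = {}, {}  # per-PAN key copy and last counter seen

    def enrol(self, card: Card):
        self.keys[card.pan], self.last_atc[card.pan] = card.key, 0

    def authorise(self, pan, amount, atc, un, cryptogram):
        key = self.keys.get(pan)
        if key is None:
            return "decline: unknown card"
        if atc <= self.last_atc[pan]:  # the counter must move forward
            return "decline: counter replay"
        if not hmac.compare_digest(mac(key, pan, amount, atc, un), cryptogram):
            return "decline: bad cryptogram"
        self.last_atc[pan] = atc
        return "approve"


def terminal_purchase(issuer: Issuer, card: Card, amount: int):
    un = os.urandom(4)  # terminal's unpredictable number
    atc, cryptogram = card.cryptogram(amount, un)
    # Everything a man-in-the-middle on the terminal's link would see:
    observed = dict(pan=card.pan, amount=amount, atc=atc, un=un, cryptogram=cryptogram)
    return issuer.authorise(**observed), observed


def demo():
    card = Card(pan="4000001234567899", key=os.urandom(16))  # constructed PAN/key
    issuer = Issuer()
    issuer.enrol(card)
    first, captured = terminal_purchase(issuer, card, 2500)
    replay = issuer.authorise(**captured)  # captured message sent again
    # A forged purchase: attacker has the PAN, counter and old cryptogram but no key
    forged = issuer.authorise(card.pan, 9900, captured["atc"] + 1, os.urandom(4),
                              captured["cryptogram"])
    second, _ = terminal_purchase(issuer, card, 1200)  # genuine card still works
    return first, replay, forged, second
```

The replay is rejected on the counter alone, the forged purchase is rejected on the cryptogram, and the genuine card’s next transaction is still approved.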

  23. In New Zealand we have been using chip cards for a while now (I’m not sure but at least 3 or 4 years I think) and recently we have now got contactless on said chip cards.

    Talking about the problem of time, the contactless system is by far faster than the swipe system; here in NZ any transaction below $80NZD the card is the only auth. used (over $80 you need to use a PIN), so at the checkout tap your card on the terminal, wait a second for it to process and you are done; if it’s over $80 you just need a PIN.

    Also the bank or credit card issuer cover fraud on the contactless system if you lose your card.

    I’m surprised at how long it’s taken the US to take this up.. but then we had a big upgrade years ago so that all the terminals could accept the chip cards which I think was kinda forced on the market by the banks or credit card companies and we are a much smaller market than the US…

  24. It annoys me to no end when a credit card is touted as being more secure than a debit card. Yes, having all your cash gone would suck but where are people living that it takes days to correct? It’s probably easier to use credit and keep the cash locked away, but people don’t need to fear contacting their bank about fraud and asking for provisional credit. One phone call usually gets a provisional credit issued. If this isn’t the case, find a new bank. The same fraud detection in place for credit cards is being more widely used for debit as well. No bank wants to be on the hook regardless of debit or credit.

    • Yet it is a false equivalence to suggest that having your money in your bank in the case of CC fraud is the same as having no money in your account, having to request credit, and hoping everything sorts itself out.

      Your position is as unfathomable as is your annoyance.

  25. Mr. Krebs, long time reader, first time commenting…

    Last fall we went on a 12 day trip to Ireland (highly recommended!) In preparing for the trip we got EMV cards for our purchases and cash withdrawals. They worked perfectly, everywhere. It took us one time and about 3 minutes to master their use.

    Now the interesting observation. We went all over the country for 12 days and nowhere did we find the card processing system connected to or integrated with the point of sale system. In every case when we presented a card, the merchant pulled out a standalone card processing device to complete the transaction. We did not see a single fuel pump where you pay at the pump. Grocery stores had their checkout lanes oriented back to back so two lanes could share a card processing device. The card processing devices used the phone system, not the merchant’s network or the Internet.

    Think about it.

  26. Sad / amusing point. Here in the U.S. basically all the wireless card functionality has been dumped over the last several years (Citibank just dropped theirs, had to request it previously, with the new chip cards) and that was partly because of the perceived security issue with the wireless cards but also because you didn’t get a benefit compared with just swiping (timewise).

    Now that we’re switching over to Chip cards, there is a time penalty and we’ll have to wait for the banks to realize this is a solution to a problem and bring contactless payment functionality back to the chip cards as it will be noticeably faster for the consumers.

    ApplePay and GooglePay are both wireless, secure and significantly faster than Chip and Sign… but a lot of merchants disabled their wireless functionality when ApplePay came out… so we’ll have to wait for the Merchants to see this is a solution to a problem for them too.

    • I noticed that, too; in fact my old AmEx card was contactless, but my new chip-enabled one is not. In fact the chip is exactly where the old RFID chip used to be (I can tell because the cards are transparent.)

  27. Of course consumers don’t care, they’ve got no reason to–the bank issues and accepts liability either way. Cardholders, myself included, will just use whatever the bank wants us to use in good faith and leave it at that.

    That being said, what *does* aggravate me as an end user is that most retailers that have the readers installed but deactivated don’t indicate this, and others force the use of the chip if the card has it. This leads to a lot of 10-15 second delays futzing with the wrong interface.

  28. Sure, your experiment is unscientific. But the way you convey the results is deceptive as well.

    If you visited “no fewer than seven” stores, that means that you visited 7, 8, 70, 700, 7 million, etc. Any of those values are no fewer than 7. So when you say that 7 of those chip-enabled stores asked you to swipe your card, that could be 100% of them, or nearly 0% of them. Without knowing how many you visited, your statement has no value.

    • Your post is very precise, pedantic even, and yet I’m sorry, as I’m having great difficulty finding a productive point in it.

  29. Galaxy Hitchhiker

    I just had to give kudos to SeymourB’s comment above. You made my day, Seymour. Made my day. Thanks (but not for all the fish).