It's depressing to see the US still treating EMV cards like a strange exotic novelty while Europe is already upgrading those again and moving to NFC-enabled cards after EMV has worked without any major issues for 20 years.
For small, repeated transactions you just hold the card to the reader and are done in 1-3 seconds. The first transaction on each reader and random transactions every $20-50 (and all transactions above a $20 limit) will require chip+PIN verification, which seems to cut down fraudulent transactions for now.
More like 10 years. UK + Europe rollout of chip+pin/EMV + incentivised liability shift was around 2005/2006, and has reduced card fraud by around 70% in most countries. Contactless/NFC payment facilities have been pretty widespread (at least in the UK) since 2010 or so, and since the last couple of years or so are pretty much ubiquitous.
I suspect that America being so backwards in this respect has a lot to do with the power and influence wielded by corporate lobbyists in congress.
In the US (even without a chip) you usually don't need to sign for smaller transactions - the shop assistant just swipes your card and it's done. This can even work on some European cards there (it did for my UK credit card).
Chip-and-PIN was invented to make card transactions more secure at a time when most transactions were 'offline', i.e. there was no direct connection from the card terminal to the issuer, so it wasn't possible to ask the issuer whether a transaction should be allowed. To attempt to combat card skimming, the chip was added, and terminals upgraded to require the PIN to be entered if the card had a chip [1].
Nowadays almost all transactions happen 'online', so the bank is asked whether the transaction should be authorised first (this is why there is sometimes a delay on terminals as they connect to the issuer). This means the issuer can run their own fraud detection before the transaction takes place. In the US they took this a step further, and just used that instead of requiring a signature to be collected for most purchases. To the end user it's an even better experience than NFC provides.
[1] This also means you have no reason to give your card to anyone, when the card needs to be inserted above/below the PIN pad, so it prevents another opportunity for skimming.
> The first transaction on each reader and random transactions every 20-50$ (and all transactions above a $20 limit) will require chip+PIN verification
Not necessarily. In the UK (at least, at the banks where my fiancée and I hold accounts), you need to enter your PIN:
1) On the first transaction after activating a new card
2) On transactions above £30 (~$45) starting 1st Sep 2015 (however apparently some terminals have the former £20 limit hard coded and require a firmware update to increase the limit)
3) On random transactions
In the case of the random PIN verification for contactless payments, the frequency with which these are required isn't entirely clear. I have spent ~£100 over numerous successive contactless transactions (local store then rounds of drinks at the bar) without requiring PIN verification. In fact, I've never needed to enter my PIN - every contactless transaction has been automatically approved.
Over a typical week, I conduct a good mix of contactless and Chip-and-PIN transactions, so my risk profile might be different from someone who has, for example, an 80/20 contactless-to-chip ratio.
I'm unsure whether the PIN verification requirement is triggered by the application running on the card or by the transaction processor. This might actually be covered in the EMV spec [1].
I believe the fact you haven't been caught by the random transaction issue is because you use Chip&Pin a lot, which might reset the contactless counter (since it knows that you have the pin, so you're likely the card holder)
When I went to the MetroCentre the other week, I did about 5-6 contactless transactions in a day (probably somewhere around £100 spent total); by the end of the day my card got declined and I had to use Chip&Pin, so it does definitely happen in the UK, though the limits may be quite high (I wonder if this may also vary based on the bank; I'm with a certain bank which refused to give me a contactless card until I had a credit check).
This is the first time since I got the card (quite a few months ago) that it was actually declined however, so it's quite a rare occurrence.
As for the EMV spec, it sounds like the terminal is the one that decides whether or not to request Chip&PIN:
During kernel processing, the kernel will determine from the acceptance environment and issuer settings in the card whether a cardholder verification is needed for the transaction. Methods that may be supported are online PIN and signature – offline PIN is not suitable due to the “card in field” timing issues.
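To make the counter behaviour discussed above concrete, here is an added example (not code from the thread, the EMV specifications or any issuer): a simplified model in which the terminal enforces a CVM-required amount limit and the issuer keeps velocity counters (first use after activation, consecutive taps, cumulative tap amount) that reset when a PIN-verified chip transaction completes. The limits, counter names and reset rule are assumptions chosen to illustrate the behaviour, not real parameters.

```python
from dataclasses import dataclass

# Added example (not from the thread or the EMV specs): a simplified model of the
# contactless cardholder-verification decision. Limits and counter names are
# assumptions chosen to illustrate the behaviour discussed, not real parameters.


@dataclass
class TerminalLimits:
    # Reader CVM-required limit in pence; above this a tap is not allowed without
    # cardholder verification (£30 here, as in the thread's UK example).
    cvm_required_limit_pence: int = 3000


@dataclass
class CardRiskState:
    # Issuer-side velocity counters (assumed names and values). They reset
    # whenever a PIN-verified chip transaction completes.
    first_use_done: bool = False
    consecutive_taps: int = 0
    cumulative_tap_pence: int = 0
    max_consecutive_taps: int = 5
    max_cumulative_tap_pence: int = 10000


def process(card: CardRiskState, limits: TerminalLimits,
            amount_pence: int, contactless: bool) -> str:
    """Run one transaction and update the card's counters.

    Returns one of:
      "chip_pin"      - card inserted, PIN verified, counters reset
      "tap_approved"  - contactless approved with no cardholder verification
      "tap_declined"  - contactless refused; terminal asks for chip + PIN
    """
    if amount_pence <= 0:
        raise ValueError("amount must be positive")
    if not contactless:
        card.first_use_done = True
        card.consecutive_taps = 0
        card.cumulative_tap_pence = 0
        return "chip_pin"
    # Terminal-side rule: amount above the reader's CVM-required limit.
    if amount_pence > limits.cvm_required_limit_pence:
        return "tap_declined"
    # Issuer-side rules: first use after activation, then velocity checks.
    if not card.first_use_done:
        return "tap_declined"
    if (card.consecutive_taps >= card.max_consecutive_taps
            or card.cumulative_tap_pence + amount_pence > card.max_cumulative_tap_pence):
        return "tap_declined"
    card.consecutive_taps += 1
    card.cumulative_tap_pence += amount_pence
    return "tap_approved"


def simulate(transactions, limits=None, card=None):
    """Apply a sequence of (amount_pence, contactless) pairs; return the outcomes."""
    limits = limits or TerminalLimits()
    card = card or CardRiskState()
    return [process(card, limits, amount, tap) for amount, tap in transactions]


if __name__ == "__main__":
    # Constructed sample: one chip+PIN purchase, then a day of £20 taps.
    day = [(1500, False)] + [(2000, True)] * 6 + [(2000, False), (2000, True)]
    for (amount, tap), outcome in zip(day, simulate(day)):
        print(f"{'tap ' if tap else 'chip'} £{amount / 100:6.2f} -> {outcome}")
```

With these assumed values the sixth consecutive tap is declined and the next chip+PIN transaction clears the counters, which is the pattern the two comments above describe; a heavy chip+PIN user would rarely hit the limit, a tap-only user would hit it regularly.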
what is the kernel?
The kernel contains interface routines, security and control functions, and logic to manage a set of commands and responses to retrieve the necessary data from a card to complete a transaction.
Fully agree, the few times I visited the U.S. it always surprised me that a country with such technological speed still relies on the "unsafe" magnetic swipe. Not saying the chip is foolproof in any way but it's a good step from the magnetic system in place.
The same problem was raised when countries in the EU switched to chip, but it was mostly vendors who were on old cash registers with no interfaces for the new card systems. That was solved through a manual total price entry into the EMV system, acting as its own system basically.
And as the parent comment mentioned, contactless payment is just really nice for smaller transactions. The ability to buy a coffee without opening your wallet (goods under $20) makes lines in stores so much faster since no signing/code entry is needed.
In the UK (at least), this is known as "card clash". You can't select which card is used. I'm not sure what the EMV contactless specification actually says, but anecdotally terminals will either fail to process the transaction (general card read error or a more specific collision message) or unpredictably select a card to charge.
Most card issuers (and companies like TfL - Transport for London, the transport authority who use contactless travel cards) recommend taking your card out of your wallet if you have more than one contactless card.
Indeed. There were a bunch of security objections to the system by Ross Anderson et al at launch; it has turned out that EMV is not at all the weak link compared to online transactions, which are where most of the fraud is. Or skimmed ATMs, which don't seem to use the chip.
As far as I can tell, skimmers in Germany still copy the (fallback) magnetic stripe and PIN, to use those in countries that don't require EMV. It's far easier than trying to break EMV chips.
When it became more difficult to use cloned magstripe-only cards in the UK, banks relied more heavily on behavioural profiling and risk analysis ("has this card been used in this country in the past?", "does this cardholder travel frequently?", "is this vendor known to have weak cardholder verification processes?").
In Canada, EMV and NFC rolled out at around the same time -- EMV gets used for big transactions where you want PIN auth, and NFC gets used for low-risk transactions like buying a coffee.
There was definitely a learning curve for figuring out the new terminals at first (some PoSes required both swiping and using the chip), but that only lasted about a year or two.
I'm pretty sure the article has it completely backwards. If a retailer has a chip reading terminal, they aren't responsible for fraud. It incentivizes retailers to update their hardware, or face shouldering the fraud risk for chip enabled cards that they end up swiping.
Agreed. The simplest way I've heard it described is that whoever has the lowest level of EMV support is liable. So if the bank hasn't issued you a chip card, but the retailer supports it, the bank is liable. Likewise, if you have a chip card, but the retailer doesn't have the EMV readers, the retailer is now liable -- and that is where the change is.
You're correct. If the merchant has the EMV reader but the bank card only has a mag stripe the bank eats any fraud, period. The merchant is completely off the hook.
What happens if the reader is an EMV one but the fake bank card looks like it has a chip and it was swiped instead of using the chip? I have a debit card with the chip but I can still swipe it at the hybrid terminals. Who owns liability in that case?
Once I used my chip card in a reader in the US, and was told, "this is a chip card, please insert it into the bottom" so there's definitely a bit that can be set in the magstripe to tell the PoS that a chip should be available in case you clone just the magstripe.
I guess I'm not surprised by the lack of EMV capable card readers I still see in the US. Having worked in this space in the past, I am always checking out the payment terminals at the stores I visit. I've even seen some larger merchants that I frequent upgrade their PIN pads recently but to non-EMV capable models.
If the big-box stores aren't getting it done there is little hope for the mom & pop type stores who will be forced to either stop taking cards or accept the liability for fraud since it's unlikely the acquiring banks will want to hold the bag for their customers once the card brands pass it downstream.
I've actually found more mom-and-pop type places have upgraded than big box stores. The first place I was able to use Google Wallet with my Android phone was a locally owned grocery store. The first EMV transaction I performed outside of Walmart was at my local liquor store on a stand-beside terminal (not directly integrated with the point of sale).
I work in this space, and while both the software and hardware have been ready for some time, retailers are just really slow to change. When you're talking about potentially hundreds to thousands of new card readers at nearly $1k each, followed by many hours of testing new software versions, piloting and rolling it out, etc., it is a significant investment for them to add support for EMV. That said, it's not like this was on short notice. They've had plenty of time (and incentive) to get this done.
Most retailers started with the hardware upgrade, which generally has to be followed up by a software upgrade to enable the processing of an EMV transaction. Depending on the level of integration with the payment network, the software changes required at the Point of Sale can actually be pretty complex.
It's funny - the only two businesses that have made me use the EMV features on my card are the locally owned butcher shop down the street and Wal-Mart.
Same here. I just relocated to Austin and have been making frequent trips to Home Depot and they must have just turned it on because one day I could swipe, the next I had to insert.
EMV cards are a big improvement for security but the UX is a big step back from mag swipes. Here's an example from a recent stop at the ATM.
* I dipped my card and then was told to reinsert the card and leave it in for the duration of the transaction. I wonder how long it will take for me to insert/leave by default instead of dipping.
* The machine mechanically locked my card into the slot until I had taken my cash, I wonder how more frequently people are going to leave their cards in the ATM now. Also, what happens if the power goes out or the machine crashes?
* It seems that some EMV cards have multiple "Applications" on them and it's impossible to tell which one should be used in which context. When I inserted my card, the ATM presented me with a menu asking me to select between "US DEBT" and "VISA DEBT". I had no idea which one to choose, and had to pick one, try to make a withdrawal, fail, and then choose the other one to take out cash. I don't remember which one worked, and if that's the one I should use in other locations.
Every ATM I've used in the UK will wait for you to remove the card before finishing the transaction (e.g. dispensing the receipt or cash you asked for). If you lose the card in the machine, a new one can be mailed to you (within two days IIRC), though this has never happened to anyone I know.
I've never seen a "Application" choice, so I can't really comment on that. Is that US specific?
Overall, I've found the UX on new cards to be a big improvement on magstripes.
I was talking to a manufacturer of fuel pump payment terminals and he was commenting that in the US we have spent the last 10 years training customers to dip their cards into the terminal and remove them before pumping fuel. Now the cards are going to be clamped in the terminals (in 2017) and not available until after the pump is returned. He guaranteed that it will be a nightmare with people leaving their cards behind at the pumps.
1. I understand coming from only swipe, but in my mind (Sweden) you insert your card while you perform the entire transaction as an identifier, compared to swiping. That's at least how me and my friend think about it after asking him.
2. Machines in Europe have been doing this for a long time and it's never been an issue. I guess in the rare case power goes out (aren't these machines on UPS?) you just call the provider hotline, cancel that card and get a new one in the mail the day after.
3. I have never seen this but I agree this is an issue. That is an unnecessary UX roadblock.
1) I agree - I think this is a regional thing. In the UK, ATMs almost always lock the card in place (typical non-corner-store ones take the entire card into the machine).
2) In the UK, most machines make you take the card out before dispensing the banknotes. Bank-owned (non-corner-shop) ATMs "spit out" the card and beep until you take the card. Only then do they dispense the cash.
3) I don't think many UK card issuers use multiple applications for the same context. That is to say, if you put your card into an ATM, only one application is likely to be compatible with that profile. There may be other applications for travel (ITSO, for example, is a travel card standard built on Global Platform). I think every EMV terminal has support for application selection menus (usually in the form of little buttons along the side of the screen) but they're virtually never used in the UK.
In my experience while travelling, US payment terminals are the most unusual.
Yeah. And if you do happen to enter your PIN, request cash then just walk away, the machine will furiously beep for a short time then pull the card back in ("swallow the card").
You've then got to request a replacement card from your issuer but it does limit the chance of a stranger coming along and retrieving the forgotten card and attempting to use it (for a signature fall-back transaction after damaging the chip, or for a cardholder not present - CNP - transaction).
Bank-operated ATMs will also often retain the card if it's been reported lost or stolen, but this does rob the lucky/brave checkout operator of their £50 bonus if they happen to retain a stolen card that's been used in store.
You remove your card first, then it dispenses cash.
> Also, what happens if the power goes out or the machine crashes?
Seriously? Where do you live where the grid is this unstable?
Living in Canada, I can tell you that using my cards in the US where there are no EMV/chip readers feels tremendously insecure to me now. It's just a matter of getting used to things.
It seems to take a couple of extra seconds to process the transaction, compared to a swipe. I'm surprised that this bothers me so much. I might use Apple Pay more often if this doesn't get improved.
That's my experience too. Fortunately most of the EMV-activated terminals I've run into also accept NFC so I've just been using Android Pay to avoid the extra hassle.
The machines (and/or PoS software) are smart enough to know if the card that was swiped contains a chip (it is in the track data on the magnetic stripe). But if the card reader lacks the chip reader, it obviously won't reject the swipe. The incentive to upgrade is that now the retailers will be on the hook for any fraud when a customer has to swipe their chip-enabled card due to lack of support at the store.
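The "bit in the track data" mentioned in the last two comments is the service code in the Track 2 magnetic stripe data: its first digit tells the terminal whether the card carries a chip. The following is an added example (not code from the thread or from any terminal vendor) that parses ISO/IEC 7813 Track 2 data, checks the PAN with the Luhn algorithm, and decides whether a swipe should be bounced to "insert card", allowed with the merchant liable (chip card, no chip reader), or allowed as a plain magstripe transaction. The track strings are constructed test data; 4111111111111111 is a common test PAN, not a real account.

```python
from dataclasses import dataclass

# Added example (not from the thread): parse ISO/IEC 7813 Track 2 data and act on
# the service code, whose first digit tells the terminal whether the card carries
# a chip. Sample track data below is constructed; 4111111111111111 is a common
# test PAN, not a real account.


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation for the PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str

    @property
    def chip_present(self) -> bool:
        # First service-code digit 2 or 6 = "IC card, use where feasible".
        return self.service_code[0] in ("2", "6")


def parse_track2(raw: str) -> Track2:
    """Parse ';PAN=YYMMSSS...?' into its fields, validating sentinels and PAN."""
    if not (raw.startswith(";") and raw.endswith("?")):
        raise ValueError("missing track 2 sentinels")
    body = raw[1:-1]
    pan, sep, rest = body.partition("=")
    if not sep:
        raise ValueError("missing field separator")
    if not (pan.isdigit() and 12 <= len(pan) <= 19) or not luhn_ok(pan):
        raise ValueError("bad PAN")
    # Expiry (YYMM) and service code (3 digits) follow; discretionary data after.
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("expiry and service code must be 7 digits")
    return Track2(pan=pan, expiry_yymm=rest[:4], service_code=rest[4:7])


def terminal_action(track: Track2, terminal_has_chip_reader: bool) -> str:
    """Decide what a terminal does with a swipe, per the liability-shift logic above.

    Returns "insert_card" (chip card swiped on a chip-capable terminal),
    "swipe_merchant_liable" (chip card, but no chip reader at the store) or
    "swipe" (magstripe-only card).
    """
    if track.chip_present:
        return "insert_card" if terminal_has_chip_reader else "swipe_merchant_liable"
    return "swipe"


if __name__ == "__main__":
    chip = ";4111111111111111=2512201?"   # service code 201: chip present (constructed)
    mag = ";4111111111111111=2512101?"    # service code 101: magstripe only (constructed)
    for raw in (chip, mag):
        t = parse_track2(raw)
        print(t.service_code, t.chip_present,
              terminal_action(t, True), terminal_action(t, False))
```

This only models the "chip card swiped on a chip-capable terminal" prompt; a real terminal also has to handle technical fallback (insertion attempted and failed), which the thread does not cover, and a cloned stripe with the service code rewritten to 101 would not trip this check, which is why the liability shift rather than the service code is what is meant to drive upgrades.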
I noticed this recently as well at Walmart. Tried to swipe my card and it didn't work, swiped again and it didn't work. Finally bothered to read the error message, which was "Insert Card into Slot at Bottom of Terminal."
My experience in Europe has been with Chip and PIN, I wonder why we're gravitating toward Chip and Signature.
"Most card issuing banks and Visa don’t want PINs because the PINs can be stolen and used with the magnetic stripe data on the same cards (that also have a chip card) to withdraw cash from ATM machines. Banks eat the ATM fraud costs. This scenario has happened with the roll-out of chip cards with PIN – in Europe and in Canada."
US credit cards (both chip and non-chip) have PINs they're just used only at ATMs when taking cash advances. The article jdeibele referred to said that if you forced people to use their PINs all the time the rate of cash advance fraud would go up since it would be more likely that a skimmer would have the PIN (since there would be more opportunities to intercept it).
> My experience in Europe has been with Chip and PIN, I wonder why we're gravitating toward Chip and Signature.
Americans love credit cards and those who use them tend to have a lot of them. I personally have six credit cards and three debit cards (and, yes, I have a reason for having each card). My father has a wallet more than 1 in (2.5 cm) thick from all the cards he carries. According to the Boston Fed the average cardholding consumer had 4.0 credit cards and 1.6 debit cards in 2012[1]. Forcing people to memorize a PIN for each card they have would discourage people from signing up for more than one or two cards which would be a nightmare scenario for the credit card industry.
Chip and pin isn't any more secure than chip and sign, and is a greater hassle. For a while, merchant banks would deny fraud claims from skimmers claiming that the victim must have let the fraudster know the pin. However, as the card has to be on the magstripe as a backup, it's trivial to clone a pin. A friend had to fight for a fraud claim on her card a few years back, with the bank giving her that line. Thankfully, she is dyslexic, and has chip and sign as an accommodation, so she was finally able to get enough words in for the rep to check her account flags and realize there was no way in hell she gave a pin to anyone, because her account doesn't have a pin attached to it. Chip and sign cards have pins on them for various silly reasons, even if there is no way it would ever be used.
The first few times it was really slow, but recently it's only added a couple seconds to the transaction. I really think this will be a non-issue in a couple months.
It seems to me like it's only going to get worse as more people get chip cards. The cafeteria at the office where I work replaced their card machine earlier this year with a model that accepts EMV cards and since we have a lot of employees that travel internationally a good chunk of the people that work here pay with an EMV card (myself included). The increased card processing time has resulted in a noticeable increase in the wait time at the register, commonly backing up the line by 1-3 people. I recently figured out the terminal also supports NFC payments so now I use my phone with Android Pay (since it only takes 1-2 seconds vs 10-15) but I'm the only one who uses it so far and I'm not sure anyone else knows.
Yep had chips for decades already in Europe (it's not called "EMV" here though, just a chip afaik).
I don't know who is liable in Europe for fraud (shop or bank), but, about the article, I find it odd, the chips should be more secure, so why are banks giving the responsibility of fraud to merchants while not for the insecure magstripes? The banks should be able to trust their own chips right?
It is indeed called EMV here, it's just not marketed as such. EMV stands for Europay, Mastercard and Visa - the original consortium who agreed the smartcard payment standard. In the UK it's marketed as "Chip and PIN", but it's all EMV.
The specifications are all available online too [1] and make for an interesting, if involved, read.
EMV is responsible for a number of specifications, including "Chip and PIN" style payment, contactless (NFC) and CAP (Chip Authentication Program - a two factor system where users are given self-contained challenge/response card readers with which virtually every EMV card is compatible).
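To show what the challenge/response exchange in a CAP-style reader looks like end to end, here is an added example (not code from the thread, from EMVCo or from any issuer): the bank issues a one-time challenge, the stand-alone reader checks the PIN against the card and then has the card compute a response over its transaction counter and the challenge, and the bank recomputes the response and enforces a monotonic counter so a captured response cannot be replayed. Real CAP derives the response from an EMV cryptogram (3DES over EMV data with the Application Transaction Counter); this model substitutes HMAC-SHA256, sends the ATC explicitly alongside the code, and uses a made-up key diversification scheme, PAN, PIN and master key, all constructed test values.

```python
import hashlib
import hmac
import secrets

# Added example (not from the thread or the EMV CAP specification): a simplified
# model of a CAP-style challenge/response login. Real CAP derives the response
# from an EMV cryptogram (3DES, Application Transaction Counter); this model
# substitutes HMAC-SHA256 and sends the ATC explicitly. Keys, PAN and PIN are
# constructed test values.


def card_key(issuer_master_key: bytes, pan: str) -> bytes:
    # Per-card key diversified from the issuer master key (assumed scheme).
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def response_code(key: bytes, atc: int, challenge: str) -> int:
    # 8-digit code from a MAC over the counter and the bank's challenge.
    mac = hmac.new(key, f"{atc:05d}|{challenge}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % 10**8


class Card:
    """The chip: holds a diversified key, a PIN and a monotonic counter (ATC)."""

    def __init__(self, issuer_master_key: bytes, pan: str, pin: str):
        self.pan = pan
        self._key = card_key(issuer_master_key, pan)
        self._pin = pin
        self.atc = 0

    def respond(self, entered_pin: str, challenge: str):
        """What the stand-alone reader drives: offline PIN check, then a MAC.
        Returns (atc, code) or None if the PIN was wrong."""
        if not hmac.compare_digest(entered_pin, self._pin):
            return None
        self.atc += 1
        return self.atc, response_code(self._key, self.atc, challenge)


class Bank:
    """Issuer side: issues challenges, recomputes the MAC, enforces ATC order."""

    def __init__(self, issuer_master_key: bytes):
        self._mk = issuer_master_key
        self._last_atc = {}
        self._pending = {}

    def new_challenge(self, pan: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[pan] = challenge
        return challenge

    def verify(self, pan: str, atc: int, code: int) -> bool:
        challenge = self._pending.pop(pan, None)   # one attempt per challenge
        if challenge is None or atc <= self._last_atc.get(pan, 0):
            return False   # no outstanding challenge, or a replayed counter
        expected = response_code(card_key(self._mk, pan), atc, challenge)
        if not hmac.compare_digest(f"{expected:08d}", f"{code:08d}"):
            return False
        self._last_atc[pan] = atc
        return True


def login(bank: Bank, card: Card, entered_pin: str) -> bool:
    """The full exchange: challenge -> reader/card -> response -> bank check."""
    challenge = bank.new_challenge(card.pan)
    resp = card.respond(entered_pin, challenge)
    if resp is None:
        return False
    atc, code = resp
    return bank.verify(card.pan, atc, code)


if __name__ == "__main__":
    mk = b"constructed-issuer-master-key"
    bank, card = Bank(mk), Card(mk, "4111111111111111", "1234")
    print("correct PIN:", login(bank, card, "1234"))
    print("wrong PIN:  ", login(bank, card, "0000"))
```

The two properties worth noticing are that the PIN never leaves the reader (it is checked against the chip, not sent to the bank), and that the bank accepts a code only once per challenge and only for a counter higher than the last one it saw, so a phished or shoulder-surfed code is useless after the session that generated it.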