Basically: the form of fraud it protects against is very rare in the US, and consumers find memorizing another number painful. Europe adopted chip+PIN not because anyone really wanted it but because it was mandated by law. It’s unclear that it has actually been effective.
They are, but people use their debit cards for ATMs and mostly use credit cards for other transactions (for those that do have credit cards, which is a majority of people). All of my credit cards same with some type of pin for using them at ATMs for cash advances. I couldn’t tell you a single one of them.
Maybe the difference is that more Americans have credit cards than Europeans.
This is particularly evident in East European countries, e.g. here in Poland credit cards are far less common than debit cards. And so people use them to pay in their grocery store as well as in ATMs.
I for example didn't had a credit card until recently, when I wanted to rent a car, it looks like credit card is (almost) mandatory and I use it only for that purpose.
So it just sits in my drawer until once a year I take it out when I go on vacation and rent a car there.
I know it's piss poor security, but I just have the same PIN for my debit and credit cards.
At one point, I actually just had a single, combined debit and credit card. It worked for both, so I could use it at an ATM, as well as use it as a CC.
> You have _much_ less fraud protection with a debit card.
Having had ~US$20K sucked out of my debit card (which was ~$10K more than I had), I can verify that you have essentially no recourse. Why the stupid bank authorized someone to go over by such a yuuge amount still baffles me...
Any idea how that happened? I have a combined credit/debit card, but debit is chip only so it can't be copied. I can't see how it could be misused except at gunpoint.
Sure ... it was a chip-less Visa debit card. My point is simply because it was routed to a DDA, not a credit line, the typical protections for a credit card don't apply. (This was the US). They are pretty clear about this in the contract. We even found footage of the malefactor checking out of a department store. Live and learn, I guess... This was some years ago. Now, I almost never leave the house with a debit card, and I have all my cards make my phone go bing! when they are used.
Assuming you can stomach $50 in the case that you do drop the ball notifying the issuer upon realizing your physical card was physically lost, how do the rules differ appreciably?
Also, how does not having a debit card significantly alter the exposure of a given deposit account (eg through the ACH network), besides just having one fewer network address? It seems like the better option is to get a feed of transactions in a convenient manner, whether tablet notifications or an ofx feed.
(Not that I don't want to stick it to the banks as hard as possible for perpetuating this negligent payment network and tricking customers with terms like "identity theft", but just pragmatically speaking)
Debit card fraud drains your checking account, creating a short-term emergency: legitimate transactions are then returned for insufficient funds or create overdrafts. Both carry punitive fees. The bank has to restore your funds eventually, but in the meantime, there could be an eviction notice on the door.
You generally share your bank account number with a small number of trusted parties: employer, landlord, creditors, utilities, tax man, etc. Exposure is low. When you start swiping a debit card around town, you hand out the same level of access to every merchant you buy anything from, and whomever might be skimming their terminals or stealing their databases.
Credit card fraud adds to your balance, but you don't have to pay it while the investigation is ongoing. Typically they revoke your card number and mail you a new one. During that time, you live off of a different credit card your debit card. Critical payments go straight to your bank account and are unaffected. When the investigation is over, the charges disappear. At no point are you deprived of actual money, you merely have an inflated short-term debt.
I agree, but these seem like operational concerns that you'd anticipate for each individual account in today's world of broken payment networks. It might even be nicer to have bank account disabled with a few hundred in it, than temporarily lose a credit card with a high limit that you funnel larger payments through for the rewards. You can't prevent this, so my comment was focused on how much you could actually lose after the dust settled.
Good point about a check bouncing though. I would think your bank should waive any charges (after all, you weren't defrauded nor did you write a bad check), but the recipient might complain about their bank's fee (for essentially a rejected ACH transaction, but I digress). Although speaking of checks, readily handing out a printed withdrawal key seems like a poor idea if your goal is avoiding surprises!
> You generally share your bank account number with a small number of trusted parties
Every second website I buy stuff at has my IBAN.
Looks like it's a vety different situation here in Europe.
Sadly, too many US websites don't allow this, I ended up having to get a CC (and pay for it!) just to deal with US bullshit websites demanding a CC. That CC cost me more in fees than I've ever kost in debit transactions.
Credit card is the same old debit card with additional "automatic loan issuance on insufficient funds" service. With debit, your risk is limited to whatever is in the account associated with the card. With credit it is the same risk plus your credit.
Your funds are not really at risk of permanent loss in either case. The difference is what happens in the short term. Also it’s not true at all that debit card losses are limited to your balance. Banks will approve transactions that put you well into negative balance and charge overdraft fees.
Each ___location you use a card increases the risk of the number getting copied. So using a debit card exposes tons of possible people with entry points into your account.
So once you assume whatever you use will get stolen, you determine what dealing with a stolen card number will be like. With debit cards it's your own cash locked up in a transaction dispute. With credit cards its the credit card companies credit balance and you have no money locked up.
In the US, your ATM card is (at least) often a debit card. Perhaps there's some way to flag them so they can be used only as an ATM card up to the usual daily limits. I agree with your basic point though. I have the card but essentially never use it except for withdrawing cash.
I had a debit card from Citibank but I had to call and specifically request only an ATM card as debit cards are absolutely horrendous. They were able to issue an ATM only card.
My standard Chase ATM card can be used at stores as either credit or debit. Some payment terminals say "enter PIN for debit, or press continue for credit". Some don't, but at at least one store, despite the prompt just saying "Enter PIN", I was able to pay by pressing continue without entering a PIN, so I think the terminal has the same functionality, just not advertised.
I have no reason to think it hoses your credit rating in the US if you pay your bill (or at least the minimum) on time. What it does do though AFAIK--it's been a long time since I've done it--is to start the clock on paying whatever extremely high interest rate your card has on the total balance on the card. Including your regular charges that would otherwise be carried interest-free until the payment due date.
So it's generally a very bad idea to get a cash advance on your credit card, especially a credit card that you also use to charge other purchases.
It does not hose your credit rating in the US (assuming you pay your CC bill on time). It doesn't even show up as an event on your credit rating, as the decision to extend credit up to your limit has already been approved.
It can actually, although perhaps a little indirectly. Off the top of my head, the credit card balance is a direct I put to both the Debt to Income Ratio (small affect), and Percentage of Revolving Credit Available (much larger affect). These are not deal breakers, but did lower the score at both places I worked where this mattered.
Well, certainly if your carried balance goes up as a percentage of revolving credit, that will affect the score. But this would hold true whether you did a cash-advance or bought a TV, no?
EDIT: IIRC, the Debt-to-Income ratio calculation (if you were to apply for a mortgage, for example), is based on your aggregate credit-card limits (used or not), on the assumption that you could be that exposed. I remember when I were a young lad, I had to kill a card (or two?) that I wasn't even using in order to get the mortgage rate I was looking for because of this effect.
Okay, so just to explain the way this works in the UK - a cash advance shows up directly against the card and month it was taken. Credit scorers typically treat it as a sign that you're living outside your means, and so it has a very serious effect on your ability to get credit.
There are certain types of payment which are also classed as a cash advance and sometimes catch people out, such as to gambling sites.
I simply solved this by using a prepaid credit card. Sadly they are less accepted but there is a significant amount of fraud protection and I can manually control how much damage can even exist in case the fraud protection somehow fails.
I only need it for american services though, all EU services I use accept SEPA pull or push, Sofort, giropay or Paypal with a bank account (strangely enough, some american services in the past declines to accept a paypal account without credit card, weird stuff)
My personal recommendation to US people is avoid connecting PayPal to your bank account. I don't know what protections they have in the EU but I doubt we have them so better safe than sorry. Use your credit card.
Paypal provides fraud protection against my bank account. And I can always revoke their SEPA Mandate and demand my money back as long as 6 weeks have not passed since the direct debit. (German law atleast) My bank ensures this by notifying me when I receive a bank statement on the online interface and mailing it me on my own cost via postal service if I don't mark it read (about 5€ IIRC) within a week.
Same goes for any SEPA DD based transactions. Everything else is secured via TAN, which depending on what generator method you choose (SMS, Optical, HBCI or Smartphone App) has varying levels of security (Optical and HBCI are highest atm, then App and SMS last, atleast according to my knowledge and understanding of the implementations).
The only bad part is when paypal fucks you over but that's a given risk when interacting with paypal anyway.
And debit cards don't use chip and pin? What's the distinction here?
I recently got a new debit card which has the usual (European) chip and pin - but also annoyingly has contactless payment (aka "leech my money"). Sadly the only way to opt out might be to switch banks...
Of course most Americans have both debit cards and credit cards. I think that debit cards (as opposed to cards that can only be used at ATMs) didn't really start to become common until the late 90s. I expect that you'll find that older people don't use them as often out of habit.
> Europe adopted chip+PIN not because anyone really wanted it but because it was mandated by law. It’s unclear that it has actually been effective.
At least in UK it was a sort of anti-consumer Trojan horse. Theft decreased by 80% or more, but now the responsibility of the remaining part lays on the user instead of the bank. I remember UK consumer groups quite upset about this ~12 years ago.
Not the banks, the vendors. It’s a great coup that banks have convinced customers they cover credit card fraud when really visa/MasterCard go and take the money back from the seller.
I can't see how that can be true. Prior to chip+pin, you could still withdraw money from an ATM with a card+pin, so how exactly did the security change?
In both cases, you can dispute transactions with the banks, and in both cases, the banks are going to open their defence with "but how did the thief know your PIN?" but that does not make it clear-cut, nor does it mean the banks will always win their argument.
Before Chip+PIN was introduced, card cloning or ‘skimming’ was a very common fraud method. An ATM would be modified with a device to copy the magnetic strip and register the associated PIN with a keypad overlay or a pinhole camera. This data could then be used to create a cloned card to withdraw money with, sometimes even in another continent.
Chip+PIN (EMV) prevents this because the chip cannot be cloned, and so it completely eliminates this form of fraud. However, banks also used the introduction of Chip+PIN to move liability of any fraud to the customer, whereas before the banks would fully refund any fraud.
Consumers remain fully protected from the cost of card fraud and are covered under The Lending Code. From 1 January 2005 there was a shift in liability for some types of card fraud from banks to retailers, but this will not affect cardholders in any way. If businesses have chip and PIN terminals in store, they are covered for the cost of card fraud whether customers enter their PIN or their signature, just so long as staff follow the on-screen prompts and carry out the routine checks to ensure cards have not already been reported lost or stolen. Banks will continue to be liable for the cost of card fraud committed on old-style non-chip and PIN cards, so by accepting them businesses are not putting themselves at risk in any way
So in what way has fraud liability shifted on to the customer?
Much as juries tend to believe a cop even though data suggests cops aren't very reliable even when they aren't actively lying, so they also tend to believe a smartly dressed bank official. Victims of fraud who end up on trial (either tacitly after they have to sue the bank for their money, or more rarely literally after the bank tells police they committed fraud) are disproportionally female, elderly and non-white, all factors that make them less believable to a jury, almost as if those trying this on know that...
Juries are rarely told, and bank officials would hardly volunteer that big frauds often involve a bank insider, and sometimes even an insider the bank has since caught and fired. You won't get the money back from an insider who was taking 10% but you can make a victim of the individual account holder rather than eat the loss at your multi-billion dollar bank. And all you have to do is pretend systems you know are all too fallible are instead perfect.
Ross Anderson has written about some of this on Light Blue Touchpaper
Again, I can't see how anything changed. You have a card and you needed a PIN to use it, before and after the chip was added. Smartly dressed bank officials were around in both times. In either situation/time period, banks would claim "how could someone possibly have got cash/goods without you disclosing your PIN? Our systems are secure!" whereas we know that the systems, before and after the chip, are not 100% secure. Ross Anderson has been instrumental in demonstrating this, for sure.
As I've quoted from the website, there was no change to the consumer protection in the introduction of the chip. Your description applies equally well to court cases before and after the technology changed.
"You have a card and you needed a PIN to use it, before and after the chip was added"
Er, no?
I guess it's possible you've actually forgotten what changed here.
It's 1995, I have stolen a VISA card issued to a nice old lady who lives across the street. I walk into a PC wholesaler which allows walk-in purchases, I hand over the card in the name "C. Smith" and walk out with two month's salary worth of Pentium CPUs that can be sold easily for almost their RRP. Did I know a PIN? Nope, just squiggled something that might be "C. Smith" on both the card and the receipt.
When her bank tells her she bought all those Pentiums, she's going to freak. And when she calms back down she'll say she never received that card. Has no idea where it is. Give her back her money.
The bank will of course insist that it's her card and surely she bought all those CPUs. But Ms Smith's lawyer doesn't need a Computer Science degree to understand what happened, and neither does the jury. Smart suit or not, "Her card was simply stolen from the post" is an easy argument to understand and she'll prevail.
Not so when the bank says her PIN was used. Who else could know her PIN? Those are secret. Aren't they?
Why didn't the store want a PIN back in 1995? Because they had no way to validate it, it would be useless to them. Only the _chip_ enables offline PIN verification, and in 1995 even some _ATMs_ were still doing offline transactions.
The transactions are not routinely On Line. Yes, I know, you had to wait 5 minutes the other day in an antique store because their card machine used a dial-up modem. Very annoying. And also quite possibly bogus, there's a good chance that wait was a charade. But why doesn't it have to be online, surely that's unavoidable?
Time for another brief lesson, this time not about history though, this all still true today:
Payment card transactions are really _two_ transactions, the banks make no real effort to correlate the two, and one is done entirely on the honour system.
1. Authorization: Does the card holder authorize this transaction? This is the one that has tightened up considerably due to fraud. But this doesn't move any money anywhere, and doesn't involve any real time interaction with a bank at all. Once upon a time this involved a machine that used carbon paper to take an "impression" of the 3D credit card, and collecting a signature. Today it's "Chip and PIN".
2. Settlement: Who should get paid, and how much, by who? This moves the actual money to the merchant. It's done entirely on the honour system, banks and merchants both routinely screw up, if your country's laws make them they'll eat the cost of fixing that, otherwise they'll probably blame you and make you suck it up. Hooray.
The first one has loads of serious technology thrown at it. Anti-replay for example. If I authorize one $14.99 payment, you can't just show that again to authorize another one.
And the second, which moves the money, undoes every benefit of the first, for example you needn't replay the authorization, just do settlement again for the extra $14.99 without any authorization at all. The bank will hand it over, the customer loses the money, unless they remember to explicitly complain about having $14.99 stolen you can just keep it. If they do complain, say it was a "mistake", you lose the $14.99 but so long as you don't do it too often you'll just get a slap on the wrist and can try ripping off other customers.
For all the words, I still don’t get your point. The banks introduced an improved system that we can all agree is more secure than the old one, and consumer protection did not change, but apparently you think this makes it worse for the consumer?
What on earth do you want banks to do? Make their systems less secure, so it’s easier for people to convince a court that their disputed transaction was fraudulent?
It’s natural and predictable that banks will argue that security improvements make it more difficult for thieves to make fraudulent transactions, but since these systems aren’t 100% secure, people will always be able to dispute these events and win their challenges.
Consumer protection effectively does change if its enforceability changes. If a system's security is improved (or at least the security theatre is improved), it's easier to disbelieve victims of fraud, and even accuse them themselves of fraud. This is especially true when existing known vulnerabilities are closed, and fraudsters begin using new vulnerabilities.
To use an analogy, it would be like if you improve the reliability of a product you make, then start saying those who RMA your product must have damaged or mishandled it for it to be broken, and deny them their warranty.
What you're missing is that once you have a PIN the deniability goes out the window, so you're now on the hook for the fraudulent purchases. So as a card user you're trading a high percentage of fraud with no liability for a low percentage of fraud with absolute liability. Things are better for the bank, not the customer.
Contrary to popular belief, merchants are responsible for frauduluent charges, big or small. They pay not only in any lost merchandise or services, but also in losing the payment.
This shifting of burden ultimately comes back to the consumer in higher costs and fees, and is just a cost of business for the merchants. The credit card company beneifts because they make money regardless of fraud, and they’ll make increased money from the detachment of the feedback loop from the consumer. Merchants don’t pursue fraud because they simply increase costs to cover it.
In this scenario merchants lose, consumers lose, credit card companies win from increased usage.
See the text I cited from the card association’s website. Merchants are only responsible for fraud (in the U.K. at least) if they did not use chip + PIN properly.
Who pays for fraud, in the end? Well, the customers pay, of course, since they are ultimately the only source of funds. Regardless of whether or not the merchant or bank eats the fraud, they are going to recoup the cost through their charges to customers.
I find shifting the burden to the merchant or card processor to be ultimately anti-consumer. It hides the true cost of financial crimes from consumers and ultimately manifests in increased costs, while to the merchants or banks it’s just a cost of business. In the end the consumer is shielded from fraud but ultimately pays for it.
The merchant/processor are better placed to take the burden though - it may increase the fees, but to me, an ongoing marginal increase is preferable to the risk of being cleaned out in the case of fraud.
It's also pro-consumer in that it lets you use your debit cards without much fear of fraud -- if I were liable for fraudulent charges, I would be _much_ more reluctant to use it anywhere (especially as the bank may not be as incentivised to provide as good a fraud protection), drastically reducing its utility.
The reason why I think it's anti-consumer is that by detaching the liability of fraud from the end consumer means detaching it from the whole system. No one really cares about the fraud if the consumer doesn't. The credit card company profits either way, but by removing any concern for fraud it makes more money.
I think a sensible solution is to split the liability between the merchant and consumer. Hiding it from the consumer hides it from the one party that would even care about prosecuting fraud.
I was under the impression this was used in case of a dispute, they could go back to the receipt to determine if it was your signature or not. Not sure how often that is actually used.
Apparently a lot of cards are dropping the requirement anyway. [1]
That’s correct. This new policy from the card brands begins this month for EMV transactions. My customers are excited to reduce check out time by dropping the signature requirement.
The signature signifies intent. You understand the charges on the receipt. You can't say "I didn't know I bought that" when the list of things you bought is right there and you signed your name.
Except you can literally draw a poop emoji as the signature and it’ll be happily accepted. How would that signify intent at a later dispute investigation?
No it doesn't signify intent. The signature on the slip should match the signature on the back of the card. This is how the retailer knows the purchaser is the authorised user of the card. So unless the card as a poop emoji in it the card holder can deny the transaction based on non-matching signatures.
They can refuse your transaction for whatever reason they want, it's their business. If you give off any vibe that the card might be stolen, then a business can turn you down whether or not what you were doing was technically correct.
Yeah if you sign a printed receipt that's true. Most POS devices I see now aren't displaying the individual charges anymore by the time the interface gets to the "really charge $X?" screen and the electronic signature screen. You have to wait until the receipt prints out, and then you can complain to the clerk.
The screen-signature POS terminals I've seen almost always have another screen showing a list of purchases being made. The only exception I can remember is very old pharmacies. In newer pharmacies, the list is on the signature screen.
Interesting. Everywhere I've been recently (mostly west coast, I'll admit), the grocery stories have the biggest tally screens. And at the bottom the biggest line is how much you "saved" by shopping there. (Yeah, right.)
You paying signifies intent. If I use Google Pay to pay for something, I've shown that I agree with the charge. The signature is just useless hassle. I've had to do it it twice in my life and they never seemed to be pens around just when you need them...
Moreover, if you think that retailers are making you sign a piece of paper because they want to hassle you and make you take your money elsewhere, you need to rethink the situation.
Signature has never been intent but a security measure, which is why it is matched with the signature on the card. It's an authorisation step, nothing else. You handing over the card is intent.
I've also heard before (anecdotal) that in general in the EU, people have far fewer credit cards. As someone with several chip+pin cards in the US, it can be a bit of a chore ensuring they all have the same pin, and I wouldn't even want to try having five different cards with five different pins.
Different cards offer different reward structures. I currently have sixteen (16) credit cards, but I'm certainly an outlier.
For everyday purchases I use one card for restaurants and gas, another card for groceries and yet another for everything else. Then two other of my cards have rotating bonus categories, so I may use one of those for gas one quarter and for restaurants next quarter.
And, at minimum, you should always have a backup, like a sibling comment points out. Especially when travelling, you don't want to be in the middle of nowhere trying to buy meal only to find out your card has fraudulent transactions and the new one has to be mailed to your house.
Depends entirely on the card! Annual fees can be either $0, as small as $30/year, or as high as $500/year (AMEX Platinum) and up. AMEX Centurion is invite only, it's for millionaire high spenders and has a $2,500/annual fee. Barclays Luxury Card is open to everyone and I believe it has a $900/year annual fee.
Some cards waive the annual fee the first year and some don't. It's whatever the card issuer decides makes them the most money.
Personally, I pay two annual fees and have a third one waived for now. Some of the cards I have I've downgraded to the less benefits no annual fee version of the card after collecting the annual fee version benefits for a year.
Many, many cards have no annual fee. The ones that do, are usually worth it for the right customers- e.g. a travel card that comes with a lot of actually-valuable travel perks for the frequent flyer.
Credit cards with an annual fee simply for the privilege of having a credit card, are mostly gone, chased out of the market much like the takeover of free checking.
It varies. I don't have anything like 16. But I have a couple of cards with specific reward benefits that I pay for plus a number of free ones for benefit and other reasons.
3) Restaurants. This is the only use-case where my card is out of my possession, and I try to isolate that.
4) MOST on-line purchases (Except for #5 below)
5) Online subscriptions. These are things like DO or AWS or month-to-month Jetbrains or Safari. This makes it easier to visually scan the statement for things that should not be there, or are wrong. (Billing mistakes are not infrequent).
6) Business expenses. This makes either submitting expenses and/or taxes easier, because it's all in one place.
Different cards offer different benefits. At a minimum, I want to have one backup in case I leave one at a restaurant or something wonky happens with fraud systems. So, yeah, I have multiple cards although I mostly only use two of them.
Basically: the form of fraud it protects against is very rare in the US, and consumers find memorizing another number painful. Europe adopted chip+PIN not because anyone really wanted it but because it was mandated by law. It’s unclear that it has actually been effective.