Hm, Question!

Is there grounds for a class action lawsuit against card issuers for failing to perform best-practices against identity theft by upgrading cards to chip and pin?
posted by kaibutsu at 11:10 AM on January 17, 2014 [1 favorite]

There has been an increase in card-related fraud here recently because the U.S. is now the last major nation in the world that is not onboard with the EMV (Europay/Mastercard/Visa) standard, or "chip-and-PIN." Fraud is migrating here because it is now easier, and it is going to get worse before it gets better unless banks and payment processors start getting realistic, and getting scared.
posted by jbickers at 11:11 AM on January 17, 2014 [2 favorites]

so ...
Nearly half of all card losses in 2012 occurred in the U.S.
What percent of the card volume is done in the US ?

ATM skimmers steal PIN numbers already, thought it *seems* the value is in the chip, not the PIN .. And wiki seems to indicate they aren't invulnerable to hacking either.. So it's still an arms race, with slightly higher barrier to entry.
posted by k5.user at 11:11 AM on January 17, 2014

Related: There's no hope for our payment systems [ZDNet]

Getting Americans to use something like Chip and PIN would be really hard. It would require an enormous capital investment by retail businesses and banks and processors and create a large support burden. The better 2FA systems, which use one-time-codes delivered through a separate device, would be even harder to push through. And don't even think of suggesting biometrics!

This episode is another example of what seems to be a law of human nature: there is a general trade-off between security and convenience. The more security you want, the less convenience you can expect; the more convenience you want, the less security you can expect.
posted by ryanshepard at 11:12 AM on January 17, 2014 [1 favorite]

MasterCard, Visa Moving U.S. Credit Cards to 'Chip-and-PIN' by 2013

MasterCard followed Visa's lead this week, stating that it too intends to move U.S. consumers onto so-called chip-and-PIN technology by April 2013. MasterCard said that it was working with acquirers to move the United States onto the so-called "EMV" standard, ensuring that the payment infrastructure would be in place by the deadline.

In August 2011, Visa also put forward its own EMV timetable with April 2013 as the date by which its U.S. acquirer processors and sub-processor service providers must support merchant transactions using chip-based cards.

Looks at calendar.
Looks in wallet.
Hmmm. 2 of 6 cards here have chip and signature, 0/6 have chip+PIN.
posted by RedOrGreen at 11:15 AM on January 17, 2014 [5 favorites]

It's the same reason the USA hasn't adopted the metric system: inertia.
posted by blue_beetle at 11:15 AM on January 17, 2014 [19 favorites]

I think chip-and-pin is more a infrastructure cost than a conveineince-vs-security trade-off. It's not like you (or the retailer) have to do headstands to get a payment through once it's in place; there's just a significant investment needed to make the switch. Regulatory push or massive lawsuits are probably the main ways forward...
posted by kaibutsu at 11:16 AM on January 17, 2014 [2 favorites]

Chips and PINs, as I understand it, can do a lot to make card skimming harder---now the attacker has to do a man-in-the-middle attack, rather than just take a passive copy. There's a discussion at the end of this Ars article.

Canada has just switched/is still switching to PIN+chip. According to the company that manages the debt card network, fraud is down 73% in just three years. They largely attribute this to the switch to chip cards.
posted by bonehead at 11:19 AM on January 17, 2014 [2 favorites]

It's the same reason the USA hasn't adopted the metric system:

"Americans can always be counted on to do the right thing...after they have exhausted all other possibilities."

posted by entropicamericana at 11:19 AM on January 17, 2014 [29 favorites]

The card issuers don't have much incentive to move to a better system when they can pass all of the costs of any fraudulent transactions off to the merchant. The merchants don't have much incentive to get chip-and-pin readers when almost* no one in the U.S. has a chip-and-pin card.

*I do. You can get a card with a chip from BOA, and they'll give you a PIN, but the card just works like a regular mag-stripe card, even in chip-and-pin systems, so it's really a chip without pin card. But you can get a chip-and-pin card from USAA if you call them and ask.
posted by still_wears_a_hat at 11:19 AM on January 17, 2014

See also our discussion of the Target data theft with me ranting uselessly about how stupid US credit card processors are. I have a US credit card with a chip, to make travelling in Europe easier, but it's this fucking stupid thing where it doesn't really have the full system. Paying in person I still have to sign, and at a machine I just enter any random PIN and it works. Genius!

Does the chip-and-PIN system have a solution for more secure Internet payments as well? I skimmed the excellent EMV Wikipedia article but didn't see anything. I know some European banks were requiring two factor authentication for Internet payments, but I believe that didn't catch on.
posted by Nelson at 11:20 AM on January 17, 2014 [1 favorite]

Vendors periodically upgrade their hardware.

Yeah, that's the rub - they don't do it often enough, and they try to go as cheap as possible when they do. But the hammer largely starts to come down in late 2015, when the liability starts shifting to them for any fraud.
posted by jbickers at 11:21 AM on January 17, 2014

As I understand it, the main difference between the mag stripe cards of North America and the chip-and-PIN cards of the rest of the world is the concept of multi-factor authentication. Multi-factor authentication means having multiple differing means of authentication. A mag stripe card has one means, which is the card itself. If you have the card (or a different physical card with the same info), you can charge things.

On the other hand, chip-and-PIN is a multi-factor authentication system. It's at least two factors, one is something you have (the physical card) and one is something you know (the PIN). If you have just one factor, you can't charge anything. PIN without the matching card doesn't do you any good, and card without the PIN doesn't do you any good.

With mag stripe cards, it's trivial to steal / purchase stolen card numbers and write them to a blank card. Or even easier, go online and use the card information without the physical card. Chip-and-PIN requires much more sophistication to write a valid crypto signature to the chip, plus you have to steal the PIN in some manner too.
posted by ensign_ricky at 11:23 AM on January 17, 2014

Funny though, Europeans (especially Germans) will lecture you if you try to pay with a card without a signature on the back. I don't know the German translation for "Are you a handwriting specialist?" so I wasn't able to articulate properly how useless signatures are for enforcing security.
posted by RobotVoodooPower at 11:25 AM on January 17, 2014 [4 favorites]

Getting Americans to use something like Chip and PIN would be really hard. It would require an enormous capital investment by retail businesses and banks and processors and create a large support burden.

Note that this excuse slyly equates "Americans" with business interests. I don't think there would be any trouble getting "Americans" (i.e. consumers) to adapt Chin-and-PIN cards. It's just a new card to them. This is entirely an issue with businesses and banks and card companies.
posted by Thorzdad at 11:25 AM on January 17, 2014 [19 favorites]

It's the same reason the USA hasn't adopted the metric system: inertia.

That's a really misleading comparison, though. Hundreds of millions of Americans think of speeds in miles-per-hour, think of their weight in pounds, dress themselves based on degrees Farenheit. The change requires basically retraining 300 million people in how they go about a hundred different daily tasks, plus relabelling enormous amounts of signage and rewriting laws that reference non-metric values. It's a cultural inertia, not just a financial one.

By contrast, switching to card-and-pin is a matter of replacing "Sign here" with "Tap in a PIN, just like you do when you use your ATM card, and just like you already do with a debit transaction." No new concepts for anyone.
posted by Tomorrowful at 11:25 AM on January 17, 2014 [9 favorites]

I wasn't able to articulate properly how useless signatures are for enforcing security.

I always fill in the space with "SEE ID." Cashiers have been very good about asking for my ID.
posted by the man of twists and turns at 11:27 AM on January 17, 2014 [4 favorites]

What's funny is that our check clearing system works well and is free for the users, unlike in Europe. Because it's done by the Federal Reserve.
posted by wuwei at 11:29 AM on January 17, 2014 [1 favorite]

American business is schizo. They'll blithely put up with fraud on this scale, but fire hundreds of people the second they lose a nickel because, you know, shareholders and profit and fiduciary responsibility.
posted by Benny Andajetz at 11:30 AM on January 17, 2014 [19 favorites]

switching to card-and-pin is a matter of replacing "Sign here" with "Tap in a PIN, just like you do when you use your ATM card, and just like you already do with a debit transaction."

But consumer behavior is not the "cost" that's holding companies back. It's this:

The cost of upgrading the U.S.-based ATM market is pegged at nearly $500 million and the cost of upgrading U.S.-based POS terminals is estimated to be nearly $6.8 billion.

(Source)
posted by jbickers at 11:30 AM on January 17, 2014

This article left out my favorite use of the chip and pin system, which is being able to tap in the amount you want to put on your dinner tab AND the tip AND sign for it at the table which made dinner outings in England approximately 0% math-filled as opposed to the absolute quagmire of American receipts for large parties.

I miss that. And never having to use a check ever.
posted by jetlagaddict at 11:30 AM on January 17, 2014

The card issuers don't have much incentive to move to a better system when they can pass all of the costs of any fraudulent transactions off to the merchant.

Costs are passed on to the merchant only in the form of higher fees, spread across the issuer's entire merchant base. It's getting harder for issuers to charge back individual fraud transactions to merchants directly. As of April 20, 2013, Visa changed chargeback rules to eliminate chargeback rights on fraud-related transactions where there is evidence that the card was electronically read.
posted by ogooglebar at 11:35 AM on January 17, 2014

95% of ATMS use Windows XP.
posted by Artw at 11:37 AM on January 17, 2014 [5 favorites]

American business is schizo. They'll blithely put up with fraud on this scale, but fire hundreds of people the second they lose a nickel because, you know, shareholders and profit and fiduciary responsibility.

As long as there's no liability, fraud most likely comes out of their insurance - the worst they get is a small premium hike. The system is not set up to make companies care about fraud, so why would they?
posted by graymouser at 11:37 AM on January 17, 2014

My American credit card actually has a chip. However, you have to specifically ask to learn the PIN so clearly they're not expecting you to actually use it. And they're right, since when I use the chip when in other countries, I always need to sign and have never managed to use the PIN.
posted by carolr at 11:38 AM on January 17, 2014

The cost of upgrading the U.S.-based ATM market is pegged at nearly $500 million and the cost of upgrading U.S.-based POS terminals is estimated to be nearly $6.8 billion.

In 2009, a study put the annual cost to merchants of credit card fraud at $190 billion.

I don't understand why they're not rushing to make the change.
posted by mr_roboto at 11:39 AM on January 17, 2014 [5 favorites]

Pay for everything with cash.
posted by koavf at 11:42 AM on January 17, 2014 [1 favorite]

I wasn't able to articulate properly how useless signatures are for enforcing security.

I always fill in the space with "SEE ID." Cashiers have been very good are TERRIBLE about asking for my ID.


And when I use my Amex card, they ask a lot now for the top four numbers to the right of the card. In store. In my presence. Not happy about what point there is of those numbers for no card transactions if they are needed for yes card transactions.
posted by tilde at 11:43 AM on January 17, 2014 [1 favorite]

I honestly don't think that the problem will be fixed, and in a few years smartphone tap payment systems will be ubiquitous.

I am sure the smartphone systems will be entirely exploit proof.
posted by Steely-eyed Missile Man at 11:45 AM on January 17, 2014 [9 favorites]

Chip and Pin is completely pointless because the attackers already attack the pinpad equipment. Chip and Pin doesn't treat the pinpad as a potential hostile device. The second you enter your pin the card happily dumps all of your banking details onto the device which now also has your pin.

Congratulations, gangsters now have a simple way of stealing your shit. All they have to do is bribe/distract some minimum wage peon long enough to fuck with the pad.

The proper way would be to do it mobile phone style with a cryptoprocessor and a Ki known only to the card and the payment processor. The card's cryptoprocessor would sign the payment and send it to the payment processor. The merchant's equipment would only facilitate the transfer of that transaction and would never get your banking details at all. Protect that with a PIN instead.

But in its current form, Chip and Pin is absolutely fucking useless.
posted by Talez at 11:48 AM on January 17, 2014 [4 favorites]

So it's still an arms race, with slightly higher barrier to entry.

Building and deploying an ATM-type PIN skimmer is significantly harder than just ripping off credit card numbers.

Anybody can steal credit card numbers; it's trivial. There was a restaurant not far from me where they (allegedly without the owner's knowledge, but pffft) put a second card-stripe reader below the main one on the register, running into a computer under the counter. Every card that got swiped, got stolen. Totally passive, very hard to detect, no using a camera or having to review video to figure out somebody's PIN.

Granted, a huge part of the problem is the lack of enforcement. It took those morons months before they finally got in any sort of trouble. It was a running joke in town — "don't go to that restaurant unless you want your card ripped off" — but nothing got done. My understanding is the cops finally showed up, the restaurant owner acted surprised, and nobody got arrested. Last I heard they're back at it again.

Not only do the police not really have much motivation to go after credit card fraud (it's a sort of "victimless crime"), but much more surprisingly the credit card processors and banks didn't decide to stop doing business with a place that clearly had a fraud problem. I mean, you wouldn't have had to be a genius data analyst to see that everyone who used their card at this one Thai joint had fraudulent charges with 48 hours, and put two and two together; presumably they knew that and decided (apparently) to keep letting people use their cards there.

I think the solution has to be from several angles. First, we need to go to chip+PIN, and get rid of the back-of-the-restaurant credit card swipe. Make the waiter bring the little scanner out to the table, like they do in Europe, so you can put your PIN into it. Much harder (no, not impossible, but a lot harder) to casually skim numbers that way. At the same time, there needs to be better enforcement, and the cost of fraud needs to be assigned to those who have the means to stop it.
posted by Kadin2048 at 11:49 AM on January 17, 2014 [5 favorites]

What's funny is that our check clearing system works well and is free for the users, unlike in Europe.

Isn't that because a lot of American workers still get paid that way? As in an actual paper check you've got to deposit at the bank?
posted by derbs at 11:50 AM on January 17, 2014 [1 favorite]

Chicago has a new touchcard system for transit called Ventra. The Ventra cards use the same chip that credit cards use so if you try to touch your wallet to the card reader and you have a card with a chip, it will charge your Ventra AND your chipped card.
posted by melissam at 11:51 AM on January 17, 2014 [1 favorite]

Isn't that because a lot of American workers still get paid that way? As in an actual paper check you've got to deposit at the bank?

A lot of Americans don't have bank accounts. They get paid with an actual paper check you've got to cash (for a fee) at a check-cashing business, or pre-loaded debit cards (with fees).
posted by stopgap at 11:52 AM on January 17, 2014 [1 favorite]

In Canada we already used debit cards all the time so maybe that sped up our transition to chip and pin credit cards? You're still occasionally asked to sign things are restaurants and whatnot, but it's rare.
posted by maledictory at 11:52 AM on January 17, 2014 [1 favorite]

Chicago has a new touchcard system for transit called Ventra. The Ventra cards use the same chip that credit cards use so if you try to touch your wallet to the card reader and you have a card with a chip, it will charge your Ventra AND your chipped card.

That's a contactless payment card, which is a totally different technology from chip-and-PIN.
posted by stopgap at 11:54 AM on January 17, 2014 [2 favorites]

A lot of Americans don't have bank accounts. They get paid with an actual paper check you've got to cash (for a fee) at a check-cashing business, or pre-loaded debit cards (with fees).

Is there a cite for this? Genuinely curious. I've done direct deposit for decades. Never found it hard to set up an account or set up the deposits.
posted by Blazecock Pileon at 11:57 AM on January 17, 2014 [1 favorite]

wuwei: "What's funny is that our check clearing system works well and is free for the users, unlike in Europe."

What's funny is that checks are still being used in the US.
posted by Hairy Lobster at 11:57 AM on January 17, 2014 [16 favorites]

It's the same reason the USA hasn't adopted the metric system: inertia

I would just like to state for the record that I wholeheartedly endorse the metric system.
posted by inertia at 12:00 PM on January 17, 2014 [63 favorites]

A lot of Americans don't have bank accounts. They get paid with an actual paper check you've got to cash (for a fee) at a check-cashing business, or pre-loaded debit cards (with fees).

Ah ok. Just curious, but why don't they have bank accounts?
posted by derbs at 12:00 PM on January 17, 2014

the man of twists and turns: "I always fill in the space with "SEE ID." Cashiers have been very good about asking for my ID."

My Capital One card has my picture on it. I don't know why every CC company doesn't offer this as an option.
posted by IAmBroom at 12:00 PM on January 17, 2014

My Capital One card has my picture on it. I don't know why every CC company doesn't offer this as an option.

Because when they upload your swiped details onto a new card with its own magstripe and/or use it at the Safeway self-checkout it doesn't mean shit.
posted by Talez at 12:03 PM on January 17, 2014 [3 favorites]

What's funny is that our check clearing system works well and is free for the users, unlike in Europe. Because it's done by the Federal Reserve.

When I tell friends abroad that we still use paper checks here, they think I'm joking. Being proud of this is like being proud of a payment system that used gold bricks or Yapese giant stone coins. We have come up with a very efficient way of doing something stupid and pointless.

People in developed countries use online bank transfers. Paper checks are crazy.
posted by 1adam12 at 12:05 PM on January 17, 2014 [8 favorites]

What's funny is that checks are still being used in the US.

People who write checks at the grocery store are the worst people on earth. I seriously do not understand their mentality.
posted by desjardins at 12:06 PM on January 17, 2014 [9 favorites]

What's funny is that our check clearing system works well and is free for the users, unlike in Europe.

Isn't this rather like saying "our telegraph operators are remarkably inexpensive"? The US focus on che[ck|que]s is due to there being no sensible way to electronically transfer money to another person.
posted by zamboni at 12:06 PM on January 17, 2014 [4 favorites]

Some quick cites:

"more than 68 million Americans live day to day in a cash-only economy. . . . . In 2012 alone, more than $34 billion was loaded onto 4.6 million active payroll cards"

"The FDIC recently reported that 48.7 percent of the Latino households and 55.3 percent of African-American households in the U.S. have little or no access to mainstream financial services."

posted by stopgap at 12:06 PM on January 17, 2014 [5 favorites]

Ah ok. Just curious, but why don't they have bank accounts?

Generally, because bank accounts require a minimum balance.

It's a cycle. You don't have the money to open a bank account, so you have to cash your paycheck at a check cashing place, which charges you fees, and you pay for what you need for the next two weeks....and then still don't have enough to open a bank account.
posted by inertia at 12:08 PM on January 17, 2014 [2 favorites]

Blazecock Pileon: "A lot of Americans don't have bank accounts. They get paid with an actual paper check you've got to cash (for a fee) at a check-cashing business, or pre-loaded debit cards (with fees).

Is there a cite for this? Genuinely curious. I've done direct deposit for decades. Never found it hard to set up an account or set up the deposits."

YOU have decent credit. The abysmally poor, and a non-zero number of people even into the middle class don't have checking accounts because banks won't trust them. IF they have an account at all, it's savings, and they find it just as easy to cash the check and pay everything in cash, cutting out the trips to the ATM.

Unfortunately, this then tempts them to use the paycheck-advance thieving systems.
posted by IAmBroom at 12:08 PM on January 17, 2014 [4 favorites]

I die a little inside every time I have to mail a paper check in an envelope to pay a bill that could be trivially settled online.
posted by Skorgu at 12:09 PM on January 17, 2014 [2 favorites]

Wow that's interesting, stopgap. I'd not heard about payroll cards before. Do banks in the US not offer just a basic account? Like with no overdraft or chequebook, or credit cards or anything... just a bank account with a cash card that you can't overspend on?
posted by derbs at 12:12 PM on January 17, 2014

I always fill in the space with "SEE ID."

Doesn't that invalidate your card?
posted by ODiV at 12:13 PM on January 17, 2014

From what I can gather, the "See ID" is actually an invalid signature according to the credit card companies, and does not compel merchants to check your ID -- except if you try to pay without a real signature, and then they only have to check ID that one time.
posted by RobotVoodooPower at 12:14 PM on January 17, 2014 [1 favorite]

So "chip and pin" isn't something made up by Mitchell and Webb?

Is Numberwang a real thing too?
posted by Xalf at 12:14 PM on January 17, 2014 [9 favorites]

(So the signature is a legal CYA for the credit card company, not a security measure.)
posted by RobotVoodooPower at 12:16 PM on January 17, 2014 [2 favorites]

Do banks in the US not offer just a basic account? Like with no overdraft or chequebook, or credit cards or anything... just a bank account with a cash card that you can't overspend on?

There are lots of places in the U.S. -- in heavily populated cities -- that simply don't have bank branches because they'd be patronized primarily by people who just want those basic accounts, and there isn't enough money in them for the banks to bother. (Pay)Check-cashing services fill these voids because they can make money a few percent at a time and don't have to worry about providing all the other banking services.
posted by Etrigan at 12:19 PM on January 17, 2014

I die a little inside every time I have to mail a paper check in an envelope to pay a bill that could be trivially settled online.

My credit union (Navy Federal) lets you set up a bill pay online that mails a physical check to whomever you specify. (No postage costs!) I automatically paid my rent this way for years.
posted by desjardins at 12:19 PM on January 17, 2014

desjardins: "People who write checks at the grocery store are the worst people on earth. I seriously do not understand their mentality."

You've obviously never been hungry on a Wednesday when payday isn't until Friday.
posted by double block and bleed at 12:21 PM on January 17, 2014 [18 favorites]

Canada used to use just the magnetic stripe. Over a few years, we've migrated to cards that have both a chip and a stripe. It's not all that hard. As your cards expire or wear out, you replace them with chip cards. Vendors periodically upgrade their hardware. It doesn't take that long to transition everyone.

But border towns like Windsor or vacation destinations like Whistler, where there are businesses that want (or even rely on) the custom of US citizens*, are still going to be beholden to the older insecure tech until the US industries step up to the plate.

*For serious, there's a reason there's 1-2 drugstores per block right past the checkpoint on the Ambassador Bridge.
posted by Lentrohamsanin at 12:29 PM on January 17, 2014

The metric system is the tool of the devil! My car gets 40 rods to the hogshead and that's the way I likes it.
posted by BinaryApe at 12:29 PM on January 17, 2014 [3 favorites]

stopgap, IAmBroom, and stoneweaver: Thanks for teaching me something new.
posted by Blazecock Pileon at 12:29 PM on January 17, 2014 [2 favorites]

You've obviously never been hungry on a Wednesday when payday isn't until Friday.

AFAIK, the check deducts itself from the owner's checking account the minute it goes through the store's check reader, so the money still needs to be in the account regardless. It's just an extra slow and laborious way of paying for something that could be done faster and more courteously by using cash or a card.

Outside of cases where you're forced to pay a bill by mail, checks are pretty much an antiquated technology at this point.
posted by Strange Interlude at 12:30 PM on January 17, 2014 [2 favorites]

Do banks in the US not offer just a basic account? Like with no overdraft or chequebook, or credit cards or anything... just a bank account with a cash card that you can't overspend on?

Some banks do; some banks don't. Big banks with lots of local branches typically charge fees for all sort of things like not keeping a minimum balance (!) and even for talking to a human teller instead of using an ATM. Credit unions are generally pretty good, but not available everywhere or to everyone. I personally switched to USAA and bank by mail and mobile app since my in-person options are all so terrible.
posted by stopgap at 12:32 PM on January 17, 2014

I don't know, this chip thing sounds a lot like the Mark of the Beast to me.
posted by Legomancer at 12:32 PM on January 17, 2014 [3 favorites]

The only accounts my bank (which is a large bank with branches all over the country) offer that do not require a minimum balance also require monthly maintenance fees.

If you go below your minimum balance on the other accounts, you're hit with a $15-25 fee. My bank is not unusual. Credit unions are better, but not available to everyone.
posted by inertia at 12:34 PM on January 17, 2014

I still send paper checks through the mail to settle my debts with big organizations. I like getting the statements in the mail and sitting down and reviewing the physical paper and then filing away the important bits in my filing cabinet. The only thing that's really on autopay and electronic statements is my student loan-and guess which financial matter I don't have a good feel for? Well, I do, but only because my wife asked me how much was left on it and I had absolutely no idea, so I looked it up the other day.

I think those little barriers force me to consider the statements more carefully, and to physically acknowledge the money that I'm spending on the service or investing or whatever and consider whether its worth it. I also like to read the little tertiary materials which often have useful information-oh, the city does christmas tree pickup and here's how to do that, great!

I'm sure that I would adjust if I were forced to adjust.
posted by Kwine at 12:34 PM on January 17, 2014 [2 favorites]

As someone who worked in the construction arena for more than 25 years, I have to defend our current measurement system. If you are in need of doubling or halving distances, then sixteenths are a VERY sensible system. Metric works, of course, but I think our existing system is more intuitive. YMMV, of course.
posted by Benny Andajetz at 12:35 PM on January 17, 2014

As I understand it, the main difference between the mag stripe cards of North America and the chip-and-PIN cards of the rest of the world is the concept of multi-factor authentication.

Don't forget about CVV2.

The newer POS are multi-factor using the CVV2 security code printed on the card and I've seen the cashier flip over my card to enter it. While merchants don't need to use it I think they have higher processing costs if they opt out.

Granted, someone who steals your wallet can use your card very quickly but on such occasions the card has a very short life before the credit card company identifies suspect purchases and/or you call to cancel the card.

CVV2, however, is effective when used remotely over the phone or internet. Stolen card numbers are not useful for transactions that require CVV2 and these codes are not stored by the merchant.
posted by linux at 12:38 PM on January 17, 2014 [4 favorites]

This is not to say we shouldn't bother with EMV, as clearly the CC companies are moving towards it as noted above.
posted by linux at 12:40 PM on January 17, 2014

This is really easy. Credit Card companies do the cost-benefit analysis between requiring chip and pin and getting more transactions with easy swiping mag strip cards. As long as the added revenue from that plus the amortized cost of upgrading cards and POS terminals is greater than the higher fraud costs associated with a less secure system they aren't going to upgrade.

There was more consumer & regulator demand for chip and pin in Europe because the consumer is traditionally much less protected from fraud than in the US.
posted by JPD at 12:44 PM on January 17, 2014 [2 favorites]

Cheque fees in Europe? Not in the UK, unless I've been quite stupid for years. I actually used a cheque for the first time in several years yesterday, it was weird.
posted by knapah at 12:44 PM on January 17, 2014

YOU have decent credit. The abysmally poor, and a non-zero number of people even into the middle class don't have checking accounts because banks won't trust them.

This works in reverse, also.

Say what you will about CC scammers and muggers - the only time I've ever had real money stolen from me, it was a bank that did it.
posted by Pogo_Fuzzybutt at 12:47 PM on January 17, 2014 [4 favorites]

Some states require banks to offer a no-frills checking account without a credit check. IME its much harder opening a bank account in Europe than it is in the US.
posted by JPD at 12:48 PM on January 17, 2014

checks are pretty much an antiquated technology at this point

But still the favorite thing to find in a Birthday Card from Grandma.
posted by achrise at 12:53 PM on January 17, 2014 [6 favorites]

Some banks do; some banks don't. Big banks with lots of local branches typically charge fees for all sort of things like not keeping a minimum balance (!) and even for talking to a human teller instead of using an ATM

It's interesting learning about US vs UK banking systems. Our chip and pin handover, for example, took place over a few years, and went pretty smoothly. And now, I couldn't imagine not typing a PIN in for a purchase. I also think we tend to forget quite how big the US is, and the logistics of doing the same over there.
posted by derbs at 12:56 PM on January 17, 2014

Your Credit Card Has a Dangerous Flaw That the Banks Refuse to Fix

Dangerous to whom?
I've had a (physical) card stolen twice. Both times, removing the charges was the work of a 5 minute phone call, which I had to make to replace the card anyway.

So from a consumer perspective, how does help me, other than giving me one more number to remember?

(Please don't say 'You'll save money, because the savings from reduced fraud will be passed on to you!", because, well, we all know that's not going to happen.)
posted by madajb at 12:57 PM on January 17, 2014

It helps consumers by keeping them safer from identity theft, which is something that the US handles really badly. I will use this as an excuse to link to a sketch from That Mitchell and Webb sound about identity theft in the UK.
posted by Going To Maine at 1:00 PM on January 17, 2014

I was relieved during a recent vacation in the UK to find that every establishment I went to was in fact able to use my pathetic US swipe and sign credit card, and no one even gave me any attitude about it. (There were a few B&Bs that we needed cash for, but they didn't take any credit cards, even Eurpoean chip and PIN style.)
posted by aught at 1:01 PM on January 17, 2014

I was just told over the phone by a customer service person at the issuing bank (literally, just now) that there has been a breach at MasterCard itself and that one of my credit cards has been cancelled as a precaution.

My personal take on this: the US has become a big, sitting mark for anyone around the world wanting to do any sort of credit card fraud at all. Want to score? Hit a US bank, processor, cardholder, whoever, they're pushovers. Yes, I'm a little grouchy at the moment.
posted by gimonca at 1:03 PM on January 17, 2014

If the banks are refusing to change the system, that's because they've done the math and figured out that it would cost them more to change the system than they would gain by reducing fraud.

Under U.S. law, if my card is stolen I am liable for a maximum of $50, and the one time my card was stolen they just reversed the charges and I wasn't even charged that. So, if the bank doesn't want to fix the system, and is willing to cover or insure against the costs of fraud, then that's their call.
posted by memophage at 1:04 PM on January 17, 2014 [2 favorites]

Your Credit Card Has a Dangerous Flaw That the Banks Refuse to Fix

Dangerous to whom?

Yeah. "Your Credit Card Sas a Flaw That May Be Slightly Annoying and Involve You Having to Change the Account Numbers on Your Various Utility AutoPay Settings But Not Actually Cost You Anything," is so much less effective as linkbait.
posted by aught at 1:04 PM on January 17, 2014 [5 favorites]

I was in England and France this fall. We constantly had to say "no chip" when doing transactions. Most places were able to swipe my card but a few had to manually enter the number. . .the scary part was how often the transaction did not include me needing to enter a PIN.
posted by Danf at 1:08 PM on January 17, 2014

I still have to write a paper check every two weeks, to pay my lawn guy, because I can't pay him electronically (and I'm not going to leave cash in an envelope out on a table on my front porch). EVERYTHING else I can pay online, as of 2-3 years ago finally.

It's kinda sad that some of my Bitcoin transactions are more secure (with 2FA) than stuff involving my normal bank account and bank-issued debit card.
posted by mrbill at 1:11 PM on January 17, 2014

Back to ERV again:

The US is the last, stupid dinosaur holdout on this. It's damn embarrassing.

Around the Twin Cities, if you look closely, many credit card terminals are already set up to take the chipped card. Look for terminals with a card-sized insert slot, possibly with an ERV chip graphic next to it. I'm fairly sure I saw one at, yes, Target within the last couple of weeks.

Over the last couple of years, I've read in various discussions that the few U.S. banks that do issue chipped cards may not be doing it in synch with the rest of the world. Not entirely sure what's involved, but it sounds like they might save skipped bits of the ERV standard, might not be handling the PIN itself correctly, or something else. I've read stories of US cardholders saying "I've got a chipped card, why can't I buy train tickets from the machine in Amsterdam?" and the like. (On the other hand, in some cases, it sounds like the merchant might not be accepting any foreign-issued cards at all, that would be a separate issue from ERV itself.)

For me, mag-stripe cards still get me around Europe, although it's becoming more common for me to have to explain to younger salespeople and clerks that you have to swipe the card, and a bit of paper will magically spit out the other end.

Even Canada is moving to ERV, for cripes sake.
posted by gimonca at 1:17 PM on January 17, 2014

Do chip and PIN make online payments more secure? I worry far more about thieves using my credit card online than running around town buying things in brick and mortar retail stores.
posted by Triplanetary at 1:27 PM on January 17, 2014

Do chip and PIN make online payments more secure? I worry far more about thieves using my credit card online than running around town buying things in brick and mortar retail stores.

Same here and for the internet the CVV2 is essentially a PIN and so already extant.

I don't use debit cards precisely because it directly accesses my actual funds. Sure, the bank will cover it, eventually, but I have the privilege of having credit cards (I realize there are many who do not have this luxury and rely on debit cards for transactions that require VISA/MC) and therefore every four years shred the debit card and ask the bank to send me an ATM card instead (it's amazing that they don't remember my preferences and I have had to do this three times now).

Chip and pin may be going backwards, in terms of convenience. While a PIN is faster and less silly than a signature, many in-person POS transactions don't even require me to sign if it is under a certain amount (this seems to be merchant-based, being under $10, $25 or even $50). The convenience of simply swiping and doing nothing else is just that: a fantastic convenience that probably outweighs the fraud costs to the industry.
posted by linux at 1:40 PM on January 17, 2014

The main problem I've had in Europe is that while restaurants and hotels can handle the US-variant signature required credit cards, places where there is no human around (e.g., waiter, hotelier) are another story. If you need to go through a toll booth, buy gas at an automated station late at night, or train/subway tickets, you may be out of luck.

PIN-based debit cards work at some places, but they have drawbacks, too. They'll typically pre-authorize a payment as a "hold" or insurance that may be significantly larger than the actual amount finally billed, and that "hold" may not clear for several days, needlessly depressing your apparent bank balance.
posted by CheeseDigestsAll at 1:41 PM on January 17, 2014

Do chip and PIN make online payments more secure?

Chip and pin are irrelevant to on-line (or over the phone) puchases. In Canada, we revert to the CVV2 system ("number on the back of the card"), exactly the same as a US cardholder would experince.

A number of banks however, also have a seperate CC password which may or may not pop-up as an intermediate screen in on-line CC transactions. Whether or not you need to enter the CC password seems to depend on how often you make a transaction, in my experience. Ordering a pair of shoes for the first time from a website? You get the password prompt. Ordering your regular on pizza night from the same joint you've used for years? No password prompt.
posted by bonehead at 1:41 PM on January 17, 2014 [1 favorite]

Canadian cards are just now also getting an NFC tap-to-pay system too (with no pin), for low-dollar puchases. It's under $25 or $50 for many places. Makes going to the coffeeshop a lot easier.
posted by bonehead at 1:43 PM on January 17, 2014

CVV2 is a form of two factor, but it's not particularly good. I don't have a reference handy (Planet Money?) but black market credit cards come with CVVs and zip codes and all that other weak nonsecret stuff at only a marginally higher price than the basic number.
posted by Nelson at 1:49 PM on January 17, 2014

Once the cost of fraud exceeds the cost to change, change will happen. I personally am hoping that something really disruptive comes along. Transaction fees for credit cards are ripe for competitive disruption. I'm really encouraged by what dwolla is doing.
posted by dgran at 1:56 PM on January 17, 2014

CVV2 is a form of two factor, but it's not particularly good. I don't have a reference handy (Planet Money?) but black market credit cards come with CVVs and zip codes and all that other weak nonsecret stuff at only a marginally higher price than the basic number.

Those were most likely obtained through phishing sites or directly intercepted mail and for that even chip and pin is vulnerable except for use at brick and mortar POS with the actual card.

My AMEX card has a PIN if I really need to use it, so those no-human situations are surmountable. Problem is I haven't had the occasion to encounter this particular scenario in the last ten years (I travel abroad quite often) and I've pretty much forgotten the PIN.

I think my Chase VISA also has one if I need it. I suppose I should call and get those PINs just in case... but honestly, it just never occurred to me to bother as I've never been inconvenienced... yet.
posted by linux at 2:00 PM on January 17, 2014

In August 2011, Visa also put forward its own EMV timetable with April 2013 as the date by which its U.S. acquirer processors and sub-processor service providers must support merchant transactions using chip-based cards.

The real cutover is when the liability shift happens -- that is, when they just push all charges back on any suspicion of fraud, because you're not using the current standard payment method.

For AMEX, MC and Visa, that date is 1-Oct-2015 for point-of-sale terminals, and 1-Oct-2017 for pay-at-the-pump. MC is also shifting liability on ATM transactions on 1-Oct-2016, Visa on 1-Oct-2017.

I expect to see terminals show up around the end of 2014.

Once the cost of fraud exceeds the cost to change, change will happen.

Companies yelled about paying for online swipe terminals for instant approval. They refused to buy the gear -- right up until the liability was shifted to them. It took them about no time whatsoever after that to get the terminals in.
posted by eriko at 2:01 PM on January 17, 2014 [3 favorites]

Chip and pin will happen soon enough but it's not going to stop phishing. There the consumer has to be educated versus overbuilding security.

I also think that at least for the US the new paradigm of having a threshold for requiring a PIN/signature will stay. So fraud at low amounts (under $25 per transaction, for instance) will go up -- but then, repeated low amount transactions will raise the CC company's authorization heuristics and it won't last long.
posted by linux at 2:05 PM on January 17, 2014

Here in Australia we have stuff like tap-n-go and PINless transactions, or you just kind of wave your card around. Mine is so advanced it sometimes automatically pays for stuff I didn't even know I needed.
posted by turbid dahlia at 2:12 PM on January 17, 2014

Are tap to pay cards available in the US? They're an even easier version of the no signature required procedure. You just touch your card to a plastic reader and you're done. It's faster by a long way than even swiping used to be.
posted by bonehead at 2:13 PM on January 17, 2014

But border towns like Windsor or vacation destinations like Whistler, where there are businesses that want (or even rely on) the custom of US citizens*, are still going to be beholden to the older insecure tech until the US industries step up to the plate.

Yes, and here in Australia all our chip-and-pin or tap-and-go units also accept a swipe.
posted by raena at 2:16 PM on January 17, 2014

But in its current form, Chip and Pin is absolutely fucking useless.

Except for that 73% reduction in card fraud. Other than that massive reduction, why, yes, it is absolutely fucking useless.
posted by five fresh fish at 2:22 PM on January 17, 2014 [11 favorites]

IAmBroom: My Capital One card has my picture on it. I don't know why every CC company doesn't offer this as an option.

That only really protects you against the card itself being stolen (and only if a store actually pays attention to the photo). If someone steals your credit card's information and copies it onto a new magstripe card, they could just as easily put their photo on the card they made.

I have a friend who, as an experiment, copied the magstripe from her credit card to a blank, white, featureless card. She used it all over for a week or two without any significant trouble. On the rare occasion that someone questioned the card she just said it was a "secure card," and it was then accepted. With all the different security features cards have (photos, transparent sections, cards where the number isn't embossed on the front, but only printed on the back, …), who's to say that not having the number visible at all isn't a new feature?
posted by JiBB at 2:24 PM on January 17, 2014 [1 favorite]

Chip and Pin is completely pointless because the attackers already attack the pinpad equipment. Chip and Pin doesn't treat the pinpad as a potential hostile device. The second you enter your pin the card happily dumps all of your banking details onto the device which now also has your pin.

That's not really how those transactions work.

The proper way would be to do it mobile phone style with a cryptoprocessor and a Ki known only to the card and the payment processor. The card's cryptoprocessor would sign the payment and send it to the payment processor. The merchant's equipment would only facilitate the transfer of that transaction and would never get your banking details at all. Protect that with a PIN instead

I don't know much about mobile phones, but the card making an encrypted request and receiving one in return from the issuer is exactly how it works now.

Many exploits around cards are usually doing things like skimming the magstripe and pin, and then using the dodgy cards in places that accept magstripes as a fallback.
posted by raena at 2:51 PM on January 17, 2014 [1 favorite]

Getting Americans to use something like Chip and PIN would be really hard. It would require an enormous capital investment by retail businesses and banks and processors and create a large support burden.
Not really - systems are updated all the time and can be simply replaced with the chip-enabled devices (and cards with chips issued as new or replacement) up to where things reach critical mass where it becomes feasible or even necessary for the rest to be changed. That's the way it happened here (Australia) and it's been a painless transition. It's also enabled the contactless systems that let you wave your card over a scanner and walk away a couple of seconds later, for purchases under $100 (no cash withdrawals). I find it quite odd that such a technologically advanced nation as the US still clings so fiercely to such antiquated methods of paying for things. Cheques? Really? In 2014?
posted by dg at 3:37 PM on January 17, 2014

Are tap to pay cards available in the US? They're an even easier version of the no signature required procedure. You just touch your card to a plastic reader and you're done. It's faster by a long way than even swiping used to be.

You can do that if you have a higher-end smartphone with NFC and can find a compatible reader. You get a receipt on the phone, Google gets more data. I live in NYC though don't particularly go to stores that much, readers still seem relatively uncommon & clerks occasionally surprised when I do it. I have paid by phone at Duane Reade, Whole Foods, Macy's & a taxi. I have to imagine big chains like Macy's have the readers more often but I definitely don't go to stores like that too often.

Paying is shortly obsolete tho. In the future when you feel like going to a store instead of waiting for the drone you will just pile stuff into your bags and pockets like a shoplifter and the computer will see everything and handle it.
posted by save alive nothing that breatheth at 3:58 PM on January 17, 2014

I recommend against using any smartphone tap payment system because smartphones are about as secure as a poptart in the pig pin. And app stores will happily push your cash syphoning program out to millions.
posted by jeffburdges at 5:51 PM on January 17, 2014 [1 favorite]

I've recently seen notices from my Australian bank saying that they're phasing our signing credit cards and moving everyone to chip-and-pin. The transition has been in the works for a while, and for a couple of years now the sales person has had to ask "PIN or sign".

I origionally got a PIN for my card three years ago. We were about to spend a month in the UK, so advised the bank so we wouldn't trip the fraud things. The bank teller actually advised us that chip-and-pin was used in the UK and that it would be worthwhile getting a PIN on our cards. For some reason we still usually ended up having to swipe the cards, but we've obviously stuck with the PIN since we got back.

Weirdly the credit card I have for work has a chip but will allow you to sign or use a PIN even when you're using the chip. I'm pretty sure my personal card will only let you use a PIN.

And even with chip-and-PIN, when you pay in a restaurant they'll usually take your card away and give you a receipt to sign, rather than brining a terminal to the table, so obviously it's not all or none.
posted by damonism at 6:17 PM on January 17, 2014

they'll usually take your card away and give you a receipt to sign, rather than brining a terminal to the tabl

So not my experience, and I live in a small town in BC. Surely other places are equally sophisticated.
posted by five fresh fish at 6:49 PM on January 17, 2014

Here is a list of chipped credit cards that are available in the US, maintained by some folks at FlyerTalk. Especially useful is the info about which cards support chip-and-signature, and which ones support chip-and-pin. Spoiler alert: there are very few cards that support chip-and-pin.
posted by Quiscale at 8:43 PM on January 17, 2014 [4 favorites]

Google Wallet NFC on Android uses the same pads as tap to pay cards, of which there are many. Chase and Amex ran some promotions back in the middle 2000s trying to get people to use the chips they had just embedded in most of their cards, but NFC readers were pretty sparse then.

They're significantly more common today (every McDonald's has one, most of the large pharmacy chains have them, etc.), but still far from universal. And even when they are installed, the NFC-reading portion often doesn't work, either with phones or plastic cards with an NFC chip. I have about a 40% success rate.

There's no dollar limit on them here, BTW. You just have to sign if it's over $25.
posted by wierdo at 12:20 AM on January 18, 2014

I should have gotten here earlier, because now I have to cherry pick what I respond to.

The CVV2 can be stored in Track 1 data on your credit card. And so can your PIN. This means that this two methods are completely useless against attacks that rip your full Track 1 data, such as the attacks used against Target.

Stealing Track 1 data is basically stealing a CC in the US, regardless of the countermeasures. Yes, I guess a picture on the CC will help, but it can easily be used for online purchases as well.

Of course, stealing Track 1 data is difficult. It mostly requires inserting hardware in-between the customer and the POS device, and then finding a way to extract that data (by physical or network access to this confederate hardware). Scammers are remarkably innovative, and I've seen fake PIN pads placed over real PIN pads that would have fooled me.

And to add a bit of calm to what might be panic, the general public is not allowed access to POS hardware. As was pointed out above, in the US a diner is not allowed to swipe their card and enter their pin or in any way touch the machine that takes CC data and whisks it away. In fact, you even have to face a credit check to own or rent it. All that is changing, but new systems generally have new hardware that is more robust and mostly impervious to tampering. Mostly.

How is chip and pin better? Well, for one, they don't have track data, so you can't just vroom and suck all the bits off a card and then duplicate it. That should be enough.

Countries that use chip and pin regularly will bring the POS terminal to you because they don't know the PIN (that they normally could get from just swiping). This is good, but it also leaves the terminal open to the customer planting a device. I've seen some videos of people who were surprisingly good at this.

So what is the solution? I don't know. But the attacks to companies like Target will continue to get more intense. It is probably a good idea to overhaul the CC system.

Also, one last note. The US has a high level of fraud. But compared to the rest of the world, it's pretty low. If you think 5% is bad, you should see what processors see in BRIC countries with more secure systems.
posted by chemoboy at 12:26 AM on January 18, 2014 [1 favorite]

Speaking as a Brit who occasionally visits the US, it always seems very odd to be faced with an old-fashioned "sign the receipt" credit card transaction there. Chip & Pin's been the norm here in the UK since 2004, so from our perspective using the signature system feels like stepping back in time by ten years.
posted by Paul Slade at 1:06 AM on January 18, 2014 [2 favorites]

How is chip and pin better? Well, for one, they don't have track data, so you can't just vroom and suck all the bits off a card and then duplicate it. That should be enough.

In practice, though, the cards are generally issued with a magstripe-and-pin as well as the chip-and-pin. You use the magstripe in terminals that don't do chips, or you can use the magstripe as a fallback (if this is accepted by the terminal) when the chip doesn't work. That means there's still loads of scope for skimming abuse, even if practically speaking we rarely use those magstripe tracks.

Some retailers won't accept a card transaction on a chip card when the chip doesn't work, which is sensible, but most seem really blase about it (as I noticed when my favourite chip card began to wear out).

Equally, I'm sure there are some customers who aren't too fussed when there's "a problem" with the chip reader and "sorry ma'am you'll need to swipe". That's worrisome.
posted by raena at 1:56 AM on January 18, 2014

And to add a bit of calm to what might be panic, the general public is not allowed access to POS hardware. As was pointed out above, in the US a diner is not allowed to swipe their card and enter their pin or in any way touch the machine that takes CC data and whisks it away. In fact, you even have to face a credit check to own or rent it.

Where would you even get this idea? First, in nearly every situation *other* than a restaurant, the customer swipes their own card, sometimes in front of a human cashier, but also at self-service checkouts in grocery stores and gas stations.

And to your other point, I guess Square is the most recent and well-known example of a POS sold directly to the public, but they're certainly not the only one. Anyone can buy POS hardware, including credit card readers, without any kind of credit or background check. Even if a particular manufacturer restricted sales for some reason, that restriction would be useless once the merchant went out of business and the hardware hit craigslist or eBay.
posted by bradf at 6:52 AM on January 18, 2014

Here is a list of chipped credit cards that are available in the US, maintained by some folks at FlyerTalk. Especially useful is the info about which cards support chip-and-signature, and which ones support chip-and-pin. Spoiler alert: there are very few cards that support chip-and-pin.

With some little gems in there like:

"must apply in-person at a Commerce Bank branch"

"must work for State of NC"

"Offered through Wells Fargo Advisers for those who have $1 million or more in their Wells Fargo accounts" (!)

I have a BoA chip-and-signature card. It's worse than just a magstripe when travelling--it never works the first time, and you end up having to ask the clerk to swipe the magstripe in spite of the visible chip in the card.

I had one of the Travelex cards mentioned in that list, too. It's no longer offered. I got a note from Travelex early last year that it was being discontinued, and that I needed to cash in a little remaining amount that I had on it.

The Travelex card was chip-and-pin, but it didn't have the full functionality that you needed. It worked in stores, restaurants, post offices, any brick-and-mortar location. But at the places where you were required to have chip-and-pin, it never worked: vending, gas pumps, toll booths, anything unstaffed and automated. (This was in France.)

The explanation I got (not from Travelex) was that standalone vending and similar machines tended not to have a live connection out 24/7 so that they could contact a payment processor for approval in real time. Instead, the machine would batch transactions and send them out maybe once a day. If your chip-and-pin card is set up correctly so that the PIN can be validated against the card itself, it works. If your chip-and-pin card needs to have the PIN validated in the cloud (or over a POTS line, or whatever), the machine can't process the transaction. No métro tickets for you!
posted by gimonca at 7:09 AM on January 18, 2014 [1 favorite]

Where would you even get this idea?

I should have said "traditional hardware." I think I was wandering last night.
posted by chemoboy at 9:39 AM on January 18, 2014

eBay: Point of Sale terminals. Here's a $19 one that claims to read all tracks. If that doesn't work any college level EE student could wire one up for you. Magstripes are not secrets.

Wikipedia has a good description of EMV verification methods. Turns out there's a whole lot of options – signature, PIN, etc – and it's up to the terminal to decide which to use. I imagine payment processors have a policy, too.

Anyway, all this discussion of physical security of an actual credit card seems sort of charmingly retro. I'd think the real problem worth solving is secure online payments. The current US system of online CC verification is terribly bad and AFAICT the European systems aren't better.
posted by Nelson at 9:47 AM on January 18, 2014

Having just moved from the US to Canada, I am pretty shocked at how bad chip and pin systems are. The "security" is a compete scam and they completely destroy the flow a transaction.

1. They add at least 20 seconds of awkwardness to any retail transaction.

2. They require a great deal of interaction, a common usage scenario has these steps:

"Hand the Device to the Customer"
"This is the price press 'Ok'"
"Would you like to add a tip? Yes / No"
"Add Tip by $ / %"
"Tip amount"
"New Total is this 'Ok'"
"Which account would you like to use: Chq/ Savings"
"Enter your PIN and press ok"
"PIN Ok, Return Device to Cashier"

It should be noted that after many of the steps is a 1-2 second pause: "Please Wait".
Many of the devices use a phone connection so they have to dial out after the last step.
I've become very accustomed to humming hold music to keep myself amused while I check out.

3. They suffer innumerable faults because of bad connections between the reader and the card, so much so that you end up having the salesperson swipe the backup magnetic strip at least once a month. If you accidentally bump the card while working your way through the dialog you have to hand the device back to the clerk who has to clear the transaction and start over.

4. They completely inhibit any innovations like Square by imposing requirements for expensive security theater. When I first moved here I couldn't believe it wasn't some corruption scheme between the Canadian government and the incumbent POS companies to make sure they didn't have any competition.

5. The UX is obscenely bad. Every POS has a different set of buttons and onscreen symbology. Some are touch screens, some are like an atm with buttons beside the screen, some you have to use the numberpad for everything. They are often awkward handheld units with the form factor a 1970s calculator, but a bit bigger and heavier.

I utterly hate using my debit card in Canada.
posted by ethansr at 11:01 AM on January 18, 2014

That is all so dumb that I'm led to wonder if there should be some sort of skills testing before allowing Americans into Canada.

Suffice to say I find your claims to be grossly exaggerated and atypical of my years of C&P card use.
posted by five fresh fish at 11:18 AM on January 18, 2014 [1 favorite]

The Ventra cards use the same chip that credit cards use so if you try to touch your wallet to the card reader and you have a card with a chip, it will charge your Ventra AND your chipped card.

The instructions for the Ventra system say explicitly to remove the card you want to use from your wallet.
posted by one more dead town's last parade at 11:36 AM on January 18, 2014

As an American, I don't have a chip and pin card, but the Canadian portable terminals work with American cards' magstripes as well. I haven't had anything like ethansr's bad experiences, even in some kinda divey places, though I'll give him some points on bad UX. The tip functions are distilled awesome.
posted by ROU_Xenophobe at 11:47 AM on January 18, 2014

People in developed countries use online bank transfers. Paper checks are crazy.

It's easy when your developed countries have only a handful of banks, rather than thousands.

In Canada, writing someone a check costs you a maximum of 75¢ (or nothing at all if you know what you're doing), but sending someone an instant payment via e-mail costs $1.50, even though it costs the banks much less than processing a check. Why? Because there are only six banks and you'll pay what they tell you to.

I find your claims to be grossly exaggerated

There's no question that chip-and-PIN for small purchases, where a signature wouldn't usually be required, takes too long and slows down checkout lines. A lot of merchants are too cheap to invest in card readers that allow for contactless payment, though.
posted by one more dead town's last parade at 11:59 AM on January 18, 2014

They completely inhibit any innovations like Square by imposing requirements for expensive security theater.

What? Square is perfectly usable in Canada.
posted by one more dead town's last parade at 12:02 PM on January 18, 2014

Square is usable in the States so long as your partner hasn't beaten you to signing up for an account using your shared credit card. Harumph.
posted by The corpse in the library at 3:21 PM on January 18, 2014

I've recently seen notices from my Australian bank saying that they're phasing our signing credit cards and moving everyone to chip-and-pin. The transition has been in the works for a while, and for a couple of years now the sales person has had to ask "PIN or sign".

I have visited Australia every few years with UK cards, and maybe 3-4 years ago, they switched on Chip and Pin for foreign cards which have it. For a while, it worked with MasterCard and Visa but not AmEx, though.
posted by acb at 8:37 AM on January 19, 2014

There's no question that chip-and-PIN for small purchases, where a signature wouldn't usually be required, takes too long and slows down checkout lines.

Well, this literally makes no sense at all. C&P is much faster than writing a cheque or handing over cash and waiting for change - if you know what you're doing. In Australia, where I've been paying via debit card with PIN for probably 15 years now, it's second nature.

The only faster way is contactless, which I'm just not in the habit of using yet.
posted by crossoverman at 1:41 PM on January 19, 2014

They meant that chip and PIN would be slower than a swiped credit card transaction where a signature is not required.
posted by ODiV at 2:34 PM on January 19, 2014

They meant that chip and PIN would be slower than a swiped credit card transaction where a signature is not required.

Okay, so punching a four-digit PIN into the pinpad takes a couple of seconds. Slowing down the line how?
posted by crossoverman at 2:41 PM on January 19, 2014

Well, this literally makes no sense at all. C&P is much faster than writing a cheque or handing over cash and waiting for change - if you know what you're doing.

It's faster than a check, but if you're spending, say, $6.35 on lunch, chip-and-PIN transactions take about twice as long as cash transactions, because it usually takes more than five seconds after you put in your PIN before the transaction is actually approved. If you're paying for your lunch with chip and PIN, and the person behind you is paying with cash, their transaction is sometimes complete before yours is.
posted by one more dead town's last parade at 3:32 PM on January 19, 2014

Ah, I thought you meant no-signature swipes, which is what fast food places around here did before credit cards had PINs.
posted by ODiV at 5:34 PM on January 19, 2014

Of course, stealing Track 1 data is difficult. It mostly requires inserting hardware in-between the customer and the POS device, and then finding a way to extract that data (by physical or network access to this confederate hardware). Scammers are remarkably innovative, and I've seen fake PIN pads placed over real PIN pads that would have fooled me.

This just makes the use of CVV2 about as safe as chip and pin, since both require a PIN of some sort that is entered by the customer and therefore can be intercepted by an in-between device.

A lot of debit card fraud/theft occurs at gas stations because of these devices. It makes for a lot of evening news fodder.
posted by linux at 10:58 AM on January 20, 2014

if you're spending, say, $6.35 on lunch, chip-and-PIN transactions take about twice as long as cash transactions

C&P takes about thrity seconds to a minute to complete, in my experience. However, for low value transations, the tap system takes a second or two, five if you need to tap twice. Much faster than waiting for someone to count change.

ethansr is right about much of the process (and the horrible UIs on most of them), but I still notice delays for cash or cheque if someone chooses that over C&P. The tip percentage calculation is only included for restaurants/bars (or cabs), and not for groceries or whatnot.

C&Ps greatest increase in convenience is for food and beverage service, arguably. The C&P remote terminals has really sped up the process in restaurant table service, in my experience. Processing is done right at the table, rather than the server having to run off with the card to swipe then return. Instant verification (and recepit) is more secure for the customer and the restaurant too. Also, it makes cheque-splitting (and separate tipping) totally transparent.

I don't think C&P is perfect by any means, but it's a faster system generally than the old swipe or paper rubbing days, IMO, and faster still than cheques.
posted by bonehead at 11:37 AM on January 20, 2014

I don't think I've seen someone pay with a check at a point of sale in nearly a decade.

But I really do like contactless payments. At my grocery store, I tap my card on the reader, it goes "bloop," and the cash drawer pops open and the receipt starts printing in less than a second. You can't really make it appreciably faster than that.

Much better than some of the places I buy lunch, where the cashier has to enter the amount of the transaction manually on the card reader, I have to approve it, then I enter my PIN, and it still takes another 5-10 seconds after I've done that before the transaction is complete.
posted by one more dead town's last parade at 12:34 PM on January 20, 2014

Can somebody clear something up for me? I've heard that chip&pin was used by the banks to move the liability for fraud to the customer. So if your card info gets stolen at a shop or something you are still liable for the monetary loss because chip&pin is "supposedly" unhackable. Is this true? Or was this true and now isn't?
posted by I-baLL at 8:22 AM on January 21, 2014

The liability is already on the merchants in the U.S.
posted by I-baLL at 9:03 AM on January 21, 2014

AFAIK the liability was always on the consumer in Europe. I think its because of that though that consumers were more keen on better safety measures.

I believe the same applies to many financial transactions in Europe.

In the US the one outlier is Debit + Pin where the consumer is liable. Signature Debit is like a CC
posted by JPD at 11:17 AM on January 21, 2014

I don't think I've seen someone pay with a check at a point of sale in nearly a decade.

I wish I could say that.

At the slightly down-at-heel supermarket near my house, about twice a month I get behind an elderly person who starts digging for their checkbook when the cashier has finished scanning items and totalled up their sale. Back in the day (that is, when I still wrote checks pre-1992-ish) it seemed like polite protocol was to get the check all filled out except for the amount while the cashier is scanning items, then finish it up when you are told the total.

Now at the schmancy Wegmans across town, where we and twenty thousand of our yuppie friends do our regular shopping, I don't ever recall getting behind a check writer. Another social class differentiator, I guess.
posted by aught at 12:13 PM on January 21, 2014

JPD, many to most banks have limited liability policies on PIN transactions as well, although they are rarely as generous as what Visa and Mastercard (and federal law for CCs) require.
posted by wierdo at 11:13 PM on January 27, 2014