Does the letter cite a particular law? Which one, exactly?
About a year-and-a-half ago I got a new Bank of America credit card and when they sent it to me, they also sent, at the same time, in a separate envelope, an NFC-contactless chip, as a separate little card that you snap out of a larger credit-card-sized card–like the way they sell SIMs. Here it is.
Notice the instructions: “Snap-Out Tag & Attach to Mobile Device.”
“What the hell? Why do I have to attach it to a mobile device?” Does it send data through your cell phone? I couldn’t figure out how that would work. The packet of paper instructions didn’t explain it at all. So I called them up and they seemed to be completely unaware that they were issuing these cards. They were confusing it with the EMV cards where a totally different kind of chip is in the credit card itself. I called various offices at Bank of America, and no one had any idea what I was talking about.
Finally, I made clear to one manager that this was something different, and he guessed what it was, but said that they were no longer using that system. (Huh? They had just sent it to me.) He also guessed that the reason it says “Attach to Mobile Device” was just a suggestion, as a convenient place to keep the little card. But maybe not. He just didn’t know. And he worked there.
Ultimately he said, “Forget about that thing we sent you. We’ll send you a new card with the new chip”–meaning the EMV card.
I was a little disappointed, because I wanted to at least try it out. It sounded so fast and easy. But the fact is that no one has readers for those cards anyway–not that I’ve seen.
The fact that something is against the terms of a contract (e.g. the contract allowing you to use your credit card) does not make it against the law, i.e. illegal. Banks don’t make laws; governments do.
This is the best answer so far, but I’ll add a few things. I’m not an expert but this is what I know.
There are actually three points of authentication in EMV. Those are between card/device to payment terminal, payment terminal to acquiring system (gateway) and gateway to card issuer (host). Magstripe tech is completely static, unencrypted, readable by a $50 magstripe reader and writable/re-writable onto another magstripe by a $200 magstripe read/write device. It’s all wide open and accessible to anyone with cheap readers, often covertly deployed (skimmers) in public terminals like ATMs or (more frequently, due to lower security) pay at the pump gas station terminals.
The EMV standard (which covers both chip cards and NFC payments like Apple Pay and Google Wallet, which is why I specify card/device rather than chip) is different. That little chip on your new cards is actually a tiny integrated circuit with a processor and memory, capable of running even tinier little applications that interact with the EMV system in real time, sending and receiving and storing data in the process.
That’s why with a magstripe, you swipe and put your card away. It’s static data that you send and wait for an approval. With EMV chip or NFC, you must keep your payment source connected. The transaction is challenged by the payment terminal, gateway and host, all having access (through private key or hidden public key encryption) to the data on your EMV card or device in real time.
Chip and signature is kind of a half-assed bridge to real two-factor authentication like chip and PIN, but it does prevent card duplication as Alley Dweller mentioned. It’s not foolproof, and also as mentioned, it does nothing for “card not present” (CNP) transactions, such that CNP merchants like internet and phone merchants are likely to see an increase in fraud attempts, but it’s a step in the right direction.
There is also an EMV protocol for offline transactions. What I described above in real time transaction of communication up and down the line from card/device to payment terminal to gateway to host and back can be avoided when necessary and agreed to by the host and payment terminal. The host can implement instructions and write those to the card/device so you can spend $x in offline mode (where $x is written to the card/device per transaction by separate payment terminals and affects the total available) until the next online reconciliation is available.
Anyway, it’s cool technology that the US is way overdue for and more than worthwhile for the few extra seconds it takes at checkout.
Excellent addition to the thread, Jake Jones. Two things: First, it’s not even chip and signature in most cases, at least for low value purchases. It’s just chip. Second, given the expected increase in CNP fraud, how long until we’re required to use a cell phone linked to the account to authorize/confirm CNP transactions? It seems like the next logical step.
Bank of America must not be too concerned. I just got a new VISA card the last week of September. No chip.
Were you due to get a new card about that time anyway? Maybe it was just in the pipeline. Maybe they’re just backlogged in getting all the new chipped cards out.
I got a new BofA card at about the same time – mid September or so. With chip. Also, they changed it from Visa to MasterCard now.
Not for all, not yet. For my credit union’s ATM cards, they randomly assign the PIN. For me to change the PIN (to match my other cards with the same PIN) they said they can do that but only at a branch office. I have to bring my card in. My CU is located in NC, and I live in CA and don’t have plans to be there anytime soon. So it ain’t happening. Not for a while anyway.
My new credit card has a chip but not my old debit card.
Problems?
Nah. As the OP implied, the target date didn’t happen. They can’t start phasing out mag strip yet.
Those are technologically the same. The card can tell the reader whether the bank requires a pin for this transaction or not.
I took my new chipped card to Europe this summer. A few places, like unmanned train ticket machines, required me to enter the pin. To the obvious surprise of many merchants, the standard card readers told the merchant to collect my signature rather than my pin.
As banks move more toward all-chip-and-PIN all-the-time, will they need to send us all new cards again? Or can they upgrade the existing chip-and-sig cards (or the readers? or the message protocol between the bank and the readers?) to make this next transition?
It’s October 8th, and my supermarket hasn’t changed yet. Last week, they had the equipment set up to do the insertion part, but not this week. (And it didn’t work last week.)