I am aware that individual transactions using the chip are safer, since it uses a unique authentication with each transaction.
However, if the magnetic strips still work, and you can still make purchases with just card number and cvv code, I don’t it really makes the card itself safer to fraud.
I think the key to the question is “compared to what”.
The entire electronic system is, in important ways, far less secure than cash.
With cash, your bank is secure and your pocket is insecure. With cards, your pocket is safe but your whole bank is up for grabs. To me, that doesn’t sound like a good trade-off.
Chip cards reduce fraud for in person purchases, but do not reduce fraud for online (“card not present”) purchases.
When you use a chip, the credit card data is encrypted so it cannot captured by the merchant, reducing the exposure. Of course, if a waiter can take your card out of your sight, he could still use a skimmer on the stripe. It is true that there is still a hole as long as the stripe is still there, if someone can get physical access to your card.
Cash is all fine and good but if it is lost or stolen you suffer 100% of the loss and for all practical purposes it’s untraceable. Last year I had my wallet stolen abroad with $200 in it and it was gone forever, but I never lost a penny on the credit cards, which I cancelled. Give me a credit card where 100% of the liability is on my bank, except for a maximum of $50 mandated by federal law.
How is the whole bank up for grabs?
Chip cards take so much longer to check out, that you can’t get to as many stores in a day, and so can’t spend as much. That makes the consumer’s finances much safer.
So, I don’t get this. Most merchants I either tap my wallet (without having to remove my card first) or my phone, if it’s over $100, I insert my card, select a tip if I’m in a restaurant, and enter my PIN. I’m not typing a novel. It’s 4 digits.
Even o!d people seem to remember 4 digits aren’t digging to the bottom of their purse for exact change.
I’ve been looking for a cite, but not really able to, so I will go with what was explained to me by my bank manager.
The main part is is that if you don’t use chip and pin, if you swipe or do a manual entry, and the card is being used fraudulently, the merchant is on the hook. This is different from how it has been with the credit card company being the one who has to eat the cost.
So, it gets merchants to be more careful about people that swipe their cards or give their cc# over the phone.
Transitioning it to being the merchant’s problem increases security slightly, as the merchants now have a more vested interested in “knowing their customer.”
The chip and pin system sends more data over the line than the older systems, and so takes much longer to process. You can do them over the internet, rather than dial-up, so that speeds it up, but older retailers aren’t going to have the internet to hook it into, so are still using the dial-up process.
When my internet goes down, and I plug my machine into the phone line, it takes a fairly significant amount of time to process. I want to say about 20-30 seconds, but i’ve never timed it.
It also gives them incentive to upgrade their POS systems to take chips.
Many POS systems that have a chip reader won’t let you swipe a card that has a chip. I know this because I’ve several times tried to swipe my card and had it not work until I inserted it in the chip reader. I assume that’s configurable by the merchant.
You merchant services provider doesn’t always give you a choice on upgrades, either. I’m not exactly sure how much choice I had in the matter, they told me I needed this new piece of hardware ($1,500), and had to change my POS procedure. I am not sure what they would have said if I had tried to decline.
But yeah, if you have a chip, it won’t let you swipe, if you try, it beeps annoyingly and tells you to insert the chip.
Interesting thing though, if it can’t read the chip, it’ll let you swipe. Not all are configured that way. When I was at the grocery store, the chip readers were starting to go bad (they recently replaced them), and would sometimes take 5 or 6 tries to get it to take it. It would not let you swipe.
Some of my clients have intentionally damaged their chips, one claiming that it was being used to track his purchases. (Huh? If you are concerned about your purchases being tracked, don’t use a credit card.) I don’t know what they would do in a situation where the reader refuses to let them swipe.
One thing that does increase security, I guess, is that these machines have the customer do all the work. The merchant never touches the card. Many credit card fraudsters work in industries where they have access to credit cards, and will swipe them on their own reader to steal the info. If the merchant never touches the card, that is an improvement there. They have systems for servers to take to the table, rather than have the server take the card to a kiosk. Fast food still takes your card, though, IME.
Of course, nothing is as speedy as the U.S.'s favourite method of payment – the personal check.
That’s in Canada where all the cards have a chip and pin. Pins are not used in the US and the question is relevant. I just read that the US credit card companies will stop asking for signatures since they are never checked anyway. BTW, I find a chip and pin transaction a good bit faster than the old signature. And clearly safer since it is the machine that checks the pin. And the card never leaves my possession, so no one can skim the number.
My experience is that the difference is no more than 5 seconds. I know this seems like totally FOREVER these days, OMG, but it is really not material to the course of your day.
My wife mentioned her employer has issued a new policy (Canada also) that they will no longer swipe a card that has a chip. Apparently current fraud is to copy the mag stripe to a “fake” but real looking card with a dead chip - when it fails, the default was to swipe. Since it’s a faked-up card, the signature will match - if they actually check. Since almost anything in Canada has a chip, except IIRC the gift cards, that’s pretty safe.
When you switch a card reader from internet to phone, the problem is the device has to dial each time. If you watch (if you could listen) it’s like sending a fax or using a modem - it dials like any phone device, waits a ring or two for answer, handshakes, then does the transaction. The transaction itself is pretty fast.
Caution - there are still skimmers, and they are pretty clever. They range from simple inserts, to swapping out the units. My wife says policy is to check several times a day (and log it) that they have not had someone break the seal on the bottom screws to take the thing apart and insert additional circuit boards; the simplest ones read the mag stripe as it goes in; the fancier inserts also capture your pin from the keypad. Newer till-attached units are serialized so the device cannot be swapped. (Thieves would swap out the device, perform their magic, and swap it back in later in the day, while an accomplice distracted the cashier). The fancier skimmers can dump their contents with wifi. Where there’s money, someone will make an effort.
Of course, with chips, the whole setup is encrypted. I have not (yet) heard of anyone faking the public-key encryption handshakes required. But knowing magstripe contents and PIN allows someone to create a magstripe fake card usable in an ATM. So until ATM’s go chip, we are all at risk.
Plus, the card can be used online - but for that you need the security code. I saw a blog post once where someone showed they’d found an ATM (in Vienna, IIRC) where the skimmer had been inserted over the card slot, and there was a thin strip stick above the keypad that looked like part of the décor but actually included a camera to record keystrokes. I’m sure some clever fellow is also looking at how to capture security codes.
It’s an arms race…
Your whole banking system in the US seems to be 20 years behind.
I’m in the US and all the places I use my card have chip and pin. Admittedly, I mainly use them in only three or four places and it took them a while to all get to chip-and-pin, but they’re there now.
That’s a fair assessment.
Hey, don’t slag! It’s the most current bit of infrastructure we have!
Around here it’s chip and signature, not chip and pin. According to my CC company, the US doesn’t have chip and pin except the debit card version.
Are there any plans in the works to totally phase out the strip, leaving only the chip?
Well, that’s wrong. Or perhaps just out of date. I now have to enter my CC pin instead of signature when I use that card. Can’t remember exactly when it changed, but I’m pretty sure it was sometime in the last year.