When you use a chip, the credit card data is encrypted so it cannot captured by the merchant, reducing the exposure. Of course, if a waiter can take your card out of your sight, he could still use a skimmer on the stripe. It is true that there is still a hole as long as the stripe is still there, if someone can get physical access to your card.
Cash is all fine and good but if it is lost or stolen you suffer 100% of the loss and for all practical purposes it’s untraceable. Last year I had my wallet stolen abroad with $200 in it and it was gone forever, but I never lost a penny on the credit cards, which I cancelled. Give me a credit card where 100% of the liability is on my bank, except for a maximum of $50 mandated by federal law.
So, I don’t get this. Most merchants I either tap my wallet (without having to remove my card first) or my phone, if it’s over $100, I insert my card, select a tip if I’m in a restaurant, and enter my PIN. I’m not typing a novel. It’s 4 digits.
Even o!d people seem to remember 4 digits aren’t digging to the bottom of their purse for exact change.
I’ve been looking for a cite, but not really able to, so I will go with what was explained to me by my bank manager.
The main part is is that if you don’t use chip and pin, if you swipe or do a manual entry, and the card is being used fraudulently, the merchant is on the hook. This is different from how it has been with the credit card company being the one who has to eat the cost.
So, it gets merchants to be more careful about people that swipe their cards or give their cc# over the phone.
Transitioning it to being the merchant’s problem increases security slightly, as the merchants now have a more vested interested in “knowing their customer.”
The chip and pin system sends more data over the line than the older systems, and so takes much longer to process. You can do them over the internet, rather than dial-up, so that speeds it up, but older retailers aren’t going to have the internet to hook it into, so are still using the dial-up process.
When my internet goes down, and I plug my machine into the phone line, it takes a fairly significant amount of time to process. I want to say about 20-30 seconds, but i’ve never timed it.
It also gives them incentive to upgrade their POS systems to take chips.
Many POS systems that have a chip reader won’t let you swipe a card that has a chip. I know this because I’ve several times tried to swipe my card and had it not work until I inserted it in the chip reader. I assume that’s configurable by the merchant.
You merchant services provider doesn’t always give you a choice on upgrades, either. I’m not exactly sure how much choice I had in the matter, they told me I needed this new piece of hardware ($1,500), and had to change my POS procedure. I am not sure what they would have said if I had tried to decline.
But yeah, if you have a chip, it won’t let you swipe, if you try, it beeps annoyingly and tells you to insert the chip.
Interesting thing though, if it can’t read the chip, it’ll let you swipe. Not all are configured that way. When I was at the grocery store, the chip readers were starting to go bad (they recently replaced them), and would sometimes take 5 or 6 tries to get it to take it. It would not let you swipe.
Some of my clients have intentionally damaged their chips, one claiming that it was being used to track his purchases. (Huh? If you are concerned about your purchases being tracked, don’t use a credit card.) I don’t know what they would do in a situation where the reader refuses to let them swipe.
One thing that does increase security, I guess, is that these machines have the customer do all the work. The merchant never touches the card. Many credit card fraudsters work in industries where they have access to credit cards, and will swipe them on their own reader to steal the info. If the merchant never touches the card, that is an improvement there. They have systems for servers to take to the table, rather than have the server take the card to a kiosk. Fast food still takes your card, though, IME.
That’s in Canada where all the cards have a chip and pin. Pins are not used in the US and the question is relevant. I just read that the US credit card companies will stop asking for signatures since they are never checked anyway. BTW, I find a chip and pin transaction a good bit faster than the old signature. And clearly safer since it is the machine that checks the pin. And the card never leaves my possession, so no one can skim the number.
My wife mentioned her employer has issued a new policy (Canada also) that they will no longer swipe a card that has a chip. Apparently current fraud is to copy the mag stripe to a “fake” but real looking card with a dead chip - when it fails, the default was to swipe. Since it’s a faked-up card, the signature will match - if they actually check. Since almost anything in Canada has a chip, except IIRC the gift cards, that’s pretty safe.
When you switch a card reader from internet to phone, the problem is the device has to dial each time. If you watch (if you could listen) it’s like sending a fax or using a modem - it dials like any phone device, waits a ring or two for answer, handshakes, then does the transaction. The transaction itself is pretty fast.
Caution - there are still skimmers, and they are pretty clever. They range from simple inserts, to swapping out the units. My wife says policy is to check several times a day (and log it) that they have not had someone break the seal on the bottom screws to take the thing apart and insert additional circuit boards; the simplest ones read the mag stripe as it goes in; the fancier inserts also capture your pin from the keypad. Newer till-attached units are serialized so the device cannot be swapped. (Thieves would swap out the device, perform their magic, and swap it back in later in the day, while an accomplice distracted the cashier). The fancier skimmers can dump their contents with wifi. Where there’s money, someone will make an effort.
Of course, with chips, the whole setup is encrypted. I have not (yet) heard of anyone faking the public-key encryption handshakes required. But knowing magstripe contents and PIN allows someone to create a magstripe fake card usable in an ATM. So until ATM’s go chip, we are all at risk.
Plus, the card can be used online - but for that you need the security code. I saw a blog post once where someone showed they’d found an ATM (in Vienna, IIRC) where the skimmer had been inserted over the card slot, and there was a thin strip stick above the keypad that looked like part of the décor but actually included a camera to record keystrokes. I’m sure some clever fellow is also looking at how to capture security codes.
Well, that’s wrong. Or perhaps just out of date. I now have to enter my CC pin instead of signature when I use that card. Can’t remember exactly when it changed, but I’m pretty sure it was sometime in the last year.