How does chip technology make my credit card more secure?

AmEx recently notified me that they would be sending a new card that included chip technology, making it somehow more secure.

So how does the chip technology help? Right now I swipe my credit card through the reader at the store, and it reads the magnetic stripe, and nothing else. What’s the chip for?

Moreover, doesn’t internet commerce do an end run around the chip? Every time I punch in my card #, expiration date and CVC, I’m handing that info over to someone else who doesn’t care whether my card has a chip in it or not.

I’m surprised you didn’t look at the AMEX web site about the technology being used.

The concept is based on two-factor authentication - something you have and something you know. In this case, you have physical possession of the credit card (something you have) and are required to enter a PIN to complete the transaction (something you know). Without both, there is no transaction. How it’s supposed to work for online transactions remains a mystery.

However, there is no guarantee it will be more secure.

Is the chip you’re referring to embedded in the card, enabling you to simply “wave” the card in front of a scanner, rather than swiping it? I believe that’s what you’re talking about.

If that’s the case, it could be more secure (at least, for the time being), because credit card skimmers are used by thieves to steal your credit card information when it’s scanned.

From the credit card fraud Wiki page:

As far as I know, there are no such devices that thieves have devised to read those chips (yet). They may be out there, but they would most likely be much less prevalent than typical credit card skimmers.

I think the chip in this case is the one you insert into the machine, not the one you wave over it.

My card has both. My previous card had only the chip that you insert to read.

The chip can generate a one-time-code for each transaction that is only valid for that transaction. Even if you read and store all of the data output by the chip in a given transaction, all you can do is replicate an invalid code. So not only do skimmers not work currently with chips, they can’t work with chips.

Contrast with magnetic stripe cards where there is just a constant data set which can be replicated.
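A simplified model of the per-transaction code described in the post above, added here as an illustration and not part of the thread. It uses an HMAC over a counter, a terminal nonce and the amount as a stand-in for the real EMV cryptogram, whose key derivation and message format differ; the class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def cryptogram(card_key: bytes, atc: int, nonce: bytes, amount_cents: int) -> bytes:
    """Toy per-transaction code: MAC over counter, terminal nonce and amount."""
    msg = atc.to_bytes(2, "big") + nonce + amount_cents.to_bytes(6, "big")
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class Chip:
    """Holds a secret key that never leaves the card, plus a transaction counter."""
    def __init__(self, card_key: bytes):
        self._key, self.atc = card_key, 0

    def sign(self, nonce: bytes, amount_cents: int):
        self.atc += 1  # every transaction consumes a new counter value
        return self.atc, cryptogram(self._key, self.atc, nonce, amount_cents)

class Issuer:
    """Shares the card key and remembers the highest counter already accepted."""
    def __init__(self, card_key: bytes):
        self._key, self.last_atc = card_key, 0

    def authorize(self, atc, nonce, amount_cents, code) -> bool:
        if atc <= self.last_atc:
            return False  # counter already used: this is replayed data
        expected = cryptogram(self._key, atc, nonce, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False  # code does not match this transaction's inputs
        self.last_atc = atc
        return True

def demo():
    key = os.urandom(16)  # constructed sample key
    chip, issuer = Chip(key), Issuer(key)
    nonce = os.urandom(4)  # chosen by the terminal for this transaction
    atc, code = chip.sign(nonce, 2500)
    genuine = issuer.authorize(atc, nonce, 2500, code)
    # Everything that crossed the reader, presented a second time unchanged.
    replay = issuer.authorize(atc, nonce, 2500, code)
    # The same recorded code presented for a later transaction with a fresh nonce.
    reuse = issuer.authorize(atc + 1, os.urandom(4), 2500, code)
    return genuine, replay, reuse

if __name__ == "__main__":
    print(demo())
```

A magnetic stripe has no equivalent of `Chip.sign`: the same static track data is presented every time, so the issuer has no counter or nonce against which to reject a copy.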

As already mentioned, there are several types. Chip-and-pin is sort of secure-ish. (The readers are notoriously holey.)

But the most common type in the US is the simple tap or wave forms. Several of these are ridiculously not secure. Much worse than the mag stripe form. It was a shame they were introduced in the first place as they are going to be replaced soon by chip-and-pin ones. All adding more costs for the equipment, software, training, etc. (And let me tell you, the software is the major cost by far.)

One thing to keep in mind with the next roll-out: the goal is to make the vendors eat a bigger share of the fraud costs. Security has little to do with it. The battle between the banks and vendors over all the credit/debit fees is monumental.

I have had absurd arguments with phone-support people asking for a non-chip credit card. They read their script. I tell them about my research credentials. (I’m in the freakin’ textbooks!)

Security Theater just keeps getting worse and worse.

Amex uses the Chip and PIN. That is definitely what the OP is talking about. Their cards in Europe have had this for several years already. When I was in Europe, I asked Amex if they could send me a card like that, and I was told that only the Europe Amex cards had it, so I couldn’t get one. This was odd to me, because it is supposed to be a travel card, and Chip n PIN seems to be preferred in Europe.
Last year, as my expired card was replaced, the new card came with a Chip. I called Amex and told them that I was glad they finally started doing Chip n PIN, and asked how to go about setting or receiving my PIN. The rep apologized as she explained that while the cards had a chip, the system was not set up for the cards, so they were basically useless. I think it was just cheaper for Amex to issue the same physical cards to every country instead of having some with chips and some without. Sounds cheaper and simpler logistically. But the chips on the US cards don’t do anything at all. (that’s the genius of it)

That’s not true (at least not for my Visa card).
I have a chip card that doesn’t have a PIN. I had no problems using it to buy things in Europe - they could read the chip, and then their machine would spit out a receipt I had to sign.

I think that every time I’ve had to have a card replaced, it’s been because of a security breach on the merchant, or the bank’s part. I can’t think of a single time it’s been because someone physically did something with a card.

So I’m not seeing chip and pin, even if it was fully implemented in the US, doing a darn thing for me.

Chip and PIN (EMV or EuroPay Mastercard Visa) is scheduled for widespread adoption in the US by October of this year. On October 1, 2015, all US retailers are on the hook for chargebacks made on magstripe transactions. If you have an EMV reader at point of sale, chargebacks are still disputable by the merchant. Any chargeback on a magstripe card transaction is an automatic loss to the merchant, so the transaction processing companies (MC/Visa/Amex/Discover) have seriously put the ball into the merchant’s court.

Back when credit cards in the US started, even magstripe was optional. There were books of deadbeat cardholders and knuckle busting carbon copy impression machines. In the late 1980’s, the processing companies forced merchants to adopt magstripe with a big stick and no carrot. Basically, they added an additional transaction fee to all non-swipe transactions.

EMV is the biggest change in credit card processing since then and this time, the processing companies are not imposing the stick, per se, but chargebacks are an automatic loss without EMV on October 1. NFC services like Apple Pay, Google Wallet, etc. are supported as equivalent to EMV transactions.

2015 is a big year of change in Point of Sale transactions and I don’t know if we’re there yet. I sell POS equipment (among other things) and there is no equivalent to the cheap and easy $50 magstripe reader that plugs into a USB port and talks to your POS application.

True EMV is also a big cultural change. You don’t just swipe your card, put it away and then enter your PIN like a debit card. The card goes in a reader and stays there while you enter your PIN. How is that going to work at say, a restaurant? They’re going to need expensive mobile devices to make that happen.

PCI (Payment Card Industry) 3.0 standards became mandatory on January 1, 2015 and I’m quite sure there are countless merchants not in compliance.

It’s a tough year to be a small retailer, that’s for sure.

The chip may have been useless as a security feature but not totally useless, as the machine can still read it to get your card information. You just have to sign to verify the transaction, instead of having the chip generate a one-time transaction verification code. Once the chip verification system is in place, you’ll just need to punch in your PIN to complete the transaction.

One question I have is about PIN issuance in the USA or Europe. Are they issued by the banks automatically? In Japan, we choose our own PIN when applying for a credit card.

If all merchants are set up for chip and pin system, using fake cards made from lifted numbers will be very very difficult, (although I’ll refrain from saying impossible). It will do nothing in terms of security for internet transactions since the chip doesn’t come into play.

In the US, bank account debit cards include a PIN. For a new account the PIN will be sent by mail, separate from the physical card. The PIN stays with the account, even when a new card is issued. I’ve never had an option to choose a PIN before the card is issued. Credit cards may do the same, or some will require you to specifically set up a PIN for ATM cash withdrawals only. PIN for credit card purchase transactions (as opposed to ATM cash withdrawal) has not been required to date. Presumably, that will change by October. In either case, you can change your PIN to your own preference, usually by an automated phone system or secure web site.

I have yet to encounter EMV in the US, even at the largest of retailers who are probably prepared for change this year. Only two of my four cards even have a chip in them right now.

Ah, so they are issued by the bank automatically but you can change them later. I wonder why they don’t let you set your own PIN from the beginning when you apply for the card. It would save both the customer and banks from having to reissue a new card for a new PIN.

Why does this seem challenging to you or expensive? Even in Africa, both the sub-Saharan and the North Africa, we have implemented mobile devices and it is not too expensive except for the tiniest shop whose customers do not use any cards. Even in the cafe a small mobile reader can read the card. And this is too expensive for Americans but not in Africa??

With magstripe (only) cards, this isn’t an issue. You could change your PIN every day on the same card. If the PIN is hard coded onto the chip, it makes sense to give users a choice before it’s issued.

Of the two cards I have with chips in them, one is an ATM card. Presumably it will use the same PIN that has always been associated with the card on that account. The other is a corporate American Express card that has never had a PIN associated with it. If one is hard coded into the chip, I assume they will mail me the PIN when it becomes necessary at most US locations. If I don’t like it and want a different one, I don’t know.

It’s not challenging, per se. It just requires an adjustment of attitude and expectations on a massive scale. An enormous change of habit, I guess.

As for expense, I guess I was making an uneducated guess that was wrong. If mobile card readers are inexpensive, great. There are none yet on the market in traditional POS hardware distribution channels that I know of in the US, so I guess I plead ignorance.

I eat at a lot of restaurants where you pay at the cash register on the way out. In fact, I did so at lunch, using my old AmEx card, then came home to find my new one had arrived in the mail.

A lot of confusion here…

For the most part, the United States will NOT be implementing Chip & PIN. The United States will be implementing a weaker system called Chip & Signature.

Chip & Signature uses the same EMV chip that the European Chip & PIN cards use, but a field in the data a Chip & Signature card sends to the terminal will say that either Signature takes preference over PIN or even that PIN is not available. The only difference most people will see is that they have to stick their card in a slot rather than slide their card through the magnetic stripe reader.

The PIN that your ATM or debit card uses is not related to the PIN that the chip uses. Even though your debit card will have a chip, that chip will not be set up to work with a PIN. You will still be able to press the “credit” button (rather than the “debit” button) on the terminal at the grocery store and have your purchase go through without a PIN. You will continue to need to use a PIN at ATMs or when you select “debit” on a terminal at the cash register.

There are a few US banks that are sending out true Chip & PIN cards. International travelers are seeking these out.

If you’ve recently received a new or renewal credit card from Chase Bank there was a brochure included in the envelope that explains the new chip card and contains a cryptic statement about the card not working at certain foreign locations.

What this is about is that there are offline (not connected to the banking network in real time) kiosks in Europe. The most-often cited examples are train station ticket machines, unattended gas pumps, and toll collection points. Since these machines are not connected, they cannot verify the validity of the credit card. As a precaution, they require a PIN on all cards. Since most Chase cards are Chip & Signature-only, they do not have a PIN and you may find yourself at a remote unattended train station somewhere unable to buy a ticket with your credit card.

Additionally, some foreign travelers have reported confusion when they try to use their US-issued Chip & Signature cards at small merchants away from areas that tourists frequent. Shop clerks may not understand what is happening when a PIN is not requested by their payment system and may assume that there is some problem.

As for contactless cards – the kind you wave in front of the terminal instead of sticking or sliding inside the terminal – those also use a chip, but not the same kind of chip as the EMV chip. There are dual-ported EMV chips available. Many non-US banks use the dual-port EMV chips in their cards to allow their cardholders to just wave their cards in front of a reader. No US bank issues cards with dual ports yet. The old contactless cards have basically been a flop in the United States and the banks are phasing them out. However, the banks still hope that contactless smart phone technologies (like Apple Pay and Google Wallet) will take off and are pinning all their hope on smart phones rather than cards.
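The "field in the data" that the post above describes is the EMV Cardholder Verification Method (CVM) list. The sketch below is added here and is not part of the thread: it parses that list and picks a method the way a terminal would, modelling only the "always" and "if terminal supports the CVM" conditions. The three card lists and the two terminal capability sets are constructed samples.

```python
CVM_NAMES = {0x01: "plaintext PIN (offline)", 0x02: "enciphered PIN (online)",
             0x04: "enciphered PIN (offline)", 0x1E: "signature",
             0x1F: "no CVM required"}
ALWAYS, IF_SUPPORTED = 0x00, 0x03  # the two condition codes modelled here

def parse_cvm_list(data: bytes):
    """Split a CVM list into (method, continue_on_failure, condition) rules."""
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("need 8 amount bytes followed by 2-byte rules")
    rules = []
    for i in range(8, len(data), 2):  # first 8 bytes are amounts X and Y
        method_byte, condition = data[i], data[i + 1]
        rules.append((method_byte & 0x3F, bool(method_byte & 0x40), condition))
    return rules

def select_cvm(data: bytes, terminal_supports: set):
    """Return the name of the first usable method, or None if verification fails."""
    for method, keep_going, condition in parse_cvm_list(data):
        if condition not in (ALWAYS, IF_SUPPORTED):
            continue  # other condition codes are not modelled in this sketch
        if method in terminal_supports:
            return CVM_NAMES.get(method, hex(method))
        if condition == ALWAYS and not keep_going:
            return None  # rule applied, could not be performed, no fallback allowed
    return None

# Constructed sample cards (amount fields zeroed), priority order left to right.
NO_AMOUNTS = "00000000" "00000000"
SIGNATURE_ONLY = bytes.fromhex(NO_AMOUNTS + "1E03" "1F00")            # PIN not available
SIGNATURE_PREFERRED = bytes.fromhex(NO_AMOUNTS + "5E03" "4403" "1F00")  # PIN as fallback
CHIP_AND_PIN = bytes.fromhex(NO_AMOUNTS + "4403" "4203" "1E03")

# Constructed sample terminals.
ATTENDED_TERMINAL = {0x1E, 0x02, 0x04}  # clerk present, can take a signature
OFFLINE_KIOSK = {0x01, 0x04}            # unattended, offline PIN only

if __name__ == "__main__":
    for name in ("SIGNATURE_ONLY", "SIGNATURE_PREFERRED", "CHIP_AND_PIN"):
        card = globals()[name]
        print(name, "| attended:", select_cvm(card, ATTENDED_TERMINAL),
              "| kiosk:", select_cvm(card, OFFLINE_KIOSK))
```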

In my city, it is becoming increasingly common to find, at the restaurant, when I pay at the cash register on my way out, that the card machine is mobile, disconnected, wireless.

You may be interested to know that magnetic-strip cards aren’t being discontinued just because they are less secure: A design fault in the chip system means that it is possible for the system to be tricked into using the magnetic stripe system when you, the shop, and the bank all think that the chip & pin system is in use.

That is, the magnetic strip system isn’t just less secure: it subverts the security of the chip & pin system.

Of course, one solution to this problem would be to replace the chip & pin system with a new, better chip & pin system, but instead the decision has been made to just get rid of the magnetic strip system faster, because it was on the way out anyway.