Capital One mailed me a chip card last week, with a new credit card number for added security. I called them to ask if it was chip & signature and they said yes. No PIN unless I use it for cash withdrawals (cash advances) from ATMs. Are Chip & signature cards just as secure as chip & PIN, with regard to each transaction being unique?
No, chip and signature cards have no real advantages over magnetic stripe cards. They generally do not work in unmanned situations (though sometimes they do).
Sorry Nancy, Chip and Signature cards do have the added security with regard to each transaction being unique. You are correct in that they can not be used in stand alone kiosks in Europe where you need a PIN.
Everyone is getting new cards with visible chips, but it's window dressing. If you also get sent a PIN, it's for getting cash advances at ATMs and is not what the Europeans seek.
The correct answer is YES, a chip and signature card is as secure as chip & PIN in that each transaction is unique. The signature validation is not as secure as a PIN from the standpoint of someone actually stealing your card. But that is actually a minor cost of credit card fraud and you are not on the hook for any charges anyway. The chip (whether signature or PIN) is as secure from the standpoint of making fraudulent cards, which is the main culprit and why criminal organizations work so hard to hack credit card data and merchant systems.
A chip & signature card is also much more helpful when traveling, though not quite as good as chip & PIN. Many machines will automatically approve chip & signature transactions - and the credit card companies are pushing to get more of them to do so. And most bank cards allow un-validated approvals of transactions under $50. But machines are still hit or miss so always be prepared to use cash or a manned booth. Manned transactions are smoothed as staff are more familiar with how the chip cards work and most machines will automatically spit out the receipt to sign (if not just tell them "No PIN").
The CapitalOne Card is mentioned by Rick Steves in his EUROPE THROUGH THE BACK DOOR 2015 as being one of the best Credit Cards to use in Europe because of it's 0% Foreign Transaction Fee - so it should work well in most places. We got this card a few months ago after reading the book (which I HIGHLY recommend for everyone going to Europe) to use on our upcoming RS Venice, Florence, Rome Tour. I did call CapitalOne when our card arrived & we realized it was a chip & signature card, not a chip & pin card & they assured me that it is a very popular card for International Travel & they get no complaints with it from people who use it in Europe. We do have a chip & pin card from USAA as a backup, but it has a 1% Foreign Transaction Fee, so we hope not to need it at all.
I fail to see how a chip and signature card is any more secure than a mag stripe card. So each transaction is unique.... and the person with the card still only needs to know how to spell your name to use it. I really don't know what makes that more secure.
I have a chip and pin (not signature) from Andrews Federal CU which I've used successfully at unmanned ticket kiosks both in Paris and Italy. However, all I have to do is insert the card...not PIN is ever required. But when I've tried to use my Cap1 (not a chip card) in those same kiosks it failed. Just fyi
A magnetic strip card can be scanned and then easily copied into another magnetic strip card. So your card does not have to be stolen to be compromised.
The chip card is much more difficut to copy.
I fail to see how a chip and signature card is any more secure than a mag stripe card.
It is significantly harder to replicate the info stored on the chip than to replicate the info on the magnetic strip. There is a bigger problem with counterfeit fraud than there is with stolen cards; the chip reduces risk for counterfeit cards.
Chip and pin is more secure when a card is stolen.
I have read and participated in numerous discussions on the subject of chip cards and their verification by either signature and pin. I am still baffled by the U,S, adoption of signature, and have yet to see a convincing reason for it.
The pin method is well established outside the United States, and I have personally used it for about 10 years. The pin method requires no judgement on the part of the retailer as to whether the signature is acceptable; if the pin is wrong, the transaction is automatically refused by the card provider. Numbers are independent of language, culture and naming patterns. Without the correct pin, a card is useless for any retail transaction, and there are 10,000 possible pins. Once you have tried 3 or 4, no further attempts will be allowed by the card provider.
Can anyone explain?
Bob, the only explanation I've heard is that U.S. Card issuers - in their quest to save money and increase corporate profits - feel that with the advent of systems such as Apple Pay, chip and pin technology will become outdated in a "relatively" short time. Apparently signature is a cheaper technology than using a pin. Therefore, they've opted for the signature. Maybe this is the thinking that keeps us using CDMA cell technology and Imperial measurements?
@Bob - There are a number of reasons that the US banks are going with chip & signature cards for now and not chip & PIN. I'll outline a few of the major ones.
Whether validation is by PIN or signature, the EMV (chip) cards alone will significantly reduce credit card fraud. Most CC fraud is from stealing card info and then duplicating new cards that can be used until that card number is blocked. This is extremely easy to do with a magnetic strip card; it is extremely difficult to do with a chip card.
The cost to merchants in the US to convert to chip card readers is massive. More than any other nation or region in the world. The US has individual states with economies larger than most other nations in the world. This is also the main reason why it has taken so long to convert. To use chip cards, and especially to use chip & PIN cards, retailers, restaurants and merchants have to buy new card readers. It took a shift of liability and massive data breaches to get them to make that investment.
So people ask if merchants are buying the chip readers, why not make them all read PINs? The simple answer is that not all card readers are being replaced. This is an industry shift, not a regulatory one as it was in many countries. Merchants can install chip readers or not. Many small merchants will not for some time. Many small merchants rely on iPad attachments that you swipe your card through; these people cannot afford and have no interest in buying chip readers. Gas pumps will not be switched out until 2017 or later. Same with ATMs. Which means that signatures will still be necessary in many cases anyway.
And even for those merchants that invest in chip readers, they don't want to buy multiple readers and/or pay the network fees to allow PIN verifications. Consider restaurants. A sit-down restaurant can buy one chip reader to process all of its customer cards with signatures. But with PIN validation, a restaurant must buy a card reader for every waiter so they can process the transaction tableside as is done in Europe. Again, we are talking about a scale and cost far beyond that of any European nation given the scale of the US restaurant industry.
The credit card banks are afraid that transitioning to both chip cards and PINs will be difficult for many Americans. While many here scoff at the idea, I think there is some validity to that point. When you get an ATM/debit card, you choose the PIN and activate it when you receive the card. But credit cards are mailed to you and the PIN must be mailed separately for security. So it is reasonable to assume that a percentage of people will not get or open that PIN letter or understand that the PIN that is received will be needed to make purchases. Or they won't remember the PIN since they didn't set it. Yes, most people will get it and remember it (or change it), but enough will not that banks will lose money, merchants will lose sales and people will get frustrated. There were also rollout issues in other places like Canada. People got new chip cards and PINs but the readers weren't activated yet and so they forgot their PIN by the time they needed it. I can personally vouch for that - I have had a chip card for weeks now but have been unable to use it - none of the stores I go to have active card readers yet. So if my card were PIN, it might be weeks or months before I could actually use the PIN. They are also afraid of the confusion of sometimes needing a PIN and sometimes a signature in the years it will take to rollover to all chip readers in the industry.
Here is an article which provides some explanation for why US has been slow to adopt chip and pin:
They claim that the criminals adjust, learn to steal your pin and the the level of fraud eventually stays the same. So the company feels that the pin does not make a big difference in the end. Also, they claim that the consumers are too dumb or lazy to remember their pin and default to using an alternative card without the pin. So the card with the pin loses business to the card with a simple signature. So, in the US the credit card companies don't want to switch unless there is a demand or are forced to do so.
As stated, things like Apple Pay or other mobile payment methods could change everything.
I thought that the card readers by retailers might have been part of the problem in converting over to chip and pin. However, I believe that the chip and pin cards are backward compatible with the older card readers. I can use my Canadian chip and pin in the US without any problems (unless the gas pump requires that i punchnin a zip code!)
The above wikipedia article explains EMV technology and its implementation, including in US.
Chip and Pin are still backwards compatible. There is still magnetic stripe in the back of the card so retailers who still have older tech magnetic scanners will still work.
But note in the article that starting in about Oct 2015, most credit card cos will start to shift liability to the retailers if they are still using the old tech magnetic scanners. This will force most retailers to upgrade. Same thing with gas pumps which will shift liability in Oct 2017.
Another benefit of the pin is that it forces to the consumer to keep control of the card. Under the old way, the cardholder quite often handed the card off to be scanned and the server would then return the card and receipt to be signed. During that time the card is out of the cardholder's sight, the card could be cloned. Under the newer method, you are pretty well forced to be with the card the whole time because you have to be at the machine to enter the pin.
Another benefit of the pin is that it forces to the consumer to keep control of the card. Under the old way, the cardholder quite often handed the card off to be scanned and the server would then return the card and receipt to be signed. During that time the card is out of the cardholder's sight, the card could be cloned.
Cloning or cards or stealing the card data to sell them to outfits that clone them will be largely eliminated with EMV cards. So it won't matter that you hand off your card to a waiter.
EMV cards do have magnetic strips that will allow them to be used where chip readers are not yet available. That will remain a major security flaw with EMV cards until all US merchants and machines convert to chip readers. It is one reason listed as to why banks don't want to use PIN validation - as putting the PIN (purchase not cash advance) on the magnetic strip would make it available to anyone hacking the card data. I have read that after October, the main expected frauds will be clones that can be used in ATMs and gas pumps (but won't work in chip readers) and online fraud. After 2017 there will be almost no cloning fraud since ATMs and gas pumps will be all chip enabled. So by that point, banks and merchants will have reduced fraud so significantly, there may be little incentive to further reduce the minimal amount of stolen card use that would be curtailed by PIN validation.
I have a chip and pin (not signature) from Andrews Federal CU which I've used successfully at unmanned ticket kiosks both in Paris and Italy. However, all I have to do is insert the card...not PIN is ever required. But when I've tried to use my Cap1 (not a chip card) in those same kiosks it failed.
A couple of keys points regarding this ^^
Based on statements from those with the Andrews Federal card, it is a chip & signature with a PIN secondary validation. People have noted that whenever they use it with a person, it spits out a receipt to sign. That means it is chip & sig. What is good, and more banks may do this soon, is having the PIN as a secondary validation if the transaction is auto.
But your experience also shows why any chip & signature card will be helpful in Europe. If you used it in a machine and it didn't require a PIN, that means the machine was automatically set to approve chip & sig cards and/or your own card automatically approved a transaction less than $50. Both are becoming more common.
No magnetic strip card will work in machines in Europe.
Mag stripe cards WILL work in ATMs, though.
You make some good points and it sounds like you are familiar with the behind-the-scenes workings of the credit card industry.
But a couple corrections:
The PIN is NOT stored on the mag stripe on any credit card today. The PIN value entered by the user at the terminal is encrypted and then sent along with the other transaction information to your bank (or card processor if the bank does not do its own processing) where it is verified against what is on file. At no time other than when it is typed in by the user is the PIN available in a form that could be used for fraud.
I have been to multiple European restaurants where they have a single portable chip card reader shared by the entire wait staff. Each waiter brings the reader to your table as you pay. It is not required for waiters to have an individual card reader any more than they are now with mag stripe cards.
If you have a new card with a chip on it, you can use it just like your pervious card as long as it still has a mag stripe on it. No need to wait for the businesses around you to activate the chip reader. I have received several chip cards as replacements to the non chip versions and they all work fine even though none of the places I use them have activated their chip readers.
Chip and signature cards are not as secure as chip and PIN if the card itself gets stolen. The person with the card just has to sign for things with something that looks like it could be your signature. If a PIN was required, a stolen card would be useless in many cases unless the thief also got your PIN. Otherwise they are still more secure than a magnetic stripe where the physical card is used.
I am disappointed that US banks have chosen chip and signature. Not only are they less secure, they also create unnecessary issues in countries that have adopted the chip and PIN option. Their excuse that something more secure is coming in the near future (Apple pay type of transactions) makes no sense. That would be like a hotel saying that because locks keep changing so rapidly now they are going to give you a skeleton key for the medieval lock on your door instead of installing a current electronic lock because the current lock would be obsolete in a couple years!
There are some interesting comments here, although some I find unconvincing.
For example, while the total cost of conversion in the United States will obviously be greater than in a small country like Denmark, the individual cost per merchant is likely to be lower. There will be economies of scale, and electronic items are invariably cheaper in the U.S. than in Europe. For the banks, the cost will be greater, but only in proportion to their turnover.
Even with chip and signature, merchants will have to buy new terminals with a chip reader and a keypad. Larger stores will be spared the cost of those screens on which the customer is asked to sign his name. Will the difference in total cost of all this equipment be very significant? It could even be cheaper. In my experience, stores change their equipment at intervals of a few years anyway. I have not noticed any reluctance of European stores to buy or replace card readers; it is the transaction charges that have been the deterrent to card payment adoption.
There is always a changeover period when there is some mismatch between different technologies. In some cases, people will have chip cards before the retailers have chip card readers. Elsewhere, it will be the other way round. I saw contactless payment terminals for months before I had a contactless card. You cannot have change without some temporary inconveniences.
I sometimes wonder if anyone from the U.S. went to Europe (or even Canada!) to see how chip & pin works in everyday practice. It is hard to believe that anyone who did would conclude that chip & signature was a better system. In fact, one of my own U.K. credit cards is issued by MBNA, part of Bank of America. Why was a working system used by a subsidiary not adopted by the main organisation?
I have taken part in too many of these discussions to find any sense of resolution of the issues. My conclusion is that late adopters of any change quite often look for arguments that they have special situations which cannot be met by something which has already been accepted by everyone else. Or the Not Invented Here syndrome.
You are correct - Purchase PINs on chip & PIN chards are stored on the chip. But cash advance PINs are still stored on the magnetic strip. Almost no US ATMs are compatible with chip readers and it will take a few years to do so. This seems to be the root of a couple issues for the US role-out of EMV cards: The cash advance PIN remains a security flaw in that a clone card can be used to withdraw cash. It also means that card holders cannot change their EMV PIN without going to the bank - the ATM isn't enabled to allow you to change the chip's PIN because it can't read the chip. So people with multiple credit and debit cards will have to remember many PINs and may more easily forget them.
Agreed - EMV cards will work even when a business hasn't activated or purchased a chip reader. I probably wasn't clear on that before. What I meant was that I have not been able to use the chip in my card so far, it is as of now acting as a magnetic strip card only.
BTW - I am not arguing in favor on one system over another. I've read quite a bit on the topic and am just relating the rationale, whether reasonable or not, used by the banking and retail industry. And trying to correct mis-statements (like the one that chip & signature is no better than magnetic strip).
Because it came up again in other posts - I'll reiterate an earlier point: If your card is stolen, it doesn't really matter to you if your validation is by signature or PIN. Either way, you are not liable for the charges (I've never heard of a bank actually charging customers the $50 allowed by law). A stolen card will be replaced with a new card number no matter what, so there is no difference to you the consumer. The banks apparently have concluded that they will lose more money in lost sales with a PIN system than they will in fraudulent charges on stolen cards. Banks have sophisticated fraud detection systems now and most likely will detect and block a stolen card even before you report it. I'm guessing that they are counting on that.
With regard to stolen cards and thieves copying signatures, I agree that's a real problem. I don't sign my cards but write "Please see ID" on them, so there is no signature to copy. Not that that makes a difference. Maybe one in 20 clerks looks at the back of the card and asks to see my ID.
I almost always use cash in Europe, as well as at home, except for large purchases like paying for hotel stays. I would hate to be in a position where I had to use the card but the transaction wouldn't go through.
I got lucky with the Capital One card. I've had it since 2001, long before I learned they didn't charge foreign transaction fees.
And regarding requiring chip & PIN cardholders to remember their PIN: When Capital One posted information on its website telling customers of the switchover to chip & signature, there's a line that says: "Good news! No additional PIN to remember." Did they do any market research? Is this a sign that the average American doesn't want a chip & PIN card? Whether the average American also regularly travels to Europe and other countries that use this technology, is another matter...
I have had trouble with a chip and signature card in France, Spain and Holland to name three I can think of off the top of my head. In each case I ended up resorting to cash. I lost time and the banks lost whatever fees they would have collected. This is good?
If that were me I would direct that complaint to the bank that issued the card, it would seem the problem is at their end.
I just got notice from American Express that they are replacing my traditional green travel card (not a bank affiliated credit card) with a chip & signature version.
Agreed Larry, I have called the bank's customer service departments. But, it does no good. I don't get the feeling that the big US banks really care if their customers are negatively impacted when using their credit cards overseas. Just my 2 cents worth of opinion.
OTOH, when I have a good meal at a family run restaurant in Europe, I would rather have the owners keep all the profits rather than give a chunk of the profits to the credit card banks.
Agree with you barnstormer on paying cash to the little guys. Our rule of thumb is if we are in a big city we will iuse our credit card the same we we use it at home, which includes not making a small operation take it.
it is possible that you ran into a place that could no longer figure out how to do "signature" on their scanner, had this happen to us a couple times in smaller places.
But cash advance PINs are still stored on the magnetic strip.
Cash Advance PINs aren't stored on a magnetic strip card at all. Your bank's computer has the PIN so the ATM communicates with your bank to validate the entered PIN.
Barnstormer, exactly what kind of trouble did you have? The machines couldn't read the chip? The machine didn't allow you to sign?