
Chip and PIN on the way in 2015, sort of

From the WSJ:

This year, firms ranging from J.P. Morgan Chase & Co. to Discover Financial Services Inc. are expected to roll out more than a half-billion new credit cards embedded with computer chips that create a unique code for each transaction, making counterfeiting much more difficult.

In a retreat for the industry, however, the new cards don’t use some technology that could prevent fraud if a card is lost or stolen.

Instead of requiring customers to put in a personal identification number, or PIN, the new cards need users to authenticate credit-card transactions the same way they often do now, with a signature. PINs are widely considered to be more secure than signatures, which can be easily copied.

http://www.wsj.com/articles/why-new-credit-cards-may-fall-short-on-fraud-control-1420423917

Posted by
20632 posts

While we are trying to copy the new technology of Europe, wonder what the really new technology on the horizon is? Apple pay seems to be very, very good. I am sure there are ways to beat it but for the moment it is impressive how it works.

Posted by
9361 posts

That's not really new news. Companies have been gearing up for the switch, putting out chip cards that require a signature, not a PIN. That's why there are so many questions when someone mentions getting a chip and PIN card - is it really C&P, or is it just chip and signature? People have received cards that they believed to be chip and PIN, but did not work in automated situations. According to at least one poster here, though, the method by which a transaction is authenticated is determined by the institution - the technology is there for the use of a PIN, but the bank or whoever has the card set to accept a signature as default. I would assume that when PIN is more prevalent, the institutions will change the default to PIN.

Posted by
6047 posts

Apple Pay looks great but not for everyone. There are still many many travelers without smart phones or ipads. Or is the new technology of paying going to require us luddites to purchase and carry expensive devices we may not want or need.

Posted by
901 posts

My husband and I have a US Bank Credit card with a chip. It also has a PIN, but to use it in the US we are always asked for signature. Is there a way to test out whether the chip and PIN feature will work on our upcoming Italy trip before we leave? The customer service folks at US Bank are somewhat vague about this when questioned.

Posted by
8906 posts

IMO the next big thing is going to be the continuing spread of paypass style RFID payments which Apple Pay falls into the same category. I was in Sydney last month, and paypass was the default method at most all merchants I went to. Most only had terminals that only read RFID cards. If you wanted to use a magnetic strip or chip & pin card, they had to drag a separate terminal from under the counter.

Posted by
4822 posts

"Instead of requiring customers to put in a personal identification number, or PIN, the new cards need users to authenticate credit-card transactions the same way they often do now, with a signature. PINs are widely considered to be more secure than signatures, which can be easily copied."

Actually, a signature is no form of authentication or validation. The only way it can prevent a transaction is if the clerk intervenes, but I can't recall the last time any clerk ever compared signatures and the electronic pad signatures rarely are even close to your signature.

Posted by
2081 posts

@ Patricia,

"My husband and I have a US Bank Credit card with a chip. It also has a PIN, but to use it in the US we are always asked for signature. Is there a way to test out whether the chip and PIN feature will work on our upcoming Italy trip before we leave? The customer service folks at US Bank are somewhat vague about this when questioned."

I've been using the spreadsheet to get most of my info. If you want to read up on years worth of a thread, it will take some time, but you can look for your card on the list. It's updated every so often too.

flyertalk emv cards

In the end, you will have to test and find out for yourself. I got one from BOA but it hasn't worked as i have liked. I may dump it soon and get a different one, a real CnP card (at least until it gets changed).

happy trails.

Posted by
693 posts

Michael S is correct. Just about every merchant here in Australia will accept Paywave. There is a limit of $100 Australian for a 'tap and go' transaction. For purchases above that you are also required to enter a pin.

To use Paywave you use a normal Australian credit card. The RFID is in the chip.

Posted by
507 posts

Should one have a chip 'n signature card w/no PIN, contact your bank for a PIN which will be sent via USPS.

Thx to a previous poster's question on how to check the PIN before going overseas. It is on my 'to do' list for Tuesday.

Posted by
5504 posts

The WSJ article explanation as to the chip and signature is Americans are not as sharp as Europeans, Australians and Canadians when it comes to remembering a PIN.

Posted by
507 posts

" . . . Americans are not as sharp as Europeans, Australians and Canadians when it comes to remembering a PIN."

To that I say. " :-P ~ ~ ~ "

That is one heck of a generalization!

{Add-on . . . To Paul I heartily agree with you on checking signatures! The only two companies that check my signature against my state ID throughout the year are Staples office supply & Fry's electronics. There are a few more during Christmas. USPS just checks that the card is signed -- no validation.}

Posted by
5504 posts

Collette,
You need to read the full WSJ article. I read it at the gym and don't have a copy to properly quote. The gist of the decision to go with chip and signature is test runs showed that a significant portion of Americans in trials had problems with PINs. Merchants feared that PIN failures would result in customers not completing their purchase. Hence the American CC companies going with chip and signature while the rest of the developed world uses PIN.

Perhaps phred can post the full quote re why no PINs.

Posted by
222 posts

Will the CnP include the bank cash withdrawal/ATM machines in Europe? I have gotten CnP credit cards for my Visa and American Express accounts but nothing from my bank for the Visa debit cards.
Barb

Posted by
693 posts

In Australia you receive an assigned PIN number with your credit card. You are then able to change it via internet banking (if you have this set up for your account) or in a branch (with appropriate ID). You cannot select a PIN like 1234. This pretty much removes the possibility of people forgetting their PIN as they can select a number that it is memorable to them (eg.2814 might be chosen by a person whose children were born on the 28th and 14th of their respective months). I find it surprising that US banks can't just do something similar.

Posted by
750 posts

If the American merchants think they'll lose sales because people can't remember their PIN's, I guess they could send them to an ATM to get cash. Oh, wait.....

Posted by
693 posts

Eric, in your own amusing way, I think you have summed up the rather silly nature of this issue. Apparently Americans can use ATMs with PINs but cannot be trusted to remember a PIN for a credit card. As i said above, in Australia you can choose your credit card PIN so I just have the same PIN for my credit and debit cards.

Posted by
507 posts

In 1996 I rec'd a Discover Card with a pin (not requested) under separate cover.

Barb,
I will be at the bank tomorrow asking for a chip debit card. If we use our CC C'nP cards to retrieve $$ from an ATM we will be charged for a cash advance, for which the fees are far more than 3% of the dollar amount withdrawn.

Now I am wondering if banks are hoping traveling Americans will use their C'nP CC's for ATM's? Hmmmmm!

Posted by
10831 posts

Last night I landed in Houston as part of my return from Budapest. Upon landing I turned on my cell phone to find an email from my bank asking if all those charges at the Walmart in Pasadena, Texas earlier that day were legitimate. Hmmmm, just landed, hmmm, Pasadena Walmart, that same morning..... hmmmm; doubt it. Someone has to come up with a better way. I guess someday something like IPay will become a standard, but that scares me too. I have a PayPal account that got hacked by a Chinese company and PayPal knowing it was fraud attempted to draw the money off my account, then threatened me when they found the account closed (hey, I'm no dummy). They promised they would only keep the money temporarily until the fraud was investigated then they would give me my money back. Naaaaaaaaa don't think so. I also have a Chip and Signature card; why? It really serves no purpose beyond that of a conventional magnetic strip card. I spend a month or so each year in Europe and I have never had one of my American magnetic strip cards rejected in shops or restaurants. I do understand that there are some restrictions with Kiosk services but I haven't encountered the problem yet. Once in Romania the shop did insist that i put in a PIN so i just pushed 4 random buttons and the transaction went through. My old fashion magnetic strip ATM card has also worked flawlessly. I also have a European issued ATM card that is a true chip and pin card and I guess if everything else was rejected I could use that, but haven't had to yet.

Posted by
9361 posts

American credit cards have (or can have) an associated PIN, but that doesn't make them chip and PIN cards. Most PINs exist to allow you to use your credit card in an ATM, for a cash advance - a very costly idea, and something we only recommend in an emergency. A card with a chip and an associated PIN can still be only a chip and signature card, depending on how the issuer set it up. As far as I know, there is no way to know if your card will work in truly automated situations until you try it in one. (The PIN could work in an ATM but not in a gas pump.) I have recently used my old fashioned mag stripe credit cards and debit cards in three different countries with absolutely no problem.

Posted by
693 posts

Nancy. PINS for credit cards do not primarily exist so that you can withdraw cash at ATMs. They exist because they provide a higher level of security than a signature no one checks! In Australia you must have a pin to use a credit card for purchases (except where you are purchasing a smaller item and you just tap the card on the merchant's machine). You CANNOT sign.

Posted by
507 posts

mph,
Going back to my last post RE receiving a pin with my Discover Card, I was able to use the card in Paris w/the pin to obtain money from an ATM when I ran out of money. At that time I did not own a debit card & learned my lesson about cash advances.

So the question remains, will CCs w/PIN give out cash advances to cardholders who use them like debit cards? It will be a windfall of income for financial institutions.

Posted by
3263 posts

The patronizing attitudes of the banks about the intelligence of consumers is truly insulting and one of the reasons why I only have credit union accounts.

I recently talked to my credit union about the chip and pin credit cards. I was told that they would start issuing them in the fall. I mentioned that it was probably going to be very expensive to replace all the cards. The rep said they believe it will pay for itself quite quickly IF the change truly cuts down on fraudulent activity. She said it costs them (therefore me as a CU member) tons of money dealing with the rampant hacking and fraud issues these days. She also said it was the merchants who were dragging their heels on the change, but that the CU believed that when the merchants had to start dealing with fraud issues more directly, or lost business, they would come around.

The reason I was talking to her in the first place was that I got caught in the Home Depot hacking debacle. Like someone else mentioned, just as we were getting home this past fall, I started getting fake email messages phishing for information. They supposedly came from FedEx, Costco and others. I also got some in German telling me how much I owed on my mobile phone and then my landline accounts.

Thinking that things were now straightened out, I bought poinsettias at Home Depot using my credit card on December 19th. On the 21st a charge for some kind of online business marketing thing hit my card. I discovered it on the 28th and my CU promptly canceled my card. I'm now waiting for another one. My husband got hit a little over a year ago in the Harbor Freight hacking thing and our CU replaced his card. Needless to say, those two stores will not get any business from us in the future unless we pay cash.

We both had pins for our old cards. I don't know if my husband's card has a chip in it or not or if my new one will have a chip. I did request that, but I don't think they are quite ready to do it yet. I was told that my pin will remain the same. I have never used it, but I'm sure I would have no problem remembering it if I needed to use it for every CC transaction.

Posted by
4500 posts

I may be able to address some of the questions and mis-conceptions in this thread.

The first thing is that this is an issue for credit cards (point-of-sale transactions) and not for ATM cards/use. ATM machines still allow for magnetic strips and that won't change for some time. If you have a magnetic strip credit card with a PIN, the PIN is generally only usable for cash advances in an ATM (as Nancy stated, that was the purpose of a PIN in US cards). Debit cards without a chip often cannot be used as credit cards in Europe, though it depends on the bank issuer. But they will work in ATM machines.

All emv (chip) cards use the same technology for the card and chip. The differences are in the validation protocols established by the issuing banks. A PIN validation requires the user to know the PIN or the card cannot be used (the security is provided by the card/user). A signature validation only requires the user to sign their name (the "security" is provided by merchant). A chip card can have a primary validation and a secondary. In the US, most banks will be choosing the signature as the primary validation. Some banks will allow for PINs to be used as a secondary validation. That means if the transaction is automated and a signature isn't possible, the PIN will be requested. You'll have to check with your card issuer as to their protocols, but if you are given a PIN it will probably work in automated machines. And many banks also allow for transactions (usually) under $50 to be automatically approved (no signature or PIN required). So even if your card only allows for signature validation, you may still be able to use it in machines if the transaction is less than $50.

The reason commonly given for US banks to have signatures as the primary validation is to avoid confusing the public. If you don't remember your PIN, you can't use the card. It may not make much sense given that most people have an ATM/debit card with a PIN, but there probably is some validity to the idea that many people will forget their PINs (at least initially). A lot of people have only one ATM or debit card, but several credit cards. The chip&sig cards will provide much greater security against the creation of fraudulent cards (they are nearly impossible to replicate even by organized crime). But it won't do much to stem fraudulent use of card numbers or if your card is stolen.

My guess is that most banks will soon allow for a PIN as a secondary validation. There seems to be no good reason not to. So for the most part, the issues of using US credit cards in Europe will be mostly gone by 2016.

Posted by
2081 posts

@ Phil,

"It's hard to believe just how far behind the 8-ball, the US banks are, in the use of PINs. Australia, Canada, and quite a portion of Europe have long been on PayWave/Tap-n-Go - I can't even remember the last time I saw someone sign a CC receipt - the US seems to be 2 iterations behind the "rest" of the world"

From what I understand the USA is behind because of many reasons, but the one I have read about is that there has been a lot of $$ spent for the infrastructure for our system and how it works. Our system is based off of REAL TIME transactions and so when you make that purchase it's being processed and validated or not, real time.

Also, it will depend on what system you want to end up with in the end. Will you be doing "upgrades" or system changes every so many years? Who will pay for those changes?

The CnP/CnS cards are nice, but what about using your smartphone to pay for things. There is some country in Africa? where the locals use their smart phones to make their purchases. They protect the SIM like nothing else since that's their "bank".

I can see a benefit of the USA doing the "wait n see" approach especially if several options are available for the future use of credit cards - or not. I'm sure the credit card may have its day numbered.

happy trails.

Posted by
1406 posts

Ray, what I read a while back is that of the 3 parties involved (merchants, processors, banks) no one wanted to pull the trigger first because of cost. So they all stared at each other for a while, hoping one would blink and/or hoping the government would force them so then that could be their excuse.

Posted by
4500 posts

^^ phred pretty much sums up the reasons why. It has nothing to do with technology; it was always about money.

Merchants didn't want to spend the massive amounts of money to convert the POS machines since they were rarely on the hook for fraudulent charges.

Credit card issuers didn't want to spend the money because the cost of fraud was less than the cost to convert.

Consumers didn't demand it because they were never on the hook for fraudulent charges.

Politicians didn't want to make businesses spend all that money because consumers weren't demanding it.

And keep in mind that while Europe as a whole is pretty darn big, many US states have larger economies than most European countries. For the entire US, it is a very, very large amount of money to convert to emv. And I'd venture to say that big box retailers in the US have far more invested in POS machines than most any business in Europe.

Posted by
693 posts

"From what I understand the USA is behind because of many reasons, but the one I have read about is that there has been a lot of $$ spent for the infrastructure for our system and how it works. Our system is based off of REAL TIME transactions and so when you make that purchase it's being processed and validated or not, real time."

Ray, that is exactly how the system in Australia works. Your transaction, using either Paywave/paypass for purchases under $100 or a PIN for those over $100, is processed and validated (or not) in real time!

And Collette, of course a bank is going to charge you interest on a credit card cash advance for money that is not in the account. But you can do a cash advance at the counter of a foreign bank as well as at an ATM so I don't know why having a PIN is the issue. A cash advance is effectively a form of loan. If I wanted to use my cc to get money and avoid interest then (at least in Australia) I could put money into my credit card account ahead of a trip and get it into credit - I can then draw against this money and not be charged interest. Or, I can just use my debit card which is what I do.

Posted by
507 posts

http://www.npr.org/blogs/alltechconsidered/2015/01/05/375164839/u-s-credit-cards-tackle-fraud-with-embedded-chips-but-no-pins?utm_medium=RSS&utm_campaign=business

". . . The U.S. has been slow to accept chip-encoded cards until now because most retailers didn't have the machines that could read them, and they didn't want to pay for them. But later this year, retailers that don't accept cards with chips will be responsible for any fraud that occurs as a result. . ."

". . . Mallory Duncan of the National Retail Federation says the new cards won't be as safe as they could be. He blames the big banks. . ."

E>"In essence, U.S. consumers aren't used
X>to punching in a PIN when they buy
C>something with their credit cards.
U> . . .card companies did marketing
S>studies and found out that requiring PINs

E>would actually turn off U.S. customers."

Reason CC companies use signature over PIN
"The banks want to make sure that cardholders use their card, and so they want to make it as easy for the cardholder. And so until they see adoption of PIN across the system, no bank wants to be the only one with a PIN-only-enabled credit card."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IMO
After researching several articles regarding a Chip & Pin cc, the reason Americans did not get the rollout of the EMV card sooner can be summed up in four words --
The God Almighty Dollar.

The merchants hesitate to incur the cost of new terminals, while financial institutions do not want the cost of making new credit cards if the slightest doubt exists that Americans will not embrace the new system. Example: New cards would be placed in the terminal for the duration of the payment transaction. One lady in a field study refused to let go of her card, which raised the question, "How many people would forget to take their card out of the terminal once the transaction was complete?"

"Americans will forget their pin" is plain stupid. (O.K. If a man cannot remember his wedding anniversary date, or a woman as to where she placed her keys does not mean either is incapable of remembering another PIN.)

People employed by the government in high security areas, subcontractors of the same, or medical professionals within a hospital need to remember how many access codes to enter secured areas? How many passwords does one memorize to various websites?

The reason we do not have EMV credit cards is because the American public has not demanded them of their financial institutions. Most people are willing to go along with the status quo until their credit card is one of many that is hacked.

Until the American public demands its financial institutions change our system of how we use credit cards in a way that the information is totally secure, banks will not issue EMV cards & merchants will not purchase the new terminals to read the cards.

In the end merchants, financial institutions, & the American public need to view EMV cards as a win-win situation for everyone involved.

Posted by
693 posts

Interesting link Collette. The issue of people forgetting a PIN is a ridiculous smoke screen by the banks and merchants. As I previously posted, if you can change your PIN in Australia to something you can remember there is no reason this could not be done in the US.

Posted by
507 posts

mph,

If the USA financial institutions issued a true EMV credit card we could change our PIN online. Bank of America, my bank, issues a EMV debit card at this time. I just went online & read that the only reason a PIN is issued to a BoA credit card is to be able to obtain cash (advance). A BoA CC is a chip & signature card at this time.

Posted by
9361 posts

Mph, every card I have has a PIN that can be changed at my request. Many can be done online, some also by phone.

Posted by
2081 posts

One thing that I forgot to add.

My credit union VISA is not a CnP card, but when I was in Europe last year I was able to withdraw money out of my savings/checking account since my card is linked. I forgot where I did the transaction. I can easily do it in the states, but I noticed that in Europe that option is hidden or not available. I will need to check my statements to see if there were any charges associated with that withdrawal.

I'm figuring since it's like a "debit card" transaction, there shouldn't be any fees, but again, I will have to see.

happy trails.

Posted by
693 posts

Well if you can change your PIN this makes the banks' claims that Americans would have trouble with a PIN even more ridiculous. And I stand by my statement. Having a PIN is about security and not about cash advances - well at least everywhere except in the US apparently.

Posted by
4822 posts

For those wondering about a PIN issued for your card and if it is a true chip and pin, you really need to investigate that with your cardholder. As part of the EMV (chip) technology, the card issuer establishes a list of multiple means of Card Validation Methods (CVM) ranking from top to bottom. Based on the terminal in which you use your card, it will choose the highest level CVM it is capable of.

As an example, if my card has as its highest level "signature" then "online PIN" then "Offline Pin" and then "none", if the terminal can use both signature and PIN, I will be asked for signature. If the terminal does not support signature, and I have a true PIN, then it will ask for the PIN. On some low dollar transactions, if none of the above are supported (like a Kiosk), then the transaction may go through without any validation, using the "none" CVM.

Real life experience, I have an ATT mastercard issued by Citibank with an EMV chip. In London last year, I was usually asked for a signature, since that likely was the highest level CVM on my card and all terminals I used had that capability. I do have a PIN, but have never been asked for it and my card may not even list that option. I was also able to use the card in Kiosks in the Underground to top up my Oyster card with no validation, so it does have that CVM as a lower option.

So, it is very possible that if you get a US issued "Chip and Pin", your card may still rank "signature" as a higher level validation, and you will be asked for a signature in Europe. Good news is though, at an unattended terminal where no signature is possible, you may be asked for the PIN and able to complete the transaction...just depends on the options the card has.
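
The ranked-list selection described in the post above, as an added example that is not part of the original thread: a Python sketch of a terminal walking a card's CVM list, using the rule layout from the EMV specifications (8 amount bytes, then 2-byte rules). The two card lists and the terminal profiles are constructed for illustration, not read from any real card, and the model stops at choosing a method; it does not simulate whether PIN entry then succeeds.

```python
from dataclasses import dataclass

# CVM method codes: low 6 bits of the first byte of each 2-byte rule.
METHODS = {
    0x00: "fail", 0x01: "offline plaintext PIN", 0x02: "online PIN",
    0x03: "offline plaintext PIN + signature", 0x04: "offline enciphered PIN",
    0x05: "offline enciphered PIN + signature",
    0x1E: "signature", 0x1F: "no CVM",
}
CONTINUE_IF_UNSUCCESSFUL = 0x40  # bit 7 of the first rule byte


@dataclass
class Terminal:
    supported: frozenset       # method names the terminal can perform
    amount: int                # purchase amount in minor units (cents)
    app_currency: bool = True  # purchase is in the card's own currency


def parse_cvm_list(raw: bytes):
    """Split a CVM list into amount X, amount Y and its ordered rules."""
    if len(raw) < 10 or (len(raw) - 8) % 2:
        raise ValueError("expected 8 amount bytes followed by 2-byte rules")
    x = int.from_bytes(raw[0:4], "big")
    y = int.from_bytes(raw[4:8], "big")
    return x, y, [(raw[i], raw[i + 1]) for i in range(8, len(raw), 2)]


def condition_met(cond, method, term, x, y):
    """Evaluate a rule's condition byte for a plain purchase (no cash)."""
    if cond in (0x00, 0x02):      # always / not cash and not cashback
        return True
    if cond == 0x03:              # if the terminal supports this CVM
        return method in term.supported
    if cond in (0x06, 0x07, 0x08, 0x09) and term.app_currency:
        limit = x if cond in (0x06, 0x07) else y
        under = cond in (0x06, 0x08)
        return term.amount < limit if under else term.amount > limit
    return False                  # cash, cashback or unknown condition


def select_cvm(raw: bytes, term: Terminal) -> str:
    """Return the method the terminal would attempt, or 'CVM failed'."""
    x, y, rules = parse_cvm_list(raw)
    for method_byte, cond in rules:
        method = METHODS.get(method_byte & 0x3F)
        if not condition_met(cond, method, term, x, y):
            continue              # rule does not apply, look at the next one
        if method in term.supported and method != "fail":
            return method
        if not method_byte & CONTINUE_IF_UNSUCCESSFUL:
            break                 # card forbids falling through
    return "CVM failed"


# Constructed card data: amount X, amount Y, then rules in priority order.
# Card A follows the post's ranking: signature, online PIN, offline PIN, none.
CARD_A = bytes.fromhex("00000000" "00000000" "5E03" "4203" "4103" "1F03")
# Card B is signature-first with "no CVM" only under X = 5000 (50.00).
CARD_B = bytes.fromhex("00001388" "00000000" "5E03" "1F06")

ATTENDED = frozenset({"signature", "online PIN", "offline plaintext PIN"})
KIOSK = frozenset({"offline plaintext PIN", "no CVM"})

if __name__ == "__main__":
    for label, card, caps, cents in [
        ("A, staffed till", CARD_A, ATTENDED, 8000),
        ("A, ticket kiosk", CARD_A, KIOSK, 8000),
        ("B, ticket kiosk 80.00", CARD_B, KIOSK, 8000),
        ("B, ticket kiosk 20.00", CARD_B, KIOSK, 2000),
    ]:
        print(f"{label}: {select_cvm(card, Terminal(caps, cents))}")
```

Card B at the kiosk for 80.00 is the case discussed in this thread where a chip-and-signature card has no usable method in an automated situation.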

Posted by
1094 posts

I have had a true Chip and Pin card for about 1 year issued by my bank (USAA). I had to ask for it because I was going to Europe. It did work in train station kiosks in Italy.
One quick way to check your card in the US is to go to a store that has the option to use pin and chip. In my area the Sam's Club has that option. The POS machines have the usual slide for magnetic cards but they also have a slot for pin and chip cards. If your card will work in one of these POS machines using your PIN (without a signature) you have a true pin and chip card. The big surprise was that one of our local diners has a pin and chip POS.

Posted by
4500 posts

^^ Bob - Those machines will work for either chip and signature or chip and PIN. If someone has an emv card with signature as the primary validation, they will be prompted to sign (usually electronically). You won't be asked for a PIN unless PIN is the primary validation. Everyone will know which is their primary validation (and for most it will be signature). The question many people are having is whether their chip and signature card will work in an automated transaction where signature validation is not allowed (such as a ticket kiosk). The only way to find that out is to try it on such a machine or read the fine print in the agreement. But most likely, if you are given a PIN, it will probably work as a secondary validation with an emv card.

Posted by
1406 posts

When my restaurant host in Paris was running my card through the little machine he brought to the table, I said this is all new to us, in the US they take your card to the machine and not the other way around. He shook his head and said Imagine letting your card out of your sight .........

Posted by
9361 posts

Several of our local restaurants either have POS machines on the table or they bring the machine to the table. This is not unheard of in the US - and I don't even live in a big city.