There have been a lot of posts about chip and signature/PIN, and I thought this article about a lawsuit involving Home Depot and MCV/VISA would interest some people: http://www.pressherald.com/2016/06/15/home-depot-sues-visa-and-mastercard-over-credit-card-security/
I'm not clear on the financial loss to Home Depot (grounds for the suit). If Home Depot is using the chip readers, then VISA/MCA is supposed to be responsible for fraudulent transactions. Merchants are only on the hook for fraudulent transactions if they don't have activated chip readers. The article doesn't explain the lawsuit rationale - though it does cover the other issues pretty well.
And of course the irony is that Home Depot's lax security allowed millions of customer's cards to be hacked and duplicated. I'm glad it pushed them and the industry to move to EMV technology, but they don't really have the high ground here.
And of course the irony is that Home Depot's lax security allowed millions of customer's cards to be hacked and duplicated.
That was the first thing I thought of when I saw the article.
That Home Depot chose not to buy the hardware and thereby not
implement new chip readers is their responsibility.
Yet the article states: "Home Depot pushed hard to activate chip-enabled checkout terminals at all of its stores after the 2014 attack."
So it appears that Home Depot HAS replaced the old terminals with chip-enabled ones. It seems they just want the companies to implement PINs, which is what we as consumers want as well.
Well, one can sue a ham sandwich as the saying goes. Good luck with that.
True. In law school, one of the first things we learned is that the answer to the question: "So, under these facts, can you sue?" is Yes, you can always sue. But the real question is, does the suit have merit; or can you win?
I have no idea of the merits of this case, nor do I really care. It's Goliath vs. Goliath.
Visa/MC/AMEX have terminals that do NOT require signatures. I see them in businesses including my local Dunkin' Donuts. They aren't as prevalent as they should be because businesses won't pay for them. Many stores have chip/signature merchant processing equipment but not chip/pin. That Home Depot chose not to buy the hardware and thereby not implement new chip readers is their responsibility.
I don't understand any of this. How would a US chip reader not allow signatures for verification? US EMV credit cards are almost all chip and signature and everyone knew they would be well before merchants invested in the readers.
Many banks and merchants do allow for transactions under a certain dollar limit without verification - usually about $50. It speeds up transactions and has a low fraud liability exposure.
All of the EMV readers that I have seen in large businesses are a combination signature/PIN terminals. They need to be so that debit cards, which will still use PINs, can be used.
It is my understnading that Home Depot has converted to EMV terminals. That is why the basis for the lawsuit is questionable: they should no longer be on the hook for fraudulent usage.
Well, it is true that a credit or debit transaction authorized with a signature does cost the merchant more than a debit card transaction authorized through the PIN and debit cards can be authorized like credit where the merchant gets charged for them as if they were credit cards. This might be part of the basis of the complaint although it is not clearly explained in the article. Walmart has a similar suit in which it is asking to be allowed to force all debit transactions to be done only with a PIN and to deny debit transaction the customers want to run as credit to reduce its overall processing costs. Debit is capped at around 25 cents a transaction for merchant fees while credit is an unlimited amount based on a percentage of the total transaction.
It was actually the card issuing banks in the US, not Visa/MasterCard, that refused to go to the Chip & PIN option for credit cards as they for whatever reason felt US cardholders would not be able to adjust to using a PIN (and many of their computer systems that deal with credit cards have been hard coded to see any transaction with a PIN as a cash advance [the networks filter out the PINs on credit transactions that are not actually cash advances so they don't see them which is why entering a PIN number on a purchase in Europe is never treated as an advance]). All this decision seems to have done is produce more confusion over what card might work where.
Went to Home Depot just this afternoon and they have chip reading terminals. They were one of the first major companies to spend the money and install them and activate them in the US (at least around where I live). If you use a card that is Chip & PIN, it will ask for your PIN and not let you sign. But since most US issued cards are NOT PIN, it does them no good to have these terminals that require PIN primarily.
Most terminals do not require a signature or a PIN for credit cards if the transaction is under $50. That is why your Dunkin Donuts and many other small shops where you buy small dollar's worth of items do not require a signature. They also don't ask for a PIN on credit. This is an option called "floor limit" that merchants can subscribe to in order to speed up processing of most of their transactions at the checkout terminal -- if they are willing to accept the risk that some of those transactions will be fraud. Anything over that limit still requires a signature (or PIN if it is that type of card).
Many businesses that have so far chosen not to upgrade to the chip reader terminals are now finding out how expensive that decision was because they are being charged for every fraudulent transaction they get approval for when the card had a chip and their terminal did not read it. Previously, the card networks would absorb the fraudulent charges as long as an approval code was received from them for those transactions, now they only do so for chip cards if a chip reader was used in the transaction.
Thanks Mark. MrsEB isn't understanding the systems and options. And I wonder if you are right about the differences in charges to the merchant between processing credit and debit cards is the basis of the lawsuit. That would make some sense and maybe the article's author didn't understand it.
For all- I actually have been at my local Home Despot twice recently, with my Chip CapOne card. The terminal requires it be used in the chip reader, it will not accept it via swipe ( I missed that this was a chip terminal). I do not know whether it knows that there is no PIN, or it just let it go as both purchases were under %50.
Thank you, Mark! You explained it better than I would have.