Walmart sues Visa for being too lax with protecting chip cards

Retail giant Walmart has filed suit against Visa over the ability to force chip and PIN authorization for card purchases. In a suit filed to the New York State Court (PDF), Walmart claims that Visa is forcing it to accept customer signatures as authorization for payments when it wishes to mandate the use of PIN codes instead …

  1. John Tserkezis

    Australia now has a fully-non-signature credit card purchase system, and if you use paywave or similar (NFC) *and* for less than AU$100 purchases, PINs are exempt.

    Although this has changed the usage patterns of credit card thieves (fraudulent purchases are now only <$100) If I had to present a 12-digit PIN for *all* purchases, (most are sub-$100) I'd be rightly annoyed.

    1. Somone Unimportant

      and therein lies the problem for Aussies

      The credit card providers have forced tap-to-pay technologies on the Australian banking system, and there is no way to opt out of it and demand that only a PIN be acceptable on a credit card.

      We've gone from "low" security (a signature that placed the onus on the retailer to verify) to "some" security (a PIN) to no security (just tap here sir) for purchases below $100.

      My wife's cards were stolen on a Friday night, the thieves racked up $250 worth of purchases in the following four hours - mainly petrol, ciggies and late night Maccas - we cancelled the cards at 8am when we realised the cards had been stolen and it took us 6 weeks to get the charges reversed. And because one of the stolen cards was linked to her savings account, we were really out of pocket for that 6 weeks.

      1. Cynical Observer
        Black Helicopters

        Re: and therein lies the problem for Aussies

        ...not just the Aussies.

        I suspect that a large percentage of those with an IT security background look at contactless and say "WTF!"

        IMO it really is a solution that should never be applied to the area of payments.

        RFID chips are fine for stock control, they are useful for tracking pets - but the committee* that thought they should be linked to things like passports and payment cards really should have been disbanded at first light.

        Of course that would have stymied the perceived agenda to move society closer and closer to a cashless society.

        “A committee is a life form with six or more legs and no brain.” – Lazarus Long

        1. CustardGannet

          "...should have been disbanded at first light."

          I hope that by 'disbanded', you mean 'shot'.

          1. a_yank_lurker

            Re: "...should have been disbanded at first light."

            Shot, you are too kind.

        2. h4rm0ny

          Re: and therein lies the problem for Aussies

          Functionally it is little different from having cash stolen. They set the limit at X as a parallel to how much money you might be carrying in a non-card world. £100 probably isn't that bad they think as you'll get it back eventually.

          However, the system needs two things. One, the availability of cards without NFC payment enabled, and two - the ability to configure your own limits. (These can actually be the same thing given you could configure a limit of zero).

      2. Michael Wojcik Silver badge

        Re: and therein lies the problem for Aussies

        it took us 6 weeks to get the charges reversed

        Indeed. What Walmart means by "best practices for fraud prevention" is, of course, "best opportunity for transferring risk to the customer".

        That's the real driver behind EMV. It's much easier to dispute a signature.

        1. James 139

          Re: and therein lies the problem for Aussies

          This has always been my view too, the banks make it sound like they're doing the customers a favour and making things more secure, but really they're just providing extra ways for them to say "customers fault".

    2. Shane McCarrick

      12 digit PIN? Freaking hell! Show me a single person who wouldn't be onto their bank to reset the sodding thing every second day. 6 digits is good enough for most people....... Also AU$100 seems rather high for tap and pay- it's EUR30 in Ireland- I think it's entirely fair to set it at a far lower level........

  2. aberglas

    Zip code for non-US cards

    One annoyance of the US system is that some places like gas stations demand the entry of a zip code instead of the non-existent US pin. And that means that they do not accept foreign credit cards.

    1. Number6

      Re: Zip code for non-US cards

      I once suggested to my UK credit card company that they should find a way to assign a 5-digit PIN to people wishing to use their cards in the US which would allow them to work in petrol pumps and provide a bit of security while doing so.

      You can normally use a foreign card, it just means you have to go in and see the cashier (and leave your card there, which is definitely dodgy) while you fill up, then go back in to complete the transaction afterwards. Or carry cash and use that.

      1. Cpt Blue Bear

        Re: Zip code for non-US cards

        "Or carry cash and use that."

        That's the best advice. When in the USA I rapidly learnt to keep my foreign credit cards (including the company Amex) for big hotels and the like where they were used to such exotic things.

      2. JBowler

        Re: Zip code for non-US cards

        Take your *debit* card. Find a US bank ATM that will accept it (ask your bank for locations first), withdraw the max (typically $300; the US bank rips per transaction not per amount so favours low transactions). Do this every day you are in the US. Pay cash. Cash is always welcome, up to $9,999.99 and in $20 bills and no more.

        That's what we do, for far less valid reasons.

        BTW I have to thank my mother and father (both UK) for this approach, so I can only assume that it was part of the standard advice given by whoever to older travelers from the UK. Finding the right bank can be a PITA but they both managed it, even in that benighted capital of dubious technology Seattle.

        One day we will have security for everyday people but we will probably no longer be the USA.

        John Bowler

    2. JeffyPoooh

      Re: Zip code for non-US cards

      It really comes to a head when trying to fill up the fuel tank of a rented car just before returning it. Lacking a Zip Code, one wanders in to negotiate a payment algorithm. Wait in line forever while all the vagabonds do their Lottery dealings. Explain to the clerk's brainstem about foreign countries. They might offer Prepay, "How much gasoline do you want?" "I want to fill the tank, it's a rental, I have no idea how much it needs." One should allow an hour (or eight) for this. Then the uneducated hillbilly in the huge truck waiting at the pumps, stuck behind your rental car, will then murder you.

      NEVER attempt to fly out of the USA in the forenoon. It's impossible. If your flight is at 10AM, you'd have to set your wake-up alarm for 7PM the evening before, which ruins dinner. Any normal human should aim for a late-afternoon flight, but even that's risky.

      1. Anonymous Coward

        Re: Zip code for non-US cards

        You are exactly the type of git that would judge the whole country on the gas station next to the airport huh? Newsflash they suck ass even for the locals and in fact that one near Newark airport (including whole city and airport itself) is actually our worst face forward. As a foreigner on business travel you definitely want to go with the fuel option on car rentals which is often not that much more than DIY.

    3. JBowler

      Re: Zip code for non-US cards

      Yep. So here's a real story; my story. I live in a part of the US (SW Oregon) that one local musician's bumper sticker (a US custom) stated is "where Deliverance meets the Grateful Dead". So I don't buy gas in the Valley, I buy it in Grants Pass (seriously).

      And I used to buy it in a gas station heading home.

      One day I checked in and was, yeah, asked for the Zip code. 97531. Duly Bank of America charged the expected 18 gallons; I drive a Subaru. On the same day at the same time they charged me for another 24 gallons. Well, the Dude had a problem the first time he ran my card, I gave it to him again (you are permitted to call me a doofus at this point; next time it happened at a different gas station in GP I gave everyone a really hard time, double checked transactions on my mobile and had the lead guy on the gas station give me a piece of paper - more so he remembered than any other reason).

      So, originally, I disputed that 24 gallons. No luck; BofA told me I was there (yep, I think I said that) and that therefore the charge was valid.

      Lesson; I will never go to that gas station again. My wife still insists on using the BofA card but I think I've managed to cut it to next-to-nothing per year.

      Not very helpful, but if you visit the US ask your credit card company for a TEMPORARY CREDIT CARD for the purposes of the visit. It's pretty easy to provide these; Visa already do it for online transactions in the US.

      John Bowler

    4. Hugh McIntyre

      Re: Zip code for non-US cards

      To be fair, US credit cards don't work in British petrol pumps either so the problem exists in both directions.

      And don't get me started on the impossibility of topping up a PAYG UK mobile phone with a non-UK credit card....

      1. Simon 49

        Re: Zip code for non-US cards

        The PAYG thing is insane, go to the trouble of getting your phone unlocked, manage to find a nano-SIM on a UK PAYG net, then find the only way to get more credit on it is buying a retail voucher - marked up massively compared with online. Seemed to be 4:1 last time I tried this, 2014 I think, I spent 100 quid on what online should have been 30.

        1. Hugh McIntyre

          Re: Zip code for non-US cards @Simon 49

          For travelers to the UK, what I did last time is to buy a voucher on mobiletopup.co.uk.

          This charges a 99p transaction fee but otherwise gives you a usable top-up voucher.

      2. joed

        Re: Zip code for non-US cards

        I can confirm, if I had to stay in Germany for longer than 10 days I'd die of starvation (I was trying to outsmart the system and withdraw cash at better exchange rate outside an airport only to find that nobody took US cards outside the hostel I stayed at, rather small town; I did not want to risk my return trip and hypermiled every commute - German "clean diesel" did well for that).

        I could care less for C&P - mostly false security as far as I know and liability passed onto customer.

        Regarding 300$ withdrawal limits - banks have better ways to nickel and dime their customers. This limit is to protect account holders as fraudulent cash withdrawals are next to impossible to dispute/reverse.

        ZIP is not uniformly required at gas stations (no idea why), and has been - most likely - introduced to make it more difficult for crooks to test the card before buying big ticket items.

      3. david 136

        Re: Zip code for non-US cards

        I am still living a nightmare of French toll roads not accepting US cards, two years later.

    5. AndrueC Silver badge
      Meh

      Re: Zip code for non-US cards

      And that means that they do not accept foreign credit cards.

      I've never had any problems when I've visited the US. I only ever keep $50 in my wallet for emergencies and never needed it. I've paid for taxis, food, car rentals and some general purchases with my card. I was asked for a zip code at a couple of petrol stations in California but I just typed '111111' and the transaction went ahead.

      There's a discussion here.

      But it is odd how the US does sometimes lag behind in certain areas. Chip & PIN has been standard in the UK for a decade now. And of course there's still a lot of check (sic) transactions over there. I wonder if it's related to the fragmented nature of their banking system?

      1. AndrueC Silver badge
        Thumb Up

        Re: Zip code for non-US cards

        Lol. It appears that I may have accidentally entered a valid zip code. I mean, obviously not valid for me but I'm guessing it was enough to pass the UI validation to let the transaction proceed. Deeper into the system the code was presumably ignored because it had no way to check against a foreign issuer.

        The advantage of being a software developer I reckon. I assumed that all zeros wouldn't be valid :)

    6. Slx

      Re: Zip code for non-US cards

      I've had this issue with UK online stuff and Irish cards.

      Enter your address

      1 Fake Streer

      Ballyfake

      Co Fake

      Ireland

      Postcode : X11 1A1A (not my real code as they actually link to individual addresses in Ireland).

      Your postcode is invalid

      I try 00000

      Your postcode is invalid

      In the end I just end up putting in the code for Buckingham palace which works fine!

      1. Ol'Peculier

        Re: Zip code for non-US cards

        Ah, not just me then. I use SW1A 2AA - Downing Street's postcode...

    7. h4rm0ny

      Re: Zip code for non-US cards

      Well that explains why one of my cards didn't work over there.

      But using a ZIP code as a PIN is a terrible, terrible idea. Can we have an Edvard Munch icon, please?

      1. waldo kitty
        Boffin

        Re: Zip code for non-US cards

        But using a ZIP code as a PIN is a terrible, terrible idea.

        the ZIP code thing is not used for a PIN... it is matched with the billing address of the card holder... if the two ZIP codes do not match then the transaction is invalid...

  3. Number6

    Apparently Americans can't cope with having to enter a PIN (despite needing to for debit cards). That's the gist of what I got when my US credit card company upgraded me to chip-carrying cards. Even now, most of the readers I use have the chip slot taped up and people are expected to swipe the mag strip, so clearly there's still a long way to go.

    1. Anonymous Coward

      Make America Swipe Again!

  4. Anonymous Coward

    PIN?

    Last year the bank sent me a new VISA card with a chip... but no PIN. If asked for a PIN at the checkout, I'd have no clue. But I've never been asked. Can't even remember entering a ZIP code to buy gas recently.

    Edit: our gas pumps probably only demand a ZIP when there's a red flag... like a foreign card.

    1. Michael Wojcik Silver badge

      Re: PIN?

      Your card is probably chip & signature. The EMV spec allows this. If you use it with a working EMV reader, you should see a message telling you to withdraw the card after the transaction completes, and then you'll have to sign a slip as per normal.

      Some of my (US-issued) cards are C&P, and some are C&S. I don't remember which is which; I just use the card I want to use and then complete the transaction however the reader instructs.

  5. Neoc

    I blame this on the USA's over-reliance on cheques (checks for you over-the-ponder). It's made the concept of signing everything too ingrained. As for cash - I recently went to Europe (which, BTW, has a really lousy concept of ecommerce once you go beyond the multi-nationals) and even *there* I barely had to use cash.

    As for the ski-trip in NZ, I never had to use cash in and around Queenstown - *all* the shops there were more than happy to take overseas credit-cards.

    1. MrXavia

      Lousy concept of ecommerce?

      Not sure what you mean?

      Pretty much every shop has an online store of some kind over here (well UK anyway), and you can get everything delivered...

      But in the UK I often go months without spending cash.. Everything is paid for by credit card by me, from a pack of gum up to a car...

      1. Slx

        Re: Lousy concept of ecommerce?

        I have to say though things are changing rapidly when it comes to cheques in Ireland.

        I work freelance and at least 95% of my invoices are paid by e-banking with the IBAN (BIC is gone)

        Recently I was having work done on my house and I paid the builder, sparks, plumber and tiler the same way. All zapped through by electronic banking using IBANs

        What would make even more sense though would be to link a "paying in" address to your verified mobile number. That way you could send payment without giving away banking account details.

        Transactions are free of charge and processed within 24h to any Eurozone bank account.

        You can include long messages and my online banking is secured with three factor authentication.

        (Log in ID, a security question, selected digits from a secret code and to actually transact anything you need to generate an authentication code using my debit card inserted into a little card reader. That also needs my chip and pin PIN)

        So pretty rock solid.

        1. Number6

          Re: Lousy concept of ecommerce?

          My idea, which does not exclude yours, is that banks should issue everyone with a second account number unrelated to your original, to be used for paying in only. That way, even if someone tries to use it to extract money, it will be flagged as invalid

        2. Boothy

          Re: Lousy concept of ecommerce?

          @ Slx

          Quote: 'What would make even more sense though would be to link a "paying in" address to your verified mobile number. That way you could send payment without giving away banking account details.'

          That already exists, at least in the UK, and I'm sure other places will have the same or similar systems, either now or in the future.

          The UK system is called Paym. You only need to register to receive money, to send money you just need your Bank to support the service and to use your Bank's mobile app. The recipient needs to sign up for the service, usually via their Bank's web site, and they register a phone number for the service (usually their mobile, or perhaps a business number).

          The sender just uses their regular Bank mobile app, selects Paym, types in the phone number for the recipient (or selects them from their contact list), enter what account you want to send from and the amount (there are limits). And click 'Next', the phone number is then validated against registered Paym recipients, and displays their name, as it is registered at their Bank, as confirmation that you are sending to the right person, (and to make sure you've not mistyped the phone number!) Click to confirm, and within hours (usually just a couple of minutes) the money has been transferred.

          No need for the recipient to provide any bank details to the sender at all.

          Edit: Typo.

          1. Slx

            Re: Lousy concept of ecommerce?

            AIB in Ireland had "You2Me" which worked like that for a while but they abandoned it.

    2. taxythingy

      That's because NZ set up EFT-POS systems back in the 80's left, right and centre. A fairly unified banking system helped, as did having only two processing groups for the banks.

      The only time I've used cash in the last two months, other than as a tooth fairy, was at a big field day for our local rescue chopper. The sausage sizzle and donations in a bucket still work better with cash. Normally, my wallet has no cash.

    3. Anonymous Coward

      We write "cheque" in Canada, too.

      Ironically, the NFC Forum has specs to secure transactions but they are optional.

  6. JBowler

    Only debit cards!

    The US does not issue chip'n'PIN *credit* cards, only *debit* cards. So...

    When a US debit card is run *without* the PIN it is billed as a credit card (for the store) and lots of steel-rice-bowl types (as my Chinese wife would refer to them) get humongous amounts of cut out of this. And the store gets Ripped.

    For years issuers of US *debit* cards have encouraged their recipients (often with money) to run them as *credit* cards. This is Walmart's response; it has nothing to do with security and it doesn't change a single thing about US credit cards (which don't have a PIN, full stop, end.)

    John Bowler

    1. Throatwarbler Mangrove Silver badge
      FAIL

      Re: Only debit cards!

      Your comment is interesting, in the sense that it is factually incorrect. I have a debit card in my wallet with only a mag stripe and a credit card with a chip (but no PIN that I'm aware of).

      1. Michael Wojcik Silver badge

        Re: Only debit cards!

        Yep. He's completely wrong about this. I have EMV credit cards from at least three US banks.

        Offhand I can't say which are C&P and which are C&S, but they're EMV.

    2. elkster88

      Re: Only debit cards!

      "The US does not issue chip'n'PIN *credit* cards, only *debit* cards."

      Umm, yes they do.

      My Andrews Federal Credit Union VISA credit card (most emphatically not a debit card) was specifically applied for before my last trip to Italy because it is a Chip & PIN, not Chip and signature.

  7. PAW

    Bah

    Nobody wants the bleedin chips except the credit card companies. They are the only ones that benefit. Its purpose is to send fraudulent charges back to the merchant that accepted the card. The card companies are not interested in PINs as that might cause them to take liability.

    The chip readers take much more time to process than magnetic swipers and they cost the retailer about $400 apiece. It's a win (credit card merchant) - lose (retailer) - loss (customer) situation. The only possible benefit for the user was that we'd finally have cards we could use at ATMs in Europe. But then they didn't give us PINs.

    BTW every time I use a gas pump that asks for a zip code I feel massive empathy for foreign drivers that likely have no idea why the pump has stalled and can't read the f*ing screen in the bright sun even if they did know English.

  8. jtaylor

    A holdout explains

    I haven't yet been convinced that PIN is better for me than a signature (and yes, my cards are now Chip + Signature).

    How difficult is it to obtain someone's PIN? With debit cards, a mirror or tiny camera or keypad overlay or just a nice viewing angle are enough.

    My credit cards are signed "See ID" on the back. Sure, someone can steal the card and make some charges, but unless they also thought to obtain my signature, it shouldn't be too hard to show that the purchase was not made by me. And that assumes the clerk didn't ask for ID.

    Given the choice between "less fraud, but I assume the risk" and "greater fraud but I am less liable" I prefer the lower liability.

    What am I missing?

    1. Anonymous Coward

      Re: A holdout explains

      What am I missing?

      That, as has been demonstrated many times in the past in many countries around the world including the US, you could probably sign as M.Mouse with a crayon gripped between your toes and a picture of your arse on your ID, and the average cashier would accept it without a second glance.

      What I seem to be missing is why something like C&P that works so well elsewhere in the world, and has done for years now, causes such controversy solely within the USA.

      1. Paul Crawford Silver badge

        Re: A holdout explains

        I noticed that when I visited NY years ago, cashier didn't even look at my signature. I think the most likely reason is the one given by @JBowler above:

        "When a US debit card is run *without* the PIN it is billed as a credit card (for the store) and lots of steel-rice-bowl types (as my Chinese wife would refer to them) get humongous amounts of cut out of this. And the store gets Ripped."

      2. Triggerfish

        Re: A holdout explains

        My 6'3" Ex Rugby forward boss, used his wife's card over in the US when they emigrated and were getting settled. No one questioned at any point why he was listed as Mrs or called by a feminine name. They barely glanced at his signature.

      3. jtaylor

        Re: A holdout explains

        "you could probably sign as M.Mouse with a crayon gripped between your toes and a picture of your arse on your ID, and the average cashier would accept it without a second glance."

        Certainly. This is why I mentioned "Sure, someone can steal the card and make some charges, but unless they also thought to obtain my signature, it shouldn't be too hard to show that the purchase was not made by me." This is distinct from a PIN, which is easy to record and reproduce.

        I am willing to accept higher risk of fraud, as long as that comes with lower risk that I'll actually have to pay for it.

        I'm still curious what I'm missing. Or was your point that if someone signs as M. Mouse, that my credit card issuer will use that as proof that I was the purchaser?

    2. Anonymous Coward
      Meh

      Re: A holdout explains

      Some years ago, my Building Society provided Credit Cards that not only had your photograph but your signature embedded on the back of the card, pretty good quality images too - then the organisation got taken over and the cards got supplied by MBNA so it went away - a pity really

  9. David Roberts

    Recent problem?

    A few years (4?) since I last visited the States but I don't recall any problems buying fuel or shopping with a UK credit card. Visited most of the West Coast.

    Oh, and for drawing cash from an ATM you may be better off with a credit card.

    Counter intuitive, but banks normally gouge you on the exchange rate and transaction charges.

    There are some cards which don't charge for currency conversion, and only charge a small amount of interest on cash withdrawals which turns out to be cheaper than being gouged for using a debit card

  10. Ol'Peculier
    WTF?

    US restaurant. Ask for the bill. Server comes with it in a little wallet thing. You put your card in it and pass it back who then goes off to process it. Comes back with ticket, you sign it, adding a tip as appropriate, take card back and hand folder back to server. Who has, at no point, actually seen your signature on the bill and your card.

    What can possibly go wrong?

    1. terry doyle

      [... You put your card in it and pass it back who then goes off to process it. Comes back with ticket,....]

      And your card has just been skimmed :-)

      1. Ol'Peculier

        I know. I've always used a currency card when away unless it's a big ticket item where I won't lose sight of the card.

        As an aside, had to laugh whilst at the CN Tower in Toronto last year when the poor waitress was having to explain to baffled Yanks how to use the card reader...

        1. Phil O'Sophical Silver badge

          at the CN Tower in Toronto last year when the poor waitress was having to explain to baffled Yanks how to use the card reader...

          I've seen the same thing in restaurants at Heathrow, US customers trying to persuade the waitress just to take the card away & bring back a chit, and looking baffled when she tries to explain that she's not allowed to do that and has to bring the reader to the table. They just don't get that it's for their own protection!

        2. Number6

          That's changed - a lot of places in the US you're expected to swipe your own card in the reader, presumably for exactly the same reason. However, you often have to either show it to the cashier or hand it to them after swiping, it appears that they have to manually enter the last four digits of the card as some sort of proof that they've at least looked at the front.

  11. tiggity Silver badge

    I like sigs

    Signing is good though as it means your fingerprints end up on a physical piece of paper and thus proof you signed it (and conversely proof you did not sign if someone nicks your card and forges your sig).

    With PIN (as stated, easily acquired by shoulder surf pre pick pocket, dodgy card readers in shops etc.), unless there happens to be CCTV of the transaction no way to prove who made the purchase..

    1. Test Man

      Re: I like sigs

      LOL fingerprints - what are you on about?

    2. ideapete
      Pint

      Re: I like sigs

      I leave my DNA everywhere it's a cultural thing

  12. Efros

    No chips

    I have a number of debit and credit cards from major banks and minor ones in the US, none of them are chipped.

  13. Slx

    24 years of chip and pin in France!

    This is like a discussion from the late 1980s!

    France has been successfully using chip and pin credit cards since 1992 with trials having been completed in tennis to late 1980s

    I don't know why US banks are being so slow about rolling them out. It's really starting to look like some kind of weird technological backwardness at this stage.

    That being said, banks are hardly shining examples of forward thinking and technologically savvy!

    My sense is that there's a major opportunity for someone to just tie up with Google, Apple and the telcos and completely bypass the old payment card duopoly.

    The whole concept of paying for things using largely trust based systems that mostly rely on a 16 digit card number and expiry and a few bits of fixed information crudely hacked on for security is beyond stupid.

    We should be in complete control and pushing payments to retailers in realtime. They've absolutely no need to store people's payment card details and we've no need to be using 1960s tech in 2016 either !

    1. Uncle Slacky Silver badge
      Holmes

      Re: 24 years of chip and pin in France!

      The US is notorious for NIH syndrome (see also Concorde).

      https://en.wikipedia.org/wiki/Not_invented_here

  14. Anonymous Coward

    Chip-and-pin «vulnerability»? No, it's not

    The link is interesting, and there is a real vulnerability, but it's not a c&p one. It's a protocol downgrade issue..

    Ie, the cashier asks for c&p, and you force it to accept magstripe. Except that works only if magstripe is allowed. In the Real World of chip-and-pin, ie, not the lab or the current US market or with Amex that has only recently switched to it, the transaction authorization systems would see a magstripe request for a c&p card on a c&p terminal, have red lights start flashing, and simply refuse it.
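The authorization-side check that the comment above describes, sketched as an added example (not code from the article, the commenter, or any card scheme). Assumptions: the entry-mode values follow common ISO 8583 field 22 usage, a service code starting with 2 or 6 marks a chip card, and the `AuthRequest` fields and decision names are hypothetical.

```python
from dataclasses import dataclass

# POS entry mode, first two digits of ISO 8583 field 22 (common usage, assumed here).
ENTRY_CHIP = "05"        # chip read by the terminal
ENTRY_MAGSTRIPE = "90"   # full magnetic stripe read
ENTRY_FALLBACK = "80"    # chip read failed, terminal fell back to the stripe


@dataclass
class AuthRequest:
    service_code: str            # 3 digits taken from the track data in the request
    entry_mode: str              # how the terminal says it read the card
    terminal_chip_capable: bool  # from the acquirer's terminal profile, not self-reported
    issuer_says_chip: bool       # from the issuer's own card record


def track_claims_chip(service_code: str) -> bool:
    """First service-code digit 2 or 6 means the card carries a chip."""
    return service_code[:1] in ("2", "6")


def evaluate(req: AuthRequest, allow_fallback: bool = False):
    """Return (decision, reason); decision is CONTINUE, REVIEW or DECLINE.

    CONTINUE only means the downgrade check passed; normal authorization
    (funds, PIN/CVV verification, velocity rules) would still follow.
    """
    if len(req.service_code) != 3 or not req.service_code.isdigit():
        return ("DECLINE", "malformed service code")

    # A stripe rewritten to look like a non-chip card is caught by comparing
    # the track data with what the issuer knows it personalised.
    if req.issuer_says_chip != track_claims_chip(req.service_code):
        return ("DECLINE", "service code does not match issuer card record")

    if req.entry_mode == ENTRY_CHIP:
        return ("CONTINUE", "chip read")

    if req.entry_mode in (ENTRY_MAGSTRIPE, ENTRY_FALLBACK):
        if not req.issuer_says_chip:
            return ("CONTINUE", "magstripe-only card")
        if not req.terminal_chip_capable:
            return ("CONTINUE", "terminal has no chip reader")
        # Chip card presented on a chip terminal but read from the stripe:
        # the downgrade case the comment describes.
        if req.entry_mode == ENTRY_FALLBACK and allow_fallback:
            return ("REVIEW", "declared fallback on chip card and chip terminal")
        return ("DECLINE", "magstripe read of chip card on chip terminal")

    return ("DECLINE", "unknown entry mode")


# Constructed sample requests (not real transaction data).
SAMPLES = {
    "chip_ok": AuthRequest("201", ENTRY_CHIP, True, True),
    "downgrade": AuthRequest("201", ENTRY_MAGSTRIPE, True, True),
    "rewritten_stripe": AuthRequest("101", ENTRY_MAGSTRIPE, True, True),
    "stripe_only_card": AuthRequest("101", ENTRY_MAGSTRIPE, True, False),
    "old_terminal": AuthRequest("201", ENTRY_MAGSTRIPE, False, True),
    "fallback": AuthRequest("201", ENTRY_FALLBACK, True, True),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:18} {evaluate(req)}")
```

The two inputs that matter are the ones the requester cannot set: the issuer's record of whether the card has a chip, and the acquirer's record of what the terminal can read.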

    1. Number6

      Re: Chip-and-pin «vulnerability»? No, it's not

      Yes, I've come across this one - swipe the card and the system tells you to insert it in the slot instead.

  15. -tim
    Coat

    Perceived fraud is the reason for so much silliness.

    I heard that Aussie fraud just hit $300 million for the year.

    The zip code is used on US petrol pumps because they had too much of a problem with people putting card skimmers on them and getting the real PIN.

    The Tap and Pay less than $100 is also because of people installing PIN scanning devices. It is simply a bank risk thing and the dollar amount for the transaction can be adjusted by the banks, if they choose to.

    As far as zip codes need for US systems, 99999 often works. Leading zeros sometimes work (Oz postcode 1234 would be 01234, SW1A0AA would be 00010). I expect most of the time when some trend works, it is because the foreign bank didn't bother to verify the data sent to it.

    The PIN infrastructure needs to be redone. There needs to be a PIN for small amounts, large amounts and a "Don't give me any money PIN" for holdup uses.

  16. Andrew Scott

    Recently tried to purchase a book at Barnes and Noble. Card reader uses chip, but buzzed and denied my purchase. Turns out reader only accepts 6 digit pins. Mine is 7 digits. Works at other stores. No wonder book stores are going out of business.

  17. ideapete
    Joke

    No Fries with that

    So why can't I get Fries with that ?
