Steps towards security
1) Keypad on the card.
2) Display the amount of money and the recipient's name on the card.
Can't see this happening any time soon. How much commission do the banks collect on uncancelled fraudulent payments?
MasterCard has published its roadmap for getting Americans to use chip-and-PIN cards in stores, following Visa's lead in proposing to replace swipe cards by April 2013. Over the next year, Americans will have to get used to entering a PIN when using a credit card, rather than scrawling a name (any name) as they do today. That' …
1) Keypad on the card.
2) Display the amount of money and the recipient's name on the card.
Can't see this happening any time soon. How much commission do the banks collect on uncancelled fraudulent payments?
Making the cards more complex won't work, addition of screens and buttons requires the card also carry power and it will be significantly more expensive to manufacture, while also being more fragile. Also, buttons on the card would wear and reveal the characters that make up the pin. Anyway, the amount of cash in a transaction requires some sort of link back to the payment processor/bank, which would require similar infrastructure to that which is already in place and would preclude offline authentication by the card itself.
There were some prototypes of cards with keypads for security (sort of a combined keypad and card) that I saw a few years ago. Also had a little lcd display (about 16 characters I think). From what I remember it wasn't much thicker than a standard card.
Dunno why it got shelved, could have been poor potential take up, poor life span, cost or even poorer security overall.
AC 'cos of where I work...
And restaurants to use those portable card readers so my card doesn't get whisked off somewhere where I can't see it.
I have a US bank account with Bank of America, and I can assure that for the most part when I use my debit card in a US store, I have to enter my PIN. Same is true of most gas stations too.
True, there's no chip on the card, so I guess it has to validate the PIN "online" so to speak, and I believe if you press the credit button on the keypad in say Walmart, it will ask for a signature, but the point is that our US cousins are already used to entering a PIN code for most debit card transactions - they've been doing it longer than we have!
They really haven't been using PIN longer than UK/EU, it's a pretty new thing. There is also the issue that if you're using magstripe and pin, your card is easily skimable and can be used anywhere, rather than a chip and pin card which isn't cloneable.
I was going to say the same thing. I was in San Francisco for a couple of months last year with a British-issued chipped Visa Debit card and everywhere I went had me enter a PIN. If the facility wasn't already there, even in the absence of chips, then things like ticket machines would be impossible.
It gobsmacked me how many times I was asked to sign receipts in the States as recently as this Christmas - and virtually every cashier had the bad habit of handing my card back to me before I'd even signed.
In fact, thinking about it, the signature is long worn off my card, so not a single one checked it.
About bloody time - and the yanks like to think they're light years ahead of us... (Romney's anti-Europe comments recently are frankly offensive - a lot of them seem to think we're still in the dark ages over here)
In fairness to our American cousins, Romney is a particularly unexciting candidate from a below average collection vying for the nomination from a party that isn't known for its balanced world view. I'm not a Gingrich fan but his observation that Romney is "the man who lost to the man who lost to Obama" sums up the situation quite nicely.
Is written on the signature strip on the back of my cards. Not a damned one in 10 cashiers asks me for my ID. More like one every 100. Some might notice the mismatch, but they think it is a good idea that I wrote "ASK ME FOR MY ID". What the hell good is a signature anyway? Besides, i NEVER, EVER sign the say way all the time. Hardly ever, in fact.
And, since banks hardly ever do a "signature check" nor keep "signature cards on file" (showing some age here) what good is checking for signatures?
As for photos on cards, Wells Fargo and other banks don't bother since thieves hit the post boxes and do damage and then dump the exploited cards.
Now they just need to go metric and we can finally welcome them to this century.
The metric system is the tool of the devil! My car gets forty rods to the hogshead and that's the way I likes it! </Grandpa Simpson>
Who's more backwards, us for not _using_ the metric system, or the ignoramuses who haven't worked out that we adopted the metric system, in law, in 1866, with more recent legislation in the 1970s and just like to whinge instead about how we're not on the metric system.
Just because no one can get anyone here to use it only indicates that our ignoramuses are at least as common as yours. You still sell beer in pints after all.
Every box, can, and jar on supermarket shelves here is labeled in metric units. Every car made here is built with metric fasteners. (My dad's new car in 1977, a Cadillac, had all metric nuts and bolts.)
We're 11 years into the 21st century, time to edumacate yourself.
Or the one before that.
Is the only measure that beer should be served in.
The US pint is only 473ml, and when I was last in one of the Gordon Biersch brewpubs their menu said that they served their beer (which is much more drinkable than the usual US offerings) in 500ml servings. It didn't seem to taste any the worse for that, and I checked several times.
The merchants are now required to pay to upgrade their POSes, but would Visa and Mastercard pass back to the merchants the savings from having less fraud? I didn't think so. US needs to break this duopoly.
The merchants actually win in this case. Right now, they are the ones who pay the most in cases of fraud.
Here in Canada, I had cause to use a Visa credit card in a gas, erm petrol pump the other day.
Stuck it in, swiped it, "OK, how much fuel to you want?"
I was flabbergasted. Literally swiping it was *all* I had to do. No checks, no PIN, no nothing. BTW it is a chip/pin Visa card, so I usually have to enter a PIN number in restaurants etc...
I can't speak for Canada, but in the UK there's a part of the authorisation that's invisible to the customer -- CCTV logging of your registration plate, often followed by a 10 second delay which is quite possibly long enough for an automated validity and/or reported stolen vehicle check.
That's not the case.
At the pay at pump stations the very few which don't use Chip and PIN, they do an initial query with the bank/payment processor, to see if you have £50 or £100 available to spend. This transaction is then abandoned when you've filled up your car and another for the actual amount is placed and completed. This is the same what happens when they take an "impression" of your card in a hotel.
The banks/payment processors really don't like non-chip and PIN anyway, so they'll be going soon...
On smaller payments such as parking and traintickets you just put your card in and it doesn't ask for your PIN but generally this is for smaller amounts. I was surprised the first time too but I guess the amounts are acceptable to the banks as you would have to use it a lot of times to make it worthwhile before the card was presumably cancelled.
But surely if fraud has been MASSIVELY reduced as claimed here (and frankly I believe it as growing up I knew of people living off card fraud as it used to be easy when it was just a signature) why would the banks not want to make those savings? Are the hundreds of millions seen as an acceptable loss? And finally, most POS chip and pin machines cost £15 or so so it's hardly a massive investment and the savings to the business doing the selling in terms of man hours dealing with the police and paperwork etc should more than cover it.
I just can't believe people are opposed to it.
Down here where I buy gasoline in Texas we have to enter the postal zip code
where the credit card is registered in.
In fact, I see this sort of requirement on other CC swiping machines in some other
vendor machinery. One that comes to mind is the RedBox DVD,Blu-Ray dispensing
So that is sort of a primitive pin system already. The thief has to guess or know the
correct zip. Course it is a no brainer if they stole your wallet too.
Whatever pin system they use I hope it is at least one digit deeper than the
mere 4 numbers that is used today.
At the least the system should use a mix of numeric and alphabetic and be 6 chars in
I just pulled the six chars in length out of my ass, but figure it is short enough to remember
and at least long enough to beat the mere 9,999 the current system allows. Less than that
when you consider so many idiots use 11111 and other common numeric sequences,
common ones that idiots use.
This is also how non-pin cards are handled at the chip and pin pumps.
Same with DB train ticket machines here in Germany. I always expect the print-out to say 'payment failed' or something similar, but instead find myself holding the ticket.
You can also pay for airline tickets online (well Air Berlin at least) by just entering the bank account information (number, account holder, bank code), all of which can be found on every single German debit card.
It really is mind-boggling.
This is pretty common here in the states. I haven't signed for gas for years. I assume that it is because they can get your plates on CCTV so they can follow up if the charge is fraudulent. Many merchants don't require a signature if the charge is small. Typically less than $20.
Just card in/out - no PIN
Spent ~£380 recently going Calais-Switzerland-Riviera-Auvergne-Calais with the largest single item ~£40 all without PIN or signature - I guess they have the reg. plate captured though.
Yup, the requirement to key in a (US) ZIP code is really useful for us Brits when we're visiting ...
So, if I was touring your state and wanted to buy petrol (gas) for my hire car, I wouldn't be able to use my credit card 'cause not every country in the world has ZIP codes?
"I assume that it is because they can get your plates on CCTV so they can follow up if the charge is fraudulent."
I doubt there's any followup. I expect it's more profitable to get people into the store part of the gas station buying overpriced drinks and the like (gasoline itself is typically not a profit center for gas stations, according to what I've read) as fast as possible, than to slow them down in order to combat relatively rare fraud. So they put in pay-at-the-pump with no verification (or something to catch the low-hanging fruit, like the zip code challenge), in order to attract custom with convenience.
For a card with a billing address that's not in the 'States, you go inside and pay in person, rather than paying at the pump.
No one ever said it was a *good* system. But it's not quite so stupid as to prevent visitors from other countries from paying at all.
IIRC, this is how immigrations and customs passport check-in counters work in some countries.
Similar things now need to be done for language testing centers and for SAT/GRE and other testing facilities, whether in person or online.
Redundant Acronym Syndrome
Redundant Acronym Syndrome Syndrome
Meh. Not a lot of point in being anal about the redundancy when most people won't know what you're talking about if you say "P. I. number". And those people are unlikely to be reading these pages, having lives, so why comment here? Have a rant at the next stranger who delivers your groceries to your hideyhole and watch them glaze over with disinterest (not lack of understanding, which you'll assume it is,) and then walk off shaking their heads at how sad you are.
That would make it RASS Syndrome
Yeah, right, a PIN with an easy to copy magnetic strip. Hopefully they learn from the mistakes the EU has done, such as not encrypting the PIN on the card and checking the console for transmitting devices sending card details to organised crime.
Every debit and credit card purchase I make has to be with a signature. I live in America, and it's possible it depends on the bank you are with how this works, but I believe in most cases a signature is always required. I don't know anyone where I live that has a chip and pin card.
When we come back to England to visit my family, our credit cards don't work here because they require a pin and we don't have a pin on the card. The stores don't accept the signature either, so we use my existing english bank account.
Some credit cards will ask me for a Zip code at the gas/petrol garage, but that is only exclusive to those places. Stores only require signatures.
I call bullshit.
Over here you have two choices with your debit card: 1) treat it like a credit card and have the merchant swipe it and collect your signature, and 2) treat it like a debit card and enter your PIN. Nobody has ever collected my signature when I use my PIN. If you really lived here, you'd know that.
I use my chipless credit cards in Europe all the time. Merchants accept the signature just fine, and have for years. If you'd ever really used your American issued credit cards in Europe, you'd know that too. (Heck, just the other day I used credit cards at three different shops in Terminal 5 at Heathrow, and in years past my wife and I have used our CCs at shops from Dover to Cardiff and countless places in between.)
...a number untrained checkout staff get snippy if they are handed a card without a chip.
I had this when I returned to the UK after a period living in the States. I had only got an old school mag-stripe card issued by my US bank and hadn't re-opened an account here and the number of retailers who refused to accept my card - without even *trying* to swipe - beggared belief.
And from my experience, a UK debit card with chip and pin doesn't work with the PIN in the US. Typically I've found you need to charge it as "Credit" and sign anyway. Add to that the fact that people are most definitely pushed towards using credit over debit anyway.
Either way, this move can only be a good thing for card security in the US and I applaud it.
Occasionally I see the cashier do a double take at the card to confirm that there's no chip. If it's a restaurant, and I've already eaten, they do have a bit of an incentive to take my card. Amazingly enough, I frequently find that if one merchant doesn't want my money, dozens of others do. I have no qualms about walking out of a store and into another that does want my custom.
And indeed, I can't use my debit card with the PIN anywhere outside the US, not even in Canada.
And it's not just American CCs that don't have the chip, but I suspect there are fewer tourists in Europe from those places.
Credit card companies pretending to be upset about CC fraud. lol
Yes, there are some sorts of cards that work as both debit cards (requiring a pin), or as a credit card (needing a signature). While the cost to the consumer is the same in both instances, and the money comes from the same account (a demand deposit account or checking account), the difference to the merchant is quite a bit.
You see cards that are treated as "credit" cards (signature) get a discount fee (around 3%). Cards that are treated as "debit" cards (PINs) are charged a fixed fee (no more than $0.25, after a silly bill passed in congress a while ago). So, if you have a bill over $8.33 (or so) the merchant gets nicked for more. In addition, you can't get cash back from ANY credit card (signature) transaction.
Nicely for consumers, there ARE benefits for having a credit card, like the bank paying you 1% more more on each transaction (they still make $$$ by charging 3% to the merchant).
This "signature" stuff goes back to when the signed chits were returned back to the consumer (back before the 70's).
For the curious, the original slips that were signed were the size of either 51 or 80 column IBM punch cards, and when returned back actually had holes in them.
As for me: Signatures are enough, pins are a pain!
I have a French Mastercard. When inserting it into a payment machine it asks if I want to use it as Debit or Credit, but requires a PIN in either case.
If I were to use it as a credit card I would get charged extortionate interest, while being charged a derisory minimum monthly payment to drag out the pain. To clear it I need to send a cheque(!) to the bank, or go in and pay cash. I never use it as a credit card.
It works fine used elsewhere in Europe, even in the UK, although I sometimes have to react quickly when the assistant sees the French text asking to choose the operation and promptly cancels the transaction thinking that it has failed :(
In the US any attempt to use it chip & PIN in a machine barfs immediately, but if I tell the assistant it's a credit card and swipe it I get a slip to sign, and my bank processes it as a *debit* transaction. Go figure.
Last time work forced me to subjugate myself to the tender attentions of the TSA and cross the Atlantic, I was rather baffled to find that half the time my card just got swiped and handed back to me with the receipt. No PIN, no signature, no zip codes, nothing. Bam, transaction done, haveaveryniceinsincereday, nextcustomerplease.
Maybe it's just a manhattan thing, but at the time I did think that they would find it hard to sell NFC as much of a gain on 'swipe and you're done'.
It really shocked me the first time I visited the states and swiped my (chip and pin) card and nobody checked the signature, they didn't even check my id which they are supposed to do for non debit transactions. After moving here to live I have great fun with it. I quickly got bored with signing random names (m mouse, santa, tintin, gahdaffi) and found out you could actually draw on them. Nobody has yet to question the little pictures of houses, bunnies, palm trees, rocket ships and boobs either. There is little doubt that this relaxed attitude explains the amount of fraud.
Chip and pin is not foolproof, but it is a significant improvement over the complete lack of any security currently.
I don't actually sign my card here, I write 'See ID' on the back and take a picture of it for proof.
Sure a signature is required. But you can sign it "M Mouse" and walk out of there with your groceries. The assistant doesn't check it and the bank doesn't check it, so it doesn't do a damn thing for security. In the US, if someone's got your card then they have full and unrestricted access, which screws over the stores where the card thief uses it. In the UK we need two-point security of something you have (card) and something you know (PIN) for every in-person transaction on a card.
Sure a PIN doesn't work for internet transactions. But if you're ordering something on the internet then the store has a delivery address on file; and if the card is reported stolen then the delay in delivery means the store can probably retrieve the parcel and limit their losses.
This is not a US vs EU debate. Although, on this issue the EU has led the way.
Chip and PIN is an excellent system, if and only if it is used without backwards compatibility with magstripe.
The majority of credit, debit and ATM card fraud in Europe does not involve transactions with chips. Cards' magnetic stripes are skimmed by criminals and the PINs are captured at point of entry. Those cards are then cloned as magnetic stripe cards and used in ATMs elsewhere.
If the cards were issued without magstripe and with only chips they are almost impossible to clone and the only way of making a transaction would be to physically steal the card and know the PIN.
The banks are being ridiculously slow to phase out what is absolutely archaic technology. The PIN pads and card readers are not that expensive. In fact, the majority of POS terminals in the United State are probably the same basic models as those found in Europe. They simply need a software update and an EMV card reader/pin pad plugged in!
Most European customers also do not need magnetic stripe cards. I do not know why the banks continue to issue Chip and PIN cards with a stripe on the back. They should be chip-only and a second card with a magstripe could be issued if customers wish to travel to a technologically-backwards banking destination.
I suspect the problem with this is the banks have been able to simply cover the cost of fraud using insurance. That bottomless pool of funds is drying up fast and fraud levels are getting totally out of hand.
Biting the hand that feeds IT © 1998–2017