Steps towards security
1) Keypad on the card.
2) Display the amount of money and the recipient's name on the card.
Can't see this happening any time soon. How much commission do the banks collect on uncancelled fraudulent payments?
MasterCard has published its roadmap for getting Americans to use chip-and-PIN cards in stores, following Visa's lead in proposing to replace swipe cards by April 2013. Over the next year, Americans will have to get used to entering a PIN when using a credit card, rather than scrawling a name (any name) as they do today. That' …
Making the cards more complex won't work, addition of screens and buttons requires the card also carry power and it will be significantly more expensive to manufacture, while also being more fragile. Also, buttons on the card would wear and reveal the characters that make up the pin. Anyway, the amount of cash in a transaction requires some sort of link back to the payment processor/bank, which would require similar infrastructure to that which is already in place and would preclude offline authentication by the card itself.
There were some prototypes of cards with keypads for security (sort of a combined keypad and card) that I saw a few years ago. Also had a little lcd display (about 16 characters I think). From what I remember it wasn't much thicker than a standard card.
Dunno why it got shelved, could have been poor potential take up, poor life span, cost or even poorer security overall.
AC 'cos of where I work...
I have a US bank account with Bank of America, and I can assure that for the most part when I use my debit card in a US store, I have to enter my PIN. Same is true of most gas stations too.
True, there's no chip on the card, so I guess it has to validate the PIN "online" so to speak, and I believe if you press the credit button on the keypad in say Walmart, it will ask for a signature, but the point is that our US cousins are already used to entering a PIN code for most debit card transactions - they've been doing it longer than we have!
I was going to say the same thing. I was in San Francisco for a couple of months last year with a British-issued chipped Visa Debit card and everywhere I went had me enter a PIN. If the facility wasn't already there, even in the absence of chips, then things like ticket machines would be impossible.
It gobsmacked me how many times I was asked to sign receipts in the States as recently as this Christmas - and virtually every cashier had the bad habit of handing my card back to me before I'd even signed.
In fact, thinking about it, the signature is long worn off my card, so not a single one checked it.
About bloody time - and the yanks like to think they're light years ahead of us... (Romney's anti-Europe comments recently are frankly offensive - a lot of them seem to think we're still in the dark ages over here)
In fairness to our American cousins, Romney is a particularly unexciting candidate from a below average collection vying for the nomination from a party that isn't known for its balanced world view. I'm not a Gingrich fan but his observation that Romney is "the man who lost to the man who lost to Obama" sums up the situation quite nicely.
Is written on the signature strip on the back of my cards. Not a damned one in 10 cashiers asks me for my ID. More like one every 100. Some might notice the mismatch, but they think it is a good idea that I wrote "ASK ME FOR MY ID". What the hell good is a signature anyway? Besides, i NEVER, EVER sign the say way all the time. Hardly ever, in fact.
And, since banks hardly ever do a "signature check" nor keep "signature cards on file" (showing some age here) what good is checking for signatures?
As for photos on cards, Wells Fargo and other banks don't bother since thieves hit the post boxes and do damage and then dump the exploited cards.
Who's more backwards, us for not _using_ the metric system, or the ignoramuses who haven't worked out that we adopted the metric system, in law, in 1866, with more recent legislation in the 1970s and just like to whinge instead about how we're not on the metric system.
Just because no one can get anyone here to use it only indicates that our ignoramuses are at least as common as yours. You still sell beer in pints after all.
Every box, can, and jar on supermarket shelves here is labeled in metric units. Every car made here is built with metric fasteners. (My dad's new car in 1977, a Cadillac, had all metric nuts and bolts.)
We're 11 years into the 21st century, time to edumacate yourself.
The US pint is only 473ml, and when I was last in one of the Gordon Biersch brewpubs their menu said that they served their beer (which is much more drinkable than the usual US offerings) in 500ml servings. It didn't seem to taste any the worse for that, and I checked several times.
Here in Canada, I had cause to use a Visa credit card in a gas, erm petrol pump the other day.
Stuck it in, swiped it, "OK, how much fuel to you want?"
I was flabbergasted. Literally swiping it was *all* I had to do. No checks, no PIN, no nothing. BTW it is a chip/pin Visa card, so I usually have to enter a PIN number in restaurants etc...
That's not the case.
At the pay at pump stations the very few which don't use Chip and PIN, they do an initial query with the bank/payment processor, to see if you have £50 or £100 available to spend. This transaction is then abandoned when you've filled up your car and another for the actual amount is placed and completed. This is the same what happens when they take an "impression" of your card in a hotel.
The banks/payment processors really don't like non-chip and PIN anyway, so they'll be going soon...
On smaller payments such as parking and traintickets you just put your card in and it doesn't ask for your PIN but generally this is for smaller amounts. I was surprised the first time too but I guess the amounts are acceptable to the banks as you would have to use it a lot of times to make it worthwhile before the card was presumably cancelled.
But surely if fraud has been MASSIVELY reduced as claimed here (and frankly I believe it as growing up I knew of people living off card fraud as it used to be easy when it was just a signature) why would the banks not want to make those savings? Are the hundreds of millions seen as an acceptable loss? And finally, most POS chip and pin machines cost £15 or so so it's hardly a massive investment and the savings to the business doing the selling in terms of man hours dealing with the police and paperwork etc should more than cover it.
I just can't believe people are opposed to it.
Down here where I buy gasoline in Texas we have to enter the postal zip code
where the credit card is registered in.
In fact, I see this sort of requirement on other CC swiping machines in some other
vendor machinery. One that comes to mind is the RedBox DVD,Blu-Ray dispensing
machines.
So that is sort of a primitive pin system already. The thief has to guess or know the
correct zip. Course it is a no brainer if they stole your wallet too.
Whatever pin system they use I hope it is at least one digit deeper than the
mere 4 numbers that is used today.
At the least the system should use a mix of numeric and alphabetic and be 6 chars in
length.
I just pulled the six chars in length out of my ass, but figure it is short enough to remember
and at least long enough to beat the mere 9,999 the current system allows. Less than that
when you consider so many idiots use 11111 and other common numeric sequences,
common ones that idiots use.
Same with DB train ticket machines here in Germany. I always expect the print-out to say 'payment failed' or something similar, but instead find myself holding the ticket.
You can also pay for airline tickets online (well Air Berlin at least) by just entering the bank account information (number, account holder, bank code), all of which can be found on every single German debit card.
It really is mind-boggling.
"I assume that it is because they can get your plates on CCTV so they can follow up if the charge is fraudulent."
I doubt there's any followup. I expect it's more profitable to get people into the store part of the gas station buying overpriced drinks and the like (gasoline itself is typically not a profit center for gas stations, according to what I've read) as fast as possible, than to slow them down in order to combat relatively rare fraud. So they put in pay-at-the-pump with no verification (or something to catch the low-hanging fruit, like the zip code challenge), in order to attract custom with convenience.
Meh. Not a lot of point in being anal about the redundancy when most people won't know what you're talking about if you say "P. I. number". And those people are unlikely to be reading these pages, having lives, so why comment here? Have a rant at the next stranger who delivers your groceries to your hideyhole and watch them glaze over with disinterest (not lack of understanding, which you'll assume it is,) and then walk off shaking their heads at how sad you are.
Every debit and credit card purchase I make has to be with a signature. I live in America, and it's possible it depends on the bank you are with how this works, but I believe in most cases a signature is always required. I don't know anyone where I live that has a chip and pin card.
When we come back to England to visit my family, our credit cards don't work here because they require a pin and we don't have a pin on the card. The stores don't accept the signature either, so we use my existing english bank account.
Some credit cards will ask me for a Zip code at the gas/petrol garage, but that is only exclusive to those places. Stores only require signatures.
I call bullshit.
Over here you have two choices with your debit card: 1) treat it like a credit card and have the merchant swipe it and collect your signature, and 2) treat it like a debit card and enter your PIN. Nobody has ever collected my signature when I use my PIN. If you really lived here, you'd know that.
I use my chipless credit cards in Europe all the time. Merchants accept the signature just fine, and have for years. If you'd ever really used your American issued credit cards in Europe, you'd know that too. (Heck, just the other day I used credit cards at three different shops in Terminal 5 at Heathrow, and in years past my wife and I have used our CCs at shops from Dover to Cardiff and countless places in between.)
...a number untrained checkout staff get snippy if they are handed a card without a chip.
I had this when I returned to the UK after a period living in the States. I had only got an old school mag-stripe card issued by my US bank and hadn't re-opened an account here and the number of retailers who refused to accept my card - without even *trying* to swipe - beggared belief.
And from my experience, a UK debit card with chip and pin doesn't work with the PIN in the US. Typically I've found you need to charge it as "Credit" and sign anyway. Add to that the fact that people are most definitely pushed towards using credit over debit anyway.
Either way, this move can only be a good thing for card security in the US and I applaud it.
Occasionally I see the cashier do a double take at the card to confirm that there's no chip. If it's a restaurant, and I've already eaten, they do have a bit of an incentive to take my card. Amazingly enough, I frequently find that if one merchant doesn't want my money, dozens of others do. I have no qualms about walking out of a store and into another that does want my custom.
And indeed, I can't use my debit card with the PIN anywhere outside the US, not even in Canada.
And it's not just American CCs that don't have the chip, but I suspect there are fewer tourists in Europe from those places.
Yes, there are some sorts of cards that work as both debit cards (requiring a pin), or as a credit card (needing a signature). While the cost to the consumer is the same in both instances, and the money comes from the same account (a demand deposit account or checking account), the difference to the merchant is quite a bit.
You see cards that are treated as "credit" cards (signature) get a discount fee (around 3%). Cards that are treated as "debit" cards (PINs) are charged a fixed fee (no more than $0.25, after a silly bill passed in congress a while ago). So, if you have a bill over $8.33 (or so) the merchant gets nicked for more. In addition, you can't get cash back from ANY credit card (signature) transaction.
Nicely for consumers, there ARE benefits for having a credit card, like the bank paying you 1% more more on each transaction (they still make $$$ by charging 3% to the merchant).
This "signature" stuff goes back to when the signed chits were returned back to the consumer (back before the 70's).
For the curious, the original slips that were signed were the size of either 51 or 80 column IBM punch cards, and when returned back actually had holes in them.
As for me: Signatures are enough, pins are a pain!
I have a French Mastercard. When inserting it into a payment machine it asks if I want to use it as Debit or Credit, but requires a PIN in either case.
If I were to use it as a credit card I would get charged extortionate interest, while being charged a derisory minimum monthly payment to drag out the pain. To clear it I need to send a cheque(!) to the bank, or go in and pay cash. I never use it as a credit card.
It works fine used elsewhere in Europe, even in the UK, although I sometimes have to react quickly when the assistant sees the French text asking to choose the operation and promptly cancels the transaction thinking that it has failed :(
In the US any attempt to use it chip & PIN in a machine barfs immediately, but if I tell the assistant it's a credit card and swipe it I get a slip to sign, and my bank processes it as a *debit* transaction. Go figure.
Last time work forced me to subjugate myself to the tender attentions of the TSA and cross the Atlantic, I was rather baffled to find that half the time my card just got swiped and handed back to me with the receipt. No PIN, no signature, no zip codes, nothing. Bam, transaction done, haveaveryniceinsincereday, nextcustomerplease.
Maybe it's just a manhattan thing, but at the time I did think that they would find it hard to sell NFC as much of a gain on 'swipe and you're done'.
It really shocked me the first time I visited the states and swiped my (chip and pin) card and nobody checked the signature, they didn't even check my id which they are supposed to do for non debit transactions. After moving here to live I have great fun with it. I quickly got bored with signing random names (m mouse, santa, tintin, gahdaffi) and found out you could actually draw on them. Nobody has yet to question the little pictures of houses, bunnies, palm trees, rocket ships and boobs either. There is little doubt that this relaxed attitude explains the amount of fraud.
Chip and pin is not foolproof, but it is a significant improvement over the complete lack of any security currently.
I don't actually sign my card here, I write 'See ID' on the back and take a picture of it for proof.
Sure a signature is required. But you can sign it "M Mouse" and walk out of there with your groceries. The assistant doesn't check it and the bank doesn't check it, so it doesn't do a damn thing for security. In the US, if someone's got your card then they have full and unrestricted access, which screws over the stores where the card thief uses it. In the UK we need two-point security of something you have (card) and something you know (PIN) for every in-person transaction on a card.
Sure a PIN doesn't work for internet transactions. But if you're ordering something on the internet then the store has a delivery address on file; and if the card is reported stolen then the delay in delivery means the store can probably retrieve the parcel and limit their losses.
This is not a US vs EU debate. Although, on this issue the EU has led the way.
Chip and PIN is an excellent system, if and only if it is used without backwards compatibility with magstripe.
The majority of credit, debit and ATM card fraud in Europe does not involve transactions with chips. Cards' magnetic stripes are skimmed by criminals and the PINs are captured at point of entry. Those cards are then cloned as magnetic stripe cards and used in ATMs elsewhere.
If the cards were issued without magstripe and with only chips they are almost impossible to clone and the only way of making a transaction would be to physically steal the card and know the PIN.
The banks are being ridiculously slow to phase out what is absolutely archaic technology. The PIN pads and card readers are not that expensive. In fact, the majority of POS terminals in the United State are probably the same basic models as those found in Europe. They simply need a software update and an EMV card reader/pin pad plugged in!
Most European customers also do not need magnetic stripe cards. I do not know why the banks continue to issue Chip and PIN cards with a stripe on the back. They should be chip-only and a second card with a magstripe could be issued if customers wish to travel to a technologically-backwards banking destination.
I suspect the problem with this is the banks have been able to simply cover the cost of fraud using insurance. That bottomless pool of funds is drying up fast and fraud levels are getting totally out of hand.
I agree re not being us vs eu, I had just become used to chip and pin and assumed the usa would use it.
Perhaps the reason for their slow uptake is the same reason they prefer checks here and still use them so much. The banks make money selling consumers check books (sure some banks do offer them free but in hawai'i that's only recently and only a few banks) and charging companies to bank checks. Identify theft products and insurance is extra profit. Plus educating stubborn customers on a whole new system would be a huge ballache and doubtless cause churn.
Plus it is very easy to underestimate the cost of changing everybody over. The cost of cards is unlikely to be an issue but changing millions of pos units, probably many tens of millions would cost a lot. Every till in every shop, many vending machines, most petrol pumps, huge atm networks (and atm's are not going to be as easy to upgrade as a pos terminal).
You are entirely correct re dumping the mag strip but then you end up with a chicken / egg scenario.
I just hope they hurry up, it will make visiting home a lot easier as many stores in the uk don't accept american cards due to the lack of a chip and pin and oftenn you only find out when its too late (like when you just filled the cars tank and don't have much cash).