Sep 20, 2013, 11:40 am
Last edit by: philemer
Posts from 1/1/16 onward can be found here: http://www.flyertalk.com/forum/credit-card-programs/1739359-2016-onward-usa-emv-cards-availability-q-chip-pin-signature.html
EMV wikipost volunteers: kebosabi
What is EMV?
EMV is a defacto global standard of technology where there is a visible microchip on the front of the card. It looks like this:
Who issues them?
See Google Docs spreadsheet in Post #1
SFOAMS also has created a list of excellent webpage that shows US EMV cards in a more interactive interface
Another site, which lets you narrow the search for an EMV card by various parameters, is http://www.spotterswiki.com/emv/index.php.
Several credit unions issue some form of Chip-and-PIN credit cards or prepaid cards. Prepaid EMV cards however are not recommended due to junk fees. USAA (currently restricted to members of military) used to offer Chip-and-PIN cards, but as late has backtracked to Chip-and-Signature priority.
Hey that's a cool Google Docs list! I know others that aren't on that list. How can I help by adding them to the list?
My bad for not putting this into the wiki sooner. Right now, the Google Docs is locked out of editing and only in "read-only" view because there were instances in the past where people would just delete the rows not thinking that it affects others viewing the list.
If you promise not to delete any rows and input all the pertinent info (annual fee, rewards, FTF, etc.), I can provide you with edit access. Just shoot me a PM to kebosabi with your gmail address and I'll provide you edit access.
Thanks for helping out!
As of October 2014, no USA-based card issuer offers Chip-and-PIN priority cards except for BMO Harris (Diners Club) and UN Federal Credit Union. Other major USA-based banks such as BofA, Chase, Citi, as well as others issue Chip-and-Signature cards which may work at many automated kiosks. However, bear in mind the word may is used above is a context where there is no absolute certainty of success for certain environments such as automated kiosks due to different natures of offline and online transactions. It is highly recommended to read Post #3 which lists real life FTer examples on how Chip-and-Signature worked and did not work at various transaction environments.
Can I upgrade it right now?
If it's listed on that Google Docs spreadsheet or SFOAMS' Silk page, wouldn't hurt to call/twitter them for a free upgrade. If you get the response you don't like, hang up, try again.
What is the difference between Chip-and-Signature and Chip-and-PIN?
You insert the chipped card into the slot. The physical contact terminal will read the EMV chip and the terminal will automatically read the preferred cardholder verification methods (called CVM) for that card.
Chip-and-Signature means that the terminal will printout a receipt for you to sign. This is the most prevalent authentication for most US issued EMV cards. Chip-and-Signature helps in a way that it will get through to face-to-face merchant transactions where you and the merchant do not speak the same language.
Chip-and-PIN means that the terminal will prompt you to input a PIN for authentication. Some credit union issued credit cards will have this CVM as secondary if Chip-and-Signature cannot be done. Chip-and-PIN is the more prevalent method of authentication used outside the US, especially in transaction environments where no human interaction is needed (i.e. automated gas pumps, toll roads, train kiosks, etc.).
The Google Docs spreadsheet will list which CVM are used in the EMV cards listed. Some cards can only do Chip-and-Signature. Other cards can do both Chip-and-Signature and Chip-and-PIN. And others might have a third option called No CVM (no authentication needed) which is reserved for low value transactions.
One chip can hold a lot more data, therefore it is capable of doing multiple verification methods. That's one of the great things about EMV over the mag-stripe which can hold very little data.
I want to know for sure what my EMV chip does. Is there anyway I can test out my own EMV card to see what the CVM list is?
alexmt has written up a nice step-by-step procedure on Post #3615.
If most of the EMV cards in the US is the Chip-and-Signature type, doesn't that mean it's still useless abroad?
Depends if you see it as glass half empty or glass half full. See Post #3 for further details on how Chip-and-Signature has worked both successfully and unsuccessfully depending on the merchant transaction environment and use your best judgment whether which one is right for you.
Are there any places in the US that are accepting transactions via the EMV chip?
tmiw has created a dedicated Google maps webpage to show where EMV has been proven to work here: http://emvacceptedhere.com/ Per his Post #4240, feel free to add any places with active EMV terminals if you come across one.
As of 2014/05, the EMV terminals in most Walmarts and Sam's Clubs are being turned on. Hence, the best place to try them out would be your local Walmart or Sam's Club. For other merchants, it's slowly being phased in.
I hope people will post them in the Post your receipt of your 1st EMV based transaction in the US thread. cvarming has shown us an EMV transaction receipt from Brooklyn, NY in Post #2380. I myself had my first EMV based (Chip-and-Signature) transaction in two stores in the Los Angeles area, as shown in detail in Post #2705 (courtesy of WhatWhatTech for pointing these two stores out)
I don't want a chip in my card. I heard horror stories all over the media saying hackers can steal my credit card info from a mile away.
There are two types of chips. One is contactless and the other is contact. Cards can be either one or the other, or both.
In the Google Docs spreadsheet, the cards that are capable of contactless payments are listed seperately under the "RFID or NFC contactless chip" column. If it says yes, then that means it has the ability to do contactless payments. If it says no, it doesn't have that feature.
The one that the media has overhyped about hackers "stealing your information wirelessly" was the contactless type like this:
You are worried about this happening, right?
You don't have to worry. EMV is a chip standard that can have both contact and contactless interfaces. With the traditional contact interface, this means you actually have to physically insert the chip into a POS terminal for it to be authorized, like this:
With the contact interface, nothing is wireless. No data is sent out in a stand-alone contact type EMV chip. With the EMV contactless interface, data is sent wirelessly.
Furthermore, contactless chip cards are required to show a symbol (looks like Wi-Fi symbol) somewhere on the card that to denote it's capability as a contactless card. For example, here's an example of a Discover Card with contactless capability (in which Discover calls "Discover ZIP") showing the contactless symbol on the back of the card:
Don't believe everything that the media says. Besides, millions of people all over the world from London to Singapore, uses contactless payments daily in extremely crowded subways and mass transit with nary any problems. There are multiple layers of encrypted securities and keys that are needed to break the code.
Frankly, giving your physical card to a waiter/waitress who takes the card out of your view is much more susceptible to fraud than contactless payments.
Why should I care?
If you are an international traveler, you will want this because majority of the world has or in the process of converting to this payment format.
In fact, in 2012, even North Korea moved to the EMV format, leaving the US as one of the countries in the world that hasn't done so.
In addition, VISA, MC, AMEX, and Discover have all agreed to incentivize the USA shifting to EMV payments by 2015 by shifting liability for fraudulent transactions to merchants if they do not have EMV equipment and the cardholder has an EMV card. So if you travel internationally or would like to get one before the others, you might be interested in getting one.
BS! I had no problems using my card in [insert whereever country], [insert whatever point in time]
If you stick to the tourist path where they have lots of visitors from the US, you should have no problems using your mag-stripe only card in hotels and restaurants, at least for now. But as things can change as things go forward.
However, consider that once you start taking the off-beaten path, go to non-touristy places where they are not familiar with mag-stripes, rent a car and use toll roads, fill up gas, or try to buy train tickets you might end up into a trouble of the machine not recognizing your card because it lacks the chip. Furthermore, a lot of toll roads, gas pumps, and automated ticket machines lack any human assistance to help you when you need it the most.
But [insert credit card company] told me all merchants that display their logo must accept them! All I have to do is report them for violating their agreements, right?
There are several factors against this.
1. You can only speak English. The merchant representative, most likely a part-time clerk earning minimum wage, speaks in a different language, let's say French. If you have no French language skills, how are you going to get your point across? Are you going to whip out your cell phone at exorbitant int'l roaming charges and hope the customer service is going to translate it for you on the spot? Or maybe you might actually know French. But how about Swahili, Farsi, Balinese, or the multiple languages in mainland China?
2. Just like US, the rest of the world's businesses uses part-time minimum wage workers as cashiers to cut down on labor costs. Most of their SOP training manuals are written by MBA types to not to do anything they are not familiar with. Do not expect them to understand the intricate details of credit card mumbo jumbo. You don't expect Taco Bell employees to understand the minute details of Discover-JCB-Union Pay agreements, right? Same thing the other way around: be respectful as a guest in their country, prepare in advance in their ways, avoid being an "ugly American" stereotype.
3. You are a guest in their country. You are a minority. If 99.9% of their country's people and other tourists from around the world uses EMV, do you really think they are going to accomodate the 0.1% of American tourists who only have mag-stripes credit cards?
4. Again, you are a guest in their country. How would you, as an American standing in line, react if a Chinese tourist was clogging up the lines at a local Taco Bell because the clerk doesn't understand the Discover-Union Pay agreement and has trouble communicating between Mandarin spoken by the tourist and English spoken by the Taco Bell clerk? Same way the other way around. You do not want to clog up the lines for everyone. The less hassle, the better.
5. VISA and MC make tons of money from merchants in that country. Say SNCF French Rail. It's a billion dollar company in France. Do you think VISA is going to pull the plug of their relationship with SNCF because SNCF refuses to do mag-stripe processing at their unmanned train station kiosk? Of course not. Be realistic.
6. And lastly, if you're up against an unstaffed toll kiosk, gas pump or train ticket machine, are you going to yell curses at the machine?
But I want my credit card to be able to be used in the US too!
No worries. They have not gotten rid of the mag-stripe on the back of the card for backward compatibility reasons, just like we still have embossed numbers on our cards for backwards compatibility to using those old carbon copy imprinters.
[insert own Hyatt card image front and back together with red arrows pointing to all the backward compatibility features]
You use the chip on the front of the card abroad (for now), and the mag-stripe just like any other card for the US. Basically, you're increasing your credit card's acceptance rate by getting a card that both via the chip and the mag-stripe. You're getting a better deal for free.
And when 2015 comes along and US switches to EMV, you'll be way ahead of everyone else too!
So why did the rest of the world and the US moved/moving toward EMV?
Primarily, due to fraud concerns. You see, the mag-stripe has been with us since the 1950s. It may have been the most high tech thing back in the day, but with the technology that is available today, any shmo can pick up a $100 USB magnetic card skimming device off of eBay and get your credit card info.
And unlike skimming off contactless cards which actually need the person to have l33t programming skills, skimming off a magnetic stripe has become so ubiquitous that nary a day goes about skimming fraud going on somewhere in America, from gas pumps, Michael's stores (2011), Target breaches (2013), restaurant waiters/waitresses, to even McDonald's drive thrus.
https://www.google.com/search?q=skimming+fraud
These type of fraud used to be prevalent in Europe. But once they started switching over to EMV starting over 2 decades ago, this type of fraud went elsewhere. It went over to Asia, Canada and Mexico, Latin America, etc. etc. until they too began implementing EMV to combat skimming fraud. The US is practically the only country left that hasn't done so, therefore all the fraud that used to take place elsewhere is now happening here.
But EMV is old and it's not fool proof. Shouldn't we just skip over it and do something new instead?
Yes, EMV is old. It was developed in the 1990s and its smart card payment predecessor was first introduced in France. But as of today, it has become the defacto global standard of payments.
But then, what else is there? There is no other de facto global standard of payments alternative. For example, if we decide to skip over it and do something new, hypothetically like DNA matching technology, it still means US int'l travelers will continue to have problems abroad with useless plastic acceptance because no other country is using this DNA matching technology except the US.
Besides, nothing is fool proof. You can say that the bank vault isn't fool proof because you can crack it open if enough C4 is used. But your average low-life scumbag isn't likely to get military grade C4 easily either. But the bank vault does make it harder to get the bank's money over say a petty cash box. That's the point here. EMV is akin to a security tight bank vault, the old mag-stripe is akin to a petty cash box lying around inside the drawer.
I'm a business owner and I don't think EMV is going to take off. I'm not going to spend extra hundreds of dollars to upgrade my credit card machine. Convince me other wise why I should.
I can understand the added extra cost to your business once this switchover takes place. But before even saying that, look at your existing POS terminal. Does it have a slot somewhere to insert a card?
Most likely, if you had replaced your POS terminal within the past five years, you already have an EMV capable terminal. EMV is basically just not turned on yet from the processor and acquirer side.
If you have an EMV capable terminal, then a best bet would be to contact your acquirer to have the EMV feature turned on. You did your end of the deal already by having an EMV capable terminal, it is now the acquirers' responsibility to turn it on in accordance to the EMV switchover mandate.
And if you don't, you are going to replace your POS terminal anyway from common wear and tear. It isn't a hard switch-over. You can continue to use your POS terminal until it dies out because EMV cardholders will still have the mag-stripe on the back. And by the time your non-EMV capable POS terminal is up for replacement the market will be full with these newer POS terminals that can accept the mag-stripe, EMV, as well as contactless payments.
In addition, you may also want to check with your acquirer or processor about EMV capable terminals. Some of them are willing to replace your terminal for free in preparation for the US EMV switchover. Call and ask for details.
But what's in it for me? I'm the one that has to pay for the upgrade.
All the major card networks have given incentives for merchants for the upcoming EMV switchover.
If 75% or more of your credit card transactions are done on an EMV contact and contactless terminal, they are going to waive your annual PCI-DSS fees, which usually costs you around $5.00-$19.95/month per terminal. The overall long term cost savings of those compliance fees will be larger than the cost of an one time upgrade for the terminal.
The downside is that once EMV switchover happens and if you do not have a POS terminal that is able to accept EMV, the fraud liability shifts over to the merchant.
I own several fast food franchises. If I upgrade my POS terminals at all of my restaurants, it's going to cost me thousands, if not millions. I don't think anyone is going to use a fake credit card to buy $5 burgers. And if they do, wouldn't it be cheaper for me to eat the fraud cost?
Remember also that fraud isn't just committed by dishonest customers using fraudulent cards. Fraud can also happen with dishonest employees skimming off credit card data from the mag-stripe as in the case of a teenage McDonald's drive thru employee skimming off $13,000 of customers' credit cards in Olympia, WA. Consider the public relations fall out that your business may have if this happens (i.e. the big Target breach of 2013, where someone used a mag stripe card to load malware INTO Target's system). Is it worth risking to take such a huge PR disaster?
EMV wikipost volunteers: kebosabi
What is EMV?
EMV is a defacto global standard of technology where there is a visible microchip on the front of the card. It looks like this:
Who issues them?
See Google Docs spreadsheet in Post #1
SFOAMS also has created a list of excellent webpage that shows US EMV cards in a more interactive interface
Another site, which lets you narrow the search for an EMV card by various parameters, is http://www.spotterswiki.com/emv/index.php.
Several credit unions issue some form of Chip-and-PIN credit cards or prepaid cards. Prepaid EMV cards however are not recommended due to junk fees. USAA (currently restricted to members of military) used to offer Chip-and-PIN cards, but as late has backtracked to Chip-and-Signature priority.
Hey that's a cool Google Docs list! I know others that aren't on that list. How can I help by adding them to the list?
My bad for not putting this into the wiki sooner. Right now, the Google Docs is locked out of editing and only in "read-only" view because there were instances in the past where people would just delete the rows not thinking that it affects others viewing the list.
If you promise not to delete any rows and input all the pertinent info (annual fee, rewards, FTF, etc.), I can provide you with edit access. Just shoot me a PM to kebosabi with your gmail address and I'll provide you edit access.
Thanks for helping out!
As of October 2014, no USA-based card issuer offers Chip-and-PIN priority cards except for BMO Harris (Diners Club) and UN Federal Credit Union. Other major USA-based banks such as BofA, Chase, Citi, as well as others issue Chip-and-Signature cards which may work at many automated kiosks. However, bear in mind the word may is used above is a context where there is no absolute certainty of success for certain environments such as automated kiosks due to different natures of offline and online transactions. It is highly recommended to read Post #3 which lists real life FTer examples on how Chip-and-Signature worked and did not work at various transaction environments.
Can I upgrade it right now?
If it's listed on that Google Docs spreadsheet or SFOAMS' Silk page, wouldn't hurt to call/twitter them for a free upgrade. If you get the response you don't like, hang up, try again.
What is the difference between Chip-and-Signature and Chip-and-PIN?
You insert the chipped card into the slot. The physical contact terminal will read the EMV chip and the terminal will automatically read the preferred cardholder verification methods (called CVM) for that card.
Chip-and-Signature means that the terminal will printout a receipt for you to sign. This is the most prevalent authentication for most US issued EMV cards. Chip-and-Signature helps in a way that it will get through to face-to-face merchant transactions where you and the merchant do not speak the same language.
Chip-and-PIN means that the terminal will prompt you to input a PIN for authentication. Some credit union issued credit cards will have this CVM as secondary if Chip-and-Signature cannot be done. Chip-and-PIN is the more prevalent method of authentication used outside the US, especially in transaction environments where no human interaction is needed (i.e. automated gas pumps, toll roads, train kiosks, etc.).
The Google Docs spreadsheet will list which CVM are used in the EMV cards listed. Some cards can only do Chip-and-Signature. Other cards can do both Chip-and-Signature and Chip-and-PIN. And others might have a third option called No CVM (no authentication needed) which is reserved for low value transactions.
One chip can hold a lot more data, therefore it is capable of doing multiple verification methods. That's one of the great things about EMV over the mag-stripe which can hold very little data.
I want to know for sure what my EMV chip does. Is there anyway I can test out my own EMV card to see what the CVM list is?
alexmt has written up a nice step-by-step procedure on Post #3615.
If most of the EMV cards in the US is the Chip-and-Signature type, doesn't that mean it's still useless abroad?
Depends if you see it as glass half empty or glass half full. See Post #3 for further details on how Chip-and-Signature has worked both successfully and unsuccessfully depending on the merchant transaction environment and use your best judgment whether which one is right for you.
Are there any places in the US that are accepting transactions via the EMV chip?
tmiw has created a dedicated Google maps webpage to show where EMV has been proven to work here: http://emvacceptedhere.com/ Per his Post #4240, feel free to add any places with active EMV terminals if you come across one.
As of 2014/05, the EMV terminals in most Walmarts and Sam's Clubs are being turned on. Hence, the best place to try them out would be your local Walmart or Sam's Club. For other merchants, it's slowly being phased in.
I hope people will post them in the Post your receipt of your 1st EMV based transaction in the US thread. cvarming has shown us an EMV transaction receipt from Brooklyn, NY in Post #2380. I myself had my first EMV based (Chip-and-Signature) transaction in two stores in the Los Angeles area, as shown in detail in Post #2705 (courtesy of WhatWhatTech for pointing these two stores out)
I don't want a chip in my card. I heard horror stories all over the media saying hackers can steal my credit card info from a mile away.
There are two types of chips. One is contactless and the other is contact. Cards can be either one or the other, or both.
In the Google Docs spreadsheet, the cards that are capable of contactless payments are listed seperately under the "RFID or NFC contactless chip" column. If it says yes, then that means it has the ability to do contactless payments. If it says no, it doesn't have that feature.
The one that the media has overhyped about hackers "stealing your information wirelessly" was the contactless type like this:
You are worried about this happening, right?
You don't have to worry. EMV is a chip standard that can have both contact and contactless interfaces. With the traditional contact interface, this means you actually have to physically insert the chip into a POS terminal for it to be authorized, like this:
With the contact interface, nothing is wireless. No data is sent out in a stand-alone contact type EMV chip. With the EMV contactless interface, data is sent wirelessly.
Furthermore, contactless chip cards are required to show a symbol (looks like Wi-Fi symbol) somewhere on the card that to denote it's capability as a contactless card. For example, here's an example of a Discover Card with contactless capability (in which Discover calls "Discover ZIP") showing the contactless symbol on the back of the card:
Don't believe everything that the media says. Besides, millions of people all over the world from London to Singapore, uses contactless payments daily in extremely crowded subways and mass transit with nary any problems. There are multiple layers of encrypted securities and keys that are needed to break the code.
Frankly, giving your physical card to a waiter/waitress who takes the card out of your view is much more susceptible to fraud than contactless payments.
Why should I care?
If you are an international traveler, you will want this because majority of the world has or in the process of converting to this payment format.
In fact, in 2012, even North Korea moved to the EMV format, leaving the US as one of the countries in the world that hasn't done so.
In addition, VISA, MC, AMEX, and Discover have all agreed to incentivize the USA shifting to EMV payments by 2015 by shifting liability for fraudulent transactions to merchants if they do not have EMV equipment and the cardholder has an EMV card. So if you travel internationally or would like to get one before the others, you might be interested in getting one.
BS! I had no problems using my card in [insert whereever country], [insert whatever point in time]
If you stick to the tourist path where they have lots of visitors from the US, you should have no problems using your mag-stripe only card in hotels and restaurants, at least for now. But as things can change as things go forward.
However, consider that once you start taking the off-beaten path, go to non-touristy places where they are not familiar with mag-stripes, rent a car and use toll roads, fill up gas, or try to buy train tickets you might end up into a trouble of the machine not recognizing your card because it lacks the chip. Furthermore, a lot of toll roads, gas pumps, and automated ticket machines lack any human assistance to help you when you need it the most.
But [insert credit card company] told me all merchants that display their logo must accept them! All I have to do is report them for violating their agreements, right?
There are several factors against this.
1. You can only speak English. The merchant representative, most likely a part-time clerk earning minimum wage, speaks in a different language, let's say French. If you have no French language skills, how are you going to get your point across? Are you going to whip out your cell phone at exorbitant int'l roaming charges and hope the customer service is going to translate it for you on the spot? Or maybe you might actually know French. But how about Swahili, Farsi, Balinese, or the multiple languages in mainland China?
2. Just like US, the rest of the world's businesses uses part-time minimum wage workers as cashiers to cut down on labor costs. Most of their SOP training manuals are written by MBA types to not to do anything they are not familiar with. Do not expect them to understand the intricate details of credit card mumbo jumbo. You don't expect Taco Bell employees to understand the minute details of Discover-JCB-Union Pay agreements, right? Same thing the other way around: be respectful as a guest in their country, prepare in advance in their ways, avoid being an "ugly American" stereotype.
3. You are a guest in their country. You are a minority. If 99.9% of their country's people and other tourists from around the world uses EMV, do you really think they are going to accomodate the 0.1% of American tourists who only have mag-stripes credit cards?
4. Again, you are a guest in their country. How would you, as an American standing in line, react if a Chinese tourist was clogging up the lines at a local Taco Bell because the clerk doesn't understand the Discover-Union Pay agreement and has trouble communicating between Mandarin spoken by the tourist and English spoken by the Taco Bell clerk? Same way the other way around. You do not want to clog up the lines for everyone. The less hassle, the better.
5. VISA and MC make tons of money from merchants in that country. Say SNCF French Rail. It's a billion dollar company in France. Do you think VISA is going to pull the plug of their relationship with SNCF because SNCF refuses to do mag-stripe processing at their unmanned train station kiosk? Of course not. Be realistic.
6. And lastly, if you're up against an unstaffed toll kiosk, gas pump or train ticket machine, are you going to yell curses at the machine?
But I want my credit card to be able to be used in the US too!
No worries. They have not gotten rid of the mag-stripe on the back of the card for backward compatibility reasons, just like we still have embossed numbers on our cards for backwards compatibility to using those old carbon copy imprinters.
[insert own Hyatt card image front and back together with red arrows pointing to all the backward compatibility features]
You use the chip on the front of the card abroad (for now), and the mag-stripe just like any other card for the US. Basically, you're increasing your credit card's acceptance rate by getting a card that both via the chip and the mag-stripe. You're getting a better deal for free.
And when 2015 comes along and US switches to EMV, you'll be way ahead of everyone else too!
So why did the rest of the world and the US moved/moving toward EMV?
Primarily, due to fraud concerns. You see, the mag-stripe has been with us since the 1950s. It may have been the most high tech thing back in the day, but with the technology that is available today, any shmo can pick up a $100 USB magnetic card skimming device off of eBay and get your credit card info.
And unlike skimming off contactless cards which actually need the person to have l33t programming skills, skimming off a magnetic stripe has become so ubiquitous that nary a day goes about skimming fraud going on somewhere in America, from gas pumps, Michael's stores (2011), Target breaches (2013), restaurant waiters/waitresses, to even McDonald's drive thrus.
https://www.google.com/search?q=skimming+fraud
These type of fraud used to be prevalent in Europe. But once they started switching over to EMV starting over 2 decades ago, this type of fraud went elsewhere. It went over to Asia, Canada and Mexico, Latin America, etc. etc. until they too began implementing EMV to combat skimming fraud. The US is practically the only country left that hasn't done so, therefore all the fraud that used to take place elsewhere is now happening here.
But EMV is old and it's not fool proof. Shouldn't we just skip over it and do something new instead?
Yes, EMV is old. It was developed in the 1990s and its smart card payment predecessor was first introduced in France. But as of today, it has become the defacto global standard of payments.
But then, what else is there? There is no other de facto global standard of payments alternative. For example, if we decide to skip over it and do something new, hypothetically like DNA matching technology, it still means US int'l travelers will continue to have problems abroad with useless plastic acceptance because no other country is using this DNA matching technology except the US.
Besides, nothing is fool proof. You can say that the bank vault isn't fool proof because you can crack it open if enough C4 is used. But your average low-life scumbag isn't likely to get military grade C4 easily either. But the bank vault does make it harder to get the bank's money over say a petty cash box. That's the point here. EMV is akin to a security tight bank vault, the old mag-stripe is akin to a petty cash box lying around inside the drawer.
I'm a business owner and I don't think EMV is going to take off. I'm not going to spend extra hundreds of dollars to upgrade my credit card machine. Convince me other wise why I should.
I can understand the added extra cost to your business once this switchover takes place. But before even saying that, look at your existing POS terminal. Does it have a slot somewhere to insert a card?
Most likely, if you had replaced your POS terminal within the past five years, you already have an EMV capable terminal. EMV is basically just not turned on yet from the processor and acquirer side.
If you have an EMV capable terminal, then a best bet would be to contact your acquirer to have the EMV feature turned on. You did your end of the deal already by having an EMV capable terminal, it is now the acquirers' responsibility to turn it on in accordance to the EMV switchover mandate.
And if you don't, you are going to replace your POS terminal anyway from common wear and tear. It isn't a hard switch-over. You can continue to use your POS terminal until it dies out because EMV cardholders will still have the mag-stripe on the back. And by the time your non-EMV capable POS terminal is up for replacement the market will be full with these newer POS terminals that can accept the mag-stripe, EMV, as well as contactless payments.
In addition, you may also want to check with your acquirer or processor about EMV capable terminals. Some of them are willing to replace your terminal for free in preparation for the US EMV switchover. Call and ask for details.
But what's in it for me? I'm the one that has to pay for the upgrade.
All the major card networks have given incentives for merchants for the upcoming EMV switchover.
If 75% or more of your credit card transactions are done on an EMV contact and contactless terminal, they are going to waive your annual PCI-DSS fees, which usually costs you around $5.00-$19.95/month per terminal. The overall long term cost savings of those compliance fees will be larger than the cost of an one time upgrade for the terminal.
The downside is that once EMV switchover happens and if you do not have a POS terminal that is able to accept EMV, the fraud liability shifts over to the merchant.
I own several fast food franchises. If I upgrade my POS terminals at all of my restaurants, it's going to cost me thousands, if not millions. I don't think anyone is going to use a fake credit card to buy $5 burgers. And if they do, wouldn't it be cheaper for me to eat the fraud cost?
Remember also that fraud isn't just committed by dishonest customers using fraudulent cards. Fraud can also happen with dishonest employees skimming off credit card data from the mag-stripe as in the case of a teenage McDonald's drive thru employee skimming off $13,000 of customers' credit cards in Olympia, WA. Consider the public relations fall out that your business may have if this happens (i.e. the big Target breach of 2013, where someone used a mag stripe card to load malware INTO Target's system). Is it worth risking to take such a huge PR disaster?
USA EMV cards: Availability, Q&A (Chip & PIN -or- Chip & Signature) [2012-2015]
May 28, 2014, 7:32 am
#4606
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
I'm a tech junkie and couldn't wait to try it. I got it to work at just one place -- one McDonalds. Even at registers with Google Wallet logos on the screen I sit there tapping my phone at the screen looking like an idiot way too often and it just doesn't work. I even have the Wallet app opened, PIN entered, and NFC logo on my task bar. (the former two allegedly you don't need to do)
I don't know why these companies half-... roll out stuff like this where the hardware is in place with logos and marketing bits but they don't bother turning on some back-end support or software.
Sort of the same with all of these non-functioning EMV terminals but at least they will eventually tell you to dip the cards when they are turned on. But the contactless stuff won't have that sort of incentive, and I'm personally done experimenting with it and looking stupid in the process.
I don't know why these companies half-... roll out stuff like this where the hardware is in place with logos and marketing bits but they don't bother turning on some back-end support or software.
Sort of the same with all of these non-functioning EMV terminals but at least they will eventually tell you to dip the cards when they are turned on. But the contactless stuff won't have that sort of incentive, and I'm personally done experimenting with it and looking stupid in the process.
May 28, 2014, 7:36 am
#4607
Join Date: Feb 2010
Location: US
Programs: (PM)AA SPG (Marriott), Hilton
Posts: 1,040
An example of a non-PCI environment could be a small shop which has a separate CC terminal. The cash register totals the transaction, they run your card through the reader with the total, take the receipt, have you sign it, and put their copy in the drawer.
They hold no cardholder data, so do not have a cardholder data environment to be concerned about with regard to PCI.
Target is reported to be installing end to end encryption, where the swipe itself is encrypted at the reader, sent to the acquirer, then returned as just a token. It wouldn't have helped the last breach, but it'll help rehabilitate their image, and may make a lot of the PCI check list go 'N/A' Since they lost their CIO, CEO, and don't have a CSO I'm not sure who is directing their $100M spend, and ensuring they are going to get what they expect.
May 28, 2014, 10:07 am
#4608
Join Date: Jul 2007
Posts: 1,762
So a quick background. Last week I "upgraded" my USAA mastercard which is chip and pin to join their cash rewards program (why I didn't join the cash rewards program when I opened the account a year ago, I can't answer). Anyway, they said they would send me a new card with the same account number and everything which they did. No problem. Didn't send me a new pin so I assumed the pin had not changed. Am getting ready for my cruise/European vacation leaving Sunday. So I decided to test out the card at Walmart today. Yes I inserted the card and it gave me the Walmart messages (don't remove yada yada yada). Was all set to enter my pin when it said signature required. (The amount was $65). So I signed but now it leaves me uneasy to a slight degree.
1. Did Walmart want the signature because the amount was over $50 under which they usually don't require a signature.
2. Has USAA changed its policy and made the card now chip and signature preferred? (The original card worked as chip and pin in Europe at pos terminals last year).
I wonder if it's worthwhile to call customer service at USAA but now a new slight worry. (although even with the 1% cash rewards of USAA, I now break even on foreign transactions. If I use my no ftf BA cash rewards (the grandfathered card for the late Schwab card) I net 1% on all purchases and with my Fidelity Amex, I get2% but lose 1% on ftf som the USAA card is not my preferred card for foreign travel.
Decisions, decisions, decisions.
1. Did Walmart want the signature because the amount was over $50 under which they usually don't require a signature.
2. Has USAA changed its policy and made the card now chip and signature preferred? (The original card worked as chip and pin in Europe at pos terminals last year).
I wonder if it's worthwhile to call customer service at USAA but now a new slight worry. (although even with the 1% cash rewards of USAA, I now break even on foreign transactions. If I use my no ftf BA cash rewards (the grandfathered card for the late Schwab card) I net 1% on all purchases and with my Fidelity Amex, I get2% but lose 1% on ftf som the USAA card is not my preferred card for foreign travel.
Decisions, decisions, decisions.
May 28, 2014, 10:19 am
#4609
Join Date: Nov 2012
Posts: 3,537
Unfortunately that does sound like USAA quit being chip and PIN and is now chip and signature.
May 28, 2014, 10:23 am
#4610
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
May 28, 2014, 10:24 am
#4611
Suspended
Join Date: Oct 2004
Location: Bay Area
Programs: DL SM, UA MP.
Posts: 12,729
Just to follow up, I was able to buy a multi day transport pass at Amsterdam Central Station using one of the cards which were repeatedly rejected at Schiphol.
And I've used these cards throughout the city, sometimes not even signing for smaller transactions.
I've put aside some coins for the return train to the airport though.
Oh and at the EYE museum there are signs about needing chip and PIN cards. They don't take cash. I bought a museum card, for which they scan the bar code. A client in front of me inserted the card on the terminal, which had the swipe slot covered with paper.
But it produced a receipt that she signed.
And I've used these cards throughout the city, sometimes not even signing for smaller transactions.
I've put aside some coins for the return train to the airport though.
Oh and at the EYE museum there are signs about needing chip and PIN cards. They don't take cash. I bought a museum card, for which they scan the bar code. A client in front of me inserted the card on the terminal, which had the swipe slot covered with paper.
But it produced a receipt that she signed.
May 28, 2014, 10:45 am
#4612
Join Date: Jul 2006
Location: LAX
Programs: AA EXP 1.5MM, Asiana Club Silver, KE Morning Calm, Hyatt Platinum, Amtrak Select
Posts: 7,161
I think this sums up what's at stake for EMV contactless in the US
The Great Migration: How EMV Will Overcome the Hurdles
The Great Migration: How EMV Will Overcome the Hurdles
Originally Posted by pymnts.com
While contact EMV can slow down the POS transaction time many countries have also included the migration to EMV contactless and mobile. UK and Australia integrated contactless card and mobile EMV in their deployment strategy as it made sense from a user perspective.
Contactless technology, however, has had a difficult past when it was first launched, so banks are hesitant to adopt it again. However, this time, the market is more developed and there now exists infrastructure to support this type of technology in addition to the EMV migration, which is creating a perfect opportunity for simultaneous contactless and mobile EMV migration that can reduce future costs to banks and merchants.
Contactless technology, however, has had a difficult past when it was first launched, so banks are hesitant to adopt it again. However, this time, the market is more developed and there now exists infrastructure to support this type of technology in addition to the EMV migration, which is creating a perfect opportunity for simultaneous contactless and mobile EMV migration that can reduce future costs to banks and merchants.
May 28, 2014, 10:45 am
#4613
Join Date: May 2010
Location: ORDwest
Posts: 332
So a quick background. Last week I "upgraded" my USAA mastercard which is chip and pin to join their cash rewards program (why I didn't join the cash rewards program when I opened the account a year ago, I can't answer). Anyway, they said they would send me a new card with the same account number and everything which they did. No problem. Didn't send me a new pin so I assumed the pin had not changed. Am getting ready for my cruise/European vacation leaving Sunday. So I decided to test out the card at Walmart today. Yes I inserted the card and it gave me the Walmart messages (don't remove yada yada yada). Was all set to enter my pin when it said signature required. (The amount was $65). So I signed but now it leaves me uneasy to a slight degree.
1. Did Walmart want the signature because the amount was over $50 under which they usually don't require a signature.
2. Has USAA changed its policy and made the card now chip and signature preferred? (The original card worked as chip and pin in Europe at pos terminals last year).
I wonder if it's worthwhile to call customer service at USAA but now a new slight worry. (although even with the 1% cash rewards of USAA, I now break even on foreign transactions. If I use my no ftf BA cash rewards (the grandfathered card for the late Schwab card) I net 1% on all purchases and with my Fidelity Amex, I get2% but lose 1% on ftf som the USAA card is not my preferred card for foreign travel.
Decisions, decisions, decisions.
1. Did Walmart want the signature because the amount was over $50 under which they usually don't require a signature.
2. Has USAA changed its policy and made the card now chip and signature preferred? (The original card worked as chip and pin in Europe at pos terminals last year).
I wonder if it's worthwhile to call customer service at USAA but now a new slight worry. (although even with the 1% cash rewards of USAA, I now break even on foreign transactions. If I use my no ftf BA cash rewards (the grandfathered card for the late Schwab card) I net 1% on all purchases and with my Fidelity Amex, I get2% but lose 1% on ftf som the USAA card is not my preferred card for foreign travel.
Decisions, decisions, decisions.
May 28, 2014, 11:01 am
#4614
Join Date: Jul 2006
Location: LAX
Programs: AA EXP 1.5MM, Asiana Club Silver, KE Morning Calm, Hyatt Platinum, Amtrak Select
Posts: 7,161
In my experience, Americans don't trust the government, but they have no problem being "spied" on by corporations. Some of them even consider it patriotic in the sense that it supports business and entrepreneurship. As long as it is clear that the EMV mandate is coming from Visa/MC and not the government, I don't think there will be much resistance from the tin foil crowd.
You own a cell phone, use a credit card (mag-stripe or EMV), use Google or Facebook, the government is spying on you. Unless one is a total recluse living out in the woods, everyone is on government radar.
It's all the matter of filtering out yottabytes of "junk data" to what's relevant. Just because one writes, say, "I hate Obama" or "I hate the GOP establishment" on the internet doesn't mean that the government is going to be knocking down their door soon.
May 28, 2014, 11:04 am
#4615
Join Date: Jul 2011
Posts: 1,133
I would call USAA and hope for some clarification. My "old" USAA card worked as Chip+PIN in Europe earlier this month, and as Chip+PIN yesterday at WM (small amount). You could also try a couple more WM charges, being sure to try different terminals and CSR-attended vs. unattended to see what happens, since my own experience with CSP VISA and USAA cards (above somewhere) shows what may be flaky behavior by card readers.
May 28, 2014, 11:09 am
#4616
Join Date: Jul 2007
Posts: 1,762
Which in itself is utterly ridiculous as Snowden leaks have shown that the government can indeed pluck out those informations from any private corporation as well.
You own a cell phone, use a credit card (mag-stripe or EMV), use Google or Facebook, the government is spying on you. Unless one is a total recluse living out in the woods, everyone is on government radar.
It's all the matter of filtering out yottabytes of "junk data" to what's relevant. Just because one writes, say, "I hate Obama" or "I hate the GOP establishment" on the internet doesn't mean that the government is going to be knocking down their door soon.
You own a cell phone, use a credit card (mag-stripe or EMV), use Google or Facebook, the government is spying on you. Unless one is a total recluse living out in the woods, everyone is on government radar.
It's all the matter of filtering out yottabytes of "junk data" to what's relevant. Just because one writes, say, "I hate Obama" or "I hate the GOP establishment" on the internet doesn't mean that the government is going to be knocking down their door soon.
Of course in our country, especially on the Fascist News Channel, we are constantly bombarded with fascist commentators like Rove, Krauthamer, Hannity and the like about big government as they crusade against the affordable care act and warns of the perils of government controlled medical cares (despite the fact it works well everywhere else in the world) and of course the second amendment and the like and unfortunately if you repeat a lie often enough, it begins to become plausible to many.
Nothing surprises me any more.
May 28, 2014, 11:26 am
#4617
FlyerTalk Evangelist
Join Date: Jan 2005
Location: home = LAX
Posts: 25,933
There are people around with these hang ups. I have a friend who simply will not get an ez pass (ez pass for those outside the northeast USA is a tag you attach to your windshield to pay tolls on our many tolled highways in this here part of the country. In many cases, you get a discount and the ez pass lanes are almost always much faster than personneled lanes where people pay cash) because he's afraid the government can use it either to track his movements or use it at some point in the future to write speeding tickets. He's a rational person but he believes it.
Isn't EZ Pass issued by a private company? But aren't license plates issued by a government (state)?
Thee is no one such thing as "the government" in the US. There is the federal government, then there are state governments, then there a county / parish / whatever governments, and in cities there are city governments. And these different governemts keep suing each other, so they're obviously not all the same thing!
(I don't know which government is doing the tracking by license plates, I saw a teaser for a TV news story about it but didn't see the actual story.)
And, btw, aren't license plates recorded at most toll booths, as a backup (in case someone doesn't pay the toll, etc)? (In some places in the US, for infrequent users of a toll system, in fact, license plates are an official way of paying your toll! The Golden Gate Bridge is one example of that.)
Last edited by sdsearch; May 28, 2014 at 11:32 am
May 28, 2014, 11:44 am
#4618
Join Date: Jul 2006
Location: LAX
Programs: AA EXP 1.5MM, Asiana Club Silver, KE Morning Calm, Hyatt Platinum, Amtrak Select
Posts: 7,161
Here in LA, we have a public transit contactless card system called TAP. It's kinda like London's OysterCard where one taps to get on board the Metro bus or the rail system.
However, a vast majority of Metro riders refuse to get them and still pays by cash because they fear that the government is out to get them for fare evasion or track them where ever they go or irrational fear of hackers stealing their fares wirelessly.
Which is utterly ridiculous because this is coming from one of the most liberal populace who are avidly pro-mass transit, and there's no way for the "government" to know where one is going because unlike London, there is no tap-out process (tap-in only with flat rate fares, fare gets deducted upon boarding, not upon reaching the destination like London's zonal system), and even if it did, how is that any different from tweeting or FB posting of where one is at any given time from their smartphones?
And there's no point in talking to these folks that contactless cards for mass transits are used all over the world from London to Tokyo, from Boston to Hong Kong with nary any problems. Heck, there was all the commotion going on last year that they didn't want locked gates. They use any excuse on the book "contactless cards slow down the process," or "this is Los Angeles, not London" or whatever. Yet they are the liberal types who support bigger government and idolize mass transit oriented cities like New York, London and Tokyo.
IMO sadly, the way it is today, Murica is not yet ready for contactless payments. There's just too much misinformation being spread around, and the media both left and right are equally guilty of this. Perhaps when the more technologically adept Millennials take over yes, but I don't expect retiring and politically powerful Baby Boomer generation to die off anytime soon.
Last edited by kebosabi; May 28, 2014 at 11:56 am
May 28, 2014, 12:52 pm
#4619
Join Date: Feb 2010
Location: US
Programs: (PM)AA SPG (Marriott), Hilton
Posts: 1,040
(Disclaimer: we get back on topic at the end here)
Not as far as I know. They are, and always have been 'sponsored' (same way sports arenas are)
Many. It's a $50,000 machine that is fed 'plates of interest' and can make the machine go 'ping' when the the car with the machine drives by a car of interest. Used by cities to go after people that don't pay vehicle taxes, and also for stolen vehicle recovery. Data retention and off-the-book-use issues probably aren't consistent or constant over time. For a city with $500,000 in uncollected excise taxes, a $50,000 machine could be a good investment. It may be even cheaper now.
For EZ-Pass, it would seem that they only do so for vtolls, or at least only use it for that. There are also data retention questions here.
And growing, with many areas wanting to move off the Mark IV transponders in favor of directly reading the plate.
Before we return you back to the EMV thread from this off topic digression: 1) Kids got back at their teacher by taking the parental car, which was the same make/model/color, and printing a copy of the teacher's plate sticking it on the parental car, then running it through a stop light camera several times, running up a bunch of moving violation tickets. Teacher in mucho hot water and not believed that it wasn't his car, until one of the kids confessed; 2) Similar reported to happen in London where time-based tolling based on the license plate exists. People steal plates from similar cars and use them to let someone else get the toll bill. Cloning doesn't just effect cards.
The Mark IV radio transponders may be better than license plates, in the same ways that EMV can be better than magtripe with regard to how not easy they are to clone
(at least we wound up back on topic)
[1] http://www.dailytech.com/Students+Us...ticle13749.htm
[2] https://www.mycarcheck.com/news/2007...er-been-there/
Not as far as I know. They are, and always have been 'sponsored' (same way sports arenas are)
(I don't know which government is doing the tracking by license plates, I saw a teaser for a TV news story about it but didn't see the actual story.)
And, btw, aren't license plates recorded at most toll booths, as a backup (in case someone doesn't pay the toll, etc)?
(In some places in the US, for infrequent users of a toll system, in fact, license plates are an official way of paying your toll! The Golden Gate Bridge is one example of that.)
Before we return you back to the EMV thread from this off topic digression: 1) Kids got back at their teacher by taking the parental car, which was the same make/model/color, and printing a copy of the teacher's plate sticking it on the parental car, then running it through a stop light camera several times, running up a bunch of moving violation tickets. Teacher in mucho hot water and not believed that it wasn't his car, until one of the kids confessed; 2) Similar reported to happen in London where time-based tolling based on the license plate exists. People steal plates from similar cars and use them to let someone else get the toll bill. Cloning doesn't just effect cards.
The Mark IV radio transponders may be better than license plates, in the same ways that EMV can be better than magtripe with regard to how not easy they are to clone
(at least we wound up back on topic)
[1] http://www.dailytech.com/Students+Us...ticle13749.htm
[2] https://www.mycarcheck.com/news/2007...er-been-there/
May 28, 2014, 12:55 pm
#4620
Join Date: Jul 2007
Posts: 1,762
Here it is sort of from the horse's mouth (on usaa.com/creditcard)
Your new card will have both the new chip technology and the magnetic stripe which will allow it to still be swiped, if needed. Merchants that accept your card today will be able to accept your card in the future. A PIN will be needed to withdraw cash at an ATM and some merchants may request one to complete your transaction. You may personalize your PIN at usaa.com, on our mobile app or by calling 1-800-531-8722.
My interpretation and my experience this morning with my re-issued USAA emv equippped mc is that USAA is abandoning its chip and pin priority and is joining the American main stream which lends even more support to my theory, and it's just a theory, that the die has been cast and when emv cards become the norm in this country, they will be chip and signature with chip and pin online capabilities. At least, this is the way it seems.
Any thoughts?
Your new card will have both the new chip technology and the magnetic stripe which will allow it to still be swiped, if needed. Merchants that accept your card today will be able to accept your card in the future. A PIN will be needed to withdraw cash at an ATM and some merchants may request one to complete your transaction. You may personalize your PIN at usaa.com, on our mobile app or by calling 1-800-531-8722.
My interpretation and my experience this morning with my re-issued USAA emv equippped mc is that USAA is abandoning its chip and pin priority and is joining the American main stream which lends even more support to my theory, and it's just a theory, that the die has been cast and when emv cards become the norm in this country, they will be chip and signature with chip and pin online capabilities. At least, this is the way it seems.
Any thoughts?