Sep 20, 2013, 11:40 am
Last edit by: philemer
Posts from 1/1/16 onward can be found here: http://www.flyertalk.com/forum/credit-card-programs/1739359-2016-onward-usa-emv-cards-availability-q-chip-pin-signature.html
EMV wikipost volunteers: kebosabi
What is EMV?
EMV is a defacto global standard of technology where there is a visible microchip on the front of the card. It looks like this:
Who issues them?
See Google Docs spreadsheet in Post #1
SFOAMS also has created a list of excellent webpage that shows US EMV cards in a more interactive interface
Another site, which lets you narrow the search for an EMV card by various parameters, is http://www.spotterswiki.com/emv/index.php.
Several credit unions issue some form of Chip-and-PIN credit cards or prepaid cards. Prepaid EMV cards however are not recommended due to junk fees. USAA (currently restricted to members of military) used to offer Chip-and-PIN cards, but as late has backtracked to Chip-and-Signature priority.
Hey that's a cool Google Docs list! I know others that aren't on that list. How can I help by adding them to the list?
My bad for not putting this into the wiki sooner. Right now, the Google Docs is locked out of editing and only in "read-only" view because there were instances in the past where people would just delete the rows not thinking that it affects others viewing the list.
If you promise not to delete any rows and input all the pertinent info (annual fee, rewards, FTF, etc.), I can provide you with edit access. Just shoot me a PM to kebosabi with your gmail address and I'll provide you edit access.
Thanks for helping out!
As of October 2014, no USA-based card issuer offers Chip-and-PIN priority cards except for BMO Harris (Diners Club) and UN Federal Credit Union. Other major USA-based banks such as BofA, Chase, Citi, as well as others issue Chip-and-Signature cards which may work at many automated kiosks. However, bear in mind the word may is used above is a context where there is no absolute certainty of success for certain environments such as automated kiosks due to different natures of offline and online transactions. It is highly recommended to read Post #3 which lists real life FTer examples on how Chip-and-Signature worked and did not work at various transaction environments.
Can I upgrade it right now?
If it's listed on that Google Docs spreadsheet or SFOAMS' Silk page, wouldn't hurt to call/twitter them for a free upgrade. If you get the response you don't like, hang up, try again.
What is the difference between Chip-and-Signature and Chip-and-PIN?
You insert the chipped card into the slot. The physical contact terminal will read the EMV chip and the terminal will automatically read the preferred cardholder verification methods (called CVM) for that card.
Chip-and-Signature means that the terminal will printout a receipt for you to sign. This is the most prevalent authentication for most US issued EMV cards. Chip-and-Signature helps in a way that it will get through to face-to-face merchant transactions where you and the merchant do not speak the same language.
Chip-and-PIN means that the terminal will prompt you to input a PIN for authentication. Some credit union issued credit cards will have this CVM as secondary if Chip-and-Signature cannot be done. Chip-and-PIN is the more prevalent method of authentication used outside the US, especially in transaction environments where no human interaction is needed (i.e. automated gas pumps, toll roads, train kiosks, etc.).
The Google Docs spreadsheet will list which CVM are used in the EMV cards listed. Some cards can only do Chip-and-Signature. Other cards can do both Chip-and-Signature and Chip-and-PIN. And others might have a third option called No CVM (no authentication needed) which is reserved for low value transactions.
One chip can hold a lot more data, therefore it is capable of doing multiple verification methods. That's one of the great things about EMV over the mag-stripe which can hold very little data.
I want to know for sure what my EMV chip does. Is there anyway I can test out my own EMV card to see what the CVM list is?
alexmt has written up a nice step-by-step procedure on Post #3615.
If most of the EMV cards in the US is the Chip-and-Signature type, doesn't that mean it's still useless abroad?
Depends if you see it as glass half empty or glass half full. See Post #3 for further details on how Chip-and-Signature has worked both successfully and unsuccessfully depending on the merchant transaction environment and use your best judgment whether which one is right for you.
Are there any places in the US that are accepting transactions via the EMV chip?
tmiw has created a dedicated Google maps webpage to show where EMV has been proven to work here: http://emvacceptedhere.com/ Per his Post #4240, feel free to add any places with active EMV terminals if you come across one.
As of 2014/05, the EMV terminals in most Walmarts and Sam's Clubs are being turned on. Hence, the best place to try them out would be your local Walmart or Sam's Club. For other merchants, it's slowly being phased in.
I hope people will post them in the Post your receipt of your 1st EMV based transaction in the US thread. cvarming has shown us an EMV transaction receipt from Brooklyn, NY in Post #2380. I myself had my first EMV based (Chip-and-Signature) transaction in two stores in the Los Angeles area, as shown in detail in Post #2705 (courtesy of WhatWhatTech for pointing these two stores out)
I don't want a chip in my card. I heard horror stories all over the media saying hackers can steal my credit card info from a mile away.
There are two types of chips. One is contactless and the other is contact. Cards can be either one or the other, or both.
In the Google Docs spreadsheet, the cards that are capable of contactless payments are listed seperately under the "RFID or NFC contactless chip" column. If it says yes, then that means it has the ability to do contactless payments. If it says no, it doesn't have that feature.
The one that the media has overhyped about hackers "stealing your information wirelessly" was the contactless type like this:
You are worried about this happening, right?
You don't have to worry. EMV is a chip standard that can have both contact and contactless interfaces. With the traditional contact interface, this means you actually have to physically insert the chip into a POS terminal for it to be authorized, like this:
With the contact interface, nothing is wireless. No data is sent out in a stand-alone contact type EMV chip. With the EMV contactless interface, data is sent wirelessly.
Furthermore, contactless chip cards are required to show a symbol (looks like Wi-Fi symbol) somewhere on the card that to denote it's capability as a contactless card. For example, here's an example of a Discover Card with contactless capability (in which Discover calls "Discover ZIP") showing the contactless symbol on the back of the card:
Don't believe everything that the media says. Besides, millions of people all over the world from London to Singapore, uses contactless payments daily in extremely crowded subways and mass transit with nary any problems. There are multiple layers of encrypted securities and keys that are needed to break the code.
Frankly, giving your physical card to a waiter/waitress who takes the card out of your view is much more susceptible to fraud than contactless payments.
Why should I care?
If you are an international traveler, you will want this because majority of the world has or in the process of converting to this payment format.
In fact, in 2012, even North Korea moved to the EMV format, leaving the US as one of the countries in the world that hasn't done so.
In addition, VISA, MC, AMEX, and Discover have all agreed to incentivize the USA shifting to EMV payments by 2015 by shifting liability for fraudulent transactions to merchants if they do not have EMV equipment and the cardholder has an EMV card. So if you travel internationally or would like to get one before the others, you might be interested in getting one.
BS! I had no problems using my card in [insert whereever country], [insert whatever point in time]
If you stick to the tourist path where they have lots of visitors from the US, you should have no problems using your mag-stripe only card in hotels and restaurants, at least for now. But as things can change as things go forward.
However, consider that once you start taking the off-beaten path, go to non-touristy places where they are not familiar with mag-stripes, rent a car and use toll roads, fill up gas, or try to buy train tickets you might end up into a trouble of the machine not recognizing your card because it lacks the chip. Furthermore, a lot of toll roads, gas pumps, and automated ticket machines lack any human assistance to help you when you need it the most.
But [insert credit card company] told me all merchants that display their logo must accept them! All I have to do is report them for violating their agreements, right?
There are several factors against this.
1. You can only speak English. The merchant representative, most likely a part-time clerk earning minimum wage, speaks in a different language, let's say French. If you have no French language skills, how are you going to get your point across? Are you going to whip out your cell phone at exorbitant int'l roaming charges and hope the customer service is going to translate it for you on the spot? Or maybe you might actually know French. But how about Swahili, Farsi, Balinese, or the multiple languages in mainland China?
2. Just like US, the rest of the world's businesses uses part-time minimum wage workers as cashiers to cut down on labor costs. Most of their SOP training manuals are written by MBA types to not to do anything they are not familiar with. Do not expect them to understand the intricate details of credit card mumbo jumbo. You don't expect Taco Bell employees to understand the minute details of Discover-JCB-Union Pay agreements, right? Same thing the other way around: be respectful as a guest in their country, prepare in advance in their ways, avoid being an "ugly American" stereotype.
3. You are a guest in their country. You are a minority. If 99.9% of their country's people and other tourists from around the world uses EMV, do you really think they are going to accomodate the 0.1% of American tourists who only have mag-stripes credit cards?
4. Again, you are a guest in their country. How would you, as an American standing in line, react if a Chinese tourist was clogging up the lines at a local Taco Bell because the clerk doesn't understand the Discover-Union Pay agreement and has trouble communicating between Mandarin spoken by the tourist and English spoken by the Taco Bell clerk? Same way the other way around. You do not want to clog up the lines for everyone. The less hassle, the better.
5. VISA and MC make tons of money from merchants in that country. Say SNCF French Rail. It's a billion dollar company in France. Do you think VISA is going to pull the plug of their relationship with SNCF because SNCF refuses to do mag-stripe processing at their unmanned train station kiosk? Of course not. Be realistic.
6. And lastly, if you're up against an unstaffed toll kiosk, gas pump or train ticket machine, are you going to yell curses at the machine?
But I want my credit card to be able to be used in the US too!
No worries. They have not gotten rid of the mag-stripe on the back of the card for backward compatibility reasons, just like we still have embossed numbers on our cards for backwards compatibility to using those old carbon copy imprinters.
[insert own Hyatt card image front and back together with red arrows pointing to all the backward compatibility features]
You use the chip on the front of the card abroad (for now), and the mag-stripe just like any other card for the US. Basically, you're increasing your credit card's acceptance rate by getting a card that both via the chip and the mag-stripe. You're getting a better deal for free.
And when 2015 comes along and US switches to EMV, you'll be way ahead of everyone else too!
So why did the rest of the world and the US moved/moving toward EMV?
Primarily, due to fraud concerns. You see, the mag-stripe has been with us since the 1950s. It may have been the most high tech thing back in the day, but with the technology that is available today, any shmo can pick up a $100 USB magnetic card skimming device off of eBay and get your credit card info.
And unlike skimming off contactless cards which actually need the person to have l33t programming skills, skimming off a magnetic stripe has become so ubiquitous that nary a day goes about skimming fraud going on somewhere in America, from gas pumps, Michael's stores (2011), Target breaches (2013), restaurant waiters/waitresses, to even McDonald's drive thrus.
https://www.google.com/search?q=skimming+fraud
These type of fraud used to be prevalent in Europe. But once they started switching over to EMV starting over 2 decades ago, this type of fraud went elsewhere. It went over to Asia, Canada and Mexico, Latin America, etc. etc. until they too began implementing EMV to combat skimming fraud. The US is practically the only country left that hasn't done so, therefore all the fraud that used to take place elsewhere is now happening here.
But EMV is old and it's not fool proof. Shouldn't we just skip over it and do something new instead?
Yes, EMV is old. It was developed in the 1990s and its smart card payment predecessor was first introduced in France. But as of today, it has become the defacto global standard of payments.
But then, what else is there? There is no other de facto global standard of payments alternative. For example, if we decide to skip over it and do something new, hypothetically like DNA matching technology, it still means US int'l travelers will continue to have problems abroad with useless plastic acceptance because no other country is using this DNA matching technology except the US.
Besides, nothing is fool proof. You can say that the bank vault isn't fool proof because you can crack it open if enough C4 is used. But your average low-life scumbag isn't likely to get military grade C4 easily either. But the bank vault does make it harder to get the bank's money over say a petty cash box. That's the point here. EMV is akin to a security tight bank vault, the old mag-stripe is akin to a petty cash box lying around inside the drawer.
I'm a business owner and I don't think EMV is going to take off. I'm not going to spend extra hundreds of dollars to upgrade my credit card machine. Convince me other wise why I should.
I can understand the added extra cost to your business once this switchover takes place. But before even saying that, look at your existing POS terminal. Does it have a slot somewhere to insert a card?
Most likely, if you had replaced your POS terminal within the past five years, you already have an EMV capable terminal. EMV is basically just not turned on yet from the processor and acquirer side.
If you have an EMV capable terminal, then a best bet would be to contact your acquirer to have the EMV feature turned on. You did your end of the deal already by having an EMV capable terminal, it is now the acquirers' responsibility to turn it on in accordance to the EMV switchover mandate.
And if you don't, you are going to replace your POS terminal anyway from common wear and tear. It isn't a hard switch-over. You can continue to use your POS terminal until it dies out because EMV cardholders will still have the mag-stripe on the back. And by the time your non-EMV capable POS terminal is up for replacement the market will be full with these newer POS terminals that can accept the mag-stripe, EMV, as well as contactless payments.
In addition, you may also want to check with your acquirer or processor about EMV capable terminals. Some of them are willing to replace your terminal for free in preparation for the US EMV switchover. Call and ask for details.
But what's in it for me? I'm the one that has to pay for the upgrade.
All the major card networks have given incentives for merchants for the upcoming EMV switchover.
If 75% or more of your credit card transactions are done on an EMV contact and contactless terminal, they are going to waive your annual PCI-DSS fees, which usually costs you around $5.00-$19.95/month per terminal. The overall long term cost savings of those compliance fees will be larger than the cost of an one time upgrade for the terminal.
The downside is that once EMV switchover happens and if you do not have a POS terminal that is able to accept EMV, the fraud liability shifts over to the merchant.
I own several fast food franchises. If I upgrade my POS terminals at all of my restaurants, it's going to cost me thousands, if not millions. I don't think anyone is going to use a fake credit card to buy $5 burgers. And if they do, wouldn't it be cheaper for me to eat the fraud cost?
Remember also that fraud isn't just committed by dishonest customers using fraudulent cards. Fraud can also happen with dishonest employees skimming off credit card data from the mag-stripe as in the case of a teenage McDonald's drive thru employee skimming off $13,000 of customers' credit cards in Olympia, WA. Consider the public relations fall out that your business may have if this happens (i.e. the big Target breach of 2013, where someone used a mag stripe card to load malware INTO Target's system). Is it worth risking to take such a huge PR disaster?
EMV wikipost volunteers: kebosabi
What is EMV?
EMV is a defacto global standard of technology where there is a visible microchip on the front of the card. It looks like this:
Who issues them?
See Google Docs spreadsheet in Post #1
SFOAMS also has created a list of excellent webpage that shows US EMV cards in a more interactive interface
Another site, which lets you narrow the search for an EMV card by various parameters, is http://www.spotterswiki.com/emv/index.php.
Several credit unions issue some form of Chip-and-PIN credit cards or prepaid cards. Prepaid EMV cards however are not recommended due to junk fees. USAA (currently restricted to members of military) used to offer Chip-and-PIN cards, but as late has backtracked to Chip-and-Signature priority.
Hey that's a cool Google Docs list! I know others that aren't on that list. How can I help by adding them to the list?
My bad for not putting this into the wiki sooner. Right now, the Google Docs is locked out of editing and only in "read-only" view because there were instances in the past where people would just delete the rows not thinking that it affects others viewing the list.
If you promise not to delete any rows and input all the pertinent info (annual fee, rewards, FTF, etc.), I can provide you with edit access. Just shoot me a PM to kebosabi with your gmail address and I'll provide you edit access.
Thanks for helping out!
As of October 2014, no USA-based card issuer offers Chip-and-PIN priority cards except for BMO Harris (Diners Club) and UN Federal Credit Union. Other major USA-based banks such as BofA, Chase, Citi, as well as others issue Chip-and-Signature cards which may work at many automated kiosks. However, bear in mind the word may is used above is a context where there is no absolute certainty of success for certain environments such as automated kiosks due to different natures of offline and online transactions. It is highly recommended to read Post #3 which lists real life FTer examples on how Chip-and-Signature worked and did not work at various transaction environments.
Can I upgrade it right now?
If it's listed on that Google Docs spreadsheet or SFOAMS' Silk page, wouldn't hurt to call/twitter them for a free upgrade. If you get the response you don't like, hang up, try again.
What is the difference between Chip-and-Signature and Chip-and-PIN?
You insert the chipped card into the slot. The physical contact terminal will read the EMV chip and the terminal will automatically read the preferred cardholder verification methods (called CVM) for that card.
Chip-and-Signature means that the terminal will printout a receipt for you to sign. This is the most prevalent authentication for most US issued EMV cards. Chip-and-Signature helps in a way that it will get through to face-to-face merchant transactions where you and the merchant do not speak the same language.
Chip-and-PIN means that the terminal will prompt you to input a PIN for authentication. Some credit union issued credit cards will have this CVM as secondary if Chip-and-Signature cannot be done. Chip-and-PIN is the more prevalent method of authentication used outside the US, especially in transaction environments where no human interaction is needed (i.e. automated gas pumps, toll roads, train kiosks, etc.).
The Google Docs spreadsheet will list which CVM are used in the EMV cards listed. Some cards can only do Chip-and-Signature. Other cards can do both Chip-and-Signature and Chip-and-PIN. And others might have a third option called No CVM (no authentication needed) which is reserved for low value transactions.
One chip can hold a lot more data, therefore it is capable of doing multiple verification methods. That's one of the great things about EMV over the mag-stripe which can hold very little data.
I want to know for sure what my EMV chip does. Is there anyway I can test out my own EMV card to see what the CVM list is?
alexmt has written up a nice step-by-step procedure on Post #3615.
If most of the EMV cards in the US is the Chip-and-Signature type, doesn't that mean it's still useless abroad?
Depends if you see it as glass half empty or glass half full. See Post #3 for further details on how Chip-and-Signature has worked both successfully and unsuccessfully depending on the merchant transaction environment and use your best judgment whether which one is right for you.
Are there any places in the US that are accepting transactions via the EMV chip?
tmiw has created a dedicated Google maps webpage to show where EMV has been proven to work here: http://emvacceptedhere.com/ Per his Post #4240, feel free to add any places with active EMV terminals if you come across one.
As of 2014/05, the EMV terminals in most Walmarts and Sam's Clubs are being turned on. Hence, the best place to try them out would be your local Walmart or Sam's Club. For other merchants, it's slowly being phased in.
I hope people will post them in the Post your receipt of your 1st EMV based transaction in the US thread. cvarming has shown us an EMV transaction receipt from Brooklyn, NY in Post #2380. I myself had my first EMV based (Chip-and-Signature) transaction in two stores in the Los Angeles area, as shown in detail in Post #2705 (courtesy of WhatWhatTech for pointing these two stores out)
I don't want a chip in my card. I heard horror stories all over the media saying hackers can steal my credit card info from a mile away.
There are two types of chips. One is contactless and the other is contact. Cards can be either one or the other, or both.
In the Google Docs spreadsheet, the cards that are capable of contactless payments are listed seperately under the "RFID or NFC contactless chip" column. If it says yes, then that means it has the ability to do contactless payments. If it says no, it doesn't have that feature.
The one that the media has overhyped about hackers "stealing your information wirelessly" was the contactless type like this:
You are worried about this happening, right?
You don't have to worry. EMV is a chip standard that can have both contact and contactless interfaces. With the traditional contact interface, this means you actually have to physically insert the chip into a POS terminal for it to be authorized, like this:
With the contact interface, nothing is wireless. No data is sent out in a stand-alone contact type EMV chip. With the EMV contactless interface, data is sent wirelessly.
Furthermore, contactless chip cards are required to show a symbol (looks like Wi-Fi symbol) somewhere on the card that to denote it's capability as a contactless card. For example, here's an example of a Discover Card with contactless capability (in which Discover calls "Discover ZIP") showing the contactless symbol on the back of the card:
Don't believe everything that the media says. Besides, millions of people all over the world from London to Singapore, uses contactless payments daily in extremely crowded subways and mass transit with nary any problems. There are multiple layers of encrypted securities and keys that are needed to break the code.
Frankly, giving your physical card to a waiter/waitress who takes the card out of your view is much more susceptible to fraud than contactless payments.
Why should I care?
If you are an international traveler, you will want this because majority of the world has or in the process of converting to this payment format.
In fact, in 2012, even North Korea moved to the EMV format, leaving the US as one of the countries in the world that hasn't done so.
In addition, VISA, MC, AMEX, and Discover have all agreed to incentivize the USA shifting to EMV payments by 2015 by shifting liability for fraudulent transactions to merchants if they do not have EMV equipment and the cardholder has an EMV card. So if you travel internationally or would like to get one before the others, you might be interested in getting one.
BS! I had no problems using my card in [insert whereever country], [insert whatever point in time]
If you stick to the tourist path where they have lots of visitors from the US, you should have no problems using your mag-stripe only card in hotels and restaurants, at least for now. But as things can change as things go forward.
However, consider that once you start taking the off-beaten path, go to non-touristy places where they are not familiar with mag-stripes, rent a car and use toll roads, fill up gas, or try to buy train tickets you might end up into a trouble of the machine not recognizing your card because it lacks the chip. Furthermore, a lot of toll roads, gas pumps, and automated ticket machines lack any human assistance to help you when you need it the most.
But [insert credit card company] told me all merchants that display their logo must accept them! All I have to do is report them for violating their agreements, right?
There are several factors against this.
1. You can only speak English. The merchant representative, most likely a part-time clerk earning minimum wage, speaks in a different language, let's say French. If you have no French language skills, how are you going to get your point across? Are you going to whip out your cell phone at exorbitant int'l roaming charges and hope the customer service is going to translate it for you on the spot? Or maybe you might actually know French. But how about Swahili, Farsi, Balinese, or the multiple languages in mainland China?
2. Just like US, the rest of the world's businesses uses part-time minimum wage workers as cashiers to cut down on labor costs. Most of their SOP training manuals are written by MBA types to not to do anything they are not familiar with. Do not expect them to understand the intricate details of credit card mumbo jumbo. You don't expect Taco Bell employees to understand the minute details of Discover-JCB-Union Pay agreements, right? Same thing the other way around: be respectful as a guest in their country, prepare in advance in their ways, avoid being an "ugly American" stereotype.
3. You are a guest in their country. You are a minority. If 99.9% of their country's people and other tourists from around the world uses EMV, do you really think they are going to accomodate the 0.1% of American tourists who only have mag-stripes credit cards?
4. Again, you are a guest in their country. How would you, as an American standing in line, react if a Chinese tourist was clogging up the lines at a local Taco Bell because the clerk doesn't understand the Discover-Union Pay agreement and has trouble communicating between Mandarin spoken by the tourist and English spoken by the Taco Bell clerk? Same way the other way around. You do not want to clog up the lines for everyone. The less hassle, the better.
5. VISA and MC make tons of money from merchants in that country. Say SNCF French Rail. It's a billion dollar company in France. Do you think VISA is going to pull the plug of their relationship with SNCF because SNCF refuses to do mag-stripe processing at their unmanned train station kiosk? Of course not. Be realistic.
6. And lastly, if you're up against an unstaffed toll kiosk, gas pump or train ticket machine, are you going to yell curses at the machine?
But I want my credit card to be able to be used in the US too!
No worries. They have not gotten rid of the mag-stripe on the back of the card for backward compatibility reasons, just like we still have embossed numbers on our cards for backwards compatibility to using those old carbon copy imprinters.
[insert own Hyatt card image front and back together with red arrows pointing to all the backward compatibility features]
You use the chip on the front of the card abroad (for now), and the mag-stripe just like any other card for the US. Basically, you're increasing your credit card's acceptance rate by getting a card that both via the chip and the mag-stripe. You're getting a better deal for free.
And when 2015 comes along and US switches to EMV, you'll be way ahead of everyone else too!
So why did the rest of the world and the US moved/moving toward EMV?
Primarily, due to fraud concerns. You see, the mag-stripe has been with us since the 1950s. It may have been the most high tech thing back in the day, but with the technology that is available today, any shmo can pick up a $100 USB magnetic card skimming device off of eBay and get your credit card info.
And unlike skimming off contactless cards which actually need the person to have l33t programming skills, skimming off a magnetic stripe has become so ubiquitous that nary a day goes about skimming fraud going on somewhere in America, from gas pumps, Michael's stores (2011), Target breaches (2013), restaurant waiters/waitresses, to even McDonald's drive thrus.
https://www.google.com/search?q=skimming+fraud
These type of fraud used to be prevalent in Europe. But once they started switching over to EMV starting over 2 decades ago, this type of fraud went elsewhere. It went over to Asia, Canada and Mexico, Latin America, etc. etc. until they too began implementing EMV to combat skimming fraud. The US is practically the only country left that hasn't done so, therefore all the fraud that used to take place elsewhere is now happening here.
But EMV is old and it's not fool proof. Shouldn't we just skip over it and do something new instead?
Yes, EMV is old. It was developed in the 1990s and its smart card payment predecessor was first introduced in France. But as of today, it has become the defacto global standard of payments.
But then, what else is there? There is no other de facto global standard of payments alternative. For example, if we decide to skip over it and do something new, hypothetically like DNA matching technology, it still means US int'l travelers will continue to have problems abroad with useless plastic acceptance because no other country is using this DNA matching technology except the US.
Besides, nothing is fool proof. You can say that the bank vault isn't fool proof because you can crack it open if enough C4 is used. But your average low-life scumbag isn't likely to get military grade C4 easily either. But the bank vault does make it harder to get the bank's money over say a petty cash box. That's the point here. EMV is akin to a security tight bank vault, the old mag-stripe is akin to a petty cash box lying around inside the drawer.
I'm a business owner and I don't think EMV is going to take off. I'm not going to spend extra hundreds of dollars to upgrade my credit card machine. Convince me other wise why I should.
I can understand the added extra cost to your business once this switchover takes place. But before even saying that, look at your existing POS terminal. Does it have a slot somewhere to insert a card?
Most likely, if you had replaced your POS terminal within the past five years, you already have an EMV capable terminal. EMV is basically just not turned on yet from the processor and acquirer side.
If you have an EMV capable terminal, then a best bet would be to contact your acquirer to have the EMV feature turned on. You did your end of the deal already by having an EMV capable terminal, it is now the acquirers' responsibility to turn it on in accordance to the EMV switchover mandate.
And if you don't, you are going to replace your POS terminal anyway from common wear and tear. It isn't a hard switch-over. You can continue to use your POS terminal until it dies out because EMV cardholders will still have the mag-stripe on the back. And by the time your non-EMV capable POS terminal is up for replacement the market will be full with these newer POS terminals that can accept the mag-stripe, EMV, as well as contactless payments.
In addition, you may also want to check with your acquirer or processor about EMV capable terminals. Some of them are willing to replace your terminal for free in preparation for the US EMV switchover. Call and ask for details.
But what's in it for me? I'm the one that has to pay for the upgrade.
All the major card networks have given incentives for merchants for the upcoming EMV switchover.
If 75% or more of your credit card transactions are done on an EMV contact and contactless terminal, they are going to waive your annual PCI-DSS fees, which usually costs you around $5.00-$19.95/month per terminal. The overall long term cost savings of those compliance fees will be larger than the cost of an one time upgrade for the terminal.
The downside is that once EMV switchover happens and if you do not have a POS terminal that is able to accept EMV, the fraud liability shifts over to the merchant.
I own several fast food franchises. If I upgrade my POS terminals at all of my restaurants, it's going to cost me thousands, if not millions. I don't think anyone is going to use a fake credit card to buy $5 burgers. And if they do, wouldn't it be cheaper for me to eat the fraud cost?
Remember also that fraud isn't just committed by dishonest customers using fraudulent cards. Fraud can also happen with dishonest employees skimming off credit card data from the mag-stripe as in the case of a teenage McDonald's drive thru employee skimming off $13,000 of customers' credit cards in Olympia, WA. Consider the public relations fall out that your business may have if this happens (i.e. the big Target breach of 2013, where someone used a mag stripe card to load malware INTO Target's system). Is it worth risking to take such a huge PR disaster?
USA EMV cards: Availability, Q&A (Chip & PIN -or- Chip & Signature) [2012-2015]
May 30, 2014, 9:40 am
#4681
Join Date: Jul 2006
Location: LAX
Programs: AA EXP 1.5MM, Asiana Club Silver, KE Morning Calm, Hyatt Platinum, Amtrak Select
Posts: 7,161
This goes along with MC being in favor of PIN-based verification. What's interesting though is does this mean I'm currently liable for any PIN use of my card? I could think of a number of scenarios where people could set or find out a cash advance PIN and use it for nefarious purposes with a cloned mag stripe card.
the vast majority of Americans don't have an opinion on EMV or even know what it is. However, you are unlikely to sway someone who is steadfast in an opinion of some topic, so by using some of these examples of why the US should use EMV you will end up turning more people off to the idea who could have been persuaded.
In the past, the EMV issue was more viewed as a problem for those who traveled internationally. At that time, many arguments were made like "but only 30% of Americans hold US Passports so there's not much demand for it" etc. etc. It was more viewed as a "the rich who can afford to travel internationally, boo hoo, I feel sooo sorry for them" so it didn't click with the most Americans.
Nevermind that "travelling internationally" can also mean a 2 hour drive from LA to Mexico, someone living in the border states with Canada, or a poor fresh-out-of-college backpacker staying at cheap $5 youth hostels in SE Asia; the notion of "going abroad" for most Americans tend equate with the image of being rich enough to visit Europe. It just doesn't click that way.
But what happened to Target and the media storm that followed, pretty much opened up the issue to a lot more people. And unlike past breaches that hit Heartland or TJ Maxx (which affected more people), the "Target thing" keeps back over and over again as some sort of pivotal point. The EMV landscape is a lot different in 2014 than it was just a year ago. And ironically, we have to thank the hackers who hit Target for that.
Last edited by kebosabi; May 30, 2014 at 10:11 am
May 30, 2014, 10:14 am
#4682
Join Date: Jul 2007
Posts: 1,762
I know I've been guilty of straying off topic too, but can we please not use this thread to touch on topics suited for OMNI/PR? Stick to the merits of EMV.
You lose people when you use pejorative terms or try to bundle in analogies that people feel passionately about such as single-payer healthcare, 2A, etc. You have to keep in mind that the vast majority of Americans don't have an opinion on EMV or even know what it is. However, you are unlikely to sway someone who is steadfast in an opinion of some topic, so by using some of these examples of why the US should use EMV you will end up turning more people off to the idea who could have been persuaded.
While I would like to take you on point by point in OMNI/PR, it's like the line from the movie War Games. The only winning move is not to play.
You lose people when you use pejorative terms or try to bundle in analogies that people feel passionately about such as single-payer healthcare, 2A, etc. You have to keep in mind that the vast majority of Americans don't have an opinion on EMV or even know what it is. However, you are unlikely to sway someone who is steadfast in an opinion of some topic, so by using some of these examples of why the US should use EMV you will end up turning more people off to the idea who could have been persuaded.
While I would like to take you on point by point in OMNI/PR, it's like the line from the movie War Games. The only winning move is not to play.
May 30, 2014, 10:24 am
#4683
Join Date: Jul 2007
Posts: 1,762
$2 bills are mostly collector's items. I don't think I've seen one for at least a few years.
Back on topic though, I remember you saying upthread that you were okay with C&S as long as acceptance wasn't impacted. Considering that people haven't had problems lately with their C&S cards being rejected (that we know about), you should be okay for your trip.
EDIT: also, I prefer C&P, but it's what it is. At this point, we just need to make sure we can easily switch to C&P later on if that's what we as a country want. As in, don't do what Brazil did and install C&S only terminals everywhere
Back on topic though, I remember you saying upthread that you were okay with C&S as long as acceptance wasn't impacted. Considering that people haven't had problems lately with their C&S cards being rejected (that we know about), you should be okay for your trip.
EDIT: also, I prefer C&P, but it's what it is. At this point, we just need to make sure we can easily switch to C&P later on if that's what we as a country want. As in, don't do what Brazil did and install C&S only terminals everywhere
But yes, throughout recent posts, I have been saying it looks like the die is cast and the USA will be going c&s primarily when emv takes hold if indeed it does in October 2015. I also said I could understand why the banks might think there will be some resistance to pins (matching up each pin with the right card might not be as easy as some people think if you regularly use 3 or 4 different cards). But if you put me against a wall and ask my opinion, as it stands today, I prefer c&p. If I could be assured c&s will just about (I understand nothing is 100%) always work properly then it wouldn't really matter. N'est ce pas.
JJ
May 30, 2014, 10:29 am
#4684
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
May 30, 2014, 11:26 am
#4685
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
http://www.bankinfosecurity.com/blog...ons-emv-p-1674
I'm not sure why he even thought he could get an EMV-only card (without the magstripe) from Amex right now. Other than that, he's saying pretty much what others have said.
I'm not sure why he even thought he could get an EMV-only card (without the magstripe) from Amex right now. Other than that, he's saying pretty much what others have said.
May 30, 2014, 1:12 pm
#4686
Join Date: Nov 2012
Posts: 3,537
The fantastic Courtney at the Amex social media team is replacing my card again, this time with a new account number. Hopefully that should fix the Walmart acceptance once and for all.
I find the replacement reasons so funny, as they're so unconnected to reality. The last one was "magnetic strip" and this one is "my card is lost" - but I guess that's what needs to happen to force a new number! LOL, hopefully it doesn't mess with my sign-up bonus. She promised it wouldn't. She also gave me some free Delta miles for the inconvenience. Fantastic service, back to loving Amex (I really do think this will fix the issue, I can't imagine how it wouldn't).
I find the replacement reasons so funny, as they're so unconnected to reality. The last one was "magnetic strip" and this one is "my card is lost" - but I guess that's what needs to happen to force a new number! LOL, hopefully it doesn't mess with my sign-up bonus. She promised it wouldn't. She also gave me some free Delta miles for the inconvenience. Fantastic service, back to loving Amex (I really do think this will fix the issue, I can't imagine how it wouldn't).
May 30, 2014, 3:37 pm
#4687
FlyerTalk Evangelist
Join Date: Dec 2002
Location: Danville, CA, USA;
Programs: UA 1MM, WN CP, Marriott LT Plat, Hilton Gold, IC Plat
Posts: 15,720
Not sure where the usage info is being compiled (wiki?) but I have another data point for Japan.
Used my Chase chip+sig cards everywhere in Japan - never rejected. Sometimes swiped, sometimes at Chip terminal.
Used my Chase chip+sig cards everywhere in Japan - never rejected. Sometimes swiped, sometimes at Chip terminal.
May 30, 2014, 3:40 pm
#4688
Join Date: Jul 2006
Location: LAX
Programs: AA EXP 1.5MM, Asiana Club Silver, KE Morning Calm, Hyatt Platinum, Amtrak Select
Posts: 7,161
https://messe.nikkei.co.jp/nf/column...end/84278.html
The Japanese article (2011-05) states that compared to the EU started its conversion in 2001 and completed EMV conversion by 2010, Japan is still at 50%. Several points in that article mentions that as EMV is a defacto global standard, the Japanese payments industry should do more to speed up EMV conversion to 100% much as the EU has done. However, one of the issues raised is that the Japanese payments industry seems to focus more on NFC payments, which most Japanese tend to have through their phones and proprietary payment cards over credit cards (which is true; credit card utilization in Japan is low).
The map on that page also notes that the US isn't on EMV yet (at 2010), stating "in sharp contrast, the US, largest payments market in the world, is still not on EMV per the stance by their issuers that they can achieve security perfectly fine through the magnetic strip which conflicts with the EMV stances of VISA and Mastercard. Hence as shown in this map, the US is not on EMV yet and will likely remain so for the foreseeable future."
Last edited by kebosabi; May 30, 2014 at 3:52 pm
May 30, 2014, 10:43 pm
#4689
Join Date: Nov 2008
Location: Portland, OR
Programs: Alaska MVP, Hilton Diamond, Hyatt Explorist, Marriott Gold Elite
Posts: 129
After signing in to my USAA account, I sent a similar (though not as comprehensive or "vigorous") email to USAA customer service and received a response that suggested the agent knew virtually nothing about EMV enabled cards. I didn't even bother to reply to that response. So, I wouldn't get my hopes very high for an appropriate response.
May 31, 2014, 12:15 am
#4690
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
The American Express EMV implementation guide is pretty interesting (https://www209.americanexpress.com/m...al%20Guide.pdf). A few tidbits:
- "American Express mandates that the Terminal be capable of supporting both plaintext and enciphered PIN." (pg. 10)
- "If the PIN try counter = 0, the Terminal shall continue the transaction, having set the applicable bits in the Terminal Verification Results (TVR), indicating that the PIN try counter has been exceeded." (pg. 11)
- "The introduction of the Offline PIN capability provided by EMV greatly increases the potential for Cardholder Verification at UPTs. CVM Fallback shall not be supported at UPTs (i.e., if the highest supported CVM in both card and Terminal is PIN, PIN must be used or the transaction must be declined)." (pg. 29)
May 31, 2014, 12:23 am
#4691
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
Also, even though this was posted a year ago, it has some interesting stats. On C&S vs. C&P:
On contactless:
Entering a PIN on a credit card transaction is practically unknown in the U.S., and the majority of debit transactions also use signature verification.
“I think we are going to see a lot of consumer confusion,” says Conroy, a research director at Boston-based Aite Group.
...
Hoping to avoid that confusion, seven of the 14 U.S. card issuers willing to state their preferences to Aite said they planned on using chip-and-signature verification for their coming EMV cards. Three preferred chip-and-PIN, three others were undecided, and one plans to first use chip-and-signature but then migrate its cards to chip-and-PIN.
“I think we are going to see a lot of consumer confusion,” says Conroy, a research director at Boston-based Aite Group.
...
Hoping to avoid that confusion, seven of the 14 U.S. card issuers willing to state their preferences to Aite said they planned on using chip-and-signature verification for their coming EMV cards. Three preferred chip-and-PIN, three others were undecided, and one plans to first use chip-and-signature but then migrate its cards to chip-and-PIN.
In a separate set of interviews with executives from 66 financial institutions attending a First Data Corp. conference in May, 58% of respondents said they were undecided about the types of chip cards they would issue. Some 9% of respondents said they planned to issue contact-only EMV cards while 33% said they would issue so-called dual-interface cards. Such cards are slightly more expensive than contact chip cards but support contactless transactions that facilitate fast payments in high-volume locations.
May 31, 2014, 1:22 am
#4692
Join Date: Jan 2014
Location: Cambridge, MA, US
Programs: Hyatt, Amtrak
Posts: 26
Anyway, I just got my Barclays Arrival+ card in the mail the other day, and was digging through the fine print of the PIN-related stuff. The printed literature that came with my card was stating that, while abroad, I had to first use my card one time in a signature EMV transaction with a live person before the PIN would work for subsequent transactions, which seemed kind of bizarre—but it wasn’t worded very well. When I started digging more deeply into my online account, I came across the info below, which seems somewhat more clearly-written. It looks like the one-time signature EMV transaction requirement is only relevant whenever you change your PIN—presumably as an extra authentication step (despite the usual shortcomings of using a signature as authentication)—and isn’t required to be done while abroad, assuming you can actually find a place to do an EMV transaction in the US.
In any case, I called the auto-support menu system to have my PIN “verified” and sent to me via mail, although I’m still not 100% sure if that means that this PIN is the original PIN when my card was activated, and thus will “just work” automatically, or if they auto-reset my PIN before mailing it to me, and thus I would still need to do the one-time signature EMV transaction to activate the PIN. Regardless--for those interested, here are some details on the PIN:
Using your card internationally.
When you use your card at a chip-enabled terminal abroad, you’ll insert it into a slot rather than swipe it. Most of the time, you’ll sign for your transactions. But in some cases, such as at unattended kiosks or gas pumps, you’ll be prompted to enter your 4-digit PIN.
Receiving your PIN.
Your card was assigned a 4-digit PIN when the account was created. When activating your card, you'll have the option of receiving your assigned PIN through the mail or customizing it to a number that's easier to remember. If you've already activated your card, and you do not know or want to customize your PIN, visit the Manage your PIN section on the customer service website or call the number on the back of your card.
Customizing your PIN.
If you choose to customize your PIN, your new PIN will not take effect for foreign transactions until you use your chip card at a chip-card terminal with a cashier. This first transaction will activate your customized PIN. You'll then be able to use the chip-and-PIN feature at unattended terminals overseas.
ATM transactions.
Don't forget, you can also use your PIN to withdraw cash at ATMs in the U.S. and worldwide. Please note that there is only one PIN issued to your account—for cash advances at ATMs and purchases at unattended PIN terminals. As the primary cardmember, you may share your PIN with authorized users at your discretion.
May 31, 2014, 1:31 am
#4693
Join Date: Nov 2012
Posts: 3,537
If you choose to customize your PIN, your new PIN will not take effect for foreign transactions until you use your chip card at a chip-card terminal with a cashier. This first transaction will activate your customized PIN. You'll then be able to use the chip-and-PIN feature at unattended terminals overseas.
Anyway, I'd love to see what they're doing. It sounds to me as if they're using an offline PIN and updating it by issuer script, which is something I understood to be a bit of a "no-no" (because in a point of sale terminal, you can't guarantee the card will remain in the terminal for the entire transaction, thus changing data by issuer script is risky; unlike an ATM which captures the card). I suppose the risk of corrupting a card could be seen as worth it for the convenience.
If so, there's no reason this couldn't be used for a true chip and PIN card also. Simply have a temporary PIN you use for the first transaction, at which point your permanent PIN is downloaded.
I'm not at all sure on this, but it may even be possible to switch a card to chip-and-PIN by issuer script, though I've never heard of this happening so I'm not sure if the CVM list can be re-written. If it can, this could be an ideal compromise, where people could opt-in to true chip and PIN and have it pushed at the next transaction.
May 31, 2014, 2:19 am
#4694
Join Date: Jan 2014
Location: Cambridge, MA, US
Programs: Hyatt, Amtrak
Posts: 26
Anyway, I'd love to see what they're doing. It sounds to me as if they're using an offline PIN and updating it by issuer script, which is something I understood to be a bit of a "no-no" (because in a point of sale terminal, you can't guarantee the card will remain in the terminal for the entire transaction, thus changing data by issuer script is risky; unlike an ATM which captures the card). I suppose the risk of corrupting a card could be seen as worth it for the convenience.
What I'm not clear on is: What exactly happens during that one-time EMV signature transaction? Is it just a purely normal signature transaction and all this happens transparently, or will the POS terminal do something special, like also ask you to type your PIN to verify the "update"? They specifically say in both the online description and in my printed docs that the transaction needs to be with a cashier present, so I'm not sure if that is because a human needs to be present to handle "special" steps?
Last edited by blue2000; May 31, 2014 at 2:26 am Reason: Added last paragraph
May 31, 2014, 2:29 am
#4695
Join Date: Nov 2012
Posts: 3,537
That was my take on it too. I first thought, "Wait--is this just a server-based, online PIN?", and started Googling and finding that there were relatively recent technologies allowing users to change an EMV PIN without physically going to a bank. But if there is PIN synchronization happening at a simple POS terminal, it's somewhat disconcerting that things are being written to the chip (not just read from it) at any random POS.
Historically, however, these are only used at the POS to remote kill cards to prevent offline use. Why? Because updating information on the card with an issuer script has the potential to corrupt the data on the card if there is an implementation issue, or, more likely the cardholder pulls their card out early. Thus, normal updates are traditionally reserved for ATMs that capture the card.
Apparently, Barclay's is throwing this out the window, sacrificing some reliability for convenience.
There is, however, no reason that this couldn't be done with a true chip and PIN card - they'd just need to provide a temporary PIN for the first use of the card. Or, potentially, even prefer ONLINE PIN verification, and update the offline PIN for situations offline PIN is required.