Sep 20, 2013, 11:40 am
Last edit by: philemer
Posts from 1/1/16 onward can be found here: http://www.flyertalk.com/forum/credit-card-programs/1739359-2016-onward-usa-emv-cards-availability-q-chip-pin-signature.html
EMV wikipost volunteers: kebosabi
What is EMV?
EMV is a defacto global standard of technology where there is a visible microchip on the front of the card. It looks like this:
Who issues them?
See Google Docs spreadsheet in Post #1
SFOAMS also has created a list of excellent webpage that shows US EMV cards in a more interactive interface
Another site, which lets you narrow the search for an EMV card by various parameters, is http://www.spotterswiki.com/emv/index.php.
Several credit unions issue some form of Chip-and-PIN credit cards or prepaid cards. Prepaid EMV cards however are not recommended due to junk fees. USAA (currently restricted to members of military) used to offer Chip-and-PIN cards, but as late has backtracked to Chip-and-Signature priority.
Hey that's a cool Google Docs list! I know others that aren't on that list. How can I help by adding them to the list?
My bad for not putting this into the wiki sooner. Right now, the Google Docs is locked out of editing and only in "read-only" view because there were instances in the past where people would just delete the rows not thinking that it affects others viewing the list.
If you promise not to delete any rows and input all the pertinent info (annual fee, rewards, FTF, etc.), I can provide you with edit access. Just shoot me a PM to kebosabi with your gmail address and I'll provide you edit access.
Thanks for helping out!
As of October 2014, no USA-based card issuer offers Chip-and-PIN priority cards except for BMO Harris (Diners Club) and UN Federal Credit Union. Other major USA-based banks such as BofA, Chase, Citi, as well as others issue Chip-and-Signature cards which may work at many automated kiosks. However, bear in mind the word may is used above is a context where there is no absolute certainty of success for certain environments such as automated kiosks due to different natures of offline and online transactions. It is highly recommended to read Post #3 which lists real life FTer examples on how Chip-and-Signature worked and did not work at various transaction environments.
Can I upgrade it right now?
If it's listed on that Google Docs spreadsheet or SFOAMS' Silk page, wouldn't hurt to call/twitter them for a free upgrade. If you get the response you don't like, hang up, try again.
What is the difference between Chip-and-Signature and Chip-and-PIN?
You insert the chipped card into the slot. The physical contact terminal will read the EMV chip and the terminal will automatically read the preferred cardholder verification methods (called CVM) for that card.
Chip-and-Signature means that the terminal will printout a receipt for you to sign. This is the most prevalent authentication for most US issued EMV cards. Chip-and-Signature helps in a way that it will get through to face-to-face merchant transactions where you and the merchant do not speak the same language.
Chip-and-PIN means that the terminal will prompt you to input a PIN for authentication. Some credit union issued credit cards will have this CVM as secondary if Chip-and-Signature cannot be done. Chip-and-PIN is the more prevalent method of authentication used outside the US, especially in transaction environments where no human interaction is needed (i.e. automated gas pumps, toll roads, train kiosks, etc.).
The Google Docs spreadsheet will list which CVM are used in the EMV cards listed. Some cards can only do Chip-and-Signature. Other cards can do both Chip-and-Signature and Chip-and-PIN. And others might have a third option called No CVM (no authentication needed) which is reserved for low value transactions.
One chip can hold a lot more data, therefore it is capable of doing multiple verification methods. That's one of the great things about EMV over the mag-stripe which can hold very little data.
I want to know for sure what my EMV chip does. Is there anyway I can test out my own EMV card to see what the CVM list is?
alexmt has written up a nice step-by-step procedure on Post #3615.
If most of the EMV cards in the US is the Chip-and-Signature type, doesn't that mean it's still useless abroad?
Depends if you see it as glass half empty or glass half full. See Post #3 for further details on how Chip-and-Signature has worked both successfully and unsuccessfully depending on the merchant transaction environment and use your best judgment whether which one is right for you.
Are there any places in the US that are accepting transactions via the EMV chip?
tmiw has created a dedicated Google maps webpage to show where EMV has been proven to work here: http://emvacceptedhere.com/ Per his Post #4240, feel free to add any places with active EMV terminals if you come across one.
As of 2014/05, the EMV terminals in most Walmarts and Sam's Clubs are being turned on. Hence, the best place to try them out would be your local Walmart or Sam's Club. For other merchants, it's slowly being phased in.
I hope people will post them in the Post your receipt of your 1st EMV based transaction in the US thread. cvarming has shown us an EMV transaction receipt from Brooklyn, NY in Post #2380. I myself had my first EMV based (Chip-and-Signature) transaction in two stores in the Los Angeles area, as shown in detail in Post #2705 (courtesy of WhatWhatTech for pointing these two stores out)
I don't want a chip in my card. I heard horror stories all over the media saying hackers can steal my credit card info from a mile away.
There are two types of chips. One is contactless and the other is contact. Cards can be either one or the other, or both.
In the Google Docs spreadsheet, the cards that are capable of contactless payments are listed seperately under the "RFID or NFC contactless chip" column. If it says yes, then that means it has the ability to do contactless payments. If it says no, it doesn't have that feature.
The one that the media has overhyped about hackers "stealing your information wirelessly" was the contactless type like this:
You are worried about this happening, right?
You don't have to worry. EMV is a chip standard that can have both contact and contactless interfaces. With the traditional contact interface, this means you actually have to physically insert the chip into a POS terminal for it to be authorized, like this:
With the contact interface, nothing is wireless. No data is sent out in a stand-alone contact type EMV chip. With the EMV contactless interface, data is sent wirelessly.
Furthermore, contactless chip cards are required to show a symbol (looks like Wi-Fi symbol) somewhere on the card that to denote it's capability as a contactless card. For example, here's an example of a Discover Card with contactless capability (in which Discover calls "Discover ZIP") showing the contactless symbol on the back of the card:
Don't believe everything that the media says. Besides, millions of people all over the world from London to Singapore, uses contactless payments daily in extremely crowded subways and mass transit with nary any problems. There are multiple layers of encrypted securities and keys that are needed to break the code.
Frankly, giving your physical card to a waiter/waitress who takes the card out of your view is much more susceptible to fraud than contactless payments.
Why should I care?
If you are an international traveler, you will want this because majority of the world has or in the process of converting to this payment format.
In fact, in 2012, even North Korea moved to the EMV format, leaving the US as one of the countries in the world that hasn't done so.
In addition, VISA, MC, AMEX, and Discover have all agreed to incentivize the USA shifting to EMV payments by 2015 by shifting liability for fraudulent transactions to merchants if they do not have EMV equipment and the cardholder has an EMV card. So if you travel internationally or would like to get one before the others, you might be interested in getting one.
BS! I had no problems using my card in [insert whereever country], [insert whatever point in time]
If you stick to the tourist path where they have lots of visitors from the US, you should have no problems using your mag-stripe only card in hotels and restaurants, at least for now. But as things can change as things go forward.
However, consider that once you start taking the off-beaten path, go to non-touristy places where they are not familiar with mag-stripes, rent a car and use toll roads, fill up gas, or try to buy train tickets you might end up into a trouble of the machine not recognizing your card because it lacks the chip. Furthermore, a lot of toll roads, gas pumps, and automated ticket machines lack any human assistance to help you when you need it the most.
But [insert credit card company] told me all merchants that display their logo must accept them! All I have to do is report them for violating their agreements, right?
There are several factors against this.
1. You can only speak English. The merchant representative, most likely a part-time clerk earning minimum wage, speaks in a different language, let's say French. If you have no French language skills, how are you going to get your point across? Are you going to whip out your cell phone at exorbitant int'l roaming charges and hope the customer service is going to translate it for you on the spot? Or maybe you might actually know French. But how about Swahili, Farsi, Balinese, or the multiple languages in mainland China?
2. Just like US, the rest of the world's businesses uses part-time minimum wage workers as cashiers to cut down on labor costs. Most of their SOP training manuals are written by MBA types to not to do anything they are not familiar with. Do not expect them to understand the intricate details of credit card mumbo jumbo. You don't expect Taco Bell employees to understand the minute details of Discover-JCB-Union Pay agreements, right? Same thing the other way around: be respectful as a guest in their country, prepare in advance in their ways, avoid being an "ugly American" stereotype.
3. You are a guest in their country. You are a minority. If 99.9% of their country's people and other tourists from around the world uses EMV, do you really think they are going to accomodate the 0.1% of American tourists who only have mag-stripes credit cards?
4. Again, you are a guest in their country. How would you, as an American standing in line, react if a Chinese tourist was clogging up the lines at a local Taco Bell because the clerk doesn't understand the Discover-Union Pay agreement and has trouble communicating between Mandarin spoken by the tourist and English spoken by the Taco Bell clerk? Same way the other way around. You do not want to clog up the lines for everyone. The less hassle, the better.
5. VISA and MC make tons of money from merchants in that country. Say SNCF French Rail. It's a billion dollar company in France. Do you think VISA is going to pull the plug of their relationship with SNCF because SNCF refuses to do mag-stripe processing at their unmanned train station kiosk? Of course not. Be realistic.
6. And lastly, if you're up against an unstaffed toll kiosk, gas pump or train ticket machine, are you going to yell curses at the machine?
But I want my credit card to be able to be used in the US too!
No worries. They have not gotten rid of the mag-stripe on the back of the card for backward compatibility reasons, just like we still have embossed numbers on our cards for backwards compatibility to using those old carbon copy imprinters.
[insert own Hyatt card image front and back together with red arrows pointing to all the backward compatibility features]
You use the chip on the front of the card abroad (for now), and the mag-stripe just like any other card for the US. Basically, you're increasing your credit card's acceptance rate by getting a card that both via the chip and the mag-stripe. You're getting a better deal for free.
And when 2015 comes along and US switches to EMV, you'll be way ahead of everyone else too!
So why did the rest of the world and the US moved/moving toward EMV?
Primarily, due to fraud concerns. You see, the mag-stripe has been with us since the 1950s. It may have been the most high tech thing back in the day, but with the technology that is available today, any shmo can pick up a $100 USB magnetic card skimming device off of eBay and get your credit card info.
And unlike skimming off contactless cards which actually need the person to have l33t programming skills, skimming off a magnetic stripe has become so ubiquitous that nary a day goes about skimming fraud going on somewhere in America, from gas pumps, Michael's stores (2011), Target breaches (2013), restaurant waiters/waitresses, to even McDonald's drive thrus.
https://www.google.com/search?q=skimming+fraud
These type of fraud used to be prevalent in Europe. But once they started switching over to EMV starting over 2 decades ago, this type of fraud went elsewhere. It went over to Asia, Canada and Mexico, Latin America, etc. etc. until they too began implementing EMV to combat skimming fraud. The US is practically the only country left that hasn't done so, therefore all the fraud that used to take place elsewhere is now happening here.
But EMV is old and it's not fool proof. Shouldn't we just skip over it and do something new instead?
Yes, EMV is old. It was developed in the 1990s and its smart card payment predecessor was first introduced in France. But as of today, it has become the defacto global standard of payments.
But then, what else is there? There is no other de facto global standard of payments alternative. For example, if we decide to skip over it and do something new, hypothetically like DNA matching technology, it still means US int'l travelers will continue to have problems abroad with useless plastic acceptance because no other country is using this DNA matching technology except the US.
Besides, nothing is fool proof. You can say that the bank vault isn't fool proof because you can crack it open if enough C4 is used. But your average low-life scumbag isn't likely to get military grade C4 easily either. But the bank vault does make it harder to get the bank's money over say a petty cash box. That's the point here. EMV is akin to a security tight bank vault, the old mag-stripe is akin to a petty cash box lying around inside the drawer.
I'm a business owner and I don't think EMV is going to take off. I'm not going to spend extra hundreds of dollars to upgrade my credit card machine. Convince me other wise why I should.
I can understand the added extra cost to your business once this switchover takes place. But before even saying that, look at your existing POS terminal. Does it have a slot somewhere to insert a card?
Most likely, if you had replaced your POS terminal within the past five years, you already have an EMV capable terminal. EMV is basically just not turned on yet from the processor and acquirer side.
If you have an EMV capable terminal, then a best bet would be to contact your acquirer to have the EMV feature turned on. You did your end of the deal already by having an EMV capable terminal, it is now the acquirers' responsibility to turn it on in accordance to the EMV switchover mandate.
And if you don't, you are going to replace your POS terminal anyway from common wear and tear. It isn't a hard switch-over. You can continue to use your POS terminal until it dies out because EMV cardholders will still have the mag-stripe on the back. And by the time your non-EMV capable POS terminal is up for replacement the market will be full with these newer POS terminals that can accept the mag-stripe, EMV, as well as contactless payments.
In addition, you may also want to check with your acquirer or processor about EMV capable terminals. Some of them are willing to replace your terminal for free in preparation for the US EMV switchover. Call and ask for details.
But what's in it for me? I'm the one that has to pay for the upgrade.
All the major card networks have given incentives for merchants for the upcoming EMV switchover.
If 75% or more of your credit card transactions are done on an EMV contact and contactless terminal, they are going to waive your annual PCI-DSS fees, which usually costs you around $5.00-$19.95/month per terminal. The overall long term cost savings of those compliance fees will be larger than the cost of an one time upgrade for the terminal.
The downside is that once EMV switchover happens and if you do not have a POS terminal that is able to accept EMV, the fraud liability shifts over to the merchant.
I own several fast food franchises. If I upgrade my POS terminals at all of my restaurants, it's going to cost me thousands, if not millions. I don't think anyone is going to use a fake credit card to buy $5 burgers. And if they do, wouldn't it be cheaper for me to eat the fraud cost?
Remember also that fraud isn't just committed by dishonest customers using fraudulent cards. Fraud can also happen with dishonest employees skimming off credit card data from the mag-stripe as in the case of a teenage McDonald's drive thru employee skimming off $13,000 of customers' credit cards in Olympia, WA. Consider the public relations fall out that your business may have if this happens (i.e. the big Target breach of 2013, where someone used a mag stripe card to load malware INTO Target's system). Is it worth risking to take such a huge PR disaster?
EMV wikipost volunteers: kebosabi
What is EMV?
EMV is a defacto global standard of technology where there is a visible microchip on the front of the card. It looks like this:
Who issues them?
See Google Docs spreadsheet in Post #1
SFOAMS also has created a list of excellent webpage that shows US EMV cards in a more interactive interface
Another site, which lets you narrow the search for an EMV card by various parameters, is http://www.spotterswiki.com/emv/index.php.
Several credit unions issue some form of Chip-and-PIN credit cards or prepaid cards. Prepaid EMV cards however are not recommended due to junk fees. USAA (currently restricted to members of military) used to offer Chip-and-PIN cards, but as late has backtracked to Chip-and-Signature priority.
Hey that's a cool Google Docs list! I know others that aren't on that list. How can I help by adding them to the list?
My bad for not putting this into the wiki sooner. Right now, the Google Docs is locked out of editing and only in "read-only" view because there were instances in the past where people would just delete the rows not thinking that it affects others viewing the list.
If you promise not to delete any rows and input all the pertinent info (annual fee, rewards, FTF, etc.), I can provide you with edit access. Just shoot me a PM to kebosabi with your gmail address and I'll provide you edit access.
Thanks for helping out!
As of October 2014, no USA-based card issuer offers Chip-and-PIN priority cards except for BMO Harris (Diners Club) and UN Federal Credit Union. Other major USA-based banks such as BofA, Chase, Citi, as well as others issue Chip-and-Signature cards which may work at many automated kiosks. However, bear in mind the word may is used above is a context where there is no absolute certainty of success for certain environments such as automated kiosks due to different natures of offline and online transactions. It is highly recommended to read Post #3 which lists real life FTer examples on how Chip-and-Signature worked and did not work at various transaction environments.
Can I upgrade it right now?
If it's listed on that Google Docs spreadsheet or SFOAMS' Silk page, wouldn't hurt to call/twitter them for a free upgrade. If you get the response you don't like, hang up, try again.
What is the difference between Chip-and-Signature and Chip-and-PIN?
You insert the chipped card into the slot. The physical contact terminal will read the EMV chip and the terminal will automatically read the preferred cardholder verification methods (called CVM) for that card.
Chip-and-Signature means that the terminal will printout a receipt for you to sign. This is the most prevalent authentication for most US issued EMV cards. Chip-and-Signature helps in a way that it will get through to face-to-face merchant transactions where you and the merchant do not speak the same language.
Chip-and-PIN means that the terminal will prompt you to input a PIN for authentication. Some credit union issued credit cards will have this CVM as secondary if Chip-and-Signature cannot be done. Chip-and-PIN is the more prevalent method of authentication used outside the US, especially in transaction environments where no human interaction is needed (i.e. automated gas pumps, toll roads, train kiosks, etc.).
The Google Docs spreadsheet will list which CVM are used in the EMV cards listed. Some cards can only do Chip-and-Signature. Other cards can do both Chip-and-Signature and Chip-and-PIN. And others might have a third option called No CVM (no authentication needed) which is reserved for low value transactions.
One chip can hold a lot more data, therefore it is capable of doing multiple verification methods. That's one of the great things about EMV over the mag-stripe which can hold very little data.
I want to know for sure what my EMV chip does. Is there anyway I can test out my own EMV card to see what the CVM list is?
alexmt has written up a nice step-by-step procedure on Post #3615.
If most of the EMV cards in the US is the Chip-and-Signature type, doesn't that mean it's still useless abroad?
Depends if you see it as glass half empty or glass half full. See Post #3 for further details on how Chip-and-Signature has worked both successfully and unsuccessfully depending on the merchant transaction environment and use your best judgment whether which one is right for you.
Are there any places in the US that are accepting transactions via the EMV chip?
tmiw has created a dedicated Google maps webpage to show where EMV has been proven to work here: http://emvacceptedhere.com/ Per his Post #4240, feel free to add any places with active EMV terminals if you come across one.
As of 2014/05, the EMV terminals in most Walmarts and Sam's Clubs are being turned on. Hence, the best place to try them out would be your local Walmart or Sam's Club. For other merchants, it's slowly being phased in.
I hope people will post them in the Post your receipt of your 1st EMV based transaction in the US thread. cvarming has shown us an EMV transaction receipt from Brooklyn, NY in Post #2380. I myself had my first EMV based (Chip-and-Signature) transaction in two stores in the Los Angeles area, as shown in detail in Post #2705 (courtesy of WhatWhatTech for pointing these two stores out)
I don't want a chip in my card. I heard horror stories all over the media saying hackers can steal my credit card info from a mile away.
There are two types of chips. One is contactless and the other is contact. Cards can be either one or the other, or both.
In the Google Docs spreadsheet, the cards that are capable of contactless payments are listed seperately under the "RFID or NFC contactless chip" column. If it says yes, then that means it has the ability to do contactless payments. If it says no, it doesn't have that feature.
The one that the media has overhyped about hackers "stealing your information wirelessly" was the contactless type like this:
You are worried about this happening, right?
You don't have to worry. EMV is a chip standard that can have both contact and contactless interfaces. With the traditional contact interface, this means you actually have to physically insert the chip into a POS terminal for it to be authorized, like this:
With the contact interface, nothing is wireless. No data is sent out in a stand-alone contact type EMV chip. With the EMV contactless interface, data is sent wirelessly.
Furthermore, contactless chip cards are required to show a symbol (looks like Wi-Fi symbol) somewhere on the card that to denote it's capability as a contactless card. For example, here's an example of a Discover Card with contactless capability (in which Discover calls "Discover ZIP") showing the contactless symbol on the back of the card:
Don't believe everything that the media says. Besides, millions of people all over the world from London to Singapore, uses contactless payments daily in extremely crowded subways and mass transit with nary any problems. There are multiple layers of encrypted securities and keys that are needed to break the code.
Frankly, giving your physical card to a waiter/waitress who takes the card out of your view is much more susceptible to fraud than contactless payments.
Why should I care?
If you are an international traveler, you will want this because majority of the world has or in the process of converting to this payment format.
In fact, in 2012, even North Korea moved to the EMV format, leaving the US as one of the countries in the world that hasn't done so.
In addition, VISA, MC, AMEX, and Discover have all agreed to incentivize the USA shifting to EMV payments by 2015 by shifting liability for fraudulent transactions to merchants if they do not have EMV equipment and the cardholder has an EMV card. So if you travel internationally or would like to get one before the others, you might be interested in getting one.
BS! I had no problems using my card in [insert whereever country], [insert whatever point in time]
If you stick to the tourist path where they have lots of visitors from the US, you should have no problems using your mag-stripe only card in hotels and restaurants, at least for now. But as things can change as things go forward.
However, consider that once you start taking the off-beaten path, go to non-touristy places where they are not familiar with mag-stripes, rent a car and use toll roads, fill up gas, or try to buy train tickets you might end up into a trouble of the machine not recognizing your card because it lacks the chip. Furthermore, a lot of toll roads, gas pumps, and automated ticket machines lack any human assistance to help you when you need it the most.
But [insert credit card company] told me all merchants that display their logo must accept them! All I have to do is report them for violating their agreements, right?
There are several factors against this.
1. You can only speak English. The merchant representative, most likely a part-time clerk earning minimum wage, speaks in a different language, let's say French. If you have no French language skills, how are you going to get your point across? Are you going to whip out your cell phone at exorbitant int'l roaming charges and hope the customer service is going to translate it for you on the spot? Or maybe you might actually know French. But how about Swahili, Farsi, Balinese, or the multiple languages in mainland China?
2. Just like US, the rest of the world's businesses uses part-time minimum wage workers as cashiers to cut down on labor costs. Most of their SOP training manuals are written by MBA types to not to do anything they are not familiar with. Do not expect them to understand the intricate details of credit card mumbo jumbo. You don't expect Taco Bell employees to understand the minute details of Discover-JCB-Union Pay agreements, right? Same thing the other way around: be respectful as a guest in their country, prepare in advance in their ways, avoid being an "ugly American" stereotype.
3. You are a guest in their country. You are a minority. If 99.9% of their country's people and other tourists from around the world uses EMV, do you really think they are going to accomodate the 0.1% of American tourists who only have mag-stripes credit cards?
4. Again, you are a guest in their country. How would you, as an American standing in line, react if a Chinese tourist was clogging up the lines at a local Taco Bell because the clerk doesn't understand the Discover-Union Pay agreement and has trouble communicating between Mandarin spoken by the tourist and English spoken by the Taco Bell clerk? Same way the other way around. You do not want to clog up the lines for everyone. The less hassle, the better.
5. VISA and MC make tons of money from merchants in that country. Say SNCF French Rail. It's a billion dollar company in France. Do you think VISA is going to pull the plug of their relationship with SNCF because SNCF refuses to do mag-stripe processing at their unmanned train station kiosk? Of course not. Be realistic.
6. And lastly, if you're up against an unstaffed toll kiosk, gas pump or train ticket machine, are you going to yell curses at the machine?
But I want my credit card to be able to be used in the US too!
No worries. They have not gotten rid of the mag-stripe on the back of the card for backward compatibility reasons, just like we still have embossed numbers on our cards for backwards compatibility to using those old carbon copy imprinters.
[insert own Hyatt card image front and back together with red arrows pointing to all the backward compatibility features]
You use the chip on the front of the card abroad (for now), and the mag-stripe just like any other card for the US. Basically, you're increasing your credit card's acceptance rate by getting a card that both via the chip and the mag-stripe. You're getting a better deal for free.
And when 2015 comes along and US switches to EMV, you'll be way ahead of everyone else too!
So why did the rest of the world and the US moved/moving toward EMV?
Primarily, due to fraud concerns. You see, the mag-stripe has been with us since the 1950s. It may have been the most high tech thing back in the day, but with the technology that is available today, any shmo can pick up a $100 USB magnetic card skimming device off of eBay and get your credit card info.
And unlike skimming off contactless cards which actually need the person to have l33t programming skills, skimming off a magnetic stripe has become so ubiquitous that nary a day goes about skimming fraud going on somewhere in America, from gas pumps, Michael's stores (2011), Target breaches (2013), restaurant waiters/waitresses, to even McDonald's drive thrus.
https://www.google.com/search?q=skimming+fraud
These type of fraud used to be prevalent in Europe. But once they started switching over to EMV starting over 2 decades ago, this type of fraud went elsewhere. It went over to Asia, Canada and Mexico, Latin America, etc. etc. until they too began implementing EMV to combat skimming fraud. The US is practically the only country left that hasn't done so, therefore all the fraud that used to take place elsewhere is now happening here.
But EMV is old and it's not fool proof. Shouldn't we just skip over it and do something new instead?
Yes, EMV is old. It was developed in the 1990s and its smart card payment predecessor was first introduced in France. But as of today, it has become the defacto global standard of payments.
But then, what else is there? There is no other de facto global standard of payments alternative. For example, if we decide to skip over it and do something new, hypothetically like DNA matching technology, it still means US int'l travelers will continue to have problems abroad with useless plastic acceptance because no other country is using this DNA matching technology except the US.
Besides, nothing is fool proof. You can say that the bank vault isn't fool proof because you can crack it open if enough C4 is used. But your average low-life scumbag isn't likely to get military grade C4 easily either. But the bank vault does make it harder to get the bank's money over say a petty cash box. That's the point here. EMV is akin to a security tight bank vault, the old mag-stripe is akin to a petty cash box lying around inside the drawer.
I'm a business owner and I don't think EMV is going to take off. I'm not going to spend extra hundreds of dollars to upgrade my credit card machine. Convince me other wise why I should.
I can understand the added extra cost to your business once this switchover takes place. But before even saying that, look at your existing POS terminal. Does it have a slot somewhere to insert a card?
Most likely, if you had replaced your POS terminal within the past five years, you already have an EMV capable terminal. EMV is basically just not turned on yet from the processor and acquirer side.
If you have an EMV capable terminal, then a best bet would be to contact your acquirer to have the EMV feature turned on. You did your end of the deal already by having an EMV capable terminal, it is now the acquirers' responsibility to turn it on in accordance to the EMV switchover mandate.
And if you don't, you are going to replace your POS terminal anyway from common wear and tear. It isn't a hard switch-over. You can continue to use your POS terminal until it dies out because EMV cardholders will still have the mag-stripe on the back. And by the time your non-EMV capable POS terminal is up for replacement the market will be full with these newer POS terminals that can accept the mag-stripe, EMV, as well as contactless payments.
In addition, you may also want to check with your acquirer or processor about EMV capable terminals. Some of them are willing to replace your terminal for free in preparation for the US EMV switchover. Call and ask for details.
But what's in it for me? I'm the one that has to pay for the upgrade.
All the major card networks have given incentives for merchants for the upcoming EMV switchover.
If 75% or more of your credit card transactions are done on an EMV contact and contactless terminal, they are going to waive your annual PCI-DSS fees, which usually costs you around $5.00-$19.95/month per terminal. The overall long term cost savings of those compliance fees will be larger than the cost of an one time upgrade for the terminal.
The downside is that once EMV switchover happens and if you do not have a POS terminal that is able to accept EMV, the fraud liability shifts over to the merchant.
I own several fast food franchises. If I upgrade my POS terminals at all of my restaurants, it's going to cost me thousands, if not millions. I don't think anyone is going to use a fake credit card to buy $5 burgers. And if they do, wouldn't it be cheaper for me to eat the fraud cost?
Remember also that fraud isn't just committed by dishonest customers using fraudulent cards. Fraud can also happen with dishonest employees skimming off credit card data from the mag-stripe as in the case of a teenage McDonald's drive thru employee skimming off $13,000 of customers' credit cards in Olympia, WA. Consider the public relations fall out that your business may have if this happens (i.e. the big Target breach of 2013, where someone used a mag stripe card to load malware INTO Target's system). Is it worth risking to take such a huge PR disaster?
USA EMV cards: Availability, Q&A (Chip & PIN -or- Chip & Signature) [2012-2015]
Jul 22, 2014, 2:35 am
#5596
Join Date: Jul 2012
Location: Canada
Programs: BA Gold (OWE), Star Alliance Gold, Hilton Diamond
Posts: 2,194
I have long wondered whether fraudsters could simply change the flag on the magstripe that marks the card has having a chip.
I can only presume that there IS additional checking.
I've had one or two transactions in the UK fall back to magstripe (with signature) because of a fault with the retailer's terminal.
I can only presume that there IS additional checking.
I've had one or two transactions in the UK fall back to magstripe (with signature) because of a fault with the retailer's terminal.
Jul 22, 2014, 3:16 am
#5597
FlyerTalk Evangelist
Join Date: Dec 2009
Location: HaMerkaz/Exit 145
Programs: UA, LY, BA, AA
Posts: 13,167
I received an e-mail from Citi today instructing how to perform a chip-and-signature transaction:
Now that you have a Citi® Platinum Select® / AAdvantage® Card with Chip you may begin noticing chip enabled terminals at some of your favorite retailers. Paying with your Chip Card is simple, convenient, and it offers enhanced security protecting you from counterfeit fraud when you use your card at chip enabled terminals.
1. Insert your card into the chip enabled terminal and press the green button to accept the amount (no PIN required)
2. Be sure to leave your card in the terminal and wait for authorization before removing your card
3. Sign the receipt – and off you go!
Remember, you can still use your card like you normally would at merchants without chip terminals and for online purchases too.
The e-mail even has a link to this video showing an EMV transaction.
Now that you have a Citi® Platinum Select® / AAdvantage® Card with Chip you may begin noticing chip enabled terminals at some of your favorite retailers. Paying with your Chip Card is simple, convenient, and it offers enhanced security protecting you from counterfeit fraud when you use your card at chip enabled terminals.
1. Insert your card into the chip enabled terminal and press the green button to accept the amount (no PIN required)
2. Be sure to leave your card in the terminal and wait for authorization before removing your card
3. Sign the receipt – and off you go!
Remember, you can still use your card like you normally would at merchants without chip terminals and for online purchases too.
The e-mail even has a link to this video showing an EMV transaction.
And that's what grinds my gears
Glass Driverless Cars Ad Blocker Plugin?
Jul 22, 2014, 4:15 am
#5598
FlyerTalk Evangelist
Join Date: Dec 2009
Location: HaMerkaz/Exit 145
Programs: UA, LY, BA, AA
Posts: 13,167
Wow - the Coin FAQ page is shockingly incorrect. Chip&Sign is hybrid because it maintains magnetic stripe? 
Jul 22, 2014, 5:52 am
#5599
Join Date: Feb 2010
Location: US
Programs: (PM)AA SPG (Marriott), Hilton
Posts: 1,040
The pieces of the next gen card payment authentication systems are here today. Likely biometrics. The state of Texas is now taking the same 10 fingerprints for RMV renewals, that used to be only taken from those arrested.
Like EMV PIN changes, that can only happen at special terminals, you'll probably go to a bank to swipe your thumb to activate the card. EMV with biometrics with, or instead of, PIN or Signature. Problems and complaints will still exist.
To quote William Gibson: The future is here. It's just not evenly distributed.
With EMV rollout, it's the same, it's here, just not everywhere.
Jul 22, 2014, 7:33 am
#5600
Join Date: Jul 2007
Posts: 1,762
Glass and Uber are here today, driverless cars exist, but haven't passed the 'gut' check yet: legislative permission to operate on regular roads. Even Uber is having growing pains in certain areas. The technology for hoverboards seems to still be in the future.
The pieces of the next gen card payment authentication systems are here today. Likely biometrics. The state of Texas is now taking the same 10 fingerprints for RMV renewals, that used to be only taken from those arrested.
Like EMV PIN changes, that can only happen at special terminals, you'll probably go to a bank to swipe your thumb to activate the card. EMV with biometrics with, or instead of, PIN or Signature. Problems and complaints will still exist.
To quote William Gibson: The future is here. It's just not evenly distributed.
With EMV rollout, it's the same, it's here, just not everywhere.
The pieces of the next gen card payment authentication systems are here today. Likely biometrics. The state of Texas is now taking the same 10 fingerprints for RMV renewals, that used to be only taken from those arrested.
Like EMV PIN changes, that can only happen at special terminals, you'll probably go to a bank to swipe your thumb to activate the card. EMV with biometrics with, or instead of, PIN or Signature. Problems and complaints will still exist.
To quote William Gibson: The future is here. It's just not evenly distributed.
With EMV rollout, it's the same, it's here, just not everywhere.
Let's not forget. The banks make lots of money on their plastic payment systems and a small amount of fraud and despite its increase recently, it's still relatively small in the scheme of things, is the price of doing business. To the banks, why try to fix somehting they don't consider broke?
The reality and you can see it clearly they didn't want to go into emv. Target finally got to them thinking the government is going to intervene if they don't do something. Obviously that's one of the reasons they went chip and signature instead of chip and pin perhaps.
Jul 22, 2014, 8:05 am
#5601
Join Date: Jul 2009
Location: SJC
Programs: AA, AS, Marriott
Posts: 6,060
All this might be true but what about the costs of implementing such a system. And how many people will refuse for whatever the reason, valid or not. I know people, for example around here, who won't get an EZ Pass for toll payments because they're afraid the government will use it to track them.
...
The reality and you can see it clearly they didn't want to go into emv. Target finally got to them thinking the government is going to intervene if they don't do something. Obviously that's one of the reasons they went chip and signature instead of chip and pin perhaps.
...
The reality and you can see it clearly they didn't want to go into emv. Target finally got to them thinking the government is going to intervene if they don't do something. Obviously that's one of the reasons they went chip and signature instead of chip and pin perhaps.
I think you're right that there was a reluctance to move to EMV before the Target breach. However, certain issuers such as Citi, Chase, AmEx, and BoA had started to roll out EMV cards prior to the Target breach. I think we still would have seen a push for the October 2015 liability shift because of this. While the card issuers have willingly eaten the fraud costs so far, the fact that some big issuers started coming out with EMV cards meant that the standoff had been broken. Smaller merchants (and probably some of the larger ones too) would have been forced into changing over to an EMV POS terminal after the liability shift. While large retailers can absorb some fraud costs, smaller retailers have less of an ability to do this. Imagine a mom and pop convenience store getting smacked with $2,000 in chargebacks due to cloned credit cards. If your store's profit is only $50,000/year, that's a huge hit.
I also think this is why the US will eventually move to chip-and-PIN. Do you notice how everyone outside of the US seems to scrutinize the card signature with the receipt, trying to act like a handwriting recognition expert? I think the same thing will start to happen here after businesses will no longer be able to pass the buck as easily back to the issuer. I believe we will see more chargeback situations since presumably EMV will slash card present fraud. For example, in the case where the cardholder says, "I didn't make that purchase." for an EMV card present transaction, then the issuer is likely to file a chargeback. (We assume with EMV chip-and-signature that a fraudulent card present transaction wouldn't happen unless the card were lost or stolen.) Without EMV, there's a little more defense for the merchant if the card was a clone since the merchant would compare the signature on the cloned card to the person making the purchase, and they'd match. After awhile, issuers, merchants, and customers will grow tired of this and come to the conclusion that signature verification isn't really the best way to go and at that point signature-based verification will fall out of favor.
Jul 22, 2014, 9:05 am
#5602
Join Date: Jul 2006
Location: LAX
Programs: AA EXP 1.5MM, Asiana Club Silver, KE Morning Calm, Hyatt Platinum, Amtrak Select
Posts: 7,161
Instead, more heat would come from the labor unions whose jobs would take a nose-dive when Google driverless cars happen: taxis cab drivers, airport shuttle drivers, public transit bus drivers, Teamsters, etc.
Think about it, if driverless cars can happen, sooner or later, it would evolve to the point of driverless vans, package delivery trucks, buses and 18-wheelers. And if you're the head of a taxi cab company, a board member of UPS, the chief head of the NYC Metro bus, or own a company fleet of freight trucks, wouldn't it be heck of a savings to gut the entire union demands because now their entire job can be done by a computer?
Put the act of handing over a credit card to the waiter or clerk so they can check if the signature matches with the receipt in an era of Google Glass and you have a total security nightmare.
"Oh gee, I have the cardholder's card in my possession for a few seconds, I can take a picture of it with my Glass!"
The way we're at the dawn of wearable devices, sooner or later it has to go the way of never, ever, letting go of your credit card to anyone even for a split second. With that, even handing over the card to the clerk so that they can check if the signature matches with the receipt will also become a no-no.
Last edited by kebosabi; Jul 22, 2014 at 9:25 am
Jul 22, 2014, 10:00 am
#5603
Join Date: Jul 2007
Posts: 1,762
The people who don't want to get an EZ Pass are likely the same who still pay cash for almost everything.
I think you're right that there was a reluctance to move to EMV before the Target breach. However, certain issuers such as Citi, Chase, AmEx, and BoA had started to roll out EMV cards prior to the Target breach. I think we still would have seen a push for the October 2015 liability shift because of this. While the card issuers have willingly eaten the fraud costs so far, the fact that some big issuers started coming out with EMV cards meant that the standoff had been broken. Smaller merchants (and probably some of the larger ones too) would have been forced into changing over to an EMV POS terminal after the liability shift. While large retailers can absorb some fraud costs, smaller retailers have less of an ability to do this. Imagine a mom and pop convenience store getting smacked with $2,000 in chargebacks due to cloned credit cards. If your store's profit is only $50,000/year, that's a huge hit.
I also think this is why the US will eventually move to chip-and-PIN. Do you notice how everyone outside of the US seems to scrutinize the card signature with the receipt, trying to act like a handwriting recognition expert? I think the same thing will start to happen here after businesses will no longer be able to pass the buck as easily back to the issuer. I believe we will see more chargeback situations since presumably EMV will slash card present fraud. For example, in the case where the cardholder says, "I didn't make that purchase." for an EMV card present transaction, then the issuer is likely to file a chargeback. (We assume with EMV chip-and-signature that a fraudulent card present transaction wouldn't happen unless the card were lost or stolen.) Without EMV, there's a little more defense for the merchant if the card was a clone since the merchant would compare the signature on the cloned card to the person making the purchase, and they'd match. After awhile, issuers, merchants, and customers will grow tired of this and come to the conclusion that signature verification isn't really the best way to go and at that point signature-based verification will fall out of favor.
I think you're right that there was a reluctance to move to EMV before the Target breach. However, certain issuers such as Citi, Chase, AmEx, and BoA had started to roll out EMV cards prior to the Target breach. I think we still would have seen a push for the October 2015 liability shift because of this. While the card issuers have willingly eaten the fraud costs so far, the fact that some big issuers started coming out with EMV cards meant that the standoff had been broken. Smaller merchants (and probably some of the larger ones too) would have been forced into changing over to an EMV POS terminal after the liability shift. While large retailers can absorb some fraud costs, smaller retailers have less of an ability to do this. Imagine a mom and pop convenience store getting smacked with $2,000 in chargebacks due to cloned credit cards. If your store's profit is only $50,000/year, that's a huge hit.
I also think this is why the US will eventually move to chip-and-PIN. Do you notice how everyone outside of the US seems to scrutinize the card signature with the receipt, trying to act like a handwriting recognition expert? I think the same thing will start to happen here after businesses will no longer be able to pass the buck as easily back to the issuer. I believe we will see more chargeback situations since presumably EMV will slash card present fraud. For example, in the case where the cardholder says, "I didn't make that purchase." for an EMV card present transaction, then the issuer is likely to file a chargeback. (We assume with EMV chip-and-signature that a fraudulent card present transaction wouldn't happen unless the card were lost or stolen.) Without EMV, there's a little more defense for the merchant if the card was a clone since the merchant would compare the signature on the cloned card to the person making the purchase, and they'd match. After awhile, issuers, merchants, and customers will grow tired of this and come to the conclusion that signature verification isn't really the best way to go and at that point signature-based verification will fall out of favor.
Then, as they say, along came Target. Although you and I know cloning has been going on for years, well people still don't know the difference between credit card fraud and identity theft. In the scheme of things, I think you would agree with me, that the no liability policies of the bank make credit card fraud for the most part an inconvenience (yes it was a pain to change all my credit card accounts with various utilities and the like but then again I have to do the same whenver the expiration date changes every 3 years and although it's inconvenient, in an hour or so it's all done. What I wish is somebody can devise software to handle all these automatic payees, the card account and have the ability to notify all the merchants of a changed number. All you software developers, something to work on, eh). Identity theft of course is a horse of a different color and while the data breaches at Target could lead to an increase in credit card fraud, in and of itself it probably would not lead to identity theft. But I digress.
Anyway along came Target and the pressure began to increase and, as I said, I believe that visa, mastercard and the banks really feared government intervention. They may have even feared being pushed into chip and pin which obviously most have decided might prove to be costly both in terms of back office operations and in discouraging some from using their cards. Their bean counters are very good at this sort of thing and we here, having people probably of above average inteligence and experience with these things, are not the typical Americans.
For that reason, after spending whatevr it's going to cost for the changeover I don't see another changeover for at least a decade. I could be wrong but that's my opinion and certainly I know nothing more than anybody else here but that seems to be what the evidence here suggests.
Jul 22, 2014, 10:12 am
#5604
Join Date: Jul 2009
Location: SJC
Programs: AA, AS, Marriott
Posts: 6,060
Originally Posted by kebosabi
Legislative permission is a non-issue. Google driverless cars is legal for testing in CA and NV. If Google driverless cars is good enough for CA (major test will be in car-culture LA), I'm sure it would be good enough for the rest of the US.
Instead, more heat would come from the labor unions whose jobs would take a nose-dive when Google driverless cars happen: taxis cab drivers, airport shuttle drivers, public transit bus drivers, Teamsters, etc.
Instead, more heat would come from the labor unions whose jobs would take a nose-dive when Google driverless cars happen: taxis cab drivers, airport shuttle drivers, public transit bus drivers, Teamsters, etc.
I was telling my insurance agent out here about things like Lyft and Airbnb, and he was shaking his head at the insurance implications of such an arrangement. What's interesting is that with Airbnb it's simple because insurance companies have a provision boarder rider on most renter or home owner policies. With Lyft, even though the company gives you liability insurance iirc, it still opens the door of who's primary in that case. I'm sure these things will be worked out over time, but like EMV the established players will be dragging their heels the whole way.
Originally Posted by kebosabi
The way we're at the dawn of wearable devices, sooner or later it has to go the way of never, ever, letting go of your credit card to anyone even for a split second. With that, even handing over the card to the clerk so that they can check if the signature matches with the receipt will also become a no-no.
Jul 22, 2014, 10:24 am
#5605
Join Date: Jul 2009
Location: SJC
Programs: AA, AS, Marriott
Posts: 6,060
Anyway along came Target and the pressure began to increase and, as I said, I believe that visa, mastercard and the banks really feared government intervention. They may have even feared being pushed into chip and pin which obviously most have decided might prove to be costly both in terms of back office operations and in discouraging some from using their cards. Their bean counters are very good at this sort of thing and we here, having people probably of above average inteligence and experience with these things, are not the typical Americans.
For that reason, after spending whatevr it's going to cost for the changeover I don't see another changeover for at least a decade. I could be wrong but that's my opinion and certainly I know nothing more than anybody else here but that seems to be what the evidence here suggests.
For that reason, after spending whatevr it's going to cost for the changeover I don't see another changeover for at least a decade. I could be wrong but that's my opinion and certainly I know nothing more than anybody else here but that seems to be what the evidence here suggests.
Jul 22, 2014, 11:06 am
#5606
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
I do think banks feared government intervention, but it's hard to say definitively that the changeover wouldn't have happened without the Target breach. I think the Target breach was a conversation starter, and it got a lot of the talking heads in the payment industry pointing out EMV as an option. I still think we'll see a changeover to chip-and-PIN as it's not as big of a jump like from swipe-and-sign to chip-and-signature. The acquirers already have to support PIN-based transactions if they support EMV, so it would simply be a matter of reprogramming the CVM on the card itself.
Jul 22, 2014, 11:45 am
#5607
Join Date: Feb 2010
Location: US
Programs: (PM)AA SPG (Marriott), Hilton
Posts: 1,040
EUR, US, everyone does some things different. If EUR had their way at one point, we'll be all on X.25 instead of IP. In the end, when two different technologies do the same task, the features eventually converge. In the US, it might become instead of requesting a EMV card, or keeping a magstripe, you can request an EMV card, but choose the first CVM: Signature or PIN. Done this way, after the initial rollout, issuers would get an idea for real demand for one or the other flavor.
The goal of EMV is to make it too expensive to clone a chip and buy time. While people are trying to figure out how to cheaply clone or bypass EMV, researchers are working out the next big thing. In the end, it's an ongoing race that never ends.
Jul 22, 2014, 12:44 pm
#5608
Join Date: Jul 2006
Location: LAX
Programs: AA EXP 1.5MM, Asiana Club Silver, KE Morning Calm, Hyatt Platinum, Amtrak Select
Posts: 7,161
The problem beyond the labor issues is who is liable when the inevitable happens? So the driverless car isn't supposed to get into accidents, but what happens when one does. Most accidents right now are attributable to driver error and have a clear driver at fault. However, if a computer is driving the car at the time and is deemed to be at fault in an accident, is the human "driver" of that car liable? Is the manufacturer of the autopilot? There's too much in the way of legal precedent, actuarial statistics, insurance regulations, laws, etc. that have to change.
My guess: Google will come out strong, change the entire game and say "we stand by that driverless cars are so safe, that in the inevitable case where an accident happens and deemed that we are at fault, Google will pay for everything!"
EUR, US, everyone does some things different. If EUR had their way at one point, we'll be all on X.25 instead of IP. In the end, when two different technologies do the same task, the features eventually converge. In the US, it might become instead of requesting a EMV card, or keeping a magstripe, you can request an EMV card, but choose the first CVM: Signature or PIN. Done this way, after the initial rollout, issuers would get an idea for real demand for one or the other flavor.
As you stated, that would be the most ideal compromise. Get an EMV card, set it up online through online banking website to what CVM you prefer, auto-updates the CVM list the next time you stick your card into the reader.
Last edited by kebosabi; Jul 22, 2014 at 12:51 pm
Jul 22, 2014, 12:48 pm
#5609
Join Date: Jul 2007
Posts: 1,762
As I've said, there's no problem in doing things differently as long as they are compatible. Frankly, it really shouldn't matter one way or the other whether we go chip and signature or chip and pin or even have retained magnetic strip despite the fact obviously having an emv chip is somewhat more secure for card is present transactions. We all get that, I think even the most ardent devotee of emv. And it should make even less difference, quite frankly, if we go chip and signature as opposed to chip and pin PROVIDED...
We can be assured that our credit cards will work 100% of the time whether at home or in Canada or in Europe or wherever. To me, 99.7% is not good enough if I need to get something and I'm dealing with one of the 0.3% who just will not process a pos transaction without a pin. What is visa, mc or amex doing about that? And they readilly admit, there will be times at unpersonneled kiosks where cards will not work and nobody can assure 100% compatibility which is simply not true. That is visa and mc and amex's job to assure. And whether it's the best method or not, you're far less likely to run into this problem if you have a chip and pin card with offline pin capabilities and provide a mechanism for getting the cvm on the chip to allow cardholder selection which they are not doing. Therein lies the rub!
We can be assured that our credit cards will work 100% of the time whether at home or in Canada or in Europe or wherever. To me, 99.7% is not good enough if I need to get something and I'm dealing with one of the 0.3% who just will not process a pos transaction without a pin. What is visa, mc or amex doing about that? And they readilly admit, there will be times at unpersonneled kiosks where cards will not work and nobody can assure 100% compatibility which is simply not true. That is visa and mc and amex's job to assure. And whether it's the best method or not, you're far less likely to run into this problem if you have a chip and pin card with offline pin capabilities and provide a mechanism for getting the cvm on the chip to allow cardholder selection which they are not doing. Therein lies the rub!
Jul 22, 2014, 2:49 pm
#5610
Join Date: Jan 2014
Location: The UK
Posts: 154
I received a US HSBC MC. It is indeed C&S with C&P as backup. Not sure about full CVM order and whether its online or offline PIN. I am so sick of chip and signature. I had a nightmare that UNFCU changed their CVM to C&S preferred. I seriously have problems.