Sep 20, 2013, 11:40 am
Last edit by: philemer
Posts from 1/1/16 onward can be found here: http://www.flyertalk.com/forum/credit-card-programs/1739359-2016-onward-usa-emv-cards-availability-q-chip-pin-signature.html
EMV wikipost volunteers: kebosabi
What is EMV?
EMV is a defacto global standard of technology where there is a visible microchip on the front of the card. It looks like this:
Who issues them?
See Google Docs spreadsheet in Post #1
SFOAMS also has created a list of excellent webpage that shows US EMV cards in a more interactive interface
Another site, which lets you narrow the search for an EMV card by various parameters, is http://www.spotterswiki.com/emv/index.php.
Several credit unions issue some form of Chip-and-PIN credit cards or prepaid cards. Prepaid EMV cards however are not recommended due to junk fees. USAA (currently restricted to members of military) used to offer Chip-and-PIN cards, but as late has backtracked to Chip-and-Signature priority.
Hey that's a cool Google Docs list! I know others that aren't on that list. How can I help by adding them to the list?
My bad for not putting this into the wiki sooner. Right now, the Google Docs is locked out of editing and only in "read-only" view because there were instances in the past where people would just delete the rows not thinking that it affects others viewing the list.
If you promise not to delete any rows and input all the pertinent info (annual fee, rewards, FTF, etc.), I can provide you with edit access. Just shoot me a PM to kebosabi with your gmail address and I'll provide you edit access.
Thanks for helping out!
As of October 2014, no USA-based card issuer offers Chip-and-PIN priority cards except for BMO Harris (Diners Club) and UN Federal Credit Union. Other major USA-based banks such as BofA, Chase, Citi, as well as others issue Chip-and-Signature cards which may work at many automated kiosks. However, bear in mind the word may is used above is a context where there is no absolute certainty of success for certain environments such as automated kiosks due to different natures of offline and online transactions. It is highly recommended to read Post #3 which lists real life FTer examples on how Chip-and-Signature worked and did not work at various transaction environments.
Can I upgrade it right now?
If it's listed on that Google Docs spreadsheet or SFOAMS' Silk page, wouldn't hurt to call/twitter them for a free upgrade. If you get the response you don't like, hang up, try again.
What is the difference between Chip-and-Signature and Chip-and-PIN?
You insert the chipped card into the slot. The physical contact terminal will read the EMV chip and the terminal will automatically read the preferred cardholder verification methods (called CVM) for that card.
Chip-and-Signature means that the terminal will printout a receipt for you to sign. This is the most prevalent authentication for most US issued EMV cards. Chip-and-Signature helps in a way that it will get through to face-to-face merchant transactions where you and the merchant do not speak the same language.
Chip-and-PIN means that the terminal will prompt you to input a PIN for authentication. Some credit union issued credit cards will have this CVM as secondary if Chip-and-Signature cannot be done. Chip-and-PIN is the more prevalent method of authentication used outside the US, especially in transaction environments where no human interaction is needed (i.e. automated gas pumps, toll roads, train kiosks, etc.).
The Google Docs spreadsheet will list which CVM are used in the EMV cards listed. Some cards can only do Chip-and-Signature. Other cards can do both Chip-and-Signature and Chip-and-PIN. And others might have a third option called No CVM (no authentication needed) which is reserved for low value transactions.
One chip can hold a lot more data, therefore it is capable of doing multiple verification methods. That's one of the great things about EMV over the mag-stripe which can hold very little data.
I want to know for sure what my EMV chip does. Is there anyway I can test out my own EMV card to see what the CVM list is?
alexmt has written up a nice step-by-step procedure on Post #3615.
If most of the EMV cards in the US is the Chip-and-Signature type, doesn't that mean it's still useless abroad?
Depends if you see it as glass half empty or glass half full. See Post #3 for further details on how Chip-and-Signature has worked both successfully and unsuccessfully depending on the merchant transaction environment and use your best judgment whether which one is right for you.
Are there any places in the US that are accepting transactions via the EMV chip?
tmiw has created a dedicated Google maps webpage to show where EMV has been proven to work here: http://emvacceptedhere.com/ Per his Post #4240, feel free to add any places with active EMV terminals if you come across one.
As of 2014/05, the EMV terminals in most Walmarts and Sam's Clubs are being turned on. Hence, the best place to try them out would be your local Walmart or Sam's Club. For other merchants, it's slowly being phased in.
I hope people will post them in the Post your receipt of your 1st EMV based transaction in the US thread. cvarming has shown us an EMV transaction receipt from Brooklyn, NY in Post #2380. I myself had my first EMV based (Chip-and-Signature) transaction in two stores in the Los Angeles area, as shown in detail in Post #2705 (courtesy of WhatWhatTech for pointing these two stores out)
I don't want a chip in my card. I heard horror stories all over the media saying hackers can steal my credit card info from a mile away.
There are two types of chips. One is contactless and the other is contact. Cards can be either one or the other, or both.
In the Google Docs spreadsheet, the cards that are capable of contactless payments are listed seperately under the "RFID or NFC contactless chip" column. If it says yes, then that means it has the ability to do contactless payments. If it says no, it doesn't have that feature.
The one that the media has overhyped about hackers "stealing your information wirelessly" was the contactless type like this:
You are worried about this happening, right?
You don't have to worry. EMV is a chip standard that can have both contact and contactless interfaces. With the traditional contact interface, this means you actually have to physically insert the chip into a POS terminal for it to be authorized, like this:
With the contact interface, nothing is wireless. No data is sent out in a stand-alone contact type EMV chip. With the EMV contactless interface, data is sent wirelessly.
Furthermore, contactless chip cards are required to show a symbol (looks like Wi-Fi symbol) somewhere on the card that to denote it's capability as a contactless card. For example, here's an example of a Discover Card with contactless capability (in which Discover calls "Discover ZIP") showing the contactless symbol on the back of the card:
Don't believe everything that the media says. Besides, millions of people all over the world from London to Singapore, uses contactless payments daily in extremely crowded subways and mass transit with nary any problems. There are multiple layers of encrypted securities and keys that are needed to break the code.
Frankly, giving your physical card to a waiter/waitress who takes the card out of your view is much more susceptible to fraud than contactless payments.
Why should I care?
If you are an international traveler, you will want this because majority of the world has or in the process of converting to this payment format.
In fact, in 2012, even North Korea moved to the EMV format, leaving the US as one of the countries in the world that hasn't done so.
In addition, VISA, MC, AMEX, and Discover have all agreed to incentivize the USA shifting to EMV payments by 2015 by shifting liability for fraudulent transactions to merchants if they do not have EMV equipment and the cardholder has an EMV card. So if you travel internationally or would like to get one before the others, you might be interested in getting one.
BS! I had no problems using my card in [insert whereever country], [insert whatever point in time]
If you stick to the tourist path where they have lots of visitors from the US, you should have no problems using your mag-stripe only card in hotels and restaurants, at least for now. But as things can change as things go forward.
However, consider that once you start taking the off-beaten path, go to non-touristy places where they are not familiar with mag-stripes, rent a car and use toll roads, fill up gas, or try to buy train tickets you might end up into a trouble of the machine not recognizing your card because it lacks the chip. Furthermore, a lot of toll roads, gas pumps, and automated ticket machines lack any human assistance to help you when you need it the most.
But [insert credit card company] told me all merchants that display their logo must accept them! All I have to do is report them for violating their agreements, right?
There are several factors against this.
1. You can only speak English. The merchant representative, most likely a part-time clerk earning minimum wage, speaks in a different language, let's say French. If you have no French language skills, how are you going to get your point across? Are you going to whip out your cell phone at exorbitant int'l roaming charges and hope the customer service is going to translate it for you on the spot? Or maybe you might actually know French. But how about Swahili, Farsi, Balinese, or the multiple languages in mainland China?
2. Just like US, the rest of the world's businesses uses part-time minimum wage workers as cashiers to cut down on labor costs. Most of their SOP training manuals are written by MBA types to not to do anything they are not familiar with. Do not expect them to understand the intricate details of credit card mumbo jumbo. You don't expect Taco Bell employees to understand the minute details of Discover-JCB-Union Pay agreements, right? Same thing the other way around: be respectful as a guest in their country, prepare in advance in their ways, avoid being an "ugly American" stereotype.
3. You are a guest in their country. You are a minority. If 99.9% of their country's people and other tourists from around the world uses EMV, do you really think they are going to accomodate the 0.1% of American tourists who only have mag-stripes credit cards?
4. Again, you are a guest in their country. How would you, as an American standing in line, react if a Chinese tourist was clogging up the lines at a local Taco Bell because the clerk doesn't understand the Discover-Union Pay agreement and has trouble communicating between Mandarin spoken by the tourist and English spoken by the Taco Bell clerk? Same way the other way around. You do not want to clog up the lines for everyone. The less hassle, the better.
5. VISA and MC make tons of money from merchants in that country. Say SNCF French Rail. It's a billion dollar company in France. Do you think VISA is going to pull the plug of their relationship with SNCF because SNCF refuses to do mag-stripe processing at their unmanned train station kiosk? Of course not. Be realistic.
6. And lastly, if you're up against an unstaffed toll kiosk, gas pump or train ticket machine, are you going to yell curses at the machine?
But I want my credit card to be able to be used in the US too!
No worries. They have not gotten rid of the mag-stripe on the back of the card for backward compatibility reasons, just like we still have embossed numbers on our cards for backwards compatibility to using those old carbon copy imprinters.
[insert own Hyatt card image front and back together with red arrows pointing to all the backward compatibility features]
You use the chip on the front of the card abroad (for now), and the mag-stripe just like any other card for the US. Basically, you're increasing your credit card's acceptance rate by getting a card that both via the chip and the mag-stripe. You're getting a better deal for free.
And when 2015 comes along and US switches to EMV, you'll be way ahead of everyone else too!
So why did the rest of the world and the US moved/moving toward EMV?
Primarily, due to fraud concerns. You see, the mag-stripe has been with us since the 1950s. It may have been the most high tech thing back in the day, but with the technology that is available today, any shmo can pick up a $100 USB magnetic card skimming device off of eBay and get your credit card info.
And unlike skimming off contactless cards which actually need the person to have l33t programming skills, skimming off a magnetic stripe has become so ubiquitous that nary a day goes about skimming fraud going on somewhere in America, from gas pumps, Michael's stores (2011), Target breaches (2013), restaurant waiters/waitresses, to even McDonald's drive thrus.
https://www.google.com/search?q=skimming+fraud
These type of fraud used to be prevalent in Europe. But once they started switching over to EMV starting over 2 decades ago, this type of fraud went elsewhere. It went over to Asia, Canada and Mexico, Latin America, etc. etc. until they too began implementing EMV to combat skimming fraud. The US is practically the only country left that hasn't done so, therefore all the fraud that used to take place elsewhere is now happening here.
But EMV is old and it's not fool proof. Shouldn't we just skip over it and do something new instead?
Yes, EMV is old. It was developed in the 1990s and its smart card payment predecessor was first introduced in France. But as of today, it has become the defacto global standard of payments.
But then, what else is there? There is no other de facto global standard of payments alternative. For example, if we decide to skip over it and do something new, hypothetically like DNA matching technology, it still means US int'l travelers will continue to have problems abroad with useless plastic acceptance because no other country is using this DNA matching technology except the US.
Besides, nothing is fool proof. You can say that the bank vault isn't fool proof because you can crack it open if enough C4 is used. But your average low-life scumbag isn't likely to get military grade C4 easily either. But the bank vault does make it harder to get the bank's money over say a petty cash box. That's the point here. EMV is akin to a security tight bank vault, the old mag-stripe is akin to a petty cash box lying around inside the drawer.
I'm a business owner and I don't think EMV is going to take off. I'm not going to spend extra hundreds of dollars to upgrade my credit card machine. Convince me other wise why I should.
I can understand the added extra cost to your business once this switchover takes place. But before even saying that, look at your existing POS terminal. Does it have a slot somewhere to insert a card?
Most likely, if you had replaced your POS terminal within the past five years, you already have an EMV capable terminal. EMV is basically just not turned on yet from the processor and acquirer side.
If you have an EMV capable terminal, then a best bet would be to contact your acquirer to have the EMV feature turned on. You did your end of the deal already by having an EMV capable terminal, it is now the acquirers' responsibility to turn it on in accordance to the EMV switchover mandate.
And if you don't, you are going to replace your POS terminal anyway from common wear and tear. It isn't a hard switch-over. You can continue to use your POS terminal until it dies out because EMV cardholders will still have the mag-stripe on the back. And by the time your non-EMV capable POS terminal is up for replacement the market will be full with these newer POS terminals that can accept the mag-stripe, EMV, as well as contactless payments.
In addition, you may also want to check with your acquirer or processor about EMV capable terminals. Some of them are willing to replace your terminal for free in preparation for the US EMV switchover. Call and ask for details.
But what's in it for me? I'm the one that has to pay for the upgrade.
All the major card networks have given incentives for merchants for the upcoming EMV switchover.
If 75% or more of your credit card transactions are done on an EMV contact and contactless terminal, they are going to waive your annual PCI-DSS fees, which usually costs you around $5.00-$19.95/month per terminal. The overall long term cost savings of those compliance fees will be larger than the cost of an one time upgrade for the terminal.
The downside is that once EMV switchover happens and if you do not have a POS terminal that is able to accept EMV, the fraud liability shifts over to the merchant.
I own several fast food franchises. If I upgrade my POS terminals at all of my restaurants, it's going to cost me thousands, if not millions. I don't think anyone is going to use a fake credit card to buy $5 burgers. And if they do, wouldn't it be cheaper for me to eat the fraud cost?
Remember also that fraud isn't just committed by dishonest customers using fraudulent cards. Fraud can also happen with dishonest employees skimming off credit card data from the mag-stripe as in the case of a teenage McDonald's drive thru employee skimming off $13,000 of customers' credit cards in Olympia, WA. Consider the public relations fall out that your business may have if this happens (i.e. the big Target breach of 2013, where someone used a mag stripe card to load malware INTO Target's system). Is it worth risking to take such a huge PR disaster?
EMV wikipost volunteers: kebosabi
What is EMV?
EMV is a defacto global standard of technology where there is a visible microchip on the front of the card. It looks like this:
Who issues them?
See Google Docs spreadsheet in Post #1
SFOAMS also has created a list of excellent webpage that shows US EMV cards in a more interactive interface
Another site, which lets you narrow the search for an EMV card by various parameters, is http://www.spotterswiki.com/emv/index.php.
Several credit unions issue some form of Chip-and-PIN credit cards or prepaid cards. Prepaid EMV cards however are not recommended due to junk fees. USAA (currently restricted to members of military) used to offer Chip-and-PIN cards, but as late has backtracked to Chip-and-Signature priority.
Hey that's a cool Google Docs list! I know others that aren't on that list. How can I help by adding them to the list?
My bad for not putting this into the wiki sooner. Right now, the Google Docs is locked out of editing and only in "read-only" view because there were instances in the past where people would just delete the rows not thinking that it affects others viewing the list.
If you promise not to delete any rows and input all the pertinent info (annual fee, rewards, FTF, etc.), I can provide you with edit access. Just shoot me a PM to kebosabi with your gmail address and I'll provide you edit access.
Thanks for helping out!
As of October 2014, no USA-based card issuer offers Chip-and-PIN priority cards except for BMO Harris (Diners Club) and UN Federal Credit Union. Other major USA-based banks such as BofA, Chase, Citi, as well as others issue Chip-and-Signature cards which may work at many automated kiosks. However, bear in mind the word may is used above is a context where there is no absolute certainty of success for certain environments such as automated kiosks due to different natures of offline and online transactions. It is highly recommended to read Post #3 which lists real life FTer examples on how Chip-and-Signature worked and did not work at various transaction environments.
Can I upgrade it right now?
If it's listed on that Google Docs spreadsheet or SFOAMS' Silk page, wouldn't hurt to call/twitter them for a free upgrade. If you get the response you don't like, hang up, try again.
What is the difference between Chip-and-Signature and Chip-and-PIN?
You insert the chipped card into the slot. The physical contact terminal will read the EMV chip and the terminal will automatically read the preferred cardholder verification methods (called CVM) for that card.
Chip-and-Signature means that the terminal will printout a receipt for you to sign. This is the most prevalent authentication for most US issued EMV cards. Chip-and-Signature helps in a way that it will get through to face-to-face merchant transactions where you and the merchant do not speak the same language.
Chip-and-PIN means that the terminal will prompt you to input a PIN for authentication. Some credit union issued credit cards will have this CVM as secondary if Chip-and-Signature cannot be done. Chip-and-PIN is the more prevalent method of authentication used outside the US, especially in transaction environments where no human interaction is needed (i.e. automated gas pumps, toll roads, train kiosks, etc.).
The Google Docs spreadsheet will list which CVM are used in the EMV cards listed. Some cards can only do Chip-and-Signature. Other cards can do both Chip-and-Signature and Chip-and-PIN. And others might have a third option called No CVM (no authentication needed) which is reserved for low value transactions.
One chip can hold a lot more data, therefore it is capable of doing multiple verification methods. That's one of the great things about EMV over the mag-stripe which can hold very little data.
I want to know for sure what my EMV chip does. Is there anyway I can test out my own EMV card to see what the CVM list is?
alexmt has written up a nice step-by-step procedure on Post #3615.
If most of the EMV cards in the US is the Chip-and-Signature type, doesn't that mean it's still useless abroad?
Depends if you see it as glass half empty or glass half full. See Post #3 for further details on how Chip-and-Signature has worked both successfully and unsuccessfully depending on the merchant transaction environment and use your best judgment whether which one is right for you.
Are there any places in the US that are accepting transactions via the EMV chip?
tmiw has created a dedicated Google maps webpage to show where EMV has been proven to work here: http://emvacceptedhere.com/ Per his Post #4240, feel free to add any places with active EMV terminals if you come across one.
As of 2014/05, the EMV terminals in most Walmarts and Sam's Clubs are being turned on. Hence, the best place to try them out would be your local Walmart or Sam's Club. For other merchants, it's slowly being phased in.
I hope people will post them in the Post your receipt of your 1st EMV based transaction in the US thread. cvarming has shown us an EMV transaction receipt from Brooklyn, NY in Post #2380. I myself had my first EMV based (Chip-and-Signature) transaction in two stores in the Los Angeles area, as shown in detail in Post #2705 (courtesy of WhatWhatTech for pointing these two stores out)
I don't want a chip in my card. I heard horror stories all over the media saying hackers can steal my credit card info from a mile away.
There are two types of chips. One is contactless and the other is contact. Cards can be either one or the other, or both.
In the Google Docs spreadsheet, the cards that are capable of contactless payments are listed seperately under the "RFID or NFC contactless chip" column. If it says yes, then that means it has the ability to do contactless payments. If it says no, it doesn't have that feature.
The one that the media has overhyped about hackers "stealing your information wirelessly" was the contactless type like this:
You are worried about this happening, right?
You don't have to worry. EMV is a chip standard that can have both contact and contactless interfaces. With the traditional contact interface, this means you actually have to physically insert the chip into a POS terminal for it to be authorized, like this:
With the contact interface, nothing is wireless. No data is sent out in a stand-alone contact type EMV chip. With the EMV contactless interface, data is sent wirelessly.
Furthermore, contactless chip cards are required to show a symbol (looks like Wi-Fi symbol) somewhere on the card that to denote it's capability as a contactless card. For example, here's an example of a Discover Card with contactless capability (in which Discover calls "Discover ZIP") showing the contactless symbol on the back of the card:
Don't believe everything that the media says. Besides, millions of people all over the world from London to Singapore, uses contactless payments daily in extremely crowded subways and mass transit with nary any problems. There are multiple layers of encrypted securities and keys that are needed to break the code.
Frankly, giving your physical card to a waiter/waitress who takes the card out of your view is much more susceptible to fraud than contactless payments.
Why should I care?
If you are an international traveler, you will want this because majority of the world has or in the process of converting to this payment format.
In fact, in 2012, even North Korea moved to the EMV format, leaving the US as one of the countries in the world that hasn't done so.
In addition, VISA, MC, AMEX, and Discover have all agreed to incentivize the USA shifting to EMV payments by 2015 by shifting liability for fraudulent transactions to merchants if they do not have EMV equipment and the cardholder has an EMV card. So if you travel internationally or would like to get one before the others, you might be interested in getting one.
BS! I had no problems using my card in [insert whereever country], [insert whatever point in time]
If you stick to the tourist path where they have lots of visitors from the US, you should have no problems using your mag-stripe only card in hotels and restaurants, at least for now. But as things can change as things go forward.
However, consider that once you start taking the off-beaten path, go to non-touristy places where they are not familiar with mag-stripes, rent a car and use toll roads, fill up gas, or try to buy train tickets you might end up into a trouble of the machine not recognizing your card because it lacks the chip. Furthermore, a lot of toll roads, gas pumps, and automated ticket machines lack any human assistance to help you when you need it the most.
But [insert credit card company] told me all merchants that display their logo must accept them! All I have to do is report them for violating their agreements, right?
There are several factors against this.
1. You can only speak English. The merchant representative, most likely a part-time clerk earning minimum wage, speaks in a different language, let's say French. If you have no French language skills, how are you going to get your point across? Are you going to whip out your cell phone at exorbitant int'l roaming charges and hope the customer service is going to translate it for you on the spot? Or maybe you might actually know French. But how about Swahili, Farsi, Balinese, or the multiple languages in mainland China?
2. Just like US, the rest of the world's businesses uses part-time minimum wage workers as cashiers to cut down on labor costs. Most of their SOP training manuals are written by MBA types to not to do anything they are not familiar with. Do not expect them to understand the intricate details of credit card mumbo jumbo. You don't expect Taco Bell employees to understand the minute details of Discover-JCB-Union Pay agreements, right? Same thing the other way around: be respectful as a guest in their country, prepare in advance in their ways, avoid being an "ugly American" stereotype.
3. You are a guest in their country. You are a minority. If 99.9% of their country's people and other tourists from around the world uses EMV, do you really think they are going to accomodate the 0.1% of American tourists who only have mag-stripes credit cards?
4. Again, you are a guest in their country. How would you, as an American standing in line, react if a Chinese tourist was clogging up the lines at a local Taco Bell because the clerk doesn't understand the Discover-Union Pay agreement and has trouble communicating between Mandarin spoken by the tourist and English spoken by the Taco Bell clerk? Same way the other way around. You do not want to clog up the lines for everyone. The less hassle, the better.
5. VISA and MC make tons of money from merchants in that country. Say SNCF French Rail. It's a billion dollar company in France. Do you think VISA is going to pull the plug of their relationship with SNCF because SNCF refuses to do mag-stripe processing at their unmanned train station kiosk? Of course not. Be realistic.
6. And lastly, if you're up against an unstaffed toll kiosk, gas pump or train ticket machine, are you going to yell curses at the machine?
But I want my credit card to be able to be used in the US too!
No worries. They have not gotten rid of the mag-stripe on the back of the card for backward compatibility reasons, just like we still have embossed numbers on our cards for backwards compatibility to using those old carbon copy imprinters.
[insert own Hyatt card image front and back together with red arrows pointing to all the backward compatibility features]
You use the chip on the front of the card abroad (for now), and the mag-stripe just like any other card for the US. Basically, you're increasing your credit card's acceptance rate by getting a card that both via the chip and the mag-stripe. You're getting a better deal for free.
And when 2015 comes along and US switches to EMV, you'll be way ahead of everyone else too!
So why did the rest of the world and the US moved/moving toward EMV?
Primarily, due to fraud concerns. You see, the mag-stripe has been with us since the 1950s. It may have been the most high tech thing back in the day, but with the technology that is available today, any shmo can pick up a $100 USB magnetic card skimming device off of eBay and get your credit card info.
And unlike skimming off contactless cards which actually need the person to have l33t programming skills, skimming off a magnetic stripe has become so ubiquitous that nary a day goes about skimming fraud going on somewhere in America, from gas pumps, Michael's stores (2011), Target breaches (2013), restaurant waiters/waitresses, to even McDonald's drive thrus.
https://www.google.com/search?q=skimming+fraud
These type of fraud used to be prevalent in Europe. But once they started switching over to EMV starting over 2 decades ago, this type of fraud went elsewhere. It went over to Asia, Canada and Mexico, Latin America, etc. etc. until they too began implementing EMV to combat skimming fraud. The US is practically the only country left that hasn't done so, therefore all the fraud that used to take place elsewhere is now happening here.
But EMV is old and it's not fool proof. Shouldn't we just skip over it and do something new instead?
Yes, EMV is old. It was developed in the 1990s and its smart card payment predecessor was first introduced in France. But as of today, it has become the defacto global standard of payments.
But then, what else is there? There is no other de facto global standard of payments alternative. For example, if we decide to skip over it and do something new, hypothetically like DNA matching technology, it still means US int'l travelers will continue to have problems abroad with useless plastic acceptance because no other country is using this DNA matching technology except the US.
Besides, nothing is fool proof. You can say that the bank vault isn't fool proof because you can crack it open if enough C4 is used. But your average low-life scumbag isn't likely to get military grade C4 easily either. But the bank vault does make it harder to get the bank's money over say a petty cash box. That's the point here. EMV is akin to a security tight bank vault, the old mag-stripe is akin to a petty cash box lying around inside the drawer.
I'm a business owner and I don't think EMV is going to take off. I'm not going to spend extra hundreds of dollars to upgrade my credit card machine. Convince me other wise why I should.
I can understand the added extra cost to your business once this switchover takes place. But before even saying that, look at your existing POS terminal. Does it have a slot somewhere to insert a card?
Most likely, if you had replaced your POS terminal within the past five years, you already have an EMV capable terminal. EMV is basically just not turned on yet from the processor and acquirer side.
If you have an EMV capable terminal, then a best bet would be to contact your acquirer to have the EMV feature turned on. You did your end of the deal already by having an EMV capable terminal, it is now the acquirers' responsibility to turn it on in accordance to the EMV switchover mandate.
And if you don't, you are going to replace your POS terminal anyway from common wear and tear. It isn't a hard switch-over. You can continue to use your POS terminal until it dies out because EMV cardholders will still have the mag-stripe on the back. And by the time your non-EMV capable POS terminal is up for replacement the market will be full with these newer POS terminals that can accept the mag-stripe, EMV, as well as contactless payments.
In addition, you may also want to check with your acquirer or processor about EMV capable terminals. Some of them are willing to replace your terminal for free in preparation for the US EMV switchover. Call and ask for details.
But what's in it for me? I'm the one that has to pay for the upgrade.
All the major card networks have given incentives for merchants for the upcoming EMV switchover.
If 75% or more of your credit card transactions are done on an EMV contact and contactless terminal, they are going to waive your annual PCI-DSS fees, which usually costs you around $5.00-$19.95/month per terminal. The overall long term cost savings of those compliance fees will be larger than the cost of an one time upgrade for the terminal.
The downside is that once EMV switchover happens and if you do not have a POS terminal that is able to accept EMV, the fraud liability shifts over to the merchant.
I own several fast food franchises. If I upgrade my POS terminals at all of my restaurants, it's going to cost me thousands, if not millions. I don't think anyone is going to use a fake credit card to buy $5 burgers. And if they do, wouldn't it be cheaper for me to eat the fraud cost?
Remember also that fraud isn't just committed by dishonest customers using fraudulent cards. Fraud can also happen with dishonest employees skimming off credit card data from the mag-stripe as in the case of a teenage McDonald's drive thru employee skimming off $13,000 of customers' credit cards in Olympia, WA. Consider the public relations fall out that your business may have if this happens (i.e. the big Target breach of 2013, where someone used a mag stripe card to load malware INTO Target's system). Is it worth risking to take such a huge PR disaster?
USA EMV cards: Availability, Q&A (Chip & PIN -or- Chip & Signature) [2012-2015]
Aug 14, 2014, 10:48 am
#6136
FlyerTalk Evangelist
Join Date: Jul 2003
Location: Florida
Posts: 29,740
That's all any of us really want. We want to make sure our card will work 100% of the time when we use it. Most people to this day don't have any problems with magstripe only cards even overseas. Fewer people encounter unmanned kiosks that require offline PIN capability. Even fewer encounter merchants that balk at a signature purchase on an EMV card. Perhaps we could define some terminology:
I would prefer true chip-and-PIN cards too since I think a PIN is more secure than a signature, and it would effectively make a lost/stolen credit card useless. Is PIN verification perfect with the EMV standard? It's not, but it is certainly another layer of defense beyond a regular signature. It will also stop the scrutiny overseas when using a credit card in countries where issuers have switched to chip-and-PIN.
- Chip-and-signature cards are EMV cards that have no ability to do offline PIN verifications.
- Chip-and-signature with offline PIN capability cards will work in unmanned kiosks that do offline PIN verification.
- Chip-and-PIN cards will ask for a PIN over a signature in any situation where a PIN can be entered and will only use signature verification as a fallback method.
I would prefer true chip-and-PIN cards too since I think a PIN is more secure than a signature, and it would effectively make a lost/stolen credit card useless. Is PIN verification perfect with the EMV standard? It's not, but it is certainly another layer of defense beyond a regular signature. It will also stop the scrutiny overseas when using a credit card in countries where issuers have switched to chip-and-PIN.
If with PIN being a mandate, and with that, eventually it SHIFTS the responsibility / liability to the cardholders, then you would hope you never have wanted this chip card!
Let me tell you what happened to our friend in Canada (that is before the Chip Card conversion). They lived in Ottawa, and their son lived in Toronto. His wife often made short trips to Toronto for shopping and visiting their son. His wife's card was cloned in Toronto and there were thousands $ fraudulent charges put on his wife's card. He reported the fraudulent charges to the bank. His bank (forgot the name but it was one of the biggies in Canada) claimed the charges were all from his wife and the claim had to be brought up to a court trial. The bank lost of course. But that is how VERY LITTLE consumer protection on card usage in countries OUTSIDE US. In many countries the cardholders have very hard time to dispute fraudulent charges, precisely because it requires a PIN and the assumption is, you must either make those transactions yourself or give your PIN to the frauster to make those transactions. Hence you are responsible for those not the bank...
All our relatives in Canada, do NOT use the pay-at-pump with inserting your card to the reader that we Americans are so used to, due to the high risk of frauds and the HUGE hassle one may have to go thru should fraudulent charges happened.
Do you really want US to eventually become like other countries when we are switching to the "perceived" more secured Chip cards?
Last edited by Happy; Aug 14, 2014 at 10:54 am
Aug 14, 2014, 10:58 am
#6137
Join Date: Jul 2007
Posts: 1,762
Happy...good point. Correct me, though, if I'm wrong. Most of the protection is built into federal law, except for the last $50. So credit cards that claim zero liability, and they all do, really are only providing $50 of coverage (and of course we know all banks in the country do indeed not bother with the $50). There would have to be federal legislation to switch the liability totally; it has nothing to do with chip and pin or whatever. I would hope Congress would stick up for the people and now allow the banks to push this shift in liability here. I would hope. Am I convinced? No of course. But still...
Aug 14, 2014, 11:09 am
#6138
FlyerTalk Evangelist
Join Date: Mar 2006
Location: DFW
Programs: AA 1M
Posts: 31,473
Be careful on what you wish for. Currently US personal cardholders enjoy TREMENDOUS fraud protection. There is virtually no one ever has to pay for a fraudulent charge as long as it is reported on a timely manner. All one ever experiences is some inconveniences.
If with PIN being a mandate, and with that, eventually it SHIFTS the responsibility / liability to the cardholders, then you would hope you never have wanted this chip card!
Let me tell you what happened to our friend in Canada (that is before the Chip Card conversion). They lived in Ottawa, and their son lived in Toronto. His wife often made short trips to Toronto for shopping and visiting their son. His wife's card was cloned in Toronto and there were thousands $ fraudulent charges put on his wife's card. He reported the fraudulent charges to the bank. His bank (forgot the name but it was one of the biggies in Canada) claimed the charges were all from his wife and the claim had to be brought up to a court trial. The bank lost of course. But that is how VERY LITTLE consumer protection on card usage in countries OUTSIDE US. In many countries the cardholders have very hard time to dispute fraudulent charges, precisely because it requires a PIN and the assumption is, you must either make those transactions yourself or give your PIN to the frauster to make those transactions. Hence you are responsible for those not the bank...
All our relatives in Canada, do NOT use the pay-at-pump with inserting your card to the reader that we Americans are so used to, due to the high risk of frauds and the HUGE hassle one may have to go thru should fraudulent charges happened.
Do you really want US to eventually become like other countries when we are switching to the "perceived" more secured Chip cards?
If with PIN being a mandate, and with that, eventually it SHIFTS the responsibility / liability to the cardholders, then you would hope you never have wanted this chip card!
Let me tell you what happened to our friend in Canada (that is before the Chip Card conversion). They lived in Ottawa, and their son lived in Toronto. His wife often made short trips to Toronto for shopping and visiting their son. His wife's card was cloned in Toronto and there were thousands $ fraudulent charges put on his wife's card. He reported the fraudulent charges to the bank. His bank (forgot the name but it was one of the biggies in Canada) claimed the charges were all from his wife and the claim had to be brought up to a court trial. The bank lost of course. But that is how VERY LITTLE consumer protection on card usage in countries OUTSIDE US. In many countries the cardholders have very hard time to dispute fraudulent charges, precisely because it requires a PIN and the assumption is, you must either make those transactions yourself or give your PIN to the frauster to make those transactions. Hence you are responsible for those not the bank...
All our relatives in Canada, do NOT use the pay-at-pump with inserting your card to the reader that we Americans are so used to, due to the high risk of frauds and the HUGE hassle one may have to go thru should fraudulent charges happened.
Do you really want US to eventually become like other countries when we are switching to the "perceived" more secured Chip cards?
Aug 14, 2014, 11:17 am
#6139
Join Date: Jul 2009
Location: SJC
Programs: AA, AS, Marriott
Posts: 6,056
Be careful on what you wish for. Currently US personal cardholders enjoy TREMENDOUS fraud protection. There is virtually no one ever has to pay for a fraudulent charge as long as it is reported on a timely manner. All one ever experiences is some inconveniences.
If with PIN being a mandate, and with that, eventually it SHIFTS the responsibility / liability to the cardholders, then you would hope you never have wanted this chip card!
If with PIN being a mandate, and with that, eventually it SHIFTS the responsibility / liability to the cardholders, then you would hope you never have wanted this chip card!
I would contend that consumer pressure would keep in place zero liability protections. The last thing credit card issuers want is for the public to get misinformation about "if your PIN is compromised you are responsible for all of the charge". Then cue the erroneous reports of people stealing PINs off of the cards remotely using a reader while in a checkout line. People would be too scared to carry credit cards and go back to using cash. Even with the introduction of PIN, mark my words, the zero liability protections will remain.
Aug 14, 2014, 11:22 am
#6140
FlyerTalk Evangelist
Join Date: Jul 2003
Location: Florida
Posts: 29,740
Happy...good point. Correct me, though, if I'm wrong. Most of the protection is built into federal law, except for the last $50. So credit cards that claim zero liability, and they all do, really are only providing $50 of coverage (and of course we know all banks in the country do indeed not bother with the $50). There would have to be federal legislation to switch the liability totally; it has nothing to do with chip and pin or whatever. I would hope Congress would stick up for the people and now allow the banks to push this shift in liability here. I would hope. Am I convinced? No of course. But still...
Banks eat those fraudulent charges, NOT your government which only gives you the law that the banks have to comply.
Precisely the Federal Law is protecting the PERSONAL cards (your business cards do NOT enjoy such protection from the government), for the CURRENT State of the Mag cards.
Do you really feel the banksters would not take up the golden opportunity to lobby the government to modify the law under the premise (falsely) that "Chip and PIN card is so much more secured because it requires a PIN?"
Look at how much your tax money is handed out to the banks to bail them out during 2008-2009, you think the government would not "listen" to the banks and then initiate a modification of existing laws in the name to "reduce the costs of doing business" that the banks inevitably would use?
Some of you folks are quite naive and wishful thinking is all I could say.
Aug 14, 2014, 11:34 am
#6141
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,502
I would contend that consumer pressure would keep in place zero liability protections. The last thing credit card issuers want is for the public to get misinformation about "if your PIN is compromised you are responsible for all of the charge". Then cue the erroneous reports of people stealing PINs off of the cards remotely using a reader while in a checkout line. People would be too scared to carry credit cards and go back to using cash. Even with the introduction of PIN, mark my words, the zero liability protections will remain.
Anyway, my ideal CVM list would be as follows:
- No CVM if purchase amount < US$50 (basically how it is in practice now)
- Enciphered PIN verified by ICC
- Plaintext PIN verified by ICC
- Online PIN
- No CVM
- Signature
Aug 14, 2014, 11:35 am
#6142
Join Date: Aug 2014
Posts: 6
Update (denied chip)
Fidelity Amex cardholder since 2009. I attempted to order the chip card and they told me that the Fidelity Amex w/chip was not available for me without reapplying due to the fact that I had a "grandfathered" account with features not available to new accountholders. Which is strange because I have had the original Fidelity Mastercard (NOT Visa) since 2005 and when my last mastercard expired they sent me one with a chip without me asking. I have since used the mastercard at Walmart in a chip reader without issues.
After some complaining, the manager said that he would ask for an exception and I could call back in five days to see if it went through...
After some complaining, the manager said that he would ask for an exception and I could call back in five days to see if it went through...
Please let me know if you are able to get a Fidelity AMEX chip card since August 10, 2014.
Aug 14, 2014, 11:37 am
#6143
Join Date: Jul 2007
Posts: 1,762
We've been all through this. Banks are willing to eat a certain amount of fraud because their profits on their plastic is humongeous. That is one of the reasons, of course, why emv has been still born in this country until now' and I really do believe that if Target had not occurred, the October 2015 deadline would have been pushed back (although obviously we can't prove that). Sure banks may try to use the introduction of emv to try to do something about the liability question but then again that's why we need consumer lobbyists to protect our interests.
What will the final outcome be? Well the banks have sort of settled that by not going to "pure" chip and pin cards in this country either by the issuers or the merchants. Whether one of the reasons for this is the liability question or whether we Americans are too lazy to memorizea bunch of pins or the shift to "pure" chip and pin will be more expensive than the amount of fraud it might stymie or for whatever the reason, it is whatn it is. The USA will be a chip and signature country for the foreseeable future. Just how much inconvenience it will cause we will, as Nancy Pelosi would say, embrace the roll out of emv as it is to find out.
What will the final outcome be? Well the banks have sort of settled that by not going to "pure" chip and pin cards in this country either by the issuers or the merchants. Whether one of the reasons for this is the liability question or whether we Americans are too lazy to memorizea bunch of pins or the shift to "pure" chip and pin will be more expensive than the amount of fraud it might stymie or for whatever the reason, it is whatn it is. The USA will be a chip and signature country for the foreseeable future. Just how much inconvenience it will cause we will, as Nancy Pelosi would say, embrace the roll out of emv as it is to find out.
Aug 14, 2014, 11:48 am
#6144
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,502
We've been all through this. Banks are willing to eat a certain amount of fraud because their profits on their plastic is humongeous. That is one of the reasons, of course, why emv has been still born in this country until now' and I really do believe that if Target had not occurred, the October 2015 deadline would have been pushed back (although obviously we can't prove that). Sure banks may try to use the introduction of emv to try to do something about the liability question but then again that's why we need consumer lobbyists to protect our interests.
What will the final outcome be? Well the banks have sort of settled that by not going to "pure" chip and pin cards in this country either by the issuers or the merchants. Whether one of the reasons for this is the liability question or whether we Americans are too lazy to memorizea bunch of pins or the shift to "pure" chip and pin will be more expensive than the amount of fraud it might stymie or for whatever the reason, it is whatn it is. The USA will be a chip and signature country for the foreseeable future. Just how much inconvenience it will cause we will, as Nancy Pelosi would say, embrace the roll out of emv as it is to find out.
What will the final outcome be? Well the banks have sort of settled that by not going to "pure" chip and pin cards in this country either by the issuers or the merchants. Whether one of the reasons for this is the liability question or whether we Americans are too lazy to memorizea bunch of pins or the shift to "pure" chip and pin will be more expensive than the amount of fraud it might stymie or for whatever the reason, it is whatn it is. The USA will be a chip and signature country for the foreseeable future. Just how much inconvenience it will cause we will, as Nancy Pelosi would say, embrace the roll out of emv as it is to find out.
If I was in charge of card issuance at a major bank I could easily make a case that my proposed CVM list above would increase security against lost/stolen fraud while not making my cards inconvenient to use. You'd need a PIN for anything over $50 and when overseas, two of the higher risk transaction categories. Plus, it could be easily marketed to the general public as something that increases cardholder confidence or whatever the buzzword is now.
Unfortunately though, I'm not in charge of anything at any bank.
Aug 14, 2014, 12:43 pm
#6145
Join Date: Jul 2006
Location: LAX
Programs: AA EXP 1.5MM, Asiana Club Silver, KE Morning Calm, Hyatt Platinum, Amtrak Select
Posts: 7,161
So come in less than 14 months from now, it's not the government, it's not the banks, the fraud cost goes to the merchants. If they don't like it, the incentive is to move to EMV. Furthermore, moving to EMV will also reduce merchant's PCI-DSS fees so in the long run
Do you really feel the banksters would not take up the golden opportunity to lobby the government to modify the law under the premise (falsely) that "Chip and PIN card is so much more secured because it requires a PIN?"
Look at how much your tax money is handed out to the banks to bail them out during 2008-2009, you think the government would not "listen" to the banks and then initiate a modification of existing laws in the name to "reduce the costs of doing business" that the banks inevitably would use?
Some of you folks are quite naive and wishful thinking is all I could say.
Look at how much your tax money is handed out to the banks to bail them out during 2008-2009, you think the government would not "listen" to the banks and then initiate a modification of existing laws in the name to "reduce the costs of doing business" that the banks inevitably would use?
Some of you folks are quite naive and wishful thinking is all I could say.
Put it another way, credit cards existed since the 1950s. There were no laws against fraud protection until the Fair Credit Billing Act was passed in 1974. So for 24 years, between 1950 and 1974, banks enjoyed freedom and lobbied Congress heavily against consumer protection laws, until the American consumers said no more.
In the long term, American consumers have the voting power that is stronger than the bank lobby. Politicians, in the end, no matter which side of the aisle, are baby kissers. They want to keep being re-elected.
My view is that even if we go to Chip & PIN, the consumer protection laws will remain. Banks can levy heavily to get rid of it, but in the end, it's the voters that counts. Of course, if people don't vote, and sadly most of my Millennial generation don't really put that much effort into thinking about politics, it may not happen.
Last edited by kebosabi; Aug 14, 2014 at 12:50 pm
Aug 14, 2014, 2:29 pm
#6146
Join Date: Jul 2006
Location: LAX
Programs: AA EXP 1.5MM, Asiana Club Silver, KE Morning Calm, Hyatt Platinum, Amtrak Select
Posts: 7,161
Added a part in the wiki so that anyone who wants to help out with the Google Docs spreadsheet can just PM me with their gmail address to grant them edit access.
Aug 14, 2014, 4:04 pm
#6147
Join Date: Jul 2014
Location: United Kingdom
Posts: 93
As already noted, the law gives you a large degree of protection (i.e. the $50 limit). I don't see issuers lobbying to get anything changed if PIN is adopted in the US.
It just wouldn't happen often enough for issuers or cardholders to worry about.
Aug 14, 2014, 4:17 pm
#6148
Join Date: Jul 2012
Location: Canada
Programs: BA Gold (OWE), Star Alliance Gold, Hilton Diamond
Posts: 2,194
Issuers won't generally decline fallback transactions because sometimes their are valid reasons for them (I.e. Chip or chip reader is dirty, the chip reader does not support the networks application used common with Amex in Canada, an EMV backward compatibility issue has occurred etc.).
Here is an example of a genuine fallback transaction (either the chip on my cards was dirty or the reader was as I've used the card at the same merchant before just fine via the chip). I've probably had 3 or 4 over the last month (Admittedly this is a very high amount, I've just been unlucky with card machines).
Edit: here's another one I literally had 5 minutes after making this post haha!
Last edited by reclusive46; Aug 14, 2014 at 4:31 pm
Aug 14, 2014, 4:48 pm
#6149
Join Date: Jul 2009
Location: DCA/IAD
Programs: AS, US, Hilton, BA, DL, SPG, AA, VS
Posts: 1,628
They probably will try. But if they do, there is close to zero chance that they will be successful.
Aug 14, 2014, 4:57 pm
#6150
Join Date: May 2010
Location: ORDwest
Posts: 332
IMO this is a very odd argument.
As already noted, the law gives you a large degree of protection (i.e. the $50 limit). I don't see issuers lobbying to get anything changed if PIN is adopted in the US.
It just wouldn't happen often enough for issuers or cardholders to worry about.
As already noted, the law gives you a large degree of protection (i.e. the $50 limit). I don't see issuers lobbying to get anything changed if PIN is adopted in the US.
It just wouldn't happen often enough for issuers or cardholders to worry about.
In the US, federal consumer protection law imposes the $50 maximum consumer liability, and competitive market pressure effectively reduces that to zero. The liability shift coming in 2015 will be to whichever party in the transaction sequence cannot process an EMV transaction when presented with an EMV-capable card. The merchants - not the banks - are most likely to be the ones on the hook if they have not updated their POS terminals to handle EMV. And their lobbying is much less centralized and therefore less effective than financial interests. None of this makes any mention of PIN or PINless cards.
In the 40+ years (OK, ++ if you want more accuracy) that I have used credit cards, I have never once had a bank tell me I was on the hook for even the occasional late fee, not to mention a very small handful of fraudulent charge cases. The bank was always willing to resolve any of these situations in my favor. In a couple cases where I called to fuss about late payment fees and they pushed back, I gave the bank a real simple choice: forgive the fee, or lose all my future business to another card issuer. Of course I'm relying mostly on competitive pressure and not legal protection. No matter what the technology, I don't see the US banks' multi-decade quest for more credit card customers changing any time soon.