Sep 20, 2013, 11:40 am
Last edit by: philemer
Posts from 1/1/16 onward can be found here: http://www.flyertalk.com/forum/credit-card-programs/1739359-2016-onward-usa-emv-cards-availability-q-chip-pin-signature.html
EMV wikipost volunteers: kebosabi
What is EMV?
EMV is a defacto global standard of technology where there is a visible microchip on the front of the card. It looks like this:
Who issues them?
See Google Docs spreadsheet in Post #1
SFOAMS also has created a list of excellent webpage that shows US EMV cards in a more interactive interface
Another site, which lets you narrow the search for an EMV card by various parameters, is http://www.spotterswiki.com/emv/index.php.
Several credit unions issue some form of Chip-and-PIN credit cards or prepaid cards. Prepaid EMV cards however are not recommended due to junk fees. USAA (currently restricted to members of military) used to offer Chip-and-PIN cards, but as late has backtracked to Chip-and-Signature priority.
Hey that's a cool Google Docs list! I know others that aren't on that list. How can I help by adding them to the list?
My bad for not putting this into the wiki sooner. Right now, the Google Docs is locked out of editing and only in "read-only" view because there were instances in the past where people would just delete the rows not thinking that it affects others viewing the list.
If you promise not to delete any rows and input all the pertinent info (annual fee, rewards, FTF, etc.), I can provide you with edit access. Just shoot me a PM to kebosabi with your gmail address and I'll provide you edit access.
Thanks for helping out!
As of October 2014, no USA-based card issuer offers Chip-and-PIN priority cards except for BMO Harris (Diners Club) and UN Federal Credit Union. Other major USA-based banks such as BofA, Chase, Citi, as well as others issue Chip-and-Signature cards which may work at many automated kiosks. However, bear in mind the word may is used above is a context where there is no absolute certainty of success for certain environments such as automated kiosks due to different natures of offline and online transactions. It is highly recommended to read Post #3 which lists real life FTer examples on how Chip-and-Signature worked and did not work at various transaction environments.
Can I upgrade it right now?
If it's listed on that Google Docs spreadsheet or SFOAMS' Silk page, wouldn't hurt to call/twitter them for a free upgrade. If you get the response you don't like, hang up, try again.
What is the difference between Chip-and-Signature and Chip-and-PIN?
You insert the chipped card into the slot. The physical contact terminal will read the EMV chip and the terminal will automatically read the preferred cardholder verification methods (called CVM) for that card.
Chip-and-Signature means that the terminal will printout a receipt for you to sign. This is the most prevalent authentication for most US issued EMV cards. Chip-and-Signature helps in a way that it will get through to face-to-face merchant transactions where you and the merchant do not speak the same language.
Chip-and-PIN means that the terminal will prompt you to input a PIN for authentication. Some credit union issued credit cards will have this CVM as secondary if Chip-and-Signature cannot be done. Chip-and-PIN is the more prevalent method of authentication used outside the US, especially in transaction environments where no human interaction is needed (i.e. automated gas pumps, toll roads, train kiosks, etc.).
The Google Docs spreadsheet will list which CVM are used in the EMV cards listed. Some cards can only do Chip-and-Signature. Other cards can do both Chip-and-Signature and Chip-and-PIN. And others might have a third option called No CVM (no authentication needed) which is reserved for low value transactions.
One chip can hold a lot more data, therefore it is capable of doing multiple verification methods. That's one of the great things about EMV over the mag-stripe which can hold very little data.
I want to know for sure what my EMV chip does. Is there anyway I can test out my own EMV card to see what the CVM list is?
alexmt has written up a nice step-by-step procedure on Post #3615.
If most of the EMV cards in the US is the Chip-and-Signature type, doesn't that mean it's still useless abroad?
Depends if you see it as glass half empty or glass half full. See Post #3 for further details on how Chip-and-Signature has worked both successfully and unsuccessfully depending on the merchant transaction environment and use your best judgment whether which one is right for you.
Are there any places in the US that are accepting transactions via the EMV chip?
tmiw has created a dedicated Google maps webpage to show where EMV has been proven to work here: http://emvacceptedhere.com/ Per his Post #4240, feel free to add any places with active EMV terminals if you come across one.
As of 2014/05, the EMV terminals in most Walmarts and Sam's Clubs are being turned on. Hence, the best place to try them out would be your local Walmart or Sam's Club. For other merchants, it's slowly being phased in.
I hope people will post them in the Post your receipt of your 1st EMV based transaction in the US thread. cvarming has shown us an EMV transaction receipt from Brooklyn, NY in Post #2380. I myself had my first EMV based (Chip-and-Signature) transaction in two stores in the Los Angeles area, as shown in detail in Post #2705 (courtesy of WhatWhatTech for pointing these two stores out)
I don't want a chip in my card. I heard horror stories all over the media saying hackers can steal my credit card info from a mile away.
There are two types of chips. One is contactless and the other is contact. Cards can be either one or the other, or both.
In the Google Docs spreadsheet, the cards that are capable of contactless payments are listed seperately under the "RFID or NFC contactless chip" column. If it says yes, then that means it has the ability to do contactless payments. If it says no, it doesn't have that feature.
The one that the media has overhyped about hackers "stealing your information wirelessly" was the contactless type like this:
You are worried about this happening, right?
You don't have to worry. EMV is a chip standard that can have both contact and contactless interfaces. With the traditional contact interface, this means you actually have to physically insert the chip into a POS terminal for it to be authorized, like this:
With the contact interface, nothing is wireless. No data is sent out in a stand-alone contact type EMV chip. With the EMV contactless interface, data is sent wirelessly.
Furthermore, contactless chip cards are required to show a symbol (looks like Wi-Fi symbol) somewhere on the card that to denote it's capability as a contactless card. For example, here's an example of a Discover Card with contactless capability (in which Discover calls "Discover ZIP") showing the contactless symbol on the back of the card:
Don't believe everything that the media says. Besides, millions of people all over the world from London to Singapore, uses contactless payments daily in extremely crowded subways and mass transit with nary any problems. There are multiple layers of encrypted securities and keys that are needed to break the code.
Frankly, giving your physical card to a waiter/waitress who takes the card out of your view is much more susceptible to fraud than contactless payments.
Why should I care?
If you are an international traveler, you will want this because majority of the world has or in the process of converting to this payment format.
In fact, in 2012, even North Korea moved to the EMV format, leaving the US as one of the countries in the world that hasn't done so.
In addition, VISA, MC, AMEX, and Discover have all agreed to incentivize the USA shifting to EMV payments by 2015 by shifting liability for fraudulent transactions to merchants if they do not have EMV equipment and the cardholder has an EMV card. So if you travel internationally or would like to get one before the others, you might be interested in getting one.
BS! I had no problems using my card in [insert whereever country], [insert whatever point in time]
If you stick to the tourist path where they have lots of visitors from the US, you should have no problems using your mag-stripe only card in hotels and restaurants, at least for now. But as things can change as things go forward.
However, consider that once you start taking the off-beaten path, go to non-touristy places where they are not familiar with mag-stripes, rent a car and use toll roads, fill up gas, or try to buy train tickets you might end up into a trouble of the machine not recognizing your card because it lacks the chip. Furthermore, a lot of toll roads, gas pumps, and automated ticket machines lack any human assistance to help you when you need it the most.
But [insert credit card company] told me all merchants that display their logo must accept them! All I have to do is report them for violating their agreements, right?
There are several factors against this.
1. You can only speak English. The merchant representative, most likely a part-time clerk earning minimum wage, speaks in a different language, let's say French. If you have no French language skills, how are you going to get your point across? Are you going to whip out your cell phone at exorbitant int'l roaming charges and hope the customer service is going to translate it for you on the spot? Or maybe you might actually know French. But how about Swahili, Farsi, Balinese, or the multiple languages in mainland China?
2. Just like US, the rest of the world's businesses uses part-time minimum wage workers as cashiers to cut down on labor costs. Most of their SOP training manuals are written by MBA types to not to do anything they are not familiar with. Do not expect them to understand the intricate details of credit card mumbo jumbo. You don't expect Taco Bell employees to understand the minute details of Discover-JCB-Union Pay agreements, right? Same thing the other way around: be respectful as a guest in their country, prepare in advance in their ways, avoid being an "ugly American" stereotype.
3. You are a guest in their country. You are a minority. If 99.9% of their country's people and other tourists from around the world uses EMV, do you really think they are going to accomodate the 0.1% of American tourists who only have mag-stripes credit cards?
4. Again, you are a guest in their country. How would you, as an American standing in line, react if a Chinese tourist was clogging up the lines at a local Taco Bell because the clerk doesn't understand the Discover-Union Pay agreement and has trouble communicating between Mandarin spoken by the tourist and English spoken by the Taco Bell clerk? Same way the other way around. You do not want to clog up the lines for everyone. The less hassle, the better.
5. VISA and MC make tons of money from merchants in that country. Say SNCF French Rail. It's a billion dollar company in France. Do you think VISA is going to pull the plug of their relationship with SNCF because SNCF refuses to do mag-stripe processing at their unmanned train station kiosk? Of course not. Be realistic.
6. And lastly, if you're up against an unstaffed toll kiosk, gas pump or train ticket machine, are you going to yell curses at the machine?
But I want my credit card to be able to be used in the US too!
No worries. They have not gotten rid of the mag-stripe on the back of the card for backward compatibility reasons, just like we still have embossed numbers on our cards for backwards compatibility to using those old carbon copy imprinters.
[insert own Hyatt card image front and back together with red arrows pointing to all the backward compatibility features]
You use the chip on the front of the card abroad (for now), and the mag-stripe just like any other card for the US. Basically, you're increasing your credit card's acceptance rate by getting a card that both via the chip and the mag-stripe. You're getting a better deal for free.
And when 2015 comes along and US switches to EMV, you'll be way ahead of everyone else too!
So why did the rest of the world and the US moved/moving toward EMV?
Primarily, due to fraud concerns. You see, the mag-stripe has been with us since the 1950s. It may have been the most high tech thing back in the day, but with the technology that is available today, any shmo can pick up a $100 USB magnetic card skimming device off of eBay and get your credit card info.
And unlike skimming off contactless cards which actually need the person to have l33t programming skills, skimming off a magnetic stripe has become so ubiquitous that nary a day goes about skimming fraud going on somewhere in America, from gas pumps, Michael's stores (2011), Target breaches (2013), restaurant waiters/waitresses, to even McDonald's drive thrus.
https://www.google.com/search?q=skimming+fraud
These type of fraud used to be prevalent in Europe. But once they started switching over to EMV starting over 2 decades ago, this type of fraud went elsewhere. It went over to Asia, Canada and Mexico, Latin America, etc. etc. until they too began implementing EMV to combat skimming fraud. The US is practically the only country left that hasn't done so, therefore all the fraud that used to take place elsewhere is now happening here.
But EMV is old and it's not fool proof. Shouldn't we just skip over it and do something new instead?
Yes, EMV is old. It was developed in the 1990s and its smart card payment predecessor was first introduced in France. But as of today, it has become the defacto global standard of payments.
But then, what else is there? There is no other de facto global standard of payments alternative. For example, if we decide to skip over it and do something new, hypothetically like DNA matching technology, it still means US int'l travelers will continue to have problems abroad with useless plastic acceptance because no other country is using this DNA matching technology except the US.
Besides, nothing is fool proof. You can say that the bank vault isn't fool proof because you can crack it open if enough C4 is used. But your average low-life scumbag isn't likely to get military grade C4 easily either. But the bank vault does make it harder to get the bank's money over say a petty cash box. That's the point here. EMV is akin to a security tight bank vault, the old mag-stripe is akin to a petty cash box lying around inside the drawer.
I'm a business owner and I don't think EMV is going to take off. I'm not going to spend extra hundreds of dollars to upgrade my credit card machine. Convince me other wise why I should.
I can understand the added extra cost to your business once this switchover takes place. But before even saying that, look at your existing POS terminal. Does it have a slot somewhere to insert a card?
Most likely, if you had replaced your POS terminal within the past five years, you already have an EMV capable terminal. EMV is basically just not turned on yet from the processor and acquirer side.
If you have an EMV capable terminal, then a best bet would be to contact your acquirer to have the EMV feature turned on. You did your end of the deal already by having an EMV capable terminal, it is now the acquirers' responsibility to turn it on in accordance to the EMV switchover mandate.
And if you don't, you are going to replace your POS terminal anyway from common wear and tear. It isn't a hard switch-over. You can continue to use your POS terminal until it dies out because EMV cardholders will still have the mag-stripe on the back. And by the time your non-EMV capable POS terminal is up for replacement the market will be full with these newer POS terminals that can accept the mag-stripe, EMV, as well as contactless payments.
In addition, you may also want to check with your acquirer or processor about EMV capable terminals. Some of them are willing to replace your terminal for free in preparation for the US EMV switchover. Call and ask for details.
But what's in it for me? I'm the one that has to pay for the upgrade.
All the major card networks have given incentives for merchants for the upcoming EMV switchover.
If 75% or more of your credit card transactions are done on an EMV contact and contactless terminal, they are going to waive your annual PCI-DSS fees, which usually costs you around $5.00-$19.95/month per terminal. The overall long term cost savings of those compliance fees will be larger than the cost of an one time upgrade for the terminal.
The downside is that once EMV switchover happens and if you do not have a POS terminal that is able to accept EMV, the fraud liability shifts over to the merchant.
I own several fast food franchises. If I upgrade my POS terminals at all of my restaurants, it's going to cost me thousands, if not millions. I don't think anyone is going to use a fake credit card to buy $5 burgers. And if they do, wouldn't it be cheaper for me to eat the fraud cost?
Remember also that fraud isn't just committed by dishonest customers using fraudulent cards. Fraud can also happen with dishonest employees skimming off credit card data from the mag-stripe as in the case of a teenage McDonald's drive thru employee skimming off $13,000 of customers' credit cards in Olympia, WA. Consider the public relations fall out that your business may have if this happens (i.e. the big Target breach of 2013, where someone used a mag stripe card to load malware INTO Target's system). Is it worth risking to take such a huge PR disaster?
EMV wikipost volunteers: kebosabi
What is EMV?
EMV is a defacto global standard of technology where there is a visible microchip on the front of the card. It looks like this:
Who issues them?
See Google Docs spreadsheet in Post #1
SFOAMS also has created a list of excellent webpage that shows US EMV cards in a more interactive interface
Another site, which lets you narrow the search for an EMV card by various parameters, is http://www.spotterswiki.com/emv/index.php.
Several credit unions issue some form of Chip-and-PIN credit cards or prepaid cards. Prepaid EMV cards however are not recommended due to junk fees. USAA (currently restricted to members of military) used to offer Chip-and-PIN cards, but as late has backtracked to Chip-and-Signature priority.
Hey that's a cool Google Docs list! I know others that aren't on that list. How can I help by adding them to the list?
My bad for not putting this into the wiki sooner. Right now, the Google Docs is locked out of editing and only in "read-only" view because there were instances in the past where people would just delete the rows not thinking that it affects others viewing the list.
If you promise not to delete any rows and input all the pertinent info (annual fee, rewards, FTF, etc.), I can provide you with edit access. Just shoot me a PM to kebosabi with your gmail address and I'll provide you edit access.
Thanks for helping out!
As of October 2014, no USA-based card issuer offers Chip-and-PIN priority cards except for BMO Harris (Diners Club) and UN Federal Credit Union. Other major USA-based banks such as BofA, Chase, Citi, as well as others issue Chip-and-Signature cards which may work at many automated kiosks. However, bear in mind the word may is used above is a context where there is no absolute certainty of success for certain environments such as automated kiosks due to different natures of offline and online transactions. It is highly recommended to read Post #3 which lists real life FTer examples on how Chip-and-Signature worked and did not work at various transaction environments.
Can I upgrade it right now?
If it's listed on that Google Docs spreadsheet or SFOAMS' Silk page, wouldn't hurt to call/twitter them for a free upgrade. If you get the response you don't like, hang up, try again.
What is the difference between Chip-and-Signature and Chip-and-PIN?
You insert the chipped card into the slot. The physical contact terminal will read the EMV chip and the terminal will automatically read the preferred cardholder verification methods (called CVM) for that card.
Chip-and-Signature means that the terminal will printout a receipt for you to sign. This is the most prevalent authentication for most US issued EMV cards. Chip-and-Signature helps in a way that it will get through to face-to-face merchant transactions where you and the merchant do not speak the same language.
Chip-and-PIN means that the terminal will prompt you to input a PIN for authentication. Some credit union issued credit cards will have this CVM as secondary if Chip-and-Signature cannot be done. Chip-and-PIN is the more prevalent method of authentication used outside the US, especially in transaction environments where no human interaction is needed (i.e. automated gas pumps, toll roads, train kiosks, etc.).
The Google Docs spreadsheet will list which CVM are used in the EMV cards listed. Some cards can only do Chip-and-Signature. Other cards can do both Chip-and-Signature and Chip-and-PIN. And others might have a third option called No CVM (no authentication needed) which is reserved for low value transactions.
One chip can hold a lot more data, therefore it is capable of doing multiple verification methods. That's one of the great things about EMV over the mag-stripe which can hold very little data.
I want to know for sure what my EMV chip does. Is there anyway I can test out my own EMV card to see what the CVM list is?
alexmt has written up a nice step-by-step procedure on Post #3615.
If most of the EMV cards in the US is the Chip-and-Signature type, doesn't that mean it's still useless abroad?
Depends if you see it as glass half empty or glass half full. See Post #3 for further details on how Chip-and-Signature has worked both successfully and unsuccessfully depending on the merchant transaction environment and use your best judgment whether which one is right for you.
Are there any places in the US that are accepting transactions via the EMV chip?
tmiw has created a dedicated Google maps webpage to show where EMV has been proven to work here: http://emvacceptedhere.com/ Per his Post #4240, feel free to add any places with active EMV terminals if you come across one.
As of 2014/05, the EMV terminals in most Walmarts and Sam's Clubs are being turned on. Hence, the best place to try them out would be your local Walmart or Sam's Club. For other merchants, it's slowly being phased in.
I hope people will post them in the Post your receipt of your 1st EMV based transaction in the US thread. cvarming has shown us an EMV transaction receipt from Brooklyn, NY in Post #2380. I myself had my first EMV based (Chip-and-Signature) transaction in two stores in the Los Angeles area, as shown in detail in Post #2705 (courtesy of WhatWhatTech for pointing these two stores out)
I don't want a chip in my card. I heard horror stories all over the media saying hackers can steal my credit card info from a mile away.
There are two types of chips. One is contactless and the other is contact. Cards can be either one or the other, or both.
In the Google Docs spreadsheet, the cards that are capable of contactless payments are listed seperately under the "RFID or NFC contactless chip" column. If it says yes, then that means it has the ability to do contactless payments. If it says no, it doesn't have that feature.
The one that the media has overhyped about hackers "stealing your information wirelessly" was the contactless type like this:
You are worried about this happening, right?
You don't have to worry. EMV is a chip standard that can have both contact and contactless interfaces. With the traditional contact interface, this means you actually have to physically insert the chip into a POS terminal for it to be authorized, like this:
With the contact interface, nothing is wireless. No data is sent out in a stand-alone contact type EMV chip. With the EMV contactless interface, data is sent wirelessly.
Furthermore, contactless chip cards are required to show a symbol (looks like Wi-Fi symbol) somewhere on the card that to denote it's capability as a contactless card. For example, here's an example of a Discover Card with contactless capability (in which Discover calls "Discover ZIP") showing the contactless symbol on the back of the card:
Don't believe everything that the media says. Besides, millions of people all over the world from London to Singapore, uses contactless payments daily in extremely crowded subways and mass transit with nary any problems. There are multiple layers of encrypted securities and keys that are needed to break the code.
Frankly, giving your physical card to a waiter/waitress who takes the card out of your view is much more susceptible to fraud than contactless payments.
Why should I care?
If you are an international traveler, you will want this because majority of the world has or in the process of converting to this payment format.
In fact, in 2012, even North Korea moved to the EMV format, leaving the US as one of the countries in the world that hasn't done so.
In addition, VISA, MC, AMEX, and Discover have all agreed to incentivize the USA shifting to EMV payments by 2015 by shifting liability for fraudulent transactions to merchants if they do not have EMV equipment and the cardholder has an EMV card. So if you travel internationally or would like to get one before the others, you might be interested in getting one.
BS! I had no problems using my card in [insert whereever country], [insert whatever point in time]
If you stick to the tourist path where they have lots of visitors from the US, you should have no problems using your mag-stripe only card in hotels and restaurants, at least for now. But as things can change as things go forward.
However, consider that once you start taking the off-beaten path, go to non-touristy places where they are not familiar with mag-stripes, rent a car and use toll roads, fill up gas, or try to buy train tickets you might end up into a trouble of the machine not recognizing your card because it lacks the chip. Furthermore, a lot of toll roads, gas pumps, and automated ticket machines lack any human assistance to help you when you need it the most.
But [insert credit card company] told me all merchants that display their logo must accept them! All I have to do is report them for violating their agreements, right?
There are several factors against this.
1. You can only speak English. The merchant representative, most likely a part-time clerk earning minimum wage, speaks in a different language, let's say French. If you have no French language skills, how are you going to get your point across? Are you going to whip out your cell phone at exorbitant int'l roaming charges and hope the customer service is going to translate it for you on the spot? Or maybe you might actually know French. But how about Swahili, Farsi, Balinese, or the multiple languages in mainland China?
2. Just like US, the rest of the world's businesses uses part-time minimum wage workers as cashiers to cut down on labor costs. Most of their SOP training manuals are written by MBA types to not to do anything they are not familiar with. Do not expect them to understand the intricate details of credit card mumbo jumbo. You don't expect Taco Bell employees to understand the minute details of Discover-JCB-Union Pay agreements, right? Same thing the other way around: be respectful as a guest in their country, prepare in advance in their ways, avoid being an "ugly American" stereotype.
3. You are a guest in their country. You are a minority. If 99.9% of their country's people and other tourists from around the world uses EMV, do you really think they are going to accomodate the 0.1% of American tourists who only have mag-stripes credit cards?
4. Again, you are a guest in their country. How would you, as an American standing in line, react if a Chinese tourist was clogging up the lines at a local Taco Bell because the clerk doesn't understand the Discover-Union Pay agreement and has trouble communicating between Mandarin spoken by the tourist and English spoken by the Taco Bell clerk? Same way the other way around. You do not want to clog up the lines for everyone. The less hassle, the better.
5. VISA and MC make tons of money from merchants in that country. Say SNCF French Rail. It's a billion dollar company in France. Do you think VISA is going to pull the plug of their relationship with SNCF because SNCF refuses to do mag-stripe processing at their unmanned train station kiosk? Of course not. Be realistic.
6. And lastly, if you're up against an unstaffed toll kiosk, gas pump or train ticket machine, are you going to yell curses at the machine?
But I want my credit card to be able to be used in the US too!
No worries. They have not gotten rid of the mag-stripe on the back of the card for backward compatibility reasons, just like we still have embossed numbers on our cards for backwards compatibility to using those old carbon copy imprinters.
[insert own Hyatt card image front and back together with red arrows pointing to all the backward compatibility features]
You use the chip on the front of the card abroad (for now), and the mag-stripe just like any other card for the US. Basically, you're increasing your credit card's acceptance rate by getting a card that both via the chip and the mag-stripe. You're getting a better deal for free.
And when 2015 comes along and US switches to EMV, you'll be way ahead of everyone else too!
So why did the rest of the world and the US moved/moving toward EMV?
Primarily, due to fraud concerns. You see, the mag-stripe has been with us since the 1950s. It may have been the most high tech thing back in the day, but with the technology that is available today, any shmo can pick up a $100 USB magnetic card skimming device off of eBay and get your credit card info.
And unlike skimming off contactless cards which actually need the person to have l33t programming skills, skimming off a magnetic stripe has become so ubiquitous that nary a day goes about skimming fraud going on somewhere in America, from gas pumps, Michael's stores (2011), Target breaches (2013), restaurant waiters/waitresses, to even McDonald's drive thrus.
https://www.google.com/search?q=skimming+fraud
These type of fraud used to be prevalent in Europe. But once they started switching over to EMV starting over 2 decades ago, this type of fraud went elsewhere. It went over to Asia, Canada and Mexico, Latin America, etc. etc. until they too began implementing EMV to combat skimming fraud. The US is practically the only country left that hasn't done so, therefore all the fraud that used to take place elsewhere is now happening here.
But EMV is old and it's not fool proof. Shouldn't we just skip over it and do something new instead?
Yes, EMV is old. It was developed in the 1990s and its smart card payment predecessor was first introduced in France. But as of today, it has become the defacto global standard of payments.
But then, what else is there? There is no other de facto global standard of payments alternative. For example, if we decide to skip over it and do something new, hypothetically like DNA matching technology, it still means US int'l travelers will continue to have problems abroad with useless plastic acceptance because no other country is using this DNA matching technology except the US.
Besides, nothing is fool proof. You can say that the bank vault isn't fool proof because you can crack it open if enough C4 is used. But your average low-life scumbag isn't likely to get military grade C4 easily either. But the bank vault does make it harder to get the bank's money over say a petty cash box. That's the point here. EMV is akin to a security tight bank vault, the old mag-stripe is akin to a petty cash box lying around inside the drawer.
I'm a business owner and I don't think EMV is going to take off. I'm not going to spend extra hundreds of dollars to upgrade my credit card machine. Convince me other wise why I should.
I can understand the added extra cost to your business once this switchover takes place. But before even saying that, look at your existing POS terminal. Does it have a slot somewhere to insert a card?
Most likely, if you had replaced your POS terminal within the past five years, you already have an EMV capable terminal. EMV is basically just not turned on yet from the processor and acquirer side.
If you have an EMV capable terminal, then a best bet would be to contact your acquirer to have the EMV feature turned on. You did your end of the deal already by having an EMV capable terminal, it is now the acquirers' responsibility to turn it on in accordance to the EMV switchover mandate.
And if you don't, you are going to replace your POS terminal anyway from common wear and tear. It isn't a hard switch-over. You can continue to use your POS terminal until it dies out because EMV cardholders will still have the mag-stripe on the back. And by the time your non-EMV capable POS terminal is up for replacement the market will be full with these newer POS terminals that can accept the mag-stripe, EMV, as well as contactless payments.
In addition, you may also want to check with your acquirer or processor about EMV capable terminals. Some of them are willing to replace your terminal for free in preparation for the US EMV switchover. Call and ask for details.
But what's in it for me? I'm the one that has to pay for the upgrade.
All the major card networks have given incentives for merchants for the upcoming EMV switchover.
If 75% or more of your credit card transactions are done on an EMV contact and contactless terminal, they are going to waive your annual PCI-DSS fees, which usually costs you around $5.00-$19.95/month per terminal. The overall long term cost savings of those compliance fees will be larger than the cost of an one time upgrade for the terminal.
The downside is that once EMV switchover happens and if you do not have a POS terminal that is able to accept EMV, the fraud liability shifts over to the merchant.
I own several fast food franchises. If I upgrade my POS terminals at all of my restaurants, it's going to cost me thousands, if not millions. I don't think anyone is going to use a fake credit card to buy $5 burgers. And if they do, wouldn't it be cheaper for me to eat the fraud cost?
Remember also that fraud isn't just committed by dishonest customers using fraudulent cards. Fraud can also happen with dishonest employees skimming off credit card data from the mag-stripe as in the case of a teenage McDonald's drive thru employee skimming off $13,000 of customers' credit cards in Olympia, WA. Consider the public relations fall out that your business may have if this happens (i.e. the big Target breach of 2013, where someone used a mag stripe card to load malware INTO Target's system). Is it worth risking to take such a huge PR disaster?
USA EMV cards: Availability, Q&A (Chip & PIN -or- Chip & Signature) [2012-2015]
Nov 5, 2014, 3:27 pm
#7846
Join Date: Jul 2009
Location: SJC
Programs: AA, AS, Marriott
Posts: 6,063
Actually it is possible to check, but you need to have some programming skills and be familiar with the actual EMV specification. 
I wrote an app that basically pretends to be a terminal that only supports plaintext offline PIN and was able to confirm that the Andrews PIN changed. Haven't tried changing the Diners Club PIN yet, but that's not as critical because it's PIN priority.
I wrote an app that basically pretends to be a terminal that only supports plaintext offline PIN and was able to confirm that the Andrews PIN changed. Haven't tried changing the Diners Club PIN yet, but that's not as critical because it's PIN priority.In my experience it's always been an online transaction.
Nov 5, 2014, 4:14 pm
#7847
Join Date: Jul 2010
Location: New York
Programs: Cutting down :-(
Posts: 604
Can you please explain why an enciphered PIN would be better against a man-in-middle attack. Does the card challenge the terminal (asking for it to authenticate itself)?
Nov 5, 2014, 4:47 pm
#7848
Join Date: Oct 2014
Location: Portland, OR, USA
Programs: Delta + United Airmiles
Posts: 703
Found out that BoA is waiving the debit card replacement fee because I'm apparently part of their Preferred Rewards program now. Just requested a chip enabled debit card using their online chat. 
Actually it is possible to check, but you need to have some programming skills and be familiar with the actual EMV specification. I wrote an app that basically pretends to be a terminal that only supports plaintext offline PIN and was able to confirm that the Andrews PIN changed. Haven't tried changing the Diners Club PIN yet, but that's not as critical because it's PIN priority.
Actually it is possible to check, but you need to have some programming skills and be familiar with the actual EMV specification.
I wrote an app that basically pretends to be a terminal that only supports plaintext offline PIN and was able to confirm that the Andrews PIN changed. Haven't tried changing the Diners Club PIN yet, but that's not as critical because it's PIN priority.Since BofA now charges 3% FTF on debit card ATM cash withdrawal even at partners in Europe, I'm leaving mine home in favor of ... State Farm Bank (free, no FTF, reimburses ATM fees worldwide, takes deposits at US Bank ATM, etc). Charles Schwab is not as easy to work with so is 2nd choice.
Don't need chip and anything for ATM cash throughout Europe, so don't care if either has it.
Nov 5, 2014, 4:50 pm
#7849
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,508
Let's Just skip Sig and Go to Chip and PIN
Yeah Schwab is my first choice internationally (and places like Ohio that have few BoA branches). I already have a Schwab brokerage account so it was easier to work with them.
Neat - where do I get one?!?
Since BofA now charges 3% FTF on debit card ATM cash withdrawal even at partners in Europe, I'm leaving mine home in favor of ... State Farm Bank (free, no FTF, reimburses ATM fees worldwide, takes deposits at US Bank ATM, etc). Charles Schwab is not as easy to work with so is 2nd choice.
Don't need chip and anything for ATM cash throughout Europe, so don't care if either has it.
Since BofA now charges 3% FTF on debit card ATM cash withdrawal even at partners in Europe, I'm leaving mine home in favor of ... State Farm Bank (free, no FTF, reimburses ATM fees worldwide, takes deposits at US Bank ATM, etc). Charles Schwab is not as easy to work with so is 2nd choice.
Don't need chip and anything for ATM cash throughout Europe, so don't care if either has it.
Nov 5, 2014, 6:10 pm
#7850
Join Date: Nov 2014
Location: NYC
Posts: 557
When I requested a PIN for my Chase Freedom card coincident to requesting an EMV version, the CSR immediately informed me of my cash advance limit and the APRs associated with a cash advance. Note that I never mentioned anything about using my card for cash advances, but CSRs and many people have been trained that the only time one would need the PIN would be for use at an ATM for a cash advance.
Nov 5, 2014, 6:20 pm
#7852
Join Date: Jul 2009
Location: SJC
Programs: AA, AS, Marriott
Posts: 6,063
That's not entirely true. The Taiwan High Speed Rail ticket vending machines definitely do an online PIN verification. (I did some trials with this a few years ago where I entered incorrect PINs like 1234 or 1983 and the transaction failed. When I enter my CA PIN the transaction is successful.) I also remember entering my PIN at the TMB kiosks when purchasing tickets for the Barcelona metro in February. While the CVM doesn't support it, the transaction is either magnetic stripe or the terminal doesn't follow the card's CVM.
Nov 5, 2014, 6:41 pm
#7853
Join Date: May 2013
Posts: 54
The problem with security features that require cardholder input is that there’s a big chance the cardholder will say “screw it” and use another card because it’s easier.
The other big problem is that unfortunately people in general are not that bright and they have issues with the procedures/remembering passwords, etc.
The support calls needed to resolve any issues are rather expensive for banks.
Since we don't have chip/PIN credit cards in the US, I doubt that it's possible to say how much the "support calls" you refer to will cost. You say, however, that support calls are "rather expensive."
Debit cards are probably the closest comparison we have to chip/PIN so perhaps someone can tell us how much banks spend on support calls for debit card PIN issues.
Do you think support calls will cost anywhere close to the $190 billion dollars we lose to credit card fraud?
The combination of expensive support and cardholder abandonment is actually one of the reasons that Chip and Sig is more popular than Chip and PIN. As an example, in the US, on mag stripe Debit transactions, people are much more likely to use Signature Debit than PIN Debit because they don’t want to deal with entering a PIN.
Others have mentioned their reasons for choosing Signature Debit rather than PIN Debit are because they don't want to enter their Debit PIN into an untrusted terminal.
I believe that the US consumer would prefer chip/PIN credit cards if they were taught of the security advantages they have over chip/sig.
Issuing banks and payment networks, above all, want to gain payment volume. If a security feature creates the possibility that your cardholder doesn’t use your card, they won’t like it unless their bottom line impact from fraud reduction is greater than the potential volume lost from cardholder abandonment due to a complex product.
If the banks would educate their customers in the proper use of and the security benefits of a chip/PIN card, then perhaps more people would want (demand) to use them.
Instead, the banks are promoting the use of chip/signature as the more "convenient" method. "No PIN required", says the advertisement I received from Citibank for their EMV credit card. What are customers to think when they are being "sold" the chip/sig idea while never being told of the chip/PIN solution?
In the US, fraud doesn’t happen enough for banks to bother with that kind of stuff.
Additionally, for Card Not Present transactions (eCommerce), the Merchant holds fraud liability, so the Issuing banks don’t have financial liability for the fraud (and neither do you - if you run into eCommerce fraud, just call up your Issuing bank, say it was fraud, and that’s that, you won’t have to pay).
Because of this combination of factors, additional eCommerce security is usually seen on the merchant side (think about the great lengths Amazon has gone to to ensure that you are really who you say you are), and not on the network/issuer side. Most of the stuff the payment networks have rolled out has not been very successful in the US, like Verified by Visa, for instance.
In case that was too long too read, the short answer is I doubt we’ll see much of it. If we do, it would probably be opt-in. More likely, though, the next big step for security will be mobile.
I'll wrap this up by saying that I spend quite a bit of time in the UK and can attest to their successful use of chip/PIN credit cards. I can't recall seeing a card holder in the UK fumbling at the terminal because they couldn't remember their PIN. Oh, but I do remember many a merchant fumbling at the terminal because a certain card holder (yes, it might have been me) didn't have an ink pen to use to sign the receipt from their chip/signature transaction. Truth be told, this "pen search" I've described takes place 9 out of 10 times. I've never seen anyone else sign for their credit card transactions in the parts of the UK where I tend to stay. Somehow they get by quite well with their chip/PIN cards. I guess they're just that much smarter than the US consumer.
Furthermore, I have never seen a person in the UK, one who uses a chip/PIN credit card, hand their credit card over to another person. Their card never leaves their hand. Unlike in the US where we have been trained to hand our credit cards over to a complete stranger - many times only to have the card taken out of our site for minutes at a time while it's being processed. How crazy is that?!
Our use of the latest credit card technology in the US is completely unacceptable and the financial institutions and payment networks should be ashamed for not being proactive in the marketing of chip/PIN technology. Instead, they continue to insult the intelligence of the US consumer with their remarks about our inability to remember a 4-digit PIN and our inability to understand how to insert a chip card into a reader.
Unfortunately, the comments that you have made in your post reinforce similar comments that I have read in a recent report given by Visa to the United States Federal Reserve. At least you are all on the same page and preaching the same message. It's just too bad that the message is in the best interest of the payment networks and not the consumer. Regards.
Last edited by kv1; Nov 5, 2014 at 6:47 pm
Nov 5, 2014, 6:52 pm
#7854
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,508
kv1, I think we've concluded over the course of this 500+ page thread that almost all banks aren't going to voluntarily adopt PIN priority. It's pretty much beating a dead horse at this point.
There are PIN priority cards out there (UNFCU, Diners Club). Get one and use it for your spending. The only way others will follow is if there's real demand for those cards, and they'll be able to see that by the decrease in swipe revenue and interest charges from any balances that would have resulted. Just note that card culture does matter and you may find that PIN priority is more of a hassle than signature priority domestically. For example, that one place I talked about before that rejected my DC card.
IMO, in a few years it won't really matter. I believe the US is going to skip straight over contact EMV except as a fallback and go straight to contactless/NFC anyway thanks mostly to Apple Pay making NFC popular again.
There are PIN priority cards out there (UNFCU, Diners Club). Get one and use it for your spending. The only way others will follow is if there's real demand for those cards, and they'll be able to see that by the decrease in swipe revenue and interest charges from any balances that would have resulted. Just note that card culture does matter and you may find that PIN priority is more of a hassle than signature priority domestically. For example, that one place I talked about before that rejected my DC card.
IMO, in a few years it won't really matter. I believe the US is going to skip straight over contact EMV except as a fallback and go straight to contactless/NFC anyway thanks mostly to Apple Pay making NFC popular again.
Nov 5, 2014, 7:01 pm
#7855
FlyerTalk Evangelist
Join Date: Aug 2001
Location: RSW
Programs: Delta - Silver; UA - Silver; HHonors - Diamond; IHG - Spire Ambassador; Marriott Bonvoy - Titanium
Posts: 14,185
Chip & Sign will attack the problem of mag stripe cloning theft, but it remains to be seen how much of a "solution" comparing signatures (or widespread lack thereof) will be in the USA.
Nov 5, 2014, 7:05 pm
#7856
Join Date: May 2013
Posts: 54
kv1, I think we've concluded over the course of this 500+ page thread that almost all banks aren't going to voluntarily adopt PIN priority. It's pretty much beating a dead horse at this point.
There are PIN priority cards out there (UNFCU, Diners Club). Get one and use it for your spending. The only way others will follow is if there's real demand for those cards, and they'll be able to see that by the decrease in swipe revenue and interest charges from any balances that would have resulted. Just note that card culture does matter and you may find that PIN priority is more of a hassle than signature priority domestically. For example, that one place I talked about before that rejected my DC card.
IMO, in a few years it won't really matter. I believe the US is going to skip straight over contact EMV except as a fallback and go straight to contactless/NFC anyway thanks mostly to Apple Pay making NFC popular again.
There are PIN priority cards out there (UNFCU, Diners Club). Get one and use it for your spending. The only way others will follow is if there's real demand for those cards, and they'll be able to see that by the decrease in swipe revenue and interest charges from any balances that would have resulted. Just note that card culture does matter and you may find that PIN priority is more of a hassle than signature priority domestically. For example, that one place I talked about before that rejected my DC card.
IMO, in a few years it won't really matter. I believe the US is going to skip straight over contact EMV except as a fallback and go straight to contactless/NFC anyway thanks mostly to Apple Pay making NFC popular again.
Yeah, I know I got on a bit of a rant. It's just that post I read from uds0 struck a nerve.
I'm tired of reading formal presentations from Visa and posts from people who work for Visa/MasterCard/American Express, in which they continue to insult the intelligence of the US card holder while preaching their "stockholder-friendly" marketing material.
I'll leave it at that lest I get started again.
Nov 5, 2014, 9:41 pm
#7857
Join Date: Oct 2014
Location: Portland, OR, USA
Programs: Delta + United Airmiles
Posts: 703
kv1,
I'm thinking maybe my intent - to present "reportedly" authorative additional resources - has anything to do with endorsement of their "expert" claims. I intend to hopefully contribute information from my experiences as well as possible information presented by others that MAY have more than just spin or misinformation.
As always, each of us has to sift through the mountains of crap to find the actual bit of real value and consistency. More sifting hopefully zeroes gets us closer to the reality so well hidden.
I'm thinking maybe my intent - to present "reportedly" authorative additional resources - has anything to do with endorsement of their "expert" claims. I intend to hopefully contribute information from my experiences as well as possible information presented by others that MAY have more than just spin or misinformation.
As always, each of us has to sift through the mountains of crap to find the actual bit of real value and consistency. More sifting hopefully zeroes gets us closer to the reality so well hidden.
Nov 5, 2014, 9:54 pm
#7858
Moderator: Manufactured Spending
Join Date: Jul 2011
Posts: 6,580
Of course banks are putting their profits first. That is the whole purpose of a business.
Do you really think banks anywhere in the world are going to put customers' financial security ahead of their own bottom line?
Banks have calculated that having a PIN will cost more (in lost merchant fees) than they will gain (through increased security). Given how most of the non-frequent fliers I know tend to make purchases, I don't doubt them on this.
Nov 5, 2014, 10:18 pm
#7859
Join Date: Jul 2007
Posts: 1,762
KV1...I don't necessarily disagree with anything your wrote however...
1. As noted, you are beating a dead horse. The decision has already been made. I am quite sure the bean counters at both the banks and the networks have studied this extensively. And the conclusion they have reached, rightly or wrongly, is that the USA has a completely different set up when it comes to plastic payment mechanisms. More banks in the USA, far more as a matter of fact, issue credit cards than almost anywhere else on earth. So Americans probably tend to carry more cards than other nationalities and hence indeed have more pins to remember than somebody carrying 1 or at most 2. Sure we can set up systems to change pins and the like but that's an additional hassle fo some.
2. You cited a total figure for credit card fraud. That includes both card is present and as they say e-commerce use of cards. As I am sure you will agree, the introduction of emv is only effective in card is present fraud. Since card is present fraud is very much hindered by the introduction of emv compliant cards, the use of emv will in and of itself cut into the amount of such fraud, whether pin priority or signature priority. It will do little or nothing about fraud online. I am sure you will agree.
3. When you step back for a second, the difference between pin or signature priority only comes into play when the physical card is lost or stolen. It is the same argument I had with a couple of people regarding writing see ID instead of their signature. I agree signature verification is not in the slightest secure and even though as your experience in the UK shows you while in the UK the clerks make a big charade about checking signatures, it is next to worthless to count on a 16 year old student working in McDonald's to make a stink about the signature. The UK would be much better off if they abandoned signatures completely for small purchases on non pin cards. However, I digress. How much actual fraud is there with lost or stolen cards which I am sure the banks have looked at and found their losses due to such fraud in card is present transactions is far less for stolen or lost cards than it is to introduce a pin system. And you can't just throw out that some will turn to other means of paying for stuff (cash?) if using a credit card become more troublesome for them.
I've said it and I'll say it again. Yes I prefer chip and pin only because I am unsure that mc/visa/amex can achieve 100% compliance for the use of emv enabled cards and yes, 98% is really not good enough for me. However, from what I can acertain, they have made strides in that and apparently are serious about requiring merchants not to use offline pin exclusively as a cvm. The day the Dutch National railroads start accepting chip and signature no cvm in their machines is the day I will know they have succeeded in that. I don't think it's quite there yet. It is for that reason, I swallowed hard and got a UNFCU card to sit in my pocket as a last resort but it will come with me the next time I leave the country and I've memorized the pin but I bring with me 3 or 4 other cards for use in my travels and don't lose any sleep over it.
All I really care about is maintaining the zero liability I have. And yes I have had the horror of tooting along the Santa Ana Freeway on my annual xmas holiday in So Cal and having my mobile phone ring with a call from Citibank inquiring whether I had just spent $8,000 for electronic equipment in Florida the day after I dined at a restaurant and given my card up to go to some back room for processing although obviously I can't prove that was where the number and info was pilfered. You know what the bank was most interested in? Mr. JJ, we're sorry this happened. We will of course remove the charge from your account. Where can we send your replacement card overnight so you will not be without the card. The next morning, I had a replacement card waiting at my hotel sent overnight and life went on. Since then, I've had my info pilfered 5 or 6 times and with the additional inconvenience of having to notify my merchants who automatically debit the cards of the new number. Yes, it's an inconvenience but unfortunately it's part of modern day life. All I want to know is will my card work when I need it which is really what all of us should know. The battle for chip and pin on US issued cards is essentially over no matter how painful it might seem to some. Let us be happy with whatever small victory we have achieved
1. As noted, you are beating a dead horse. The decision has already been made. I am quite sure the bean counters at both the banks and the networks have studied this extensively. And the conclusion they have reached, rightly or wrongly, is that the USA has a completely different set up when it comes to plastic payment mechanisms. More banks in the USA, far more as a matter of fact, issue credit cards than almost anywhere else on earth. So Americans probably tend to carry more cards than other nationalities and hence indeed have more pins to remember than somebody carrying 1 or at most 2. Sure we can set up systems to change pins and the like but that's an additional hassle fo some.
2. You cited a total figure for credit card fraud. That includes both card is present and as they say e-commerce use of cards. As I am sure you will agree, the introduction of emv is only effective in card is present fraud. Since card is present fraud is very much hindered by the introduction of emv compliant cards, the use of emv will in and of itself cut into the amount of such fraud, whether pin priority or signature priority. It will do little or nothing about fraud online. I am sure you will agree.
3. When you step back for a second, the difference between pin or signature priority only comes into play when the physical card is lost or stolen. It is the same argument I had with a couple of people regarding writing see ID instead of their signature. I agree signature verification is not in the slightest secure and even though as your experience in the UK shows you while in the UK the clerks make a big charade about checking signatures, it is next to worthless to count on a 16 year old student working in McDonald's to make a stink about the signature. The UK would be much better off if they abandoned signatures completely for small purchases on non pin cards. However, I digress. How much actual fraud is there with lost or stolen cards which I am sure the banks have looked at and found their losses due to such fraud in card is present transactions is far less for stolen or lost cards than it is to introduce a pin system. And you can't just throw out that some will turn to other means of paying for stuff (cash?) if using a credit card become more troublesome for them.
I've said it and I'll say it again. Yes I prefer chip and pin only because I am unsure that mc/visa/amex can achieve 100% compliance for the use of emv enabled cards and yes, 98% is really not good enough for me. However, from what I can acertain, they have made strides in that and apparently are serious about requiring merchants not to use offline pin exclusively as a cvm. The day the Dutch National railroads start accepting chip and signature no cvm in their machines is the day I will know they have succeeded in that. I don't think it's quite there yet. It is for that reason, I swallowed hard and got a UNFCU card to sit in my pocket as a last resort but it will come with me the next time I leave the country and I've memorized the pin but I bring with me 3 or 4 other cards for use in my travels and don't lose any sleep over it.
All I really care about is maintaining the zero liability I have. And yes I have had the horror of tooting along the Santa Ana Freeway on my annual xmas holiday in So Cal and having my mobile phone ring with a call from Citibank inquiring whether I had just spent $8,000 for electronic equipment in Florida the day after I dined at a restaurant and given my card up to go to some back room for processing although obviously I can't prove that was where the number and info was pilfered. You know what the bank was most interested in? Mr. JJ, we're sorry this happened. We will of course remove the charge from your account. Where can we send your replacement card overnight so you will not be without the card. The next morning, I had a replacement card waiting at my hotel sent overnight and life went on. Since then, I've had my info pilfered 5 or 6 times and with the additional inconvenience of having to notify my merchants who automatically debit the cards of the new number. Yes, it's an inconvenience but unfortunately it's part of modern day life. All I want to know is will my card work when I need it which is really what all of us should know. The battle for chip and pin on US issued cards is essentially over no matter how painful it might seem to some. Let us be happy with whatever small victory we have achieved
Last edited by JEFFJAGUAR; Nov 5, 2014 at 10:35 pm
Nov 5, 2014, 10:42 pm
#7860
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,508
If you think about it from the perspective of the banks, the lost/stolen protection that PIN provides in an offline capable market isn't really needed in an online only market. Just set a flag on the computer and the lost/stolen card will be declined everywhere. There might even be a message on the merchant's terminal to tell them to keep the thief there until police arrive. There can't really be that many people who will hold off on reporting a stolen card for days while charges get racked up, right?
Like I said before though, I don't think we'll be exclusively using contact EMV long anyway. We might even find that our transition to contactless will be the fastest out of all of the other countries that adopted it. I could be totally wrong, however.
Like I said before though, I don't think we'll be exclusively using contact EMV long anyway. We might even find that our transition to contactless will be the fastest out of all of the other countries that adopted it. I could be totally wrong, however.