Sep 20, 2013, 11:40 am
Last edit by: philemer
Posts from 1/1/16 onward can be found here: http://www.flyertalk.com/forum/credit-card-programs/1739359-2016-onward-usa-emv-cards-availability-q-chip-pin-signature.html
EMV wikipost volunteers: kebosabi
What is EMV?
EMV is a defacto global standard of technology where there is a visible microchip on the front of the card. It looks like this:
Who issues them?
See Google Docs spreadsheet in Post #1
SFOAMS also has created a list of excellent webpage that shows US EMV cards in a more interactive interface
Another site, which lets you narrow the search for an EMV card by various parameters, is http://www.spotterswiki.com/emv/index.php.
Several credit unions issue some form of Chip-and-PIN credit cards or prepaid cards. Prepaid EMV cards however are not recommended due to junk fees. USAA (currently restricted to members of military) used to offer Chip-and-PIN cards, but as late has backtracked to Chip-and-Signature priority.
Hey that's a cool Google Docs list! I know others that aren't on that list. How can I help by adding them to the list?
My bad for not putting this into the wiki sooner. Right now, the Google Docs is locked out of editing and only in "read-only" view because there were instances in the past where people would just delete the rows not thinking that it affects others viewing the list.
If you promise not to delete any rows and input all the pertinent info (annual fee, rewards, FTF, etc.), I can provide you with edit access. Just shoot me a PM to kebosabi with your gmail address and I'll provide you edit access.
Thanks for helping out!
As of October 2014, no USA-based card issuer offers Chip-and-PIN priority cards except for BMO Harris (Diners Club) and UN Federal Credit Union. Other major USA-based banks such as BofA, Chase, Citi, as well as others issue Chip-and-Signature cards which may work at many automated kiosks. However, bear in mind the word may is used above is a context where there is no absolute certainty of success for certain environments such as automated kiosks due to different natures of offline and online transactions. It is highly recommended to read Post #3 which lists real life FTer examples on how Chip-and-Signature worked and did not work at various transaction environments.
Can I upgrade it right now?
If it's listed on that Google Docs spreadsheet or SFOAMS' Silk page, wouldn't hurt to call/twitter them for a free upgrade. If you get the response you don't like, hang up, try again.
What is the difference between Chip-and-Signature and Chip-and-PIN?
You insert the chipped card into the slot. The physical contact terminal will read the EMV chip and the terminal will automatically read the preferred cardholder verification methods (called CVM) for that card.
Chip-and-Signature means that the terminal will printout a receipt for you to sign. This is the most prevalent authentication for most US issued EMV cards. Chip-and-Signature helps in a way that it will get through to face-to-face merchant transactions where you and the merchant do not speak the same language.
Chip-and-PIN means that the terminal will prompt you to input a PIN for authentication. Some credit union issued credit cards will have this CVM as secondary if Chip-and-Signature cannot be done. Chip-and-PIN is the more prevalent method of authentication used outside the US, especially in transaction environments where no human interaction is needed (i.e. automated gas pumps, toll roads, train kiosks, etc.).
The Google Docs spreadsheet will list which CVM are used in the EMV cards listed. Some cards can only do Chip-and-Signature. Other cards can do both Chip-and-Signature and Chip-and-PIN. And others might have a third option called No CVM (no authentication needed) which is reserved for low value transactions.
One chip can hold a lot more data, therefore it is capable of doing multiple verification methods. That's one of the great things about EMV over the mag-stripe which can hold very little data.
I want to know for sure what my EMV chip does. Is there anyway I can test out my own EMV card to see what the CVM list is?
alexmt has written up a nice step-by-step procedure on Post #3615.
If most of the EMV cards in the US is the Chip-and-Signature type, doesn't that mean it's still useless abroad?
Depends if you see it as glass half empty or glass half full. See Post #3 for further details on how Chip-and-Signature has worked both successfully and unsuccessfully depending on the merchant transaction environment and use your best judgment whether which one is right for you.
Are there any places in the US that are accepting transactions via the EMV chip?
tmiw has created a dedicated Google maps webpage to show where EMV has been proven to work here: http://emvacceptedhere.com/ Per his Post #4240, feel free to add any places with active EMV terminals if you come across one.
As of 2014/05, the EMV terminals in most Walmarts and Sam's Clubs are being turned on. Hence, the best place to try them out would be your local Walmart or Sam's Club. For other merchants, it's slowly being phased in.
I hope people will post them in the Post your receipt of your 1st EMV based transaction in the US thread. cvarming has shown us an EMV transaction receipt from Brooklyn, NY in Post #2380. I myself had my first EMV based (Chip-and-Signature) transaction in two stores in the Los Angeles area, as shown in detail in Post #2705 (courtesy of WhatWhatTech for pointing these two stores out)
I don't want a chip in my card. I heard horror stories all over the media saying hackers can steal my credit card info from a mile away.
There are two types of chips. One is contactless and the other is contact. Cards can be either one or the other, or both.
In the Google Docs spreadsheet, the cards that are capable of contactless payments are listed seperately under the "RFID or NFC contactless chip" column. If it says yes, then that means it has the ability to do contactless payments. If it says no, it doesn't have that feature.
The one that the media has overhyped about hackers "stealing your information wirelessly" was the contactless type like this:
You are worried about this happening, right?
You don't have to worry. EMV is a chip standard that can have both contact and contactless interfaces. With the traditional contact interface, this means you actually have to physically insert the chip into a POS terminal for it to be authorized, like this:
With the contact interface, nothing is wireless. No data is sent out in a stand-alone contact type EMV chip. With the EMV contactless interface, data is sent wirelessly.
Furthermore, contactless chip cards are required to show a symbol (looks like Wi-Fi symbol) somewhere on the card that to denote it's capability as a contactless card. For example, here's an example of a Discover Card with contactless capability (in which Discover calls "Discover ZIP") showing the contactless symbol on the back of the card:
Don't believe everything that the media says. Besides, millions of people all over the world from London to Singapore, uses contactless payments daily in extremely crowded subways and mass transit with nary any problems. There are multiple layers of encrypted securities and keys that are needed to break the code.
Frankly, giving your physical card to a waiter/waitress who takes the card out of your view is much more susceptible to fraud than contactless payments.
Why should I care?
If you are an international traveler, you will want this because majority of the world has or in the process of converting to this payment format.
In fact, in 2012, even North Korea moved to the EMV format, leaving the US as one of the countries in the world that hasn't done so.
In addition, VISA, MC, AMEX, and Discover have all agreed to incentivize the USA shifting to EMV payments by 2015 by shifting liability for fraudulent transactions to merchants if they do not have EMV equipment and the cardholder has an EMV card. So if you travel internationally or would like to get one before the others, you might be interested in getting one.
BS! I had no problems using my card in [insert whereever country], [insert whatever point in time]
If you stick to the tourist path where they have lots of visitors from the US, you should have no problems using your mag-stripe only card in hotels and restaurants, at least for now. But as things can change as things go forward.
However, consider that once you start taking the off-beaten path, go to non-touristy places where they are not familiar with mag-stripes, rent a car and use toll roads, fill up gas, or try to buy train tickets you might end up into a trouble of the machine not recognizing your card because it lacks the chip. Furthermore, a lot of toll roads, gas pumps, and automated ticket machines lack any human assistance to help you when you need it the most.
But [insert credit card company] told me all merchants that display their logo must accept them! All I have to do is report them for violating their agreements, right?
There are several factors against this.
1. You can only speak English. The merchant representative, most likely a part-time clerk earning minimum wage, speaks in a different language, let's say French. If you have no French language skills, how are you going to get your point across? Are you going to whip out your cell phone at exorbitant int'l roaming charges and hope the customer service is going to translate it for you on the spot? Or maybe you might actually know French. But how about Swahili, Farsi, Balinese, or the multiple languages in mainland China?
2. Just like US, the rest of the world's businesses uses part-time minimum wage workers as cashiers to cut down on labor costs. Most of their SOP training manuals are written by MBA types to not to do anything they are not familiar with. Do not expect them to understand the intricate details of credit card mumbo jumbo. You don't expect Taco Bell employees to understand the minute details of Discover-JCB-Union Pay agreements, right? Same thing the other way around: be respectful as a guest in their country, prepare in advance in their ways, avoid being an "ugly American" stereotype.
3. You are a guest in their country. You are a minority. If 99.9% of their country's people and other tourists from around the world uses EMV, do you really think they are going to accomodate the 0.1% of American tourists who only have mag-stripes credit cards?
4. Again, you are a guest in their country. How would you, as an American standing in line, react if a Chinese tourist was clogging up the lines at a local Taco Bell because the clerk doesn't understand the Discover-Union Pay agreement and has trouble communicating between Mandarin spoken by the tourist and English spoken by the Taco Bell clerk? Same way the other way around. You do not want to clog up the lines for everyone. The less hassle, the better.
5. VISA and MC make tons of money from merchants in that country. Say SNCF French Rail. It's a billion dollar company in France. Do you think VISA is going to pull the plug of their relationship with SNCF because SNCF refuses to do mag-stripe processing at their unmanned train station kiosk? Of course not. Be realistic.
6. And lastly, if you're up against an unstaffed toll kiosk, gas pump or train ticket machine, are you going to yell curses at the machine?
But I want my credit card to be able to be used in the US too!
No worries. They have not gotten rid of the mag-stripe on the back of the card for backward compatibility reasons, just like we still have embossed numbers on our cards for backwards compatibility to using those old carbon copy imprinters.
[insert own Hyatt card image front and back together with red arrows pointing to all the backward compatibility features]
You use the chip on the front of the card abroad (for now), and the mag-stripe just like any other card for the US. Basically, you're increasing your credit card's acceptance rate by getting a card that both via the chip and the mag-stripe. You're getting a better deal for free.
And when 2015 comes along and US switches to EMV, you'll be way ahead of everyone else too!
So why did the rest of the world and the US moved/moving toward EMV?
Primarily, due to fraud concerns. You see, the mag-stripe has been with us since the 1950s. It may have been the most high tech thing back in the day, but with the technology that is available today, any shmo can pick up a $100 USB magnetic card skimming device off of eBay and get your credit card info.
And unlike skimming off contactless cards which actually need the person to have l33t programming skills, skimming off a magnetic stripe has become so ubiquitous that nary a day goes about skimming fraud going on somewhere in America, from gas pumps, Michael's stores (2011), Target breaches (2013), restaurant waiters/waitresses, to even McDonald's drive thrus.
https://www.google.com/search?q=skimming+fraud
These type of fraud used to be prevalent in Europe. But once they started switching over to EMV starting over 2 decades ago, this type of fraud went elsewhere. It went over to Asia, Canada and Mexico, Latin America, etc. etc. until they too began implementing EMV to combat skimming fraud. The US is practically the only country left that hasn't done so, therefore all the fraud that used to take place elsewhere is now happening here.
But EMV is old and it's not fool proof. Shouldn't we just skip over it and do something new instead?
Yes, EMV is old. It was developed in the 1990s and its smart card payment predecessor was first introduced in France. But as of today, it has become the defacto global standard of payments.
But then, what else is there? There is no other de facto global standard of payments alternative. For example, if we decide to skip over it and do something new, hypothetically like DNA matching technology, it still means US int'l travelers will continue to have problems abroad with useless plastic acceptance because no other country is using this DNA matching technology except the US.
Besides, nothing is fool proof. You can say that the bank vault isn't fool proof because you can crack it open if enough C4 is used. But your average low-life scumbag isn't likely to get military grade C4 easily either. But the bank vault does make it harder to get the bank's money over say a petty cash box. That's the point here. EMV is akin to a security tight bank vault, the old mag-stripe is akin to a petty cash box lying around inside the drawer.
I'm a business owner and I don't think EMV is going to take off. I'm not going to spend extra hundreds of dollars to upgrade my credit card machine. Convince me other wise why I should.
I can understand the added extra cost to your business once this switchover takes place. But before even saying that, look at your existing POS terminal. Does it have a slot somewhere to insert a card?
Most likely, if you had replaced your POS terminal within the past five years, you already have an EMV capable terminal. EMV is basically just not turned on yet from the processor and acquirer side.
If you have an EMV capable terminal, then a best bet would be to contact your acquirer to have the EMV feature turned on. You did your end of the deal already by having an EMV capable terminal, it is now the acquirers' responsibility to turn it on in accordance to the EMV switchover mandate.
And if you don't, you are going to replace your POS terminal anyway from common wear and tear. It isn't a hard switch-over. You can continue to use your POS terminal until it dies out because EMV cardholders will still have the mag-stripe on the back. And by the time your non-EMV capable POS terminal is up for replacement the market will be full with these newer POS terminals that can accept the mag-stripe, EMV, as well as contactless payments.
In addition, you may also want to check with your acquirer or processor about EMV capable terminals. Some of them are willing to replace your terminal for free in preparation for the US EMV switchover. Call and ask for details.
But what's in it for me? I'm the one that has to pay for the upgrade.
All the major card networks have given incentives for merchants for the upcoming EMV switchover.
If 75% or more of your credit card transactions are done on an EMV contact and contactless terminal, they are going to waive your annual PCI-DSS fees, which usually costs you around $5.00-$19.95/month per terminal. The overall long term cost savings of those compliance fees will be larger than the cost of an one time upgrade for the terminal.
The downside is that once EMV switchover happens and if you do not have a POS terminal that is able to accept EMV, the fraud liability shifts over to the merchant.
I own several fast food franchises. If I upgrade my POS terminals at all of my restaurants, it's going to cost me thousands, if not millions. I don't think anyone is going to use a fake credit card to buy $5 burgers. And if they do, wouldn't it be cheaper for me to eat the fraud cost?
Remember also that fraud isn't just committed by dishonest customers using fraudulent cards. Fraud can also happen with dishonest employees skimming off credit card data from the mag-stripe as in the case of a teenage McDonald's drive thru employee skimming off $13,000 of customers' credit cards in Olympia, WA. Consider the public relations fall out that your business may have if this happens (i.e. the big Target breach of 2013, where someone used a mag stripe card to load malware INTO Target's system). Is it worth risking to take such a huge PR disaster?
EMV wikipost volunteers: kebosabi
What is EMV?
EMV is a defacto global standard of technology where there is a visible microchip on the front of the card. It looks like this:
Who issues them?
See Google Docs spreadsheet in Post #1
SFOAMS also has created a list of excellent webpage that shows US EMV cards in a more interactive interface
Another site, which lets you narrow the search for an EMV card by various parameters, is http://www.spotterswiki.com/emv/index.php.
Several credit unions issue some form of Chip-and-PIN credit cards or prepaid cards. Prepaid EMV cards however are not recommended due to junk fees. USAA (currently restricted to members of military) used to offer Chip-and-PIN cards, but as late has backtracked to Chip-and-Signature priority.
Hey that's a cool Google Docs list! I know others that aren't on that list. How can I help by adding them to the list?
My bad for not putting this into the wiki sooner. Right now, the Google Docs is locked out of editing and only in "read-only" view because there were instances in the past where people would just delete the rows not thinking that it affects others viewing the list.
If you promise not to delete any rows and input all the pertinent info (annual fee, rewards, FTF, etc.), I can provide you with edit access. Just shoot me a PM to kebosabi with your gmail address and I'll provide you edit access.
Thanks for helping out!
As of October 2014, no USA-based card issuer offers Chip-and-PIN priority cards except for BMO Harris (Diners Club) and UN Federal Credit Union. Other major USA-based banks such as BofA, Chase, Citi, as well as others issue Chip-and-Signature cards which may work at many automated kiosks. However, bear in mind the word may is used above is a context where there is no absolute certainty of success for certain environments such as automated kiosks due to different natures of offline and online transactions. It is highly recommended to read Post #3 which lists real life FTer examples on how Chip-and-Signature worked and did not work at various transaction environments.
Can I upgrade it right now?
If it's listed on that Google Docs spreadsheet or SFOAMS' Silk page, wouldn't hurt to call/twitter them for a free upgrade. If you get the response you don't like, hang up, try again.
What is the difference between Chip-and-Signature and Chip-and-PIN?
You insert the chipped card into the slot. The physical contact terminal will read the EMV chip and the terminal will automatically read the preferred cardholder verification methods (called CVM) for that card.
Chip-and-Signature means that the terminal will printout a receipt for you to sign. This is the most prevalent authentication for most US issued EMV cards. Chip-and-Signature helps in a way that it will get through to face-to-face merchant transactions where you and the merchant do not speak the same language.
Chip-and-PIN means that the terminal will prompt you to input a PIN for authentication. Some credit union issued credit cards will have this CVM as secondary if Chip-and-Signature cannot be done. Chip-and-PIN is the more prevalent method of authentication used outside the US, especially in transaction environments where no human interaction is needed (i.e. automated gas pumps, toll roads, train kiosks, etc.).
The Google Docs spreadsheet will list which CVM are used in the EMV cards listed. Some cards can only do Chip-and-Signature. Other cards can do both Chip-and-Signature and Chip-and-PIN. And others might have a third option called No CVM (no authentication needed) which is reserved for low value transactions.
One chip can hold a lot more data, therefore it is capable of doing multiple verification methods. That's one of the great things about EMV over the mag-stripe which can hold very little data.
I want to know for sure what my EMV chip does. Is there anyway I can test out my own EMV card to see what the CVM list is?
alexmt has written up a nice step-by-step procedure on Post #3615.
If most of the EMV cards in the US is the Chip-and-Signature type, doesn't that mean it's still useless abroad?
Depends if you see it as glass half empty or glass half full. See Post #3 for further details on how Chip-and-Signature has worked both successfully and unsuccessfully depending on the merchant transaction environment and use your best judgment whether which one is right for you.
Are there any places in the US that are accepting transactions via the EMV chip?
tmiw has created a dedicated Google maps webpage to show where EMV has been proven to work here: http://emvacceptedhere.com/ Per his Post #4240, feel free to add any places with active EMV terminals if you come across one.
As of 2014/05, the EMV terminals in most Walmarts and Sam's Clubs are being turned on. Hence, the best place to try them out would be your local Walmart or Sam's Club. For other merchants, it's slowly being phased in.
I hope people will post them in the Post your receipt of your 1st EMV based transaction in the US thread. cvarming has shown us an EMV transaction receipt from Brooklyn, NY in Post #2380. I myself had my first EMV based (Chip-and-Signature) transaction in two stores in the Los Angeles area, as shown in detail in Post #2705 (courtesy of WhatWhatTech for pointing these two stores out)
I don't want a chip in my card. I heard horror stories all over the media saying hackers can steal my credit card info from a mile away.
There are two types of chips. One is contactless and the other is contact. Cards can be either one or the other, or both.
In the Google Docs spreadsheet, the cards that are capable of contactless payments are listed seperately under the "RFID or NFC contactless chip" column. If it says yes, then that means it has the ability to do contactless payments. If it says no, it doesn't have that feature.
The one that the media has overhyped about hackers "stealing your information wirelessly" was the contactless type like this:
You are worried about this happening, right?
You don't have to worry. EMV is a chip standard that can have both contact and contactless interfaces. With the traditional contact interface, this means you actually have to physically insert the chip into a POS terminal for it to be authorized, like this:
With the contact interface, nothing is wireless. No data is sent out in a stand-alone contact type EMV chip. With the EMV contactless interface, data is sent wirelessly.
Furthermore, contactless chip cards are required to show a symbol (looks like Wi-Fi symbol) somewhere on the card that to denote it's capability as a contactless card. For example, here's an example of a Discover Card with contactless capability (in which Discover calls "Discover ZIP") showing the contactless symbol on the back of the card:
Don't believe everything that the media says. Besides, millions of people all over the world from London to Singapore, uses contactless payments daily in extremely crowded subways and mass transit with nary any problems. There are multiple layers of encrypted securities and keys that are needed to break the code.
Frankly, giving your physical card to a waiter/waitress who takes the card out of your view is much more susceptible to fraud than contactless payments.
Why should I care?
If you are an international traveler, you will want this because majority of the world has or in the process of converting to this payment format.
In fact, in 2012, even North Korea moved to the EMV format, leaving the US as one of the countries in the world that hasn't done so.
In addition, VISA, MC, AMEX, and Discover have all agreed to incentivize the USA shifting to EMV payments by 2015 by shifting liability for fraudulent transactions to merchants if they do not have EMV equipment and the cardholder has an EMV card. So if you travel internationally or would like to get one before the others, you might be interested in getting one.
BS! I had no problems using my card in [insert whereever country], [insert whatever point in time]
If you stick to the tourist path where they have lots of visitors from the US, you should have no problems using your mag-stripe only card in hotels and restaurants, at least for now. But as things can change as things go forward.
However, consider that once you start taking the off-beaten path, go to non-touristy places where they are not familiar with mag-stripes, rent a car and use toll roads, fill up gas, or try to buy train tickets you might end up into a trouble of the machine not recognizing your card because it lacks the chip. Furthermore, a lot of toll roads, gas pumps, and automated ticket machines lack any human assistance to help you when you need it the most.
But [insert credit card company] told me all merchants that display their logo must accept them! All I have to do is report them for violating their agreements, right?
There are several factors against this.
1. You can only speak English. The merchant representative, most likely a part-time clerk earning minimum wage, speaks in a different language, let's say French. If you have no French language skills, how are you going to get your point across? Are you going to whip out your cell phone at exorbitant int'l roaming charges and hope the customer service is going to translate it for you on the spot? Or maybe you might actually know French. But how about Swahili, Farsi, Balinese, or the multiple languages in mainland China?
2. Just like US, the rest of the world's businesses uses part-time minimum wage workers as cashiers to cut down on labor costs. Most of their SOP training manuals are written by MBA types to not to do anything they are not familiar with. Do not expect them to understand the intricate details of credit card mumbo jumbo. You don't expect Taco Bell employees to understand the minute details of Discover-JCB-Union Pay agreements, right? Same thing the other way around: be respectful as a guest in their country, prepare in advance in their ways, avoid being an "ugly American" stereotype.
3. You are a guest in their country. You are a minority. If 99.9% of their country's people and other tourists from around the world uses EMV, do you really think they are going to accomodate the 0.1% of American tourists who only have mag-stripes credit cards?
4. Again, you are a guest in their country. How would you, as an American standing in line, react if a Chinese tourist was clogging up the lines at a local Taco Bell because the clerk doesn't understand the Discover-Union Pay agreement and has trouble communicating between Mandarin spoken by the tourist and English spoken by the Taco Bell clerk? Same way the other way around. You do not want to clog up the lines for everyone. The less hassle, the better.
5. VISA and MC make tons of money from merchants in that country. Say SNCF French Rail. It's a billion dollar company in France. Do you think VISA is going to pull the plug of their relationship with SNCF because SNCF refuses to do mag-stripe processing at their unmanned train station kiosk? Of course not. Be realistic.
6. And lastly, if you're up against an unstaffed toll kiosk, gas pump or train ticket machine, are you going to yell curses at the machine?
But I want my credit card to be able to be used in the US too!
No worries. They have not gotten rid of the mag-stripe on the back of the card for backward compatibility reasons, just like we still have embossed numbers on our cards for backwards compatibility to using those old carbon copy imprinters.
[insert own Hyatt card image front and back together with red arrows pointing to all the backward compatibility features]
You use the chip on the front of the card abroad (for now), and the mag-stripe just like any other card for the US. Basically, you're increasing your credit card's acceptance rate by getting a card that both via the chip and the mag-stripe. You're getting a better deal for free.
And when 2015 comes along and US switches to EMV, you'll be way ahead of everyone else too!
So why did the rest of the world and the US moved/moving toward EMV?
Primarily, due to fraud concerns. You see, the mag-stripe has been with us since the 1950s. It may have been the most high tech thing back in the day, but with the technology that is available today, any shmo can pick up a $100 USB magnetic card skimming device off of eBay and get your credit card info.
And unlike skimming off contactless cards which actually need the person to have l33t programming skills, skimming off a magnetic stripe has become so ubiquitous that nary a day goes about skimming fraud going on somewhere in America, from gas pumps, Michael's stores (2011), Target breaches (2013), restaurant waiters/waitresses, to even McDonald's drive thrus.
https://www.google.com/search?q=skimming+fraud
These type of fraud used to be prevalent in Europe. But once they started switching over to EMV starting over 2 decades ago, this type of fraud went elsewhere. It went over to Asia, Canada and Mexico, Latin America, etc. etc. until they too began implementing EMV to combat skimming fraud. The US is practically the only country left that hasn't done so, therefore all the fraud that used to take place elsewhere is now happening here.
But EMV is old and it's not fool proof. Shouldn't we just skip over it and do something new instead?
Yes, EMV is old. It was developed in the 1990s and its smart card payment predecessor was first introduced in France. But as of today, it has become the defacto global standard of payments.
But then, what else is there? There is no other de facto global standard of payments alternative. For example, if we decide to skip over it and do something new, hypothetically like DNA matching technology, it still means US int'l travelers will continue to have problems abroad with useless plastic acceptance because no other country is using this DNA matching technology except the US.
Besides, nothing is fool proof. You can say that the bank vault isn't fool proof because you can crack it open if enough C4 is used. But your average low-life scumbag isn't likely to get military grade C4 easily either. But the bank vault does make it harder to get the bank's money over say a petty cash box. That's the point here. EMV is akin to a security tight bank vault, the old mag-stripe is akin to a petty cash box lying around inside the drawer.
I'm a business owner and I don't think EMV is going to take off. I'm not going to spend extra hundreds of dollars to upgrade my credit card machine. Convince me other wise why I should.
I can understand the added extra cost to your business once this switchover takes place. But before even saying that, look at your existing POS terminal. Does it have a slot somewhere to insert a card?
Most likely, if you had replaced your POS terminal within the past five years, you already have an EMV capable terminal. EMV is basically just not turned on yet from the processor and acquirer side.
If you have an EMV capable terminal, then a best bet would be to contact your acquirer to have the EMV feature turned on. You did your end of the deal already by having an EMV capable terminal, it is now the acquirers' responsibility to turn it on in accordance to the EMV switchover mandate.
And if you don't, you are going to replace your POS terminal anyway from common wear and tear. It isn't a hard switch-over. You can continue to use your POS terminal until it dies out because EMV cardholders will still have the mag-stripe on the back. And by the time your non-EMV capable POS terminal is up for replacement the market will be full with these newer POS terminals that can accept the mag-stripe, EMV, as well as contactless payments.
In addition, you may also want to check with your acquirer or processor about EMV capable terminals. Some of them are willing to replace your terminal for free in preparation for the US EMV switchover. Call and ask for details.
But what's in it for me? I'm the one that has to pay for the upgrade.
All the major card networks have given incentives for merchants for the upcoming EMV switchover.
If 75% or more of your credit card transactions are done on an EMV contact and contactless terminal, they are going to waive your annual PCI-DSS fees, which usually costs you around $5.00-$19.95/month per terminal. The overall long term cost savings of those compliance fees will be larger than the cost of an one time upgrade for the terminal.
The downside is that once EMV switchover happens and if you do not have a POS terminal that is able to accept EMV, the fraud liability shifts over to the merchant.
I own several fast food franchises. If I upgrade my POS terminals at all of my restaurants, it's going to cost me thousands, if not millions. I don't think anyone is going to use a fake credit card to buy $5 burgers. And if they do, wouldn't it be cheaper for me to eat the fraud cost?
Remember also that fraud isn't just committed by dishonest customers using fraudulent cards. Fraud can also happen with dishonest employees skimming off credit card data from the mag-stripe as in the case of a teenage McDonald's drive thru employee skimming off $13,000 of customers' credit cards in Olympia, WA. Consider the public relations fall out that your business may have if this happens (i.e. the big Target breach of 2013, where someone used a mag stripe card to load malware INTO Target's system). Is it worth risking to take such a huge PR disaster?
USA EMV cards: Availability, Q&A (Chip & PIN -or- Chip & Signature) [2012-2015]
Mar 11, 2013, 1:48 pm
#856
Suspended
Join Date: Jan 2013
Location: LAX/SNA
Programs: AA, Hilton Gold
Posts: 3,887
Mar 11, 2013, 1:50 pm
#857
Join Date: Jul 2007
Posts: 1,762
Does anyone know if an EMV credit card is required for Eurostar train tickets to be picked up at a machine at London St Pancras? I want to book some train tickets soon and would prefer to use an AMEX card with no forex fees and it seems that I can use it online. Just wanted to verify it will work to pick up the tickets.
I don't understand why you wouldn't prefer to print the tickets at home! Much simpler.
Mar 11, 2013, 1:54 pm
#858
Moderator
Join Date: Jun 2003
Location: Miami, Mpls & London
Programs: AA & Marriott Perpetual Platinum; DL & HH Gold
Posts: 48,954
Near as I can tell Bank of Hawaii is not owned by Bank of America:
However, in common with many regional and small banks, Bank of Hawaii has contracted with Bank of America's FIA Card Services to administer their card programs. (FIA was originally owned by MNBA which was acquired by Bank of America.)
Bank of Hawaii is the primary subsidiary of Bank of Hawaii Corporation, a regional bank holding company. Bank of Hawaii Corporation through its subsidiaries provide varied financial services to businesses, consumers and governments in Hawaii, American Samoa and the Pacific Islands.
The company is listed on the New York Stock Exchange as “BOH.” In the community, Bank of Hawaii is also affectionately known as “Bankoh.”
The company is listed on the New York Stock Exchange as “BOH.” In the community, Bank of Hawaii is also affectionately known as “Bankoh.”
Mar 11, 2013, 2:08 pm
#859
Join Date: Jul 2010
Location: New York
Programs: Cutting down :-(
Posts: 604
A few pages back there was some discussion on problems with some credit union cards defaulting to chip+sig when chip+pin is possible. So I emailed PenFed and asked if they could configure their cards to default to chip+pin first instead of chip+sig. Their reply is:
"Our Credit Card department has advised that PenFed cannot change the authorization configuration. It is the merchant's discretion as to what the method they choose to attempt first when processing an authorization for a PenFed chip credit card."
Essentially it depends on how each individual machine is configured and used.
"Our Credit Card department has advised that PenFed cannot change the authorization configuration. It is the merchant's discretion as to what the method they choose to attempt first when processing an authorization for a PenFed chip credit card."
Essentially it depends on how each individual machine is configured and used.
- Signature
- Online PIN
- No CVM required
- Signature
- Online PIN
- Offline PIN
- No CVM required
- Online PIN
- Offline PIN
- Signature
- No CVM required
Merchants pick the first applicable method, so a US issued chip-and-pin will result in signature verification for most transactions. If a US card prioritizes PIN methods, then you would have to use the PIN for transactions in the US and no US issuer wants that (no idea why, but I guess PIN is taboo in the US).
Mar 11, 2013, 2:39 pm
#860
Join Date: Jul 2006
Location: LAX
Programs: AA EXP 1.5MM, Asiana Club Silver, KE Morning Calm, Hyatt Platinum, Amtrak Select
Posts: 7,161
Mar 11, 2013, 4:32 pm
#861
Suspended
Join Date: Jan 2013
Location: LAX/SNA
Programs: AA, Hilton Gold
Posts: 3,887
For me, the biggest indicator that they were different banks is when I made the mistake of withdrawing at a BoH ATM using my BofA debit/ATM card back in the mid 1990s when the old BofA logo looked a lot like the BoH logo. It charged me a fee for it and didn't realize that it said Bank of Hawaii instead of America. Learned a lesson that I should pay attention to the logo more closely the next time around.
Mar 11, 2013, 4:50 pm
#862
Moderator: Manufactured Spending
Join Date: Jul 2011
Posts: 6,580
They weren't mistaken, just not clear. BoH credit cards and BoA credit cards are issued by the same company, which is a subsidiary of BoA. It is almost like Chase issuing United-branded cards and Southwest-branded cards. United and Southwest are certainly not the same company, but their cards are issued by the same bank.
I have a feeling that you are correct. PenFed's customer service person was probably just trying to pass the blame along to someone else.
Remember that not every merchant in the US is set up to accept PINs. Sit-down restaurants don't even have PIN keypads facing customers.
I haven't cared enough to actually read the standard, but according to Wikipedia the terminal reads the CVM list (card holder verification method list) from the card and the order of the list gives a priority to the different methods
....
Merchants pick the first applicable method, so a US issued chip-and-pin will result in signature verification for most transactions. If a US card prioritizes PIN methods, then you would have to use the PIN for transactions in the US and no US issuer wants that (no idea why, but I guess PIN is taboo in the US).
....
Merchants pick the first applicable method, so a US issued chip-and-pin will result in signature verification for most transactions. If a US card prioritizes PIN methods, then you would have to use the PIN for transactions in the US and no US issuer wants that (no idea why, but I guess PIN is taboo in the US).
Remember that not every merchant in the US is set up to accept PINs. Sit-down restaurants don't even have PIN keypads facing customers.
Mar 11, 2013, 5:02 pm
#863
FlyerTalk Evangelist
Join Date: Dec 2009
Location: HaMerkaz/Exit 145
Programs: UA, LY, BA, AA
Posts: 13,167
Any experience/luck with the BoA TravelRewards Chip&Sig card at unmanned kiosks, specifically in the UK? Does this card have a PIN that could work for terminals using online PIN?
Mar 11, 2013, 6:03 pm
#864
Suspended
Join Date: Jan 2013
Location: LAX/SNA
Programs: AA, Hilton Gold
Posts: 3,887
They weren't mistaken, just not clear. BoH credit cards and BoA credit cards are issued by the same company, which is a subsidiary of BoA. It is almost like Chase issuing United-branded cards and Southwest-branded cards. United and Southwest are certainly not the same company, but their cards are issued by the same bank.
But yes, I have been corrected, I know they aren't the same now.
Mar 12, 2013, 4:11 pm
#865
Join Date: Mar 2013
Posts: 3
I haven't cared enough to actually read the standard, but according to Wikipedia the terminal reads the CVM list (card holder verification method list) from the card and the order of the list gives a priority to the different methods. I conjecture that US issued chip-and-sig cards have the CVM list:
Merchants pick the first applicable method, so a US issued chip-and-pin will result in signature verification for most transactions. If a US card prioritizes PIN methods, then you would have to use the PIN for transactions in the US and no US issuer wants that (no idea why, but I guess PIN is taboo in the US).
- Signature
- Online PIN
- No CVM required
- Signature
- Online PIN
- Offline PIN
- No CVM required
- Online PIN
- Offline PIN
- Signature
- No CVM required
Merchants pick the first applicable method, so a US issued chip-and-pin will result in signature verification for most transactions. If a US card prioritizes PIN methods, then you would have to use the PIN for transactions in the US and no US issuer wants that (no idea why, but I guess PIN is taboo in the US).
http://www.openscdp.org/scripts/tuto...ification.html
Mar 12, 2013, 4:28 pm
#866
Join Date: Mar 2013
Posts: 3
double post
Last edited by zaben; Mar 14, 2013 at 5:12 pm Reason: double post
Mar 13, 2013, 8:54 am
#867
Join Date: Mar 2013
Posts: 35
I've been reading the EMV conversation with interest.
With a recent app spree, I now carry 8 cards, most of them cash rewards cards with the exception of my Amex Platinum. I have now converted that card, my Penfed Platinum Rewards Visa and my Bank of America Cash Rewards cards to EMV. Of those, the BofA and Amex Plat are definetely chip and signature. The Penfed did allow me to choose a pin when I signed up for it two weeks ago, but I thought it still defaults to signature as first authentication choice if available.
When I traveled to Switzerland last December on business and passed through airports in France and the Netherlands, I had no EMV cards then but still had no problems with swiping my cards at hotels, restaurants and shops. Two of my co-workers did have problems with a kiosk for train tickets in Switzerland which I had thought was an EMV issue but it turns out the machines refused the business American Express cards they tried to use. (Personal Visa cards did work). Strangely, I had no problem using Amex with the train but I did download the iPhone app for the train company and paid with my Amex card that way.
That leaves the following cards in my wallet without EMV:
Amex Green Business (ironically the one card where EMV would be the most useful for me)
Fidelity Amex
US Bank Cash + Visa Sig (US Bank does offer it on their travel card)
Amex BCP
Chase Freedom
Discover IT
With a recent app spree, I now carry 8 cards, most of them cash rewards cards with the exception of my Amex Platinum. I have now converted that card, my Penfed Platinum Rewards Visa and my Bank of America Cash Rewards cards to EMV. Of those, the BofA and Amex Plat are definetely chip and signature. The Penfed did allow me to choose a pin when I signed up for it two weeks ago, but I thought it still defaults to signature as first authentication choice if available.
When I traveled to Switzerland last December on business and passed through airports in France and the Netherlands, I had no EMV cards then but still had no problems with swiping my cards at hotels, restaurants and shops. Two of my co-workers did have problems with a kiosk for train tickets in Switzerland which I had thought was an EMV issue but it turns out the machines refused the business American Express cards they tried to use. (Personal Visa cards did work). Strangely, I had no problem using Amex with the train but I did download the iPhone app for the train company and paid with my Amex card that way.
That leaves the following cards in my wallet without EMV:
Amex Green Business (ironically the one card where EMV would be the most useful for me)
Fidelity Amex
US Bank Cash + Visa Sig (US Bank does offer it on their travel card)
Amex BCP
Chase Freedom
Discover IT
Mar 13, 2013, 9:00 am
#868
Join Date: Mar 2013
Posts: 35
One other thing that doesn't be in the conversation about EMV chip adoption in the United States is the cost factor. I read somewhere last year that a new swipe card issued by a credit card company costs less than 20 cents to make. An EMV version of the same card cost $1. Even is EMV is cheaper now, I'm not surprised that the trend in the US has been toward adoption by travel cards or annual fee cards first, for the most part.
The sheer ease of fraud of the magnetic swipe system naturally drives adoption and that fraud has a yearly price tag. But I'm sure that replacing millions of cards in the system with EMV ain't cheap either.
The sheer ease of fraud of the magnetic swipe system naturally drives adoption and that fraud has a yearly price tag. But I'm sure that replacing millions of cards in the system with EMV ain't cheap either.
Mar 13, 2013, 11:37 am
#869
Join Date: Jul 2006
Location: LAX
Programs: AA EXP 1.5MM, Asiana Club Silver, KE Morning Calm, Hyatt Platinum, Amtrak Select
Posts: 7,161
One other thing that doesn't be in the conversation about EMV chip adoption in the United States is the cost factor. I read somewhere last year that a new swipe card issued by a credit card company costs less than 20 cents to make. An EMV version of the same card cost $1. Even is EMV is cheaper now, I'm not surprised that the trend in the US has been toward adoption by travel cards or annual fee cards first, for the most part.
The sheer ease of fraud of the magnetic swipe system naturally drives adoption and that fraud has a yearly price tag. But I'm sure that replacing millions of cards in the system with EMV ain't cheap either.
The sheer ease of fraud of the magnetic swipe system naturally drives adoption and that fraud has a yearly price tag. But I'm sure that replacing millions of cards in the system with EMV ain't cheap either.
Actually the cost issue has been discussed on and off again from both the card issuer and the merchant (who need to upgrade their terminals) perspective.
The issuers' perspective is that by now all four majors VISA, MC, Discover, and AMEX have mandated that the US has to move to EMV so they have no other choice but to do so.
That in addition, fraud cost has been increasing to the US to the point that not a day goes by where there's news about skimming fraud ranging from waiters using skimmers in restaurants in NYC to criminals setting up skimming devices in gas pumps in rural Georgia to even criminals paying McDonald's employees to do their dirty jobs for them.
So from the issuers' perspective, it's choosing whether to pay for the one-time cost of more secure EMV cards which would help cut down fraud (it won't get rid of it 100%, nothing is foolproof) or continue the reliance on ancient technology where every criminal now sees the US as suckers for using the magnetic stripe which by today's standards is easy as stealing candy from a baby (unless you're Mr. Burns
) for years to come. Spend the $190 million now to issue new cards (the US has about 190 million credit card holders) which cost $1 per card, or continue to be reliable for $190 BILLION (and increasing) PER YEAR in credit card fraud. It's not hard to do the math; one time cost of $190 million versus annual reliability of sucking up $190 BILLION (and likely to increase if we continue to stick with the mag-stripe).
And it's also not really good news to hear that the US ranks the highest in number of credit card fraud either. Fraud used to be a non-issue. Now it's come to a point where it's a severe strain on our economy.
The merchant's perspective is a bit more mixed.
There are big name retailers like Walmart, Target, Home Depot and BestBuy that have been historically vocal in support of moving towards EMV. Scammers use stolen credit cards at these stores to buy expensive items and they end up eating the short end of the stick.
These places have high number of customers so they usually don't let their minimum wage cashiers do the "check signature on back" or "check ID" routine. Their roles are strictly, get through as many customers as quickly as possible.
They have insurance of course to recover their losses, but that doesn't leave them out of filling out massive paperwork, protecting themselves from lawsuits, complying with police investigation, etc. etc. which just adds up to more cost.
They also have to pay VISA and MC annual PCI-DSS fees per terminal (think "security fees") which they don't see a point to when they offer no security at all. From the big retailers' perspective, they're saying "why the heck do we have to pay security fees and a % of our revenues to VISA and MC when they're doing nothing about offering more secure credit cards?"
Hence if you go to big name retailers, you can see many have already started preparing from the April switch-on of EMV. Even my local CVS Pharmacy have upgraded their terminals.
OTOH, mom-and-pop stores might be reluctant to make the change. They have to pay extra to buy a new terminal. Walmart can afford it no problem. Jake's Bicycle Store which has to compete with Walmart cannot afford to spend another $1,000 to buy a new terminal. Mom-and-pop stores are unlikely to afford better insurance or lawyers like Walmart can either. Most mom-and-pop stores have few customers so they're more likely to take the time actually check the back of the card to see if they match the signature on the back of the card or may ask to see ID as well.
They may just play a wait-and-see game until their terminals breaks down and change it over when it's time to replace their existing terminals instead.
Last edited by kebosabi; Mar 13, 2013 at 12:16 pm
Mar 13, 2013, 1:18 pm
#870
Join Date: Mar 2013
Posts: 35
First of all, I agree on your points, but let's not get ahead of ourselves. DOJ stats put credit card fraud at $5.55 billion for the entire world according to the most recent data. So the US total should be a good chunk of, but less than that total.
Also, the cost of implementing EMV isn't just mailing out a bunch of new cards. There's a large infrastructure that has to be updated along with it. First, you have to invest in the supply chain and manufacturing of said cards. All the cards have to be mailed along with literature explaining what the new EMV chip is, how it's used, and why it matters. There may be larger expensive advertising campaigns by the major card networks to inform the public.
As we've already discussed, point of sale machines everywhere have to be updated but this may not be as horrible in some cases. Most POS machines are Windows PCs mated to cash drawers and use external customer facing swipe machines. The swipe machines can be upgraded and software upgraded on the POS device without tossing the entire device away. But then that's just the beginning. Vending machines, kiosks, ATM machine, personal swipe deviced (like Square).... And let's not forget the IT infrastructure upgrades that have to happen in data centers around the world. In the end, it costs the system billions.
But it's billions that must be spent if the industry wants to get any kind of handle on the exploding situation.
Also, the cost of implementing EMV isn't just mailing out a bunch of new cards. There's a large infrastructure that has to be updated along with it. First, you have to invest in the supply chain and manufacturing of said cards. All the cards have to be mailed along with literature explaining what the new EMV chip is, how it's used, and why it matters. There may be larger expensive advertising campaigns by the major card networks to inform the public.
As we've already discussed, point of sale machines everywhere have to be updated but this may not be as horrible in some cases. Most POS machines are Windows PCs mated to cash drawers and use external customer facing swipe machines. The swipe machines can be upgraded and software upgraded on the POS device without tossing the entire device away. But then that's just the beginning. Vending machines, kiosks, ATM machine, personal swipe deviced (like Square).... And let's not forget the IT infrastructure upgrades that have to happen in data centers around the world. In the end, it costs the system billions.
But it's billions that must be spent if the industry wants to get any kind of handle on the exploding situation.