Sep 20, 2013, 11:40 am
Last edit by: philemer
Posts from 1/1/16 onward can be found here: http://www.flyertalk.com/forum/credit-card-programs/1739359-2016-onward-usa-emv-cards-availability-q-chip-pin-signature.html
EMV wikipost volunteers: kebosabi
What is EMV?
EMV is a defacto global standard of technology where there is a visible microchip on the front of the card. It looks like this:
Who issues them?
See Google Docs spreadsheet in Post #1
SFOAMS also has created a list of excellent webpage that shows US EMV cards in a more interactive interface
Another site, which lets you narrow the search for an EMV card by various parameters, is http://www.spotterswiki.com/emv/index.php.
Several credit unions issue some form of Chip-and-PIN credit cards or prepaid cards. Prepaid EMV cards however are not recommended due to junk fees. USAA (currently restricted to members of military) used to offer Chip-and-PIN cards, but as late has backtracked to Chip-and-Signature priority.
Hey that's a cool Google Docs list! I know others that aren't on that list. How can I help by adding them to the list?
My bad for not putting this into the wiki sooner. Right now, the Google Docs is locked out of editing and only in "read-only" view because there were instances in the past where people would just delete the rows not thinking that it affects others viewing the list.
If you promise not to delete any rows and input all the pertinent info (annual fee, rewards, FTF, etc.), I can provide you with edit access. Just shoot me a PM to kebosabi with your gmail address and I'll provide you edit access.
Thanks for helping out!
As of October 2014, no USA-based card issuer offers Chip-and-PIN priority cards except for BMO Harris (Diners Club) and UN Federal Credit Union. Other major USA-based banks such as BofA, Chase, Citi, as well as others issue Chip-and-Signature cards which may work at many automated kiosks. However, bear in mind the word may is used above is a context where there is no absolute certainty of success for certain environments such as automated kiosks due to different natures of offline and online transactions. It is highly recommended to read Post #3 which lists real life FTer examples on how Chip-and-Signature worked and did not work at various transaction environments.
Can I upgrade it right now?
If it's listed on that Google Docs spreadsheet or SFOAMS' Silk page, wouldn't hurt to call/twitter them for a free upgrade. If you get the response you don't like, hang up, try again.
What is the difference between Chip-and-Signature and Chip-and-PIN?
You insert the chipped card into the slot. The physical contact terminal will read the EMV chip and the terminal will automatically read the preferred cardholder verification methods (called CVM) for that card.
Chip-and-Signature means that the terminal will printout a receipt for you to sign. This is the most prevalent authentication for most US issued EMV cards. Chip-and-Signature helps in a way that it will get through to face-to-face merchant transactions where you and the merchant do not speak the same language.
Chip-and-PIN means that the terminal will prompt you to input a PIN for authentication. Some credit union issued credit cards will have this CVM as secondary if Chip-and-Signature cannot be done. Chip-and-PIN is the more prevalent method of authentication used outside the US, especially in transaction environments where no human interaction is needed (i.e. automated gas pumps, toll roads, train kiosks, etc.).
The Google Docs spreadsheet will list which CVM are used in the EMV cards listed. Some cards can only do Chip-and-Signature. Other cards can do both Chip-and-Signature and Chip-and-PIN. And others might have a third option called No CVM (no authentication needed) which is reserved for low value transactions.
One chip can hold a lot more data, therefore it is capable of doing multiple verification methods. That's one of the great things about EMV over the mag-stripe which can hold very little data.
I want to know for sure what my EMV chip does. Is there anyway I can test out my own EMV card to see what the CVM list is?
alexmt has written up a nice step-by-step procedure on Post #3615.
If most of the EMV cards in the US is the Chip-and-Signature type, doesn't that mean it's still useless abroad?
Depends if you see it as glass half empty or glass half full. See Post #3 for further details on how Chip-and-Signature has worked both successfully and unsuccessfully depending on the merchant transaction environment and use your best judgment whether which one is right for you.
Are there any places in the US that are accepting transactions via the EMV chip?
tmiw has created a dedicated Google maps webpage to show where EMV has been proven to work here: http://emvacceptedhere.com/ Per his Post #4240, feel free to add any places with active EMV terminals if you come across one.
As of 2014/05, the EMV terminals in most Walmarts and Sam's Clubs are being turned on. Hence, the best place to try them out would be your local Walmart or Sam's Club. For other merchants, it's slowly being phased in.
I hope people will post them in the Post your receipt of your 1st EMV based transaction in the US thread. cvarming has shown us an EMV transaction receipt from Brooklyn, NY in Post #2380. I myself had my first EMV based (Chip-and-Signature) transaction in two stores in the Los Angeles area, as shown in detail in Post #2705 (courtesy of WhatWhatTech for pointing these two stores out)
I don't want a chip in my card. I heard horror stories all over the media saying hackers can steal my credit card info from a mile away.
There are two types of chips. One is contactless and the other is contact. Cards can be either one or the other, or both.
In the Google Docs spreadsheet, the cards that are capable of contactless payments are listed seperately under the "RFID or NFC contactless chip" column. If it says yes, then that means it has the ability to do contactless payments. If it says no, it doesn't have that feature.
The one that the media has overhyped about hackers "stealing your information wirelessly" was the contactless type like this:
You are worried about this happening, right?
You don't have to worry. EMV is a chip standard that can have both contact and contactless interfaces. With the traditional contact interface, this means you actually have to physically insert the chip into a POS terminal for it to be authorized, like this:
With the contact interface, nothing is wireless. No data is sent out in a stand-alone contact type EMV chip. With the EMV contactless interface, data is sent wirelessly.
Furthermore, contactless chip cards are required to show a symbol (looks like Wi-Fi symbol) somewhere on the card that to denote it's capability as a contactless card. For example, here's an example of a Discover Card with contactless capability (in which Discover calls "Discover ZIP") showing the contactless symbol on the back of the card:
Don't believe everything that the media says. Besides, millions of people all over the world from London to Singapore, uses contactless payments daily in extremely crowded subways and mass transit with nary any problems. There are multiple layers of encrypted securities and keys that are needed to break the code.
Frankly, giving your physical card to a waiter/waitress who takes the card out of your view is much more susceptible to fraud than contactless payments.
Why should I care?
If you are an international traveler, you will want this because majority of the world has or in the process of converting to this payment format.
In fact, in 2012, even North Korea moved to the EMV format, leaving the US as one of the countries in the world that hasn't done so.
In addition, VISA, MC, AMEX, and Discover have all agreed to incentivize the USA shifting to EMV payments by 2015 by shifting liability for fraudulent transactions to merchants if they do not have EMV equipment and the cardholder has an EMV card. So if you travel internationally or would like to get one before the others, you might be interested in getting one.
BS! I had no problems using my card in [insert whereever country], [insert whatever point in time]
If you stick to the tourist path where they have lots of visitors from the US, you should have no problems using your mag-stripe only card in hotels and restaurants, at least for now. But as things can change as things go forward.
However, consider that once you start taking the off-beaten path, go to non-touristy places where they are not familiar with mag-stripes, rent a car and use toll roads, fill up gas, or try to buy train tickets you might end up into a trouble of the machine not recognizing your card because it lacks the chip. Furthermore, a lot of toll roads, gas pumps, and automated ticket machines lack any human assistance to help you when you need it the most.
But [insert credit card company] told me all merchants that display their logo must accept them! All I have to do is report them for violating their agreements, right?
There are several factors against this.
1. You can only speak English. The merchant representative, most likely a part-time clerk earning minimum wage, speaks in a different language, let's say French. If you have no French language skills, how are you going to get your point across? Are you going to whip out your cell phone at exorbitant int'l roaming charges and hope the customer service is going to translate it for you on the spot? Or maybe you might actually know French. But how about Swahili, Farsi, Balinese, or the multiple languages in mainland China?
2. Just like US, the rest of the world's businesses uses part-time minimum wage workers as cashiers to cut down on labor costs. Most of their SOP training manuals are written by MBA types to not to do anything they are not familiar with. Do not expect them to understand the intricate details of credit card mumbo jumbo. You don't expect Taco Bell employees to understand the minute details of Discover-JCB-Union Pay agreements, right? Same thing the other way around: be respectful as a guest in their country, prepare in advance in their ways, avoid being an "ugly American" stereotype.
3. You are a guest in their country. You are a minority. If 99.9% of their country's people and other tourists from around the world uses EMV, do you really think they are going to accomodate the 0.1% of American tourists who only have mag-stripes credit cards?
4. Again, you are a guest in their country. How would you, as an American standing in line, react if a Chinese tourist was clogging up the lines at a local Taco Bell because the clerk doesn't understand the Discover-Union Pay agreement and has trouble communicating between Mandarin spoken by the tourist and English spoken by the Taco Bell clerk? Same way the other way around. You do not want to clog up the lines for everyone. The less hassle, the better.
5. VISA and MC make tons of money from merchants in that country. Say SNCF French Rail. It's a billion dollar company in France. Do you think VISA is going to pull the plug of their relationship with SNCF because SNCF refuses to do mag-stripe processing at their unmanned train station kiosk? Of course not. Be realistic.
6. And lastly, if you're up against an unstaffed toll kiosk, gas pump or train ticket machine, are you going to yell curses at the machine?
But I want my credit card to be able to be used in the US too!
No worries. They have not gotten rid of the mag-stripe on the back of the card for backward compatibility reasons, just like we still have embossed numbers on our cards for backwards compatibility to using those old carbon copy imprinters.
[insert own Hyatt card image front and back together with red arrows pointing to all the backward compatibility features]
You use the chip on the front of the card abroad (for now), and the mag-stripe just like any other card for the US. Basically, you're increasing your credit card's acceptance rate by getting a card that both via the chip and the mag-stripe. You're getting a better deal for free.
And when 2015 comes along and US switches to EMV, you'll be way ahead of everyone else too!
So why did the rest of the world and the US moved/moving toward EMV?
Primarily, due to fraud concerns. You see, the mag-stripe has been with us since the 1950s. It may have been the most high tech thing back in the day, but with the technology that is available today, any shmo can pick up a $100 USB magnetic card skimming device off of eBay and get your credit card info.
And unlike skimming off contactless cards which actually need the person to have l33t programming skills, skimming off a magnetic stripe has become so ubiquitous that nary a day goes about skimming fraud going on somewhere in America, from gas pumps, Michael's stores (2011), Target breaches (2013), restaurant waiters/waitresses, to even McDonald's drive thrus.
https://www.google.com/search?q=skimming+fraud
These type of fraud used to be prevalent in Europe. But once they started switching over to EMV starting over 2 decades ago, this type of fraud went elsewhere. It went over to Asia, Canada and Mexico, Latin America, etc. etc. until they too began implementing EMV to combat skimming fraud. The US is practically the only country left that hasn't done so, therefore all the fraud that used to take place elsewhere is now happening here.
But EMV is old and it's not fool proof. Shouldn't we just skip over it and do something new instead?
Yes, EMV is old. It was developed in the 1990s and its smart card payment predecessor was first introduced in France. But as of today, it has become the defacto global standard of payments.
But then, what else is there? There is no other de facto global standard of payments alternative. For example, if we decide to skip over it and do something new, hypothetically like DNA matching technology, it still means US int'l travelers will continue to have problems abroad with useless plastic acceptance because no other country is using this DNA matching technology except the US.
Besides, nothing is fool proof. You can say that the bank vault isn't fool proof because you can crack it open if enough C4 is used. But your average low-life scumbag isn't likely to get military grade C4 easily either. But the bank vault does make it harder to get the bank's money over say a petty cash box. That's the point here. EMV is akin to a security tight bank vault, the old mag-stripe is akin to a petty cash box lying around inside the drawer.
I'm a business owner and I don't think EMV is going to take off. I'm not going to spend extra hundreds of dollars to upgrade my credit card machine. Convince me other wise why I should.
I can understand the added extra cost to your business once this switchover takes place. But before even saying that, look at your existing POS terminal. Does it have a slot somewhere to insert a card?
Most likely, if you had replaced your POS terminal within the past five years, you already have an EMV capable terminal. EMV is basically just not turned on yet from the processor and acquirer side.
If you have an EMV capable terminal, then a best bet would be to contact your acquirer to have the EMV feature turned on. You did your end of the deal already by having an EMV capable terminal, it is now the acquirers' responsibility to turn it on in accordance to the EMV switchover mandate.
And if you don't, you are going to replace your POS terminal anyway from common wear and tear. It isn't a hard switch-over. You can continue to use your POS terminal until it dies out because EMV cardholders will still have the mag-stripe on the back. And by the time your non-EMV capable POS terminal is up for replacement the market will be full with these newer POS terminals that can accept the mag-stripe, EMV, as well as contactless payments.
In addition, you may also want to check with your acquirer or processor about EMV capable terminals. Some of them are willing to replace your terminal for free in preparation for the US EMV switchover. Call and ask for details.
But what's in it for me? I'm the one that has to pay for the upgrade.
All the major card networks have given incentives for merchants for the upcoming EMV switchover.
If 75% or more of your credit card transactions are done on an EMV contact and contactless terminal, they are going to waive your annual PCI-DSS fees, which usually costs you around $5.00-$19.95/month per terminal. The overall long term cost savings of those compliance fees will be larger than the cost of an one time upgrade for the terminal.
The downside is that once EMV switchover happens and if you do not have a POS terminal that is able to accept EMV, the fraud liability shifts over to the merchant.
I own several fast food franchises. If I upgrade my POS terminals at all of my restaurants, it's going to cost me thousands, if not millions. I don't think anyone is going to use a fake credit card to buy $5 burgers. And if they do, wouldn't it be cheaper for me to eat the fraud cost?
Remember also that fraud isn't just committed by dishonest customers using fraudulent cards. Fraud can also happen with dishonest employees skimming off credit card data from the mag-stripe as in the case of a teenage McDonald's drive thru employee skimming off $13,000 of customers' credit cards in Olympia, WA. Consider the public relations fall out that your business may have if this happens (i.e. the big Target breach of 2013, where someone used a mag stripe card to load malware INTO Target's system). Is it worth risking to take such a huge PR disaster?
EMV wikipost volunteers: kebosabi
What is EMV?
EMV is a defacto global standard of technology where there is a visible microchip on the front of the card. It looks like this:
Who issues them?
See Google Docs spreadsheet in Post #1
SFOAMS also has created a list of excellent webpage that shows US EMV cards in a more interactive interface
Another site, which lets you narrow the search for an EMV card by various parameters, is http://www.spotterswiki.com/emv/index.php.
Several credit unions issue some form of Chip-and-PIN credit cards or prepaid cards. Prepaid EMV cards however are not recommended due to junk fees. USAA (currently restricted to members of military) used to offer Chip-and-PIN cards, but as late has backtracked to Chip-and-Signature priority.
Hey that's a cool Google Docs list! I know others that aren't on that list. How can I help by adding them to the list?
My bad for not putting this into the wiki sooner. Right now, the Google Docs is locked out of editing and only in "read-only" view because there were instances in the past where people would just delete the rows not thinking that it affects others viewing the list.
If you promise not to delete any rows and input all the pertinent info (annual fee, rewards, FTF, etc.), I can provide you with edit access. Just shoot me a PM to kebosabi with your gmail address and I'll provide you edit access.
Thanks for helping out!
As of October 2014, no USA-based card issuer offers Chip-and-PIN priority cards except for BMO Harris (Diners Club) and UN Federal Credit Union. Other major USA-based banks such as BofA, Chase, Citi, as well as others issue Chip-and-Signature cards which may work at many automated kiosks. However, bear in mind the word may is used above is a context where there is no absolute certainty of success for certain environments such as automated kiosks due to different natures of offline and online transactions. It is highly recommended to read Post #3 which lists real life FTer examples on how Chip-and-Signature worked and did not work at various transaction environments.
Can I upgrade it right now?
If it's listed on that Google Docs spreadsheet or SFOAMS' Silk page, wouldn't hurt to call/twitter them for a free upgrade. If you get the response you don't like, hang up, try again.
What is the difference between Chip-and-Signature and Chip-and-PIN?
You insert the chipped card into the slot. The physical contact terminal will read the EMV chip and the terminal will automatically read the preferred cardholder verification methods (called CVM) for that card.
Chip-and-Signature means that the terminal will printout a receipt for you to sign. This is the most prevalent authentication for most US issued EMV cards. Chip-and-Signature helps in a way that it will get through to face-to-face merchant transactions where you and the merchant do not speak the same language.
Chip-and-PIN means that the terminal will prompt you to input a PIN for authentication. Some credit union issued credit cards will have this CVM as secondary if Chip-and-Signature cannot be done. Chip-and-PIN is the more prevalent method of authentication used outside the US, especially in transaction environments where no human interaction is needed (i.e. automated gas pumps, toll roads, train kiosks, etc.).
The Google Docs spreadsheet will list which CVM are used in the EMV cards listed. Some cards can only do Chip-and-Signature. Other cards can do both Chip-and-Signature and Chip-and-PIN. And others might have a third option called No CVM (no authentication needed) which is reserved for low value transactions.
One chip can hold a lot more data, therefore it is capable of doing multiple verification methods. That's one of the great things about EMV over the mag-stripe which can hold very little data.
I want to know for sure what my EMV chip does. Is there anyway I can test out my own EMV card to see what the CVM list is?
alexmt has written up a nice step-by-step procedure on Post #3615.
If most of the EMV cards in the US is the Chip-and-Signature type, doesn't that mean it's still useless abroad?
Depends if you see it as glass half empty or glass half full. See Post #3 for further details on how Chip-and-Signature has worked both successfully and unsuccessfully depending on the merchant transaction environment and use your best judgment whether which one is right for you.
Are there any places in the US that are accepting transactions via the EMV chip?
tmiw has created a dedicated Google maps webpage to show where EMV has been proven to work here: http://emvacceptedhere.com/ Per his Post #4240, feel free to add any places with active EMV terminals if you come across one.
As of 2014/05, the EMV terminals in most Walmarts and Sam's Clubs are being turned on. Hence, the best place to try them out would be your local Walmart or Sam's Club. For other merchants, it's slowly being phased in.
I hope people will post them in the Post your receipt of your 1st EMV based transaction in the US thread. cvarming has shown us an EMV transaction receipt from Brooklyn, NY in Post #2380. I myself had my first EMV based (Chip-and-Signature) transaction in two stores in the Los Angeles area, as shown in detail in Post #2705 (courtesy of WhatWhatTech for pointing these two stores out)
I don't want a chip in my card. I heard horror stories all over the media saying hackers can steal my credit card info from a mile away.
There are two types of chips. One is contactless and the other is contact. Cards can be either one or the other, or both.
In the Google Docs spreadsheet, the cards that are capable of contactless payments are listed seperately under the "RFID or NFC contactless chip" column. If it says yes, then that means it has the ability to do contactless payments. If it says no, it doesn't have that feature.
The one that the media has overhyped about hackers "stealing your information wirelessly" was the contactless type like this:
You are worried about this happening, right?
You don't have to worry. EMV is a chip standard that can have both contact and contactless interfaces. With the traditional contact interface, this means you actually have to physically insert the chip into a POS terminal for it to be authorized, like this:
With the contact interface, nothing is wireless. No data is sent out in a stand-alone contact type EMV chip. With the EMV contactless interface, data is sent wirelessly.
Furthermore, contactless chip cards are required to show a symbol (looks like Wi-Fi symbol) somewhere on the card that to denote it's capability as a contactless card. For example, here's an example of a Discover Card with contactless capability (in which Discover calls "Discover ZIP") showing the contactless symbol on the back of the card:
Don't believe everything that the media says. Besides, millions of people all over the world from London to Singapore, uses contactless payments daily in extremely crowded subways and mass transit with nary any problems. There are multiple layers of encrypted securities and keys that are needed to break the code.
Frankly, giving your physical card to a waiter/waitress who takes the card out of your view is much more susceptible to fraud than contactless payments.
Why should I care?
If you are an international traveler, you will want this because majority of the world has or in the process of converting to this payment format.
In fact, in 2012, even North Korea moved to the EMV format, leaving the US as one of the countries in the world that hasn't done so.
In addition, VISA, MC, AMEX, and Discover have all agreed to incentivize the USA shifting to EMV payments by 2015 by shifting liability for fraudulent transactions to merchants if they do not have EMV equipment and the cardholder has an EMV card. So if you travel internationally or would like to get one before the others, you might be interested in getting one.
BS! I had no problems using my card in [insert whereever country], [insert whatever point in time]
If you stick to the tourist path where they have lots of visitors from the US, you should have no problems using your mag-stripe only card in hotels and restaurants, at least for now. But as things can change as things go forward.
However, consider that once you start taking the off-beaten path, go to non-touristy places where they are not familiar with mag-stripes, rent a car and use toll roads, fill up gas, or try to buy train tickets you might end up into a trouble of the machine not recognizing your card because it lacks the chip. Furthermore, a lot of toll roads, gas pumps, and automated ticket machines lack any human assistance to help you when you need it the most.
But [insert credit card company] told me all merchants that display their logo must accept them! All I have to do is report them for violating their agreements, right?
There are several factors against this.
1. You can only speak English. The merchant representative, most likely a part-time clerk earning minimum wage, speaks in a different language, let's say French. If you have no French language skills, how are you going to get your point across? Are you going to whip out your cell phone at exorbitant int'l roaming charges and hope the customer service is going to translate it for you on the spot? Or maybe you might actually know French. But how about Swahili, Farsi, Balinese, or the multiple languages in mainland China?
2. Just like US, the rest of the world's businesses uses part-time minimum wage workers as cashiers to cut down on labor costs. Most of their SOP training manuals are written by MBA types to not to do anything they are not familiar with. Do not expect them to understand the intricate details of credit card mumbo jumbo. You don't expect Taco Bell employees to understand the minute details of Discover-JCB-Union Pay agreements, right? Same thing the other way around: be respectful as a guest in their country, prepare in advance in their ways, avoid being an "ugly American" stereotype.
3. You are a guest in their country. You are a minority. If 99.9% of their country's people and other tourists from around the world uses EMV, do you really think they are going to accomodate the 0.1% of American tourists who only have mag-stripes credit cards?
4. Again, you are a guest in their country. How would you, as an American standing in line, react if a Chinese tourist was clogging up the lines at a local Taco Bell because the clerk doesn't understand the Discover-Union Pay agreement and has trouble communicating between Mandarin spoken by the tourist and English spoken by the Taco Bell clerk? Same way the other way around. You do not want to clog up the lines for everyone. The less hassle, the better.
5. VISA and MC make tons of money from merchants in that country. Say SNCF French Rail. It's a billion dollar company in France. Do you think VISA is going to pull the plug of their relationship with SNCF because SNCF refuses to do mag-stripe processing at their unmanned train station kiosk? Of course not. Be realistic.
6. And lastly, if you're up against an unstaffed toll kiosk, gas pump or train ticket machine, are you going to yell curses at the machine?
But I want my credit card to be able to be used in the US too!
No worries. They have not gotten rid of the mag-stripe on the back of the card for backward compatibility reasons, just like we still have embossed numbers on our cards for backwards compatibility to using those old carbon copy imprinters.
[insert own Hyatt card image front and back together with red arrows pointing to all the backward compatibility features]
You use the chip on the front of the card abroad (for now), and the mag-stripe just like any other card for the US. Basically, you're increasing your credit card's acceptance rate by getting a card that both via the chip and the mag-stripe. You're getting a better deal for free.
And when 2015 comes along and US switches to EMV, you'll be way ahead of everyone else too!
So why did the rest of the world and the US moved/moving toward EMV?
Primarily, due to fraud concerns. You see, the mag-stripe has been with us since the 1950s. It may have been the most high tech thing back in the day, but with the technology that is available today, any shmo can pick up a $100 USB magnetic card skimming device off of eBay and get your credit card info.
And unlike skimming off contactless cards which actually need the person to have l33t programming skills, skimming off a magnetic stripe has become so ubiquitous that nary a day goes about skimming fraud going on somewhere in America, from gas pumps, Michael's stores (2011), Target breaches (2013), restaurant waiters/waitresses, to even McDonald's drive thrus.
https://www.google.com/search?q=skimming+fraud
These type of fraud used to be prevalent in Europe. But once they started switching over to EMV starting over 2 decades ago, this type of fraud went elsewhere. It went over to Asia, Canada and Mexico, Latin America, etc. etc. until they too began implementing EMV to combat skimming fraud. The US is practically the only country left that hasn't done so, therefore all the fraud that used to take place elsewhere is now happening here.
But EMV is old and it's not fool proof. Shouldn't we just skip over it and do something new instead?
Yes, EMV is old. It was developed in the 1990s and its smart card payment predecessor was first introduced in France. But as of today, it has become the defacto global standard of payments.
But then, what else is there? There is no other de facto global standard of payments alternative. For example, if we decide to skip over it and do something new, hypothetically like DNA matching technology, it still means US int'l travelers will continue to have problems abroad with useless plastic acceptance because no other country is using this DNA matching technology except the US.
Besides, nothing is fool proof. You can say that the bank vault isn't fool proof because you can crack it open if enough C4 is used. But your average low-life scumbag isn't likely to get military grade C4 easily either. But the bank vault does make it harder to get the bank's money over say a petty cash box. That's the point here. EMV is akin to a security tight bank vault, the old mag-stripe is akin to a petty cash box lying around inside the drawer.
I'm a business owner and I don't think EMV is going to take off. I'm not going to spend extra hundreds of dollars to upgrade my credit card machine. Convince me other wise why I should.
I can understand the added extra cost to your business once this switchover takes place. But before even saying that, look at your existing POS terminal. Does it have a slot somewhere to insert a card?
Most likely, if you had replaced your POS terminal within the past five years, you already have an EMV capable terminal. EMV is basically just not turned on yet from the processor and acquirer side.
If you have an EMV capable terminal, then a best bet would be to contact your acquirer to have the EMV feature turned on. You did your end of the deal already by having an EMV capable terminal, it is now the acquirers' responsibility to turn it on in accordance to the EMV switchover mandate.
And if you don't, you are going to replace your POS terminal anyway from common wear and tear. It isn't a hard switch-over. You can continue to use your POS terminal until it dies out because EMV cardholders will still have the mag-stripe on the back. And by the time your non-EMV capable POS terminal is up for replacement the market will be full with these newer POS terminals that can accept the mag-stripe, EMV, as well as contactless payments.
In addition, you may also want to check with your acquirer or processor about EMV capable terminals. Some of them are willing to replace your terminal for free in preparation for the US EMV switchover. Call and ask for details.
But what's in it for me? I'm the one that has to pay for the upgrade.
All the major card networks have given incentives for merchants for the upcoming EMV switchover.
If 75% or more of your credit card transactions are done on an EMV contact and contactless terminal, they are going to waive your annual PCI-DSS fees, which usually costs you around $5.00-$19.95/month per terminal. The overall long term cost savings of those compliance fees will be larger than the cost of an one time upgrade for the terminal.
The downside is that once EMV switchover happens and if you do not have a POS terminal that is able to accept EMV, the fraud liability shifts over to the merchant.
I own several fast food franchises. If I upgrade my POS terminals at all of my restaurants, it's going to cost me thousands, if not millions. I don't think anyone is going to use a fake credit card to buy $5 burgers. And if they do, wouldn't it be cheaper for me to eat the fraud cost?
Remember also that fraud isn't just committed by dishonest customers using fraudulent cards. Fraud can also happen with dishonest employees skimming off credit card data from the mag-stripe as in the case of a teenage McDonald's drive thru employee skimming off $13,000 of customers' credit cards in Olympia, WA. Consider the public relations fall out that your business may have if this happens (i.e. the big Target breach of 2013, where someone used a mag stripe card to load malware INTO Target's system). Is it worth risking to take such a huge PR disaster?
USA EMV cards: Availability, Q&A (Chip & PIN -or- Chip & Signature) [2012-2015]
Sep 26, 2015, 9:18 am
Join Date: Oct 2014
Programs: Skymiles
Posts: 3,251
Many store giftcards are already non-swipe. Target, for example.
Also most stores still have cashier-side swipe equipment. They could just have the cashier swipe gift cards (and also have the cashier handle any swipe credit cards...). I could see swipe ability being disabled on the customer-facing equipment for sure.
Also most stores still have cashier-side swipe equipment. They could just have the cashier swipe gift cards (and also have the cashier handle any swipe credit cards...). I could see swipe ability being disabled on the customer-facing equipment for sure.
Sep 26, 2015, 9:51 am
Join Date: Dec 2012
Posts: 814
I think we have to agree to disagree agreeably. These are my reasons for disagreeing with these statements
"fellows, we all agree there will be some situations where a card lacking a pin may not work but those places are, at least it seems, not all that many. Yes I know if it happens on the day you need gas desperately it's not good."
Not good? It's inconvenient at best, and bad if you are that mom or dad with kids stuck at night trying to buy gasoline or a ticket to get back to your hotel room.
" I get it but then again all cards fail every so often for communications reasons, for odd ball times when your bank's computer may be down (it even happens at home)."
Lack of true chip-and-pin is not a failure. This is an intentional decision to not provide a fully functional credit card in a modern world where others can and do provide them.
"It is obvious that the die has been cast and all the screaming and whining we do here while interesting to read and a way to let off steam is not going to change anybody's mind. Obviously they feel the cost of converting to pins outweigh the losses due to fraud from lost or stolen cards which from their view is the only difference between chip and pin as opposed to chip and signature. "
Also obvious, is that the issuers don't care if their customers are inconvenienced or hurt by their decision to not provide a fully functional credit card.
"And what happens to the person setting off on his or her first foreign trip who has only one card and has a pin of 5217 (made up number by me) and somehow in his mind thinks the pin is 5271. That person is up the creek without a paddle; at least without a credit card. The battle for pins has been lost and all the screaming in the world, at least in my opinion, will not change it."
I don't buy this argument. Somehow virtually all the Europeans and Canadians I know seem to be able to remember their pin. Americans are not stupider than others, nor do we have poorer memories.
"Best you can do is to get a card at the very least with pin capabilities (Andrews, Barclay Arrival whatever) or go with the UNFCU or First Tech. I just don't see this is going to be changed no matter how much we scream here."
Yes, we agree on this point. It's time to take our business to those institutions who want and deserve it. I would add: Not just credit cards, but savings, checking, etc.
"fellows, we all agree there will be some situations where a card lacking a pin may not work but those places are, at least it seems, not all that many. Yes I know if it happens on the day you need gas desperately it's not good."
Not good? It's inconvenient at best, and bad if you are that mom or dad with kids stuck at night trying to buy gasoline or a ticket to get back to your hotel room.
" I get it but then again all cards fail every so often for communications reasons, for odd ball times when your bank's computer may be down (it even happens at home)."
Lack of true chip-and-pin is not a failure. This is an intentional decision to not provide a fully functional credit card in a modern world where others can and do provide them.
"It is obvious that the die has been cast and all the screaming and whining we do here while interesting to read and a way to let off steam is not going to change anybody's mind. Obviously they feel the cost of converting to pins outweigh the losses due to fraud from lost or stolen cards which from their view is the only difference between chip and pin as opposed to chip and signature. "
Also obvious, is that the issuers don't care if their customers are inconvenienced or hurt by their decision to not provide a fully functional credit card.
"And what happens to the person setting off on his or her first foreign trip who has only one card and has a pin of 5217 (made up number by me) and somehow in his mind thinks the pin is 5271. That person is up the creek without a paddle; at least without a credit card. The battle for pins has been lost and all the screaming in the world, at least in my opinion, will not change it."
I don't buy this argument. Somehow virtually all the Europeans and Canadians I know seem to be able to remember their pin. Americans are not stupider than others, nor do we have poorer memories.
"Best you can do is to get a card at the very least with pin capabilities (Andrews, Barclay Arrival whatever) or go with the UNFCU or First Tech. I just don't see this is going to be changed no matter how much we scream here."
Yes, we agree on this point. It's time to take our business to those institutions who want and deserve it. I would add: Not just credit cards, but savings, checking, etc.
Sep 26, 2015, 9:57 am
Join Date: Dec 2012
Posts: 814
I am wondering how those institutions that offer true chip-and-pin credit cards do it. Do they need special equipment or it is a software issue? Obviously, they do not setup their own credit card processing system, so the ability to do chip-and-pin must already exist in the current processing system, right?
Why would it be more expensive for the bank to do chip-and-pin rather than chip-and-signature?
Why would it be more expensive for the bank to do chip-and-pin rather than chip-and-signature?
Sep 26, 2015, 10:25 am
Join Date: Jun 2015
Posts: 710
I am wondering how those institutions that offer true chip-and-pin credit cards do it. Do they need special equipment or it is a software issue? Obviously, they do not setup their own credit card processing system, so the ability to do chip-and-pin must already exist in the current processing system, right?
Why would it be more expensive for the bank to do chip-and-pin rather than chip-and-signature?
Why would it be more expensive for the bank to do chip-and-pin rather than chip-and-signature?
As to why, it's a combination of factors that been covered in the 900+ pages of messages in this thread. Based on public statements, first and foremost on the issuer concern list is that they do not want their card to be relegated to backup status or cancelled. Their concern is that one or two bad experiences with forgetting the pin would do that.
Second are the customer support costs. When you issue millions of cards, just one additional three minute customer support call from even a minor number of customers will drive your costs through the roof.
For the smaller issuers who don't already have systems in place to manage pins, there's a significant infrastructure cost. Those that have chosen to issue pins see a business niche advantage to doing it.
You can translate all these reasons into the slightly misleading "Our customers want a card that works the same as their current mag stripe card." I hope that the US will switch to pin verification after the EMV cards are widely distributed and being used, but wouldn't put any money on it.
Last edited by glbltvlr; Sep 26, 2015 at 10:50 am
Sep 26, 2015, 10:42 am
Join Date: Aug 2003
Location: Washington, DC
Programs: AA GLD (1MM), DL GLD, Marriott Plat, RCL D+, X Elite
Posts: 3,229
Did I read on this forum or elsewhere that the merchant fee for a PIN based EMV transaction is less than signature based? I'm entirely amenable to believing I could have made that up in my mind, but seems like I did read it. Is it true?
On another note - I acknowledge that ae majority of Americans are probably not going to be impacted by Chip & Sig vs Chip & PIN from a usability perspective. That said, I've found myself wondering why some mainstream large bank hasn't at least acknowledged that there is some demand for a true Chip & PIN product and offered one card that features it.
Just thinking aloud via FT on a Sat. afternoon.
On another note - I acknowledge that ae majority of Americans are probably not going to be impacted by Chip & Sig vs Chip & PIN from a usability perspective. That said, I've found myself wondering why some mainstream large bank hasn't at least acknowledged that there is some demand for a true Chip & PIN product and offered one card that features it.
Just thinking aloud via FT on a Sat. afternoon.
Sep 26, 2015, 10:49 am
Join Date: Jun 2015
Posts: 710
AFAIK EMV deployment doesn't change that.
Sep 26, 2015, 10:56 am
Join Date: Nov 2012
Posts: 3,537
That's the terminology used, but it has nothing to do with PIN vs signature, it has to do with what network it runs on. But this is one incentive for chip and signature debit cards... with a chip and PIN debit card, the customer has no incentive to choose the Visa/MasterCard network if given a choice (since both require a PIN), whereas with a chip and signature debit card customers will choose Visa/MC to avoid needing the PIN.
Sep 26, 2015, 10:57 am
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,508
Pre EMV debit transactions have always been cheaper for the merchant than credit transactions. IIRC the charge for a debit transaction was in the order of .20 to .25 regardless of what the transaction value was, and credit transactions were 2.5-3.0% plus a base charge of .25 or so. This has led to some interesting fights where merchants (like Kohls) program their terminals to default to pin debit, while card issuers entice their holders with "points" to treat their debit card like a credit card.
AFAIK EMV deployment doesn't change that.
AFAIK EMV deployment doesn't change that.
Another factor that might be influencing the signature preference--higher transaction amounts for the latter vs. the former. There have been studies that have shown that people spend up to 15% more with a credit card than a debit card or cash. Mandating PIN could cut that differential down significantly, which would also cut into interchange.
Sep 26, 2015, 11:06 am
Join Date: May 2003
Location: Redwood City, CA USA (SFO/SJC)
Programs: 1K 2010, 1P in 2011, Plat for 2012,13,14,15 & 2016. Gold in 17 & 18, Plat since
Posts: 8,826
Regarding the National Retail Federation viewpoint-
Please keep in mind that there's a lot of money involved here, and it took forever to get things off the ground due to changes in who's on the hook for fraudulent card use. That's very relevant when discussing any further changes, because those changes are far more than technological... each and every such change is going to involve further and lengthy discussions on the fine print that determines whether the retailer or bank is on the hook when something goes bad.
Prior to October 1st, 2015, if a retailer took a card and in good faith determined it to be legit (which, by the way, we're not allowed to ask for alternative forms of ID), actually had the physical card in possession so it was swiped (not number typed) into the machine, and has a signature... the retailer is covered for fraud.
On October 1st, 2015, if a consumer presents a chipped card and the retailer swipes it instead of "plugging it in" (using the chip), and it's later determined to be a fraudulent use (a determination the retailer will have no say in), the retailer is on the hook for the bill.
So can you imagine how much time it took just to accept that change in liability? It was a very long process, and because there's been no real phase-in period for the new technology, it's really tough on the retailer (because they will have had virtually zero experience with it prior to October 1st).
Further, we, as retailers, haven't been the ones dragging our feet. Our CC processors and point-of-sale system providers are only just now delivering new terminals. Last month, I didn't even know what terminals I'd be using. Somehow, in the next few days, it's all just supposed to magically happen.
Chip & Pin. Yes, that will be better; creating a "signature" on a tiny touchscreen is a complete joke. Can anybody really compare one to see that it's real? To my mind, replacing a swiped card with a Chip & Signature card is actually a reduction in security, because you don't have that signature to compare.
Ah, you think a lay person can't compare a signature? It's actually very simple. Never, ever, compare signatures right-side up. Always look at them upside-down. When "normal" you tend to read the signature, and you're predisposed to thinking it matches. Look at it upside-down and you see patterns. Even the sloppiest of signatures will have repeating patterns from signature to signature. Try it. An ex-cop now in fraud showed me this. It's amazing!
OK, in the end, the local brick & mortar retailer really feels like they've been thrown under the bus. We're not getting the support from our vendors, and we're facing really scary fraud potential. It would be different if we could do more to make sure the person presenting the card is the person the card says they are, but we can't.
This has been really poorly planned & implemented. Everything except from the bank's standpoint, since there's suddenly a significant shift in fraud responsibility to those not fully able to mitigate it yet.
Prior to October 1st, 2015, if a retailer took a card and in good faith determined it to be legit (which, by the way, we're not allowed to ask for alternative forms of ID), actually had the physical card in possession so it was swiped (not number typed) into the machine, and has a signature... the retailer is covered for fraud.
On October 1st, 2015, if a consumer presents a chipped card and the retailer swipes it instead of "plugging it in" (using the chip), and it's later determined to be a fraudulent use (a determination the retailer will have no say in), the retailer is on the hook for the bill.
So can you imagine how much time it took just to accept that change in liability? It was a very long process, and because there's been no real phase-in period for the new technology, it's really tough on the retailer (because they will have had virtually zero experience with it prior to October 1st).
Further, we, as retailers, haven't been the ones dragging our feet. Our CC processors and point-of-sale system providers are only just now delivering new terminals. Last month, I didn't even know what terminals I'd be using. Somehow, in the next few days, it's all just supposed to magically happen.
Chip & Pin. Yes, that will be better; creating a "signature" on a tiny touchscreen is a complete joke. Can anybody really compare one to see that it's real? To my mind, replacing a swiped card with a Chip & Signature card is actually a reduction in security, because you don't have that signature to compare.
Ah, you think a lay person can't compare a signature? It's actually very simple. Never, ever, compare signatures right-side up. Always look at them upside-down. When "normal" you tend to read the signature, and you're predisposed to thinking it matches. Look at it upside-down and you see patterns. Even the sloppiest of signatures will have repeating patterns from signature to signature. Try it. An ex-cop now in fraud showed me this. It's amazing!
OK, in the end, the local brick & mortar retailer really feels like they've been thrown under the bus. We're not getting the support from our vendors, and we're facing really scary fraud potential. It would be different if we could do more to make sure the person presenting the card is the person the card says they are, but we can't.
This has been really poorly planned & implemented. Everything except from the bank's standpoint, since there's suddenly a significant shift in fraud responsibility to those not fully able to mitigate it yet.
Sep 26, 2015, 11:19 am
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,508
So can you imagine how much time it took just to accept that change in liability? It was a very long process, and because there's been no real phase-in period for the new technology, it's really tough on the retailer (because they will have had virtually zero experience with it prior to October 1st).
Chip & Pin. Yes, that will be better; creating a "signature" on a tiny touchscreen is a complete joke. Can anybody really compare one to see that it's real? To my mind, replacing a swiped card with a Chip & Signature card is actually a reduction in security, because you don't have that signature to compare.
Ah, you think a lay person can't compare a signature? It's actually very simple. Never, ever, compare signatures right-side up. Always look at them upside-down. When "normal" you tend to read the signature, and you're predisposed to thinking it matches. Look at it upside-down and you see patterns. Even the sloppiest of signatures will have repeating patterns from signature to signature. Try it. An ex-cop now in fraud showed me this. It's amazing!
Ah, you think a lay person can't compare a signature? It's actually very simple. Never, ever, compare signatures right-side up. Always look at them upside-down. When "normal" you tend to read the signature, and you're predisposed to thinking it matches. Look at it upside-down and you see patterns. Even the sloppiest of signatures will have repeating patterns from signature to signature. Try it. An ex-cop now in fraud showed me this. It's amazing!
Yep, but there's more than enough blame to go around.
Sep 26, 2015, 11:25 am
Join Date: May 2003
Location: Redwood City, CA USA (SFO/SJC)
Programs: 1K 2010, 1P in 2011, Plat for 2012,13,14,15 & 2016. Gold in 17 & 18, Plat since
Posts: 8,826
As to why, it's a combination of factors that been covered in the 900+ pages of messages in this thread. Based on public statements, first and foremost on the issuer concern list is that they do not want their card to be relegated to backup status or cancelled. Their concern is that one or two bad experiences with forgetting the pin would do that.
What was I last week? xyzzy321T*2. Today the bank says I have to change that to 98yT#5. And I have to decide... let's see... how many accounts do I have? Do I change them all at the same time? Or do I have different passwords for different accounts?
What consumer in their right mind would ask for more of this?
Sep 26, 2015, 11:37 am
Join Date: May 2003
Location: Redwood City, CA USA (SFO/SJC)
Programs: 1K 2010, 1P in 2011, Plat for 2012,13,14,15 & 2016. Gold in 17 & 18, Plat since
Posts: 8,826
All parties involved had 4+ years; Visa for instance announced the liability shift for the US back in 2011. Everyone only really started to implement it after it became obvious that delaying the liability shift or canceling it entirely wasn't politically viable. Before the Target, etc. breaches no one was taking EMV seriously and we had to look to sources like this thread to find cards suitable for international use, since US magstripe-only cards were starting to no longer work abroad.
Unless you previously didn't have a signature capture terminal, how is this any different? In any case, it looks like you're able to compare signatures well enough so that they serve their anti lost/stolen fraud purpose. (BTW you're probably one of the only merchants who actually follows Visa/MC requirements!)
Yep, but there's more than enough blame to go around.
Unless you previously didn't have a signature capture terminal, how is this any different? In any case, it looks like you're able to compare signatures well enough so that they serve their anti lost/stolen fraud purpose. (BTW you're probably one of the only merchants who actually follows Visa/MC requirements!)
Yep, but there's more than enough blame to go around.
As for following the rules, you betcha. Why not take advantage of whatever protections you're offered? Just because they don't follow the rules in Europe when you try to use your swiped card, doesn't mean I shouldn't follow the rules I agreed to when I signed my contract with the CC companies. (For what it's worth, one could challenge maybe half the swiped transactions they do allow in Europe because that's how often they don't even bother to have me sign, even for transactions over 25 euros...)
But the new stuff dealing with swiping cards... that's scary stuff I would never have agreed to, given a choice. There should have been requirements to the point-of-sale and CC providers that placed potential liability on them if they didn't provide the proper tools in a reasonable time frame.
Sep 26, 2015, 11:52 am
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,508
Just to be clear, the smaller retailer has had no voice whatsoever in this issue. We've been told to wait... it's coming... be patient... you'll have what you need. Do you have any idea how difficult it is to shop for different CC processors, or how many businesses switched and discovered that the fine print really screwed them? It's not something where we can easily shop around for someone who "has their act together" on this matter. Nevertheless, we do! We put out feelers, we talk with various CC providers... and it's always the same. The more money you have, the more voice. The money is so highly concentrated at the top that even retail federations don't have much say in the matter.
As for following the rules, you betcha. Why not take advantage of whatever protections you're offered? Just because they don't follow the rules in Europe when you try to use your swiped card, doesn't mean I shouldn't follow the rules I agreed to when I signed my contract with the CC companies. (For what it's worth, one could challenge maybe half the swiped transactions they do allow in Europe because that's how often they don't even bother to have me sign, even for transactions over 25 euros...)
But the new stuff dealing with swiping cards... that's scary stuff I would never have agreed to, given a choice. There should have been requirements to the point-of-sale and CC providers that placed potential liability on them if they didn't provide the proper tools in a reasonable time frame.
As for following the rules, you betcha. Why not take advantage of whatever protections you're offered? Just because they don't follow the rules in Europe when you try to use your swiped card, doesn't mean I shouldn't follow the rules I agreed to when I signed my contract with the CC companies. (For what it's worth, one could challenge maybe half the swiped transactions they do allow in Europe because that's how often they don't even bother to have me sign, even for transactions over 25 euros...)
But the new stuff dealing with swiping cards... that's scary stuff I would never have agreed to, given a choice. There should have been requirements to the point-of-sale and CC providers that placed potential liability on them if they didn't provide the proper tools in a reasonable time frame.
If you were relying on your current merchant provider to give you info on at least what EMV means, then they seriously dropped the ball and you should be looking for a new one on that basis alone.
Sep 26, 2015, 12:07 pm
Join Date: Jul 2007
Posts: 1,762
Is there a problem remembering one four digit pin? No of course not. Is there a problem remembering two four digit pins? No of course not but now there's a small problem reaching for the wrong credit card with the wrong pin but only a slight problem.
However, I now have about 12 different credit cards I have acquired over the years. Where I can I make them the same pin with emphasis on where I can I most certainly do. It isn't all that easy to set up the same pins and I wonder, as I've said, just how wise that is. I think too many hear belittle the idea that at a certain point it does become somewhat difficult to remember all the different pins. I wonder how many of the people here who scream loudest and belittle people who might think it is difficult to remember all those different pins (and passwords) have five or six different pins and/or passwords for their various credit, debit cards and online activities.
Of course part of the problem, I do admit, is that I have little opportunity to use my pins as things have evolved here. I got the First Tech card, used it once and as I write this don't remember the pin (I can look it up as I scan the notices into my computer which don't have the account numbers. I wonder, as always in all due respect, how many of those ridiculing the banks' arguments about memorizing pins have five or more accounts and can recite all the various pins for each unless they've all been made the same. The argument about memorizing different pins does have a degree of validity even for some of those who scream the loudest here.
I think it is up to the networks to aggressively enforce their new regs regarding no cvm at kiosks and cut to the absolute minimum the number of places where chip and signature cards don't work. Right now, I have no idea just how prevalent it is given the new regulations not to be able to use a chip and signature card at any given place and whether or not such non compliant places are increasing.
However, I now have about 12 different credit cards I have acquired over the years. Where I can I make them the same pin with emphasis on where I can I most certainly do. It isn't all that easy to set up the same pins and I wonder, as I've said, just how wise that is. I think too many hear belittle the idea that at a certain point it does become somewhat difficult to remember all the different pins. I wonder how many of the people here who scream loudest and belittle people who might think it is difficult to remember all those different pins (and passwords) have five or six different pins and/or passwords for their various credit, debit cards and online activities.
Of course part of the problem, I do admit, is that I have little opportunity to use my pins as things have evolved here. I got the First Tech card, used it once and as I write this don't remember the pin (I can look it up as I scan the notices into my computer which don't have the account numbers. I wonder, as always in all due respect, how many of those ridiculing the banks' arguments about memorizing pins have five or more accounts and can recite all the various pins for each unless they've all been made the same. The argument about memorizing different pins does have a degree of validity even for some of those who scream the loudest here.
I think it is up to the networks to aggressively enforce their new regs regarding no cvm at kiosks and cut to the absolute minimum the number of places where chip and signature cards don't work. Right now, I have no idea just how prevalent it is given the new regulations not to be able to use a chip and signature card at any given place and whether or not such non compliant places are increasing.
Sep 26, 2015, 12:31 pm
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,508
I'd like to think that having more than a couple credit cards isn't that common outside of FT and some other Internet communities. At least for me, most of the people I know seem to have a debit card and (maybe) 2-3 credit cards, all likely with no annual fee. I also almost want to say that despite the credit cards, the debit card ends up being the most commonly used, but I could be wrong on that.