Jan 16, 2017, 6:55 am
Last edit by: storewanderer
Older (archived) threads: 2014-16
- - - - - -
- What is EMV contactless?
EMV contactless is a form of contactless/NFC that uses the same security and encryption that is used when inserting a chip card into an EMV-enabled terminal. Other than not having to sign/enter a PIN for smaller transactions, the security is effectively the same as chip and PIN/chip and signature.
In contrast, MSD contactless is an older version that is designed just and only for the United States. This effectively uses much the same flow as a swiped card transaction with the same rules.
- What is CDCVM?
CDCVM stands for Consumer Device Cardholder Verification Method. It's a method of telling the terminal that the customer verified their identity using their mobile device. Terminals that support it will waive the signature/PIN requirement typically in place for larger transactions, potentially saving time at checkout.
More info: https://support.apple.com/en-us/HT202527
- Does EMV contactless need to be supported to support CDCVM?
Typically, yes. (However, there are some exceptions below.)
- Why can't I tap my foreign-issued contactless card at most places in the US?
This is likely because the store does not support EMV contactless. Foreign issued contactless cards typically do not support MSD contactless since other markets have had EMV for quite some time. In contrast, most stores in the US have yet to get the necessary certifications/software for EMV contactless so they are typically MSD-only--if contactless is enabled at all. (See below for a list of stores where your card will likely work.)
- I paid for a purchase with Apple/Android/Samsung Pay and still had to sign for it.
Most likely, the store in question does not have EMV contactless enabled (see above question). However, there are instances where CDCVM does not work even with EMV contactless enabled. Restaurants that allow tip adjust, for example--where the tip amount is written on a paper receipt and entered by the staff later--cannot support CDCVM. It may simply be a matter of the merchant's processor or the POS software in use not supporting it too.
Another common reason is if you used a US-issued AmEx card with a mobile wallet. AmEx currently does not allow EMV contactless support in mobile wallets for these cards, so they always run as MSD contactless. Because of this, CDCVM is not supported (with very few exceptions, as noted below).
Note: if you used Samsung Pay, you may have paid with MST instead of NFC. Since MST emulates the magnetic pulses that the terminal receives when swiping a regular card, the normal magstripe rules apply.
- How can I tell whether EMV contactless was used?
An easy way to tell if you have Apple Pay is to pay with a Visa or MC while in airplane mode. Wallet will then show a transaction amount next to "Payment" for the card that was used. Alternatively, EMV-related information will typically print on the receipt (AID, etc.) if EMV contactless was used.
(Non-exhaustive) list of EMV contactless supporting merchants in the US:
- 7-Eleven
- 99 Ranch
- Albertsons (Safeway, Vons, Pak N Save, Jewel, Acme, Shaws, Star, Carrs, Randalls, Tom Thumb, Haggen, Eagle, Lucky UT/SoCal)
- Apple Store*†
- Athleta
- Auntie Anne’s Pretzels
- Banana Republic
- Costco Wholesale
- CVS
- DuaneReade*
- El Pollo Loco
- EG Group US (Quik Stop, Kwik Shop, Tom Thumb, Turkey Hill) Note: cashier must press "Electronic Payment" to activate NFC
- Five Below*
- Five Guys
- GAP
- Grocery Outlet*
- Harmon's Grocery
- H&M*
- Jolibee
- Kohl's*
- Lush Cosmetics*
- Maverik
- McDonald's*
- Meijer
- Old Navy
- Panera Bread
- PetSmart
- Ray's Food Place
- Round Table Pizza
- Royal Farms
- Red Ribbon Bakeshop
- Sheetz
- Sherm's Thunderbird Discount Markets Inc.*
- Sprouts
- Staples*
- Starbucks*
- Subway
- Walgreens*
- Weis Markets
- All businesses that use Square and support contactless*
- All businesses that use Clover and support EMV†**
- All businesses that use First Data standalone terminals (e.g. FD100+FD35, FD130) with EMV enabled**
* CDCVM support confirmed
** CDCVM support depends on store/restaurant
† CDCVM supported in MSD mode
USA contactless credit/debit/transit (2017 - 2021)
Aug 26, 2020, 7:52 am
#8686
Join Date: May 2005
Location: SEA
Programs: AS; Hyatt Globalist; Hilton Gold; NEXUS
Posts: 979
Update on Kroger/QFC - Apple Pay with Chase cards now works for me, as of Monday. Seems like Kroger is indeed working out the kinks.
Aug 27, 2020, 12:38 am
#8688
Join Date: Sep 2014
Posts: 1,722
Well today I found an Exxon Passport station that uses MX915s inside with EMV contactless enabled and it doesn't ask for a pin on contactless debit. It also has Flex Pay IV with EMV enabled at the pump and the ctls is only msd at the pump. A Commander station that just got emv ctls no longer has working ctls and it spits out cool long declined receipts which I will post pics of later and it says "chip read" and not contactless. It will need a bit of a tweak to fix it but I'm sure it will work eventually. Safeway gas does indeed not have working ctls at the pump yet.
Aug 27, 2020, 9:27 am
#8689
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
One of the most infuriating things about the EMV migration (besides lack of pay at the table) IMO is that they shouldn't have needed to "work out the kinks". Ideally terminals would all basically have the same payment handling logic and the POS system's only involvement would be to send a transaction amount and get back approved/denied. Of course, that didn't happen and so here we are.
AFAIK the Vons pumps here don't even have readers yet. Not sure when those are coming.
AFAIK the Vons pumps here don't even have readers yet. Not sure when those are coming.
Aug 27, 2020, 11:51 pm
#8690
Join Date: Mar 2011
Location: Window Seat
Programs: National Executive, HHonors Gold, IHG Platinum, Hyatt Visitor
Posts: 2,495
One of the most infuriating things about the EMV migration (besides lack of pay at the table) IMO is that they shouldn't have needed to "work out the kinks". Ideally terminals would all basically have the same payment handling logic and the POS system's only involvement would be to send a transaction amount and get back approved/denied. Of course, that didn't happen and so here we are.
AFAIK the Vons pumps here don't even have readers yet. Not sure when those are coming.
AFAIK the Vons pumps here don't even have readers yet. Not sure when those are coming.
Vons in Bishop, CA has NFC at the pump readers - with coming soon stickers. Brand new pumps installed recently.
Aug 28, 2020, 3:55 am
#8691
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
There should be no kink. Harmon's Grocery in Utah uses IBM Registers and MX915s basically the same software as Kroger and they have had working EMV Contactless now for like 3 years. The main quirk was it did not work until the cashier totaled and pressed EFT Tender and then took a few seconds to activate the tap function. But it did work.
Ideally the POS vendor wouldn't need to know much (if anything) about EMV/contactless at all--just a standard API for access to payment terminals--but of course, that ship has sailed.
Aug 28, 2020, 3:58 am
#8692
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
BTW, not that this would particularly matter for most Americans, but: Academics bypass PINs for Visa contactless payments
I would think banks would see CDCVM happening on a non-tokenized PAN and instantly decline, but I guess not. It might not even be realistically possible to do that if biometric cards become more common (depending on how they're implemented).
At the technical level, the researchers said the attack is possible because of what they describe as design flaws in the EMV standard and in Visa's contactless protocol.These issues allow an attacker to alter data involved in a contactless transaction, including the fields that control transaction details and if the card owner has been verified.
"The cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification," researchers said.
"The attack consists in a modification of a card-sourced data object –the Card Transaction Qualifiers– before delivering it to the terminal," they added.
"The modification instructs the terminal that: (1) PIN verification is not required, and (2) the cardholder was verified on the consumer's device (e.g., a smartphone)."
"The cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification," researchers said.
"The attack consists in a modification of a card-sourced data object –the Card Transaction Qualifiers– before delivering it to the terminal," they added.
"The modification instructs the terminal that: (1) PIN verification is not required, and (2) the cardholder was verified on the consumer's device (e.g., a smartphone)."
Aug 28, 2020, 5:06 am
#8693
Join Date: May 2011
Location: NYC (LGA, JFK), CT
Programs: Delta Platinum, American Gold, JetBlue Mosaic 4, Marriott Platinum, Hyatt Explorist, Hilton Diamond,
Posts: 4,895
After recent updates, only two of my cards now are non contactless:
Apple Card (not a big deal since I have never used the physical card)
Capital One Venture (I have the metal version of the card; evidentially the plastic version is contactless)
Any idea when Capital One may switch their metal cards to contactless?
I usually use tap to pay via a card whenever I pay in person nowadays (Apple Pay is more cumbersome now given Face ID and the increase in this size of the phone, Apple Pay via the watch is still kind of awkward)
Apple Card (not a big deal since I have never used the physical card)
Capital One Venture (I have the metal version of the card; evidentially the plastic version is contactless)
Any idea when Capital One may switch their metal cards to contactless?
I usually use tap to pay via a card whenever I pay in person nowadays (Apple Pay is more cumbersome now given Face ID and the increase in this size of the phone, Apple Pay via the watch is still kind of awkward)
Aug 28, 2020, 12:19 pm
#8694
Join Date: Sep 2014
Posts: 1,722
7-Eleven no longer allows pin bypass on contactless as it declined when I pressed the green button but I remember pressing the red button to bypass the pin. So maybe I pressed the wrong button and I will see later when I press the red. Vitamin Shoppe got an upgraded pos and pin bypass is not allowed on ctls debit either.
Aug 29, 2020, 4:49 am
#8695
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
Finally got a photo of that sign I see at the area Wetzel's Prezels locations:
Again, kinda sad that it took a pandemic to get them (and others) to start promoting it. To Wetzel's credit, though, they had the readers for a while before the pandemic started--even if some locations didn't have them customer facing before now.
Again, kinda sad that it took a pandemic to get them (and others) to start promoting it. To Wetzel's credit, though, they had the readers for a while before the pandemic started--even if some locations didn't have them customer facing before now.
Aug 30, 2020, 1:41 am
#8696
Join Date: Mar 2011
Location: Window Seat
Programs: National Executive, HHonors Gold, IHG Platinum, Hyatt Visitor
Posts: 2,495
As of today:
No Contactless at:
Stein Mart (guess it doesn't matter since they are going out of business)
Stage Stores (guess it doesn't matter since they are going out of business)
Nordstrom Rack
No Contactless at:
Stein Mart (guess it doesn't matter since they are going out of business)
Stage Stores (guess it doesn't matter since they are going out of business)
Nordstrom Rack
Aug 30, 2020, 3:10 pm
#8697
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
Speaking of 99C Only, I wonder if SAP POS can even do contactless or if 99C Only explicitly disables it. They're the only place I've ever run into that uses it, anyway, so it can't be too common. OTOH, they also seem to be one of the only places that runs debit cards as PINless debit; I haven't had to enter a PIN yet with those (whereas my PIN-preferring credit cards always seem to trigger a PIN prompt).
Aug 30, 2020, 9:06 pm
#8698
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
Actually, I did notice a recent change. I went to two malls today and while one Panda Express was still swipe only, the other got MX915s. Maybe they are actually rolling support out everywhere after all?
Aug 30, 2020, 10:24 pm
#8699
Join Date: Sep 2014
Posts: 1,722
Also it seems Colorado Passport is far ahead of EMV at the pump as both Exxon and Sinclair locations have it and they have EMV contactless inside. It flashes the AID name and says approved within 3 to 4 seconds. Far better then my state who still has neither on Passport. Commander seems really behind on EMV contactless inside and at the pump locally and in Colorado.
Total Wine & More uses a similar NCR pos to Trader Joe's but at liquor store. No AID listed but it does use the AID name so you know its still EMV contactless. I will post my receipt tomorrow.
Aug 30, 2020, 11:12 pm
#8700
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
Also it seems Colorado Passport is far ahead of EMV at the pump as both Exxon and Sinclair locations have it and they have EMV contactless inside. It flashes the AID name and says approved within 3 to 4 seconds. Far better then my state who still has neither on Passport. Commander seems really behind on EMV contactless inside and at the pump locally and in Colorado.