> However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.
Who are these businesses? Seriously, stop issuing cards without chips and send new card readers to theses businesses. End of story.
Is it because US businesses use deeply embedded card readers in custom POS machines that aren't modular?
Everywhere I go in South America and Europe, businesses have portable readers. The card companies just sent them new readers and they were accepting chips overnight. Same when NFC was introduced.
The US payment and banking systems are truly maddening.
When Canada moved to Chip and Pin there was no fanfare.
Merchants started getting chip terminals as part of the regular replacement cycle, consumers started getting chip cards as part of that regular replacement cycle, and eventually the terminals started telling users to insert their card.
Interac was the first mover because most people were already familiar with swipe and pin, so the move to chip and pin was a virtual non-event. When the credit card companies moved the issuing banks had to issue PINs, but everyone already knew the mechanics of using it.
The most interesting part is that the US already has the infrastructure to support this. I went to a Walmart in the US and paying with my Canadian credit card worked EXACTLY like it does in Canada - insert card, confirm amount, enter PIN, done. The cashier was a little confused that I didn't need to sign for it, but ultimately they just went with it.
The problem is that there's no equivalent party in the "infrastructure" position in the US that Interac occupies in Canada. There's just 500 different state-level banks, who all license different companies to make their ATM cards. (This is the same reason it took so long for the US to get past two-day ACH settlement.)
For the purposes of accepting these cards as payment (which seems to be a much more common skimmer threat, for example at gas pumps) don't MasterCard and Visa fill this role?
The vast majority of terminals in the US use chip, but I doubt the US will ever require pin numbers for credit card purchases. It's just too inconvenient. Banks are willing to eat the tiny reversed transactions in exchange for making the payment flow more efficient.
What about it is inconvenient? We've had Chip+PIN in the UK since 2006 and contactless payments since 2007 and it isn't inconvenient at all. Supporting card machines are everywhere and in addition portable card machines are extremely commonplace. Even in restaurants they just bring the card reader to the table and you either tap-to-pay or you put your card in and enter your PIN.
You have to remember not one, not two, not three, but several digits. Not only that. You have to look at a keypad. Oh, and you have to push buttons. Not once, not twice, but several times! Pity the poor fool who accidentally pushes the wrong button. More looking at a keypad and button pushing!
Yeah, I don't get it either. My only guess is the customer support calls for forgotten pins are more expensive to deal with than dealing with the incidents of fraud the pin would prevent.
Don't they have to deal with those forgotten PIN calls anyway? Don't you need a PIN to get cash out of an ATM?
My debit card and its PIN are used for a few different things - in-store payments, using the ATM, and authenticating when in-person at a bank. The last one is interesting - each desk at the bank, both the tellers and the offices where you talk to someone, has a terminal and every interaction starts with putting in your debit card and entering your PIN.
Extending this to credit card is no big deal - my main bank syncs the PIN between the debit and credit cards. I only have a credit card with the other bank that I use and I haven't set foot in one of their branches in 20 years, so I have no idea whether they sync the PINs or use their cards for in-person authentication.
Imagine that in this other alien culture, most people were using credit cards for most transactions and rarely ever use their ATM/debit card. They don't have a day to day use for cash so do not frequent ATMs nor do they have much reason to frequent bank branches.
They've been presenting a credit card and making a squiggle with a pen for years and never remembered a PIN at all. Their credit card bill is paid electronically online somehow, either automatically because of a direct debit configuration setup years before or via an interactive banking website. These were authenticated with a web password and perhaps archaic knowledge of a routing number and checking account nunber. No PIN in sight there either...
Do you say this because you believe that Americans are exceptional compared to the rest of the world? Because the rest of the modern world has made the change without trouble.
it’s because american corporations put profit above all else, and someone probably crunched the numbers and determined that faster transactions make them more money despite higher occurrences of fraud
When still requested, the signature is often just scrawling something into a signature box on a touch screen of the same device with the chip reader or contactless receiver. There might be some stylus dangling on a tether and often a spastic finger tip is sufficient to satisfy the UI.
Generally (at least in my part of the US) people stopped being asked to sign for small purchases several years ago; usually now convenience stores and big box stores under a certain dollar amount just ask you to tap a button instead of sign.
Signing is very rare these days, non-existent for small purchases... and still seemingly rare for larger ones. I've spent hundreds of dollars in single transactions without signature or pin.
In Ireland I’ve had to enter a PIN for as little as 15 Euros. It’s very variable. Never run into this in Europe before and it’s been something of a pain because I don’t have a PIN on any of my personal cards. Fortunately I found I do have one on my corporate card.
The threshold varies between banks but there is often a limit as to how much you can spend or many times you can use "unverified" contactless payments (i.e. not Apple Pay which forces biometric verification) in a row before it will stop and demand a Chip+PIN transaction instead, to prevent someone who finds/steals a card from spending large amounts without ever needing to know the PIN.
For example, if the contactless limit is £100 and it only allows four contactless transactions in a row, the worst damage that can be done is £400, so banks and card issuers only need to manage the liability for fraudulent contactless transactions up to that amount (Visa and Mastercard call it "Zero Liability" protection).
I am nit sure how it works elsewhere but with NFC i can set limit when PIN is required . And with NFC on phone this gets preapproved by using biometrics.
The time is moot in almost all situations as long as it doesn’t take you longer to enter the PIN than it does for a cashier to finish tallying items. The concern I’ve heard businesses raise is that people won’t remember it but that’s also a chicken and egg problem since people will remember what they use regularly.
Of course, since it’s the 2020s and not the 1990s we don’t need either since NFC is widely supported and an Apple/Google device transaction secured by biometrics on the client is far better and already widely supported.
I've heard this argument but I honestly don't understand it. This is the reality for making credit card purchases in Canada, having to remember PINs for credit cards is something I've never heard anybody complain about.
Maybe it's because the prevalence of Interac already trained us to deal with PINs.
I want to call out this country wide edict. I've seen this done in both the United States and Canada. I do not know your personal situation, but I'm fairly sure it wasn't across the entire country of Canada.
Except not everyone in Canada requires chip and pin, and the parent comment made it sound like there are no other options with credit cards across the entire country.
Based on my experience both the United States and Canada are usually moving financial tech through different regions and social groups in phases and at different paces.
I'm trying to think of specific examples occurring nation wide and credit card technology just doesn't register. Maybe the removal of the Canadian penny, or paper dollar?
The paper dollar was converted to a coin in the '90s and the two-dollar bill followed suit.
Yes, every card in Canada is chip and PIN except possibly some prepaid gift cards. The same is the case across Europe and Australia and has been for the better part of two decades now.
Exactly. Removal of some of the coinage and paper was nationwide. They are no longer legal tender.
While all cards in Canada may have chip and PIN, no such event occurred where across the nation everyone started using it for every purchase, like there was no transition, nor different options to use with the same card. Consider contactless-enabled card payments as an example (like the original post did).
The assertion that the United States is somehow behind Canada in payment technology because all credit card issuers do not issue cards with chip and PIN seems invalid to me. Additionally the surprise at not requiring signatures. Merchants have been accepting contact-less enabled card payments in the United States, requiring no signature, for quite awhile.
The $1 and the $2 notes stopped being issued in 1989 and 1996 respectively. They are not demonetized and you can still exchange such money at any bank in Canada, or the Bank of Canada, for its face value.
>While all cards in Canada may have chip and PIN, no such event occurred where across the nation everyone started using it for every purchase, like there was no transition
What the hell is this supposed to mean? EMV-enabled cards were rolled out as each bank got onboard, replacing cards at expiry with EMV-enabled ones. Eventually no further non-chip cards were issued.
After a while, the same thing happened for contactless as well.
>nor different options to use with the same card.
EMV supports multiple applets per card, so you can absolutely have a debit and a credit card in the same physical card, choosing which you want to use after you insert it into the reader. These are unusual, perhaps because most people seem to prefer separate cards.
>The assertion that the United States is somehow behind Canada in payment technology because all credit card issuers do not issue cards with chip and PIN seems invalid to me.
The United States isn't just behind Canada, it's behind Europe, Australia, and most of Asia, as well.
I can send money from one European country to another in a regulated maximum of 15 seconds 24/7/365 (look up "SCT INST"), but the Americans can't get it from one bank to another in the same country quicker than a day or two (or sometimes three, apparently). Never mind consumers trying to punch in someone's ABA routing and account numbers to pay them... lol nope, hence the mess of insecure third-party services like Zelle, CashApp, etc.
Skimmers aren't really a thing in Europe because everything is EMV, and I don't mean the abortion which is chip-and-signature (although that still proves possession of the original card).
>Additionally the surprise at not requiring signatures. Merchants have been accepting contact-less enabled card payments in the United States, requiring no signature, for quite awhile.
Again you speak from whence you know not. Google Pay and Apple Pay use a different CVM, referred to as CDCVM, for which there is no PIN as user authentication is handled by the device (hence the need for a fingerprint or face scan before they can be used). For small transactions plastic cards are permitted to perform contactless transactions without a PIN in most countries for convenience as the risk of fraud is low given the maximum cumulative cap of perhaps €50/$50, configurable by the issuer, before a PIN becomes required, which caps the bank's liability in case of theft (since the cardholder is not on the hook for it).
>The $1 and the $2 notes stopped being issued in 1989 and 1996 respectively. They are not demonetized and you can still exchange such money at any bank in Canada, or the Bank of Canada, for its face value.
Since January 1, 2021, the Canadian $1, $2, $25, $500 and $1,000 bank notes are no longer considered legal tender. Essentially, this means that you may not be able to use them in cash transactions.
===
>> While all cards in Canada may have chip and PIN, no such event occurred where across the nation everyone started using it for every purchase, like there was no transition
> What the hell is this supposed to mean? EMV-enabled cards were rolled out as each bank got onboard, replacing cards at expiry with EMV-enabled ones. Eventually no further non-chip cards were issued.
> After a while, the same thing happened for contactless as well.
Again, I am explicitly making the claim that it is misleading to suggest Canada was ahead of the United States by mandating all credit cards have chip and PIN, because by then you could do the same thing with contactless (signatureless transations, with a benefit of not using a pin) just like in the United States.
>> nor different options to use with the same card.
> EMV supports multiple applets per card, so you can absolutely have a debit and a credit card in the same physical card, choosing which you want to use after you insert it into the reader. These are unusual, perhaps because most people seem to prefer separate cards.
I'm aware. I've had one.
>> The assertion that the United States is somehow behind Canada in payment technology because all credit card issuers do not issue cards with chip and PIN seems invalid to me.
> The United States isn't just behind Canada, it's behind Europe, Australia, and most of Asia, as well.
I kindly reject your assertion, because you are basing it on Canada requiring all cards have chip and PIN, but not enforcing its usage at all terminals.
> I can send money from one European country to another in a regulated maximum of 15 seconds 24/7/365 (look up "SCT INST"), but the Americans can't get it from one bank to another in the same country quicker than a day or two (or sometimes three, apparently). Never mind consumers trying to punch in someone's ABA routing and account numbers to pay them... lol nope, hence the mess of insecure third-party services like Zelle, CashApp, etc.
> Skimmers aren't really a thing in Europe because everything is EMV, and I don't mean the abortion which is chip-and-signature (although that still proves possession of the original card).
>> Additionally the surprise at not requiring signatures. Merchants have been accepting contact-less enabled card payments in the United States, requiring no signature, for quite awhile.
> Again you speak from whence you know not. Google Pay and Apple Pay use a different CVM, referred to as CDCVM, for which there is no PIN as user authentication is handled by the device (hence the need for a fingerprint or face scan before they can be used). For small transactions plastic cards are permitted to perform contactless transactions without a PIN in most countries for convenience as the risk of fraud is low given the maximum cumulative cap of perhaps €50/$50, configurable by the issuer, before a PIN becomes required, which caps the bank's liability in case of theft (since the cardholder is not on the hook for it).
I think we're done talking now, given you keep telling me I don't know what I'm saying, and you are obviously just ignoring the fact that I've been completing contactless, signatureless transactions with my credit card for a significant amount of my purchases made in the United States and Canada since 2008.
I'm curious what actually determines when a pin number or signature is required. I seem to get asked for them pretty randomly, sometimes not at all. It's been this way everywhere I go (currently living in Germany). What does the store actually do with all the signed receipts at the end of the day, anyway?
When I first moved from Canada to the US, before I got an American credit card, I used my Canadian card to tap as I was so used to doing. More than once, the clerk looked at me as though I were a wizard.
That's funny, I had similar experiences moving from the United States to Canada. When most people were paying with their debit cards at the terminal, I would tap my credit card (at the time issued from the United States) and have no signature. Like in your case, some clerks seemed surprised.
I'm unable to measure how "common" it was across two giant land masses with very different populations sizes. My personal story was paying by credit card via tap and requiring no signature, with a card issued in the United States while in Canada, and having people be very surprised at its use.
> Who are these businesses? Seriously, stop issuing cards without chips and send new card readers to theses businesses. End of story.
Alternatively - do what Monzo does in the UK and issue cards with a magnetic stripe that is disabled in the backend by default.
If you try to use the magnetic stripe, it sends you an alert that says "Someone (possibly you) tried to pay using the magnetic stripe. Do you want to allow the magnetic stripe for the next hour?"
Then if you travel to a country that relies on magnetic stripe, similarly it sends you a message saying "You have travelled to X - sometimes you may need to enable the magnetic stripe in order to use an ATM. Do you want to temporarily enable the magnetic stripe?"
Gas stations, parking meters, and ticket dispensers at most train/bus stations. They should replace them but I figure the problem is that they are built in to giant kiosks
With gas stations, there is so much more to it than just replacing a card reader in the kiosk, or even just replacing the kiosk itself. You may have to even tear out all of the old networking equipment. https://news.ycombinator.com/item?id=28207062
Thanks, but the post you linked is making me irrationally angry. Why does a gas pump card reader need full internet connectivity?! It's outrageous! Just use the two wires to talk to a head unit in the building! Then it brings up the gas pump advertising screens which are already a sore point for me (two conveniently located stations have these, so I can't go there anymore because I find the accompanying audio intolerable).
The whole situation smells like it involves a lot of vendor lock-in, too (which I always hate to see).
Replacing is not as simple as sending a new terminal. Then you’d have to integrate it with the legacy software workflow and modify the existing furniture at the airport to support a pin pad.
Also, we have your ID and you are going to be cleaning security, so we’re pretty certain you say who you are. Regardless of the physical security of the credit card.
Why is the US a special case though? Every other country replaced these old card machines more than a decade ago. Every other country has airline ticket counters too.
My fruit stand at the farmers market figured out how to accommodate a credit card reader. They did not have to replace any furniture. They literally have no counter space, and managed to make it work. A portable card reader with a pin pad is a solution that can work in all the hard cases.
> Replacing is not as simple as sending a new terminal. Then you’d have to integrate it with the legacy software workflow and modify the existing furniture at the airport to support a pin pad.
The rest of the world figured this out long ago; this is already a solved problem.
I just do not goddamn care any more. The writing has been on the wall for years, and if your business is based around accepting credit cards and you continue to dig your head in the sand, that's on you.
I encountered this in the US a few days ago. It made me angry because it locks out those who don't have a smartphone or aren't willing to install Yet Another App.
It’s relatively common in the US as well but having backup is important for visitors, when apps need a forgotten password rentered etc. Way too many ticketing and other systems are way too unfriendly for the occasional user as it is without requiring that an app has to be used.
NFC means I can pay with my watch. I think in China they rely upon phone cameras and QR codes. Great if you've got your phone with you, but I can go out for a run with just my watch and pay using NFC.
Yeah this is what I do, taking my watch out for a run and being able to track my run, etc. Then being able to stop at a shop on the way back for a cold drink or to pick up some groceries and just pay with the watch is so convenient.
Sucks that everything else about smart watches sucks tho. Thanks to Apple making the "pretty" Apple watch, other brands have forgone things like eink/mip displays that get better battery life. :/
I’m in Australia and an American friend who is visiting was shocked at how nearly everywhere from small cafes to supermarkets all support payments with Apple/Google pay and tap and go.
This spring I left a job working with payments in a SaaS for the self storage industry. I don't remember exact numbers but the overwhelming majority of the card present payments we processed were either keyed by hand or swiped with a magtek reader. A great many self storage companies are mom and pop operations that only have one or two locations, often run by retirees to supplement their retirement income. Needless to say they (and the industry as a whole) are highly resistant to change.
> This spring I left a job working with payments in a SaaS for the self storage industry. I don't remember exact numbers but the overwhelming majority of the card present payments we processed were either keyed by hand or swiped with a magtek reader. A great many self storage companies are mom and pop operations that only have one or two locations, often run by retirees to supplement their retirement income. Needless to say they (and the industry as a whole) are highly resistant to change.
In Europe you can buy card terminals for €30 with no monthly fee, and you don't even have to be a registered business entity.
Now that I check, that same company exists in the US too:
We're talking about people often in their 60s or 70s who quite literally hate technology and don't want to spend any money on it unless someone puts a gun to their head. Seriously, the company I worked for had dropped support for windows XP before I ever started there, but they still had some customers running it when I left (this year).
From the POV of these small business owners that Sumup terminal doesn't do anything to help them and if anything makes their life harder. It won't integrate with their business management software (our product) and most likely will have higher transaction fees than their current payment processor. The company I was with offered EMV terminals that were fully integrated with the management software (I helped write the integration), but there wasn't a lot of interest in them outside of larger companies. The small guys in general don't have a lot of incentive to care about information security. One of the other projects I worked on was migrating the management software from using encrypted CC numbers stored in its database to using tokens. When we took away the ability for users to unmask and view the full CC number some of them started saving saving card numbers in the plain text customer info fields (address, etc.).
Sure, but if the US government was on top of passing legislation to force businesses to stay up to date in order to protect consumers we wouldn't be having this conversation.
> great many self storage companies are mom and pop operations that only have one or two locations
Exactly the type of company that should be getting one of those portable card readers that can be easily replaced.
It can't be harder to enter an amount in the device and ask the customer to insert card and type pin than typing numbers or swiping many times, getting signatures, etc.
What is scary though is how easily the rfid can be read off of a person. It's a great thing to have but card issuers should include some kind of protective sleeve with every card rather than relying on the consumer to be both aware of and able to use an rfid blocking wallet.
Old payment card RFID contactless was really insecure; it basically spat out the data on the magnetic stripe. New contactless is directly tied to the EMV chips and requires the whole cryptographic round trip and such. You can put a protective sleeve around your cards if you want, but it doesn't really add much in real security anymore.
If payment can be authorized through the chip by mere proximity, without any explicit authorization by the owner, then it's still insecure. Of course the thief would need to have an official payment terminal, but those are everywhere.
Technically yes you are correct, but the threat model here is similar to someone grabbing a card from you and dipping it into a terminal chip reader without your permission. This is what the PIN part of chip-and-PIN protects against; the chip part (also applicable to EMV contactless) protects against card duplication and transaction replay.
There is a huge difference between this kind of attack and what an attacker can do with the old scheme of magnetic swipe data over RFID. With the former, the only thing an attacker can do is perform a real transaction in that moment; this transaction leaves behind an audit trail tied to a real merchant (the operator of the terminal) and their bank account. An attacker cannot, however, initiate additional payments without accessing the payment card again, and without access to the cryptographic secrets held by the payment service provider, they cannot extract the card number to use for online transactions.
With the latter, it's equivalent to skimming a the magnetic stripe: an attacker can clone the card and reuse it for transactions as often as they'd like for whatever amounts they can authorize. In addition, they will have access to the plaintext card number, which would allow them to use it for online transactions. And absolutely none of this leaves behind an audit trail of how the attacker got your card.
I disabled mine on the card, and exclusive useless NFC payment from my banking app. That still requires my explicit authorization and is therefore a lot more secure. I started doing this during Covid when we weren't allowed to touch anything anymore, and I'm not going back.
maddening maybe, but because of the simple equation that the fraud losses from continuing to use swipe and issue cards without chip are high, but the margins on credit cards, due to the high rates are high enough to cover it. Carrying a balance on a credit card in Europe and South America is not very common (your account bank will grant a decently priced overdraft facility (not the crazy US fees there), rebates/points/miles are lower - so it just pays to be complacent here for the industry.
Here in Alberta, it's the law that you need to pay before you pump[0]. If you're at a modern pump you insert your card, it does a preauth for some amount (you can select common amounts, like $20 of fuel, or "fill up" which is like $125 or $250 depending on the station), then when you're done it does a purchase for the exact amount.
If you're not at a modern pump, or you're paying cash, you have to go into the store, prepay for something that you think will fill your tank, fill your car, then go back into the store and get your change.
US is the same, except the pre-auth is set by the gas station owner, so you may need to go inside to pay with a debit card with less than that amount, and large trucks need two transactions to fill up
I added some gas in Frenchglen, Oregon. Population 11. You went into the store, told the clerk (owner in this case, I'm sure) that you wanted gas, she turned on the pump, then you took a photo with your phone and took it back to her so she could charge you. $6.75/gallon, which was about $2 more than in Burns (population 2766).
She didn't have any problem taking a chipped card but I imagine there are self-serve places that can't. It was only in 2018 that Oregon allowed self-serve in counties with less than 40,000 people. 17 of the 36 counties qualify.
The advice I've seen with credit cards seems to be "always tap if you can" since that's not subject to skimming or stealing a PIN.
There are not many anymore without a CHIP reader, because VISA and Mastercard FINALLY stopped the delay of shifting liability for all fraud to the individual gas station in summer 2021.
Delivers... new gas pumps? Because often with self-serve pumps, the pump and the card reader are one-and-the-same. Probably modular in some internal sense, but not with an expectation of owner serviceability; more "call the manufacturer" serviceability.
Who are these businesses? Seriously, stop issuing cards without chips and send new card readers to theses businesses. End of story.
Is it because US businesses use deeply embedded card readers in custom POS machines that aren't modular?
Everywhere I go in South America and Europe, businesses have portable readers. The card companies just sent them new readers and they were accepting chips overnight. Same when NFC was introduced.
The US payment and banking systems are truly maddening.