This is supposed to be much bigger than the Target breach. If this doesn't give the move to the more secure EMV chip and pin method in the US, nothing will.
In Norway, the most common type of card is a debit card that can also be used as a Visa or MasterCard credit card. The card has a smart chip on the front, and on the back you have your national id number/date of birth, photo and signature, etc. The card is frequently used as an id card.
When you pay using the debit card, you have to insert the part of the card with the chip into a reader and enter your pin. Typically you can not do this until the cash register has transferred the amount to pay to the terminal.
You can also use it as a credit card when abroad or even in Norway. However, I'm not sure if the card will actually allow you credit (i.e. borrow money) per se -- I believe the account must have a sufficient positive balance, and I believe the domestic terminals are able to check that in real time (i.e. in a few seconds) and decline the sale if not funded.
As for online purchases, every time I use it as a credit card, I get re-routed to a card verification process. This means I get taken to some third party site (typically Visa or MasterCard) where I have to authenticate using my password and generate a one-time password (pin) on my phone. You can also use a FOB, but I find a phone more practical. After the verification is done, you get taken back to the merchant site. This is the same verification process that is used for online banking.
After living 15 years in the states I found this to be a bit annoying at first, but that had more to do with the speed of the implementation and the fact that it's applet-based (Java and Chrome -- have to switch browsers and hope that you don't lose your session).
If I had to authenticate every time I bought something on Amazon it would get old pretty fast. However, one could simply authenticate once to indicate that this merchant is trusted. A new merchant would trigger the authentication before the transaction can be accepted.
That is exactly what happens in India too, except that most banks issue debit and credit cards which are typically separate and not combined into a single card. It also does not serve as a national id. Is this not the case in US?
Basically the same here. I have both debit and credit cards are from the same bank. National id is a bit more contentious here but generally the two cards are about the same. With the caveat of much lower daily withdrawal limits on the debit (think 300).
Only until October 2015. After that, card issuers will be liable[1] if they accept a fraudulent payment unless the EMV (i.e. chipped) card was present or (for online payments) they authenticated the card holder with 3-D Secure[2].
I hear this a lot and I don't really know how EU's chip and pin works, but wouldn't it be best for the the card to spit out an encrypted blob that only the originating bank can decrypt? IE, no number that's useful to anyone in the middle at all? That seems like a better design to me.
A lot of places where I pay by PIN they still swipe it afterwards so that they have a record on their own system (not sure why they need this though) - I think this is what OP refers to.
The difference between US banks and mine though is that if I try to pay by signing my bank won't authorise it - I have to enter my PIN (and sometimes sign too) to make a payment.
Payments online is more of the retailers fault though. They shouldn't accept payments where the CVV check or address check fails. Here in the UK most retailers won't accept payments unless it all matches up, but as I understand this isn't as common in the US.
Yes, and the infrastructure is there for chip&pin cards, you just need an ISO7816 USB reader, which are cheap nowadays (<$20). Browsers already support it as well; in fact, our national ID cards follow the same standard and you can login to governmental websites with the card.
I wish they would deny merchant accounts to merchants too cheap/lazy to roll out contactless payments alongside chip and pin. There's nothing more stupid and frustrating than holding up the line doing chip and pin to buy a $5 meal at Subway.
Does the US use some byzantine tech for chip and PIN? Entering the PIN is about as fast as signing the receipt, at least where I’m from. I doubt it’s much slower than paying cash. (I hand over my card. Card is inserted in reader. I enter my PIN and confirm. Transaction is confirmed after a couple seconds. That can’t be more than ten seconds or so.)
Before Canada implemented Chip and PIN, you usually didn't have to sign the receipt for those kind of small purchases. It takes at least 10x longer now to do the insert, type PIN, remove than just a swipe.
This. In Holland we have chip and pin, which I've got to say goes much faster than someone can fish out cash from their wallet, certainly faster than someone can make change.
Recently many places also support RFID with no pin required for small purchases (I think it's €25). Goes much faster than the employee can bag your order up.
The chip-and-pin mechanism when optimized is very low overhead, probably faster than using cash and not nearly as slow as signing a physical receipt.
For instance, one oft used optimization is that you can insert the card in the reader prior to the register sending the amount to the chip&pin terminal.
The correct way to implement chip-and-pin is alongside a paypass/paywave reader. Customers making purchases over $50 must use chip-and-pin, everyone else can just tap their wallets against the reader.
Some other problems with chip-and-pin:
- You get really cheap merchants who would prefer to waste your time rather than shell out for the contactless reader.
- You get international merchants who have no idea what's going on and make you sign two receipts in addition to entering your pin after trying and failing to swipe it twice.
- You have to type your pin in with your bare hands in -40C weather at the gas station.
- You have to tip waiters with them standing right there and judging you.
- It breaks square and the like
IMO it's an unnecessary mess for anything under ~$50.
I make several payments per day using chip&pin, according to my bank last month more than 300 pin transactions. That's 10 per day (travelling I do this a lot more than when I'm at home).
Online it's not a problem either (fairly easy integration here with a system called 'iDeal'), typing in your pin at -40C at the gas station is still a requirement with the current prices of gas and I'm not one bit bothered by 'waiters judging me', that's a self esteem issue, not a technical one.
As for international merchants who have no idea what is going on: I spend more time abroad than I do in my home country and chip-and-pin have made my life a lot easier than it ever was before in this respect.
Something like 7 countries in the last 3 weeks and I have yet to use my 'cash backup' or my 'credit card backup'.
Contactless is a nice technology but it is as far as I'm concerned a step backwards, I can see the advantages only for bars and festivals where the risk of contaminating your card with fluids is significant and purchases are very small (<$10).
> As for international merchants who have no idea what is going on: I spend more time abroad than I do in my home country and chip-and-pin have made my life a lot easier than it ever was before in this respect.
Well YMMV, of course, but here in Vietnam I've had to go around the other side of the checkout to type in my pin because the terminal was bolted to the desk. Multiple times. And then they still make me sign two receipts anyways.
Has a pretty explicit note that Vietnam is still primarily a cash based society, I think that is where your problems stem from, not necessarily from the technological merits or lack thereof of chip&pin.
Paypal provide a Chip-and-PIN payment system for mobile devices here in the UK[0]. It'll break Square no more than it breaks everything else; I have no doubt that Square already have a working prototype of such a thing.
> - You have to tip waiters with them standing right there and judging you.
In the US currently you write down the tip and leave, they can then charge you whatever they feel like after you're gone. As a tourist I was really paranoid about this, as by the time I looked at my statement when I got back I had no idea which charge was which restaurant and how much it should have been.
A common thing to do in the UK is pay without tip on card, then tip in cash
Yeah, right, there is lots that can be done. Sadly, also Germany is still somewhat backward in that regard. Every reader seems to work differently, so I’m always a bit hesitant to just stick in my card unprompted (and maybe prematurely), lest I get yelled at or something.
There is lots to optimise, but chip and PIN is not inherently slow. In fact, for me it’s already as fast as cash in most cases.
Correction: I meant "insert your card", not "swipe". Though low-cost transactions can still be authorised without having to enter a PIN, at least in the UK.
To be fair to Home Depot, its self checkout systems have the most payment options of any system I've ever seen. They include feeding the machine a check, paying with PayPal, writing in a bank transfer, among something like a dozen payment mechanisms.
Where are you from? Around here (Southern California) every card reading machine defaults to debit transactions, where you have to enter your PIN anyway. At least when you do credit cards you don't have to sign them for small purchases any more (less than $50 at Home Depot, for instance).
I really can't say I've ever felt frustrated waiting for the person ahead of me to pay (except for maybe old people hand writing checks at the grocery store—and even then it's kind of interesting to see such old-school payments in action).
Debit or credit? Debit is the default everywhere. Why? Because credit has a surcharge for the merchant.
It is complete bullshit that the merchants put the onus on their customers and then shrug their shoulders when fraud happens. At least with credit you are insured. They get your pin and you are screwed.
I've never used a contactless method. Is it NFC (or something similar)? Is it really faster than swiping your card? I had the impression you still had to do something on your phone to authorize it...
Even in 2007 in Denver, Amex issued me a credit (not charge) card with a little RFID chip. Worked at a fair number of places. Just get the card near and it beeps and you go on your way.
