In Norway, the most common type of card is a debit card that can also be used as a Visa or MasterCard credit card. The card has a smart chip on the front, and on the back you have your national id number/date of birth, photo and signature, etc. The card is frequently used as an id card.
When you pay using the debit card, you have to insert the part of the card with the chip into a reader and enter your PIN. Typically you cannot do this until the cash register has transferred the amount to pay to the terminal.
You can also use it as a credit card when abroad or even in Norway. However, I'm not sure if the card will actually allow you credit (i.e. borrow money) per se -- I believe the account must have a sufficient positive balance, and I believe the domestic terminals are able to check that in real time (i.e. in a few seconds) and decline the sale if not funded.
As for online purchases, every time I use it as a credit card, I get re-routed to a card verification process. This means I get taken to some third party site (typically Visa or MasterCard) where I have to authenticate using my password and generate a one-time password (pin) on my phone. You can also use a FOB, but I find a phone more practical. After the verification is done, you get taken back to the merchant site. This is the same verification process that is used for online banking.
After living 15 years in the States I found this to be a bit annoying at first, but that had more to do with the speed of the implementation and the fact that it's applet-based (Java and Chrome -- have to switch browsers and hope that you don't lose your session).
If I had to authenticate every time I bought something on Amazon it would get old pretty fast. However, one could simply authenticate once to indicate that this merchant is trusted. A new merchant would trigger the authentication before the transaction can be accepted.
That is exactly what happens in India too, except that most banks issue debit and credit cards which are typically separate and not combined into a single card. It also does not serve as a national id. Is this not the case in the US?
Basically the same here. I have both debit and credit cards from the same bank. National id is a bit more contentious here but generally the two cards are about the same. With the caveat of much lower daily withdrawal limits on the debit (think 300).
Only until October 2015. After that, card issuers will be liable[1] if they accept a fraudulent payment unless the EMV (i.e. chipped) card was present or (for online payments) they authenticated the card holder with 3-D Secure[2].
I hear this a lot and I don't really know how EU's chip and pin works, but wouldn't it be best for the card to spit out an encrypted blob that only the originating bank can decrypt? I.e., no number that's useful to anyone in the middle at all? That seems like a better design to me.
A lot of places where I pay by PIN they still swipe it afterwards so that they have a record on their own system (not sure why they need this though) - I think this is what OP refers to.
The difference between US banks and mine though is that if I try to pay by signing my bank won't authorise it - I have to enter my PIN (and sometimes sign too) to make a payment.
Payments online are more the retailers' fault though. They shouldn't accept payments where the CVV check or address check fails. Here in the UK most retailers won't accept payments unless it all matches up, but as I understand this isn't as common in the US.
Yes, and the infrastructure is there for chip&pin cards, you just need an ISO7816 USB reader, which are cheap nowadays (<$20). Browsers already support it as well; in fact, our national ID cards follow the same standard and you can log in to governmental websites with the card.