0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions).
So do we know if it would have stopped the Home Depot breach?
An important point to note is that, if banks want/care, they can put other safeguards that solve this problem, too. In Europe it is common for banks to text you a 6 number pin to confirm an online transaction, for example. There is no good reason to not do these things. It's still not perfect, but certainly much better.
> "I'm quite surprised by the blasé attitude the US has to card security."
Currently, if my CC information is stolen, I am not liable for any fraudulent charges. So why would I care?
CC security is for the CC companies and the merchants, not for the consumers. That is why Americans (with the exception of those with Europe Envy or those who are merchants) don't care. There is no reason for them to.
(In past discussions on this, somebody has mentioned that C+P would be beneficial for American consumers because it would mean less confused American tourists in Europe. The typical American does not vacation in Europe very frequently.)
Well, any retailer has to increase their prices by 3% to cover CC charges. Even the simple act of a place insisting on a minimum spend of X on a CC can put you in a situation to spend more than you need to.
You might not think you are paying for card fraud, but it's all priced into the products you buy.
My credit union has absolutely negligible fees and, since I don't carry a balance on my CC, I give them a negligible amount of money as well. The cost of merchant fees passed on to the consumer is not something that I notice and therefore not something that I care about. I really do not have a reason to want C+P.
Edit: clarifying - what I meant was that the US EMV cards will be chip and sig, not chip and pin. Most US cards are obviously still mag stripe. I'm traveling to Europe later this year so I was looking into the CC issues, and as a US traveler not being able to get an EMV card with pin priority is annoying.
Edit 2: jvm, not sure what you meant to link to, but that link just goes to the Forbes splash advert.
I have three cards. Only my debit/credit card has a chip and there's no pin. I can press it against one of the few readers that support this (Walgreens, Subway) and it'll work. My other two cards don't even have this. Of course, if these guys are storing my card in a non-encrypted way, its still the same issue as using swipe.
On the plus side Google Wallet works at Walgreens. I have yet to see any other brick and mortar support it. Paying for stuff with your smartphone is such a no-brainer. Shame Apple won't play ball with Google (or even put NFC in its phones) and Verizon is doing its own thing with ISIS and not allowing Google Wallet to be installed on any phones on its network. There's a lot of wrong here and its not just limited to credit card number theft.
If we have a more diversified way to pay for things it could limit the damage when one method is cracked but the others aren't. Sure Targets credit cards got stolen, but imagine if we were allowed to use Google Wallet. We'd be immune to it.
I think the card you have is RFID enabled. They've been around for a while, and have some weaknesses (replay attacks [1], notably), against the ID they broadcast when inside an EM field.
The newer cards have a microprocessor inside them, with exposed contacts about 10mm from the left edge. With chip + pin transactions, the pin "unlocks" the payment authorization [2].
Only one of my cards is chip and sig, and I had to go out of my way to get it. It's not the default for all new cards, and certainly not for existing cards.
When my credit card expired recently I received a chip and sig replacement without requesting it. They're definitely starting to be offered by default.
I believe it is chip and signature... I got mine from Bank of America... no pin necessary when the chip is used (and it still has the magnetic strip for stores that don't have chip readers).
Even travelling through a lot of small towns in rural areas I don't think I've run into a magstripe-only reader in the past couple years at least.
There was a period where it was a guessing game every time you paid for something whether it was magstripe or chip (some locations even had a chip-capable machine, but didn't have the service enabled with their payment processor, so you still used the magstripe...).
Its not a blase attitude. Its a chicken and egg situation. The credit card companies want to implement it but they need the stores to upgrade their point of sale hardware to accept the new cards. Stores say they won't upgrade their hardware til card companies release the cards
When I last heard this discussion it went like this: Visa to store : "People have been asking us for chip + pin and we're ready! Just pay a one time fee of $199.99 for the upgraded reader and note that C+P cards carry an additional .5% service charge for the more complex handling they do."
Literally using it as a revenue generating opportunity and a way to raise fees. My friend who owns the store declined to participate as they weren't interested in raising their prices just to pay Visa more money. Had Visa come at it the other way, reducing fees due to likely less fraud it would have been a different story.
Literally using it as a revenue generating opportunity and a way to raise fees.
This is the crux of it. In the US, every change is an opportunity to raise margins. Vinyl to CD. Book to Kindle. It kills me when the dead tree version is less than the Kindle version, but it's the same thing at work as with C+P.
How is that? I have a Chip+PIN enabled credit card and if the shop doesn't support that I can still swipe the magnetic stripe.
I don't see why they don't just provide credit cards with both options for a while until enough of the PoS hardware has been upgraded that they can get rid of the magnetic stripe. I guess cost plays a role, but I would assume that the decrease in fraud might offset that somewhat.
It's a complicated issue. Banks are partly afraid of adopting something new. If Bank A is amongst the first American banks to switch and something goes wrong, Bank B may win its business due to customer frustration
I highly doubt that banks really care about "customer frustration." If they did, then they would be focused on fixing a million different existing problems.
Given that, despite all the customer frustration that exists right now, they haven't been losing customers. I don't think that Chip+PIN failing to work correctly at first would cause customers to switch. Chip+PIN cards would only be cycled into use gradually, as people replaced their older, swipe-only cards with Chip+PIN cards, or signed up for new accounts. There would be more than enough time to sort out any problems, and you could also start out by making Chip+PIN optional for new/replaced cards.
This is exactly what will happen. During the transition you will still be able to use mag swipe, then after some period the reader will force the use of the chip and only use mag swipe as a fallback when a chip error occurs. I suspect after a short while mag swipe will be removed entirely, but it remains in many places outside of the US as a fallback.
It's all politics. Its a big financial commitment for whichever side goes first. The US has a bigger population than Britain. And perhaps the industry politics were different there too. The card companies may have got their way.
There's liability to consider as well. In the US, the consumer is generally not liable for fraud; I've certainly heard that in other countries with chip and PIN, if somebody steals and uses your card (having somehow obtained your PIN) you don't necessarily get your money back.
They rolled it out in Canada without anyone getting into a flap. It just happened.
Readers wear out. As people buy new ones they were chip/pin ready. A lot of these terminals are rented as well, making it easier for providers to swap them.
The lack of chip and pin still surprises me. I'm surprised a lot of the bigger retail companies haven't put pressure on the banks to bring this in.