Technical debt, network effects, and resistance to change.
It won't be a problem for much longer. EMV is supposed to become a standard late next year, and the "liability shift" (basically amending the processing rules so that accepting the old-style card means you're more responsible in case of fraud) is supposed to happen around that time as well.
I wish IT people had that level of control over their environments. We wouldn't be dealing with Windows XP anymore :)
As a Canadian, I've always wondered about this when I've visited the States. The transition from swipe cards to chip cards was fairly painless, from the consumer's point of view, up here.
I think what helped make it work is the prevalence of Interac. Before chip cards, you'd swipe your card, verify the amount, select an account, and enter your PIN. The only thing that changed with the chip was that you inserted your card instead of swiped.
When credit cards started getting chips, people were already familiar with the process and just needed to be issued a PIN by the credit card issuer.
I've recently gotten chip cards for some of my business CCs and they do not require a PIN. It's possible they'll introduce this later to ease the transition.
That's strange. In Europe you may request a card without magnetic strip (chip only). And, once chip is present even on a card with a strip, PIN entry is mandatory.
informatimago is absolutely right, chip based (credit) cards is a French invention. If you want to read in English: http://en.wikipedia.org/wiki/EMV
"The first standard for payment cards was the Carte Bancaire M4 from Bull-CP8 deployed in France in 1986 followed by the B4B0' (compatible with the M4) deployed in 1989. Geldkarte in Germany also predates EMV. EMV was designed to allow cards and terminals to be backwardly compatible with these standards. France has since migrated all its card and terminal infrastructure to EMV."
Ignore downvotes. They usually self-correct over the next few hours as people see unjustified downvotes and supply an upvote. And sometimes they're just fat finger errors.
The fraud implications aside, as a Canadian living in the United States, I've always found the payment process much more pleasant with magstripe cards. Every time I go home, I find it incredibly inconvenient to have to dip my card in the chip reader, type in my 4 digit pin without feeling like the whole world is looking at me, and waiting for what seems like an eternity for the auth/capture to happen.
I pay for pretty much everything with a chip-n-pin debit card here in the UK and I feel it is generally much faster than the the old swipe and sign (which always seem very clunky any time I visit the US).
NB The approval step on newer terminals seems to have got a lot faster - I'd estimate the payments step at the Sainsburys self service machines where I usually buy lunch takes about 5 seconds after I enter my PIN.
I (USian) recently visited the UK and knew from previous experience to use only visibly chipped cards (staff will sometimes refuse to take run a swipe-only card -- not sure if the machines don't even support it?)
Anyway, the systems never asked for my PIN and printed out signature receipts, which seemed to surprise people.
I think most machines do support swipe cards - though from what I can see they are almost never used (I think I've seen one swipe transaction in the last few years).
Cashier instructions usually include "never ever swipe a chipcard" - since if you allow swiping chipcards at your chain of stores, then you'll get used for cashing out cloned cards, and in this case merchant will be fully liable for that fraud.
So even when the swiping technically works, people have incentives to disallow it.
They're not allowed to do that:
"Both Visa and MasterCard prohibit merchants from requiring customer ID as a condition for accepting their credit or debit cards. All you need is a signed card, and of course the signatures must match [1]"
That's not been my experience: I use cards for every single purchase, which adds up to hundreds* per year, and have never been asked for ID. In any case, it's true that they're not allowed to require it. The link I gave above suggests the following as recourse:
"If you're a Visa cardholder and a merchant presses you for an ID, Visa says you should notify your card issuer. In the case of Amex, notify American Express directly. MasterCard customers should report the violation by visiting the company's merchant violation web page."
I probably get asked for ID less than 1% of the time. In general it tends to be in odd locations too. In my experience a less than $20 dollar purchase is more likely to have the employee ask for my ID than a $200 purchase.
It happens to me significantly more than 1% of the time, I'd say closer to 10%. And as you say it has nothing to do with the amount, $8? ID. $500? No ID.
I think it is more related to the amount of fraud the vendor experiences and they get pressure from the processor to reduce it, therefore they implement ID checking to counteract it a bit.
I've used a magstripe a lot before getting a new card that uses a chip. But even when using a magstripe, I still had to input my pin. Just allowing the card to be used freely on it's own seems reckless, it means that if I drop my wallet, a thief could access not only the cash stored in that wallet, but all the money I have available on the card.
That has nothing to do with the technical difference.
It's just that banks sometimes use the switch to simultaneously disallow a piece of text on a paper as an approval for taking money from your bank account.
That's really strange to me. That prevents the card from being used in the US too. I'm guessing not that many people from your part of the world travel to the US then.
I know that one of the reasons is that here is very frequent that the police find some tiny electronic systems (skimmers/false_keyboard + minicams) glued or stuck on a lot of atm and pos with the specific purpose of cloning your cards using the stripe. So the only strong solution to avoid all this is making cards only with the chip, making those systems useless
I haven't seen a magstripe transaction in probably a decade and I live in Cyprus (hardly a technologically advanced country). In the past couple of years everyone also got issued a contactless card which doesn't need a pin for sub 20euro ttransactions and obviously no need to insert it in the card reader.
We're getting there, albeit very slowly. Almost all the new readers I see at major stores now have the slot to slide your card in for the chip and pin. Every Target store I've been to appears to have been upgraded.
Wells Fargo has also started rolling out chip and pin credit cards, not sure if it's by default or not. I've had one for probably a year now.
That being said, I have no idea if the chip and pin even works end-to-end yet, as I haven't tried it. I'm likely part of the problem!
Also, we'll see what happens with the liability shifts in the US. Right now consumers have it fairly good with regards to fraud protection and getting reimbursed.
Most places, the readers don't seem to be hooked up yet. Least the ones I tried in 7-11 and Lowes did absolutely nothing. Haven't tried many other places. I've had a lot more luck with contactless readers, Walgreen's, CVS, even Jack in the Box seem to have those working well, with 7-11 again not having theirs working.
Lowes in Canada still doesn't have chip and pin yet. They are one of the last stores in the country that hasn't switched yet. Their readers don't even have chip readers, at least at the stores I've been to.
Another reason that the article doesn't touch on: there is so much extra money sloshing around in the US system due to high interchange fees that fraud pales in comparison. I don't see how you can ignore this as a disencentive to change.
IIRC, fraudulent charges account for ~40 bp of total transaction volume, very little of which is the responsibility of the issuing institution. Interchange fees are ~200 bp of total transaction volume.
Primarily because it's a big 1 time total system cost to change due to old technology that is current. In such circumstances, no one bites the bullet unless some outside regulatory body enforces it & in the US, regulators tend to have close links if not prior & post tenure employment with the industries they regulate. It's not as much of a habit change issue as much it's an incentives issue of who wants to pick up the one time cost .
In a developing market like India & I'm seeing the big transition to chip & pin happenning right now mandated by the reserve bank. I also saw the transition to securecode additional verification for online payments happen years back similarly - that has still not happened in the Us. The decision makers there are all primarily career economists in Government Service even though there's a lot of secondment into policy framing working teams that happens from the financial industry.
The worst part is that U.S. banks are issuing "chip-and-signature" cards and NOT true chip-and-PIN cards. This is so Americans aren't inconvenienced having to remember and enter a PIN.
Combined with a smartcard reader, Cardpeek [1] can be used to see which verification methods (and their priority if there are multiple) a card supports.
A list of what types of cards banks are issuing is maintained by the flyertalk forum as a Google Spreadsheet. [2]
In Canada we have had them for a few years, but still not all places utilize the pin. Chevron gas station for one all have the pin reader but have the card slot blocked so u have to swipe.
And if it errors on the chip read u can swipe anyways.
One annoying thing when it first came out and restaurants adopted chip readers.
Many didn't have GPRS/wireless card readers. There was always a huge line to pay and u had to goto the bar or front desk to pay, no giving them the card and they bring u back a cheque.
Most places do have wireless readers now.
I like the paypass where u just tap your card but for some reason some places don't have it working
You could just put up a QR code of a bitcoin address and let people scan over that with their phone and pay in one click.
Think of the money saved! Run a bitcoin wallet on some junker computer, print out a million copies of your barcode, and off you go.
Albeit, they have to manually enter the payment amount with static wallets, the alternative is to have any kind of localized computer that can transmit to the phone the address and debit (in any form - nfc, bluetooth, wifi, qr codes, whatever).
I had my first contactless transaction a few days ago (I had seen the logo on my card, but didn't think merchants would have the machine).
I'm still unsettled by the fact that there was no pin required, it felt like in the US (the merchant told me it doesn't require pin up to 20€, but it might be a bank specific or a shop specific policy).
edit: but if the US is really about to get out of conservatism, change your freaking units and mechanical standards first.
Banks pocket, depend heavily on $30B/year on bank account overdrafts alone, and have supported smartcards in Europe and around the planet for 30+ years.
Retailers prefer to be cracked (Target, etc) rather than protect themselves with better equipment and serious IT defenses.
Typical financial (payment) services: sh!tt!est possible product for lowest possible investment.
Anyone know what will happen to companies like Square that so heavily rely on the magstripe? How would square be able to capture chip and pin transactions? Because as far as I'm aware, the CC specifications require a separate hardware pin pad, (so a software keyboard can not be used to transmit the PIN)
> Some suggest that we should wait for a newer and more secure standard before expending resources shifting systems.
So Americans would continue to have cards which don't work abroad as is the case now? I know Americans notoriously don't travel very frequently but even still...
Most American cards lack chip and pin, if you travel to the UK for example a lot of vendors won't be able to even read your magnetic strip and some additionally have policies against doing so (for fraud prevention reasons).
Which country are you referring to? Because right now most American cards don't work in the majority of European countries.
You have to request a special chip and pin capable card from your bank in the US to be able to use your card abroad (although I believe Amax give these to you by default).
And the cost of going further than Canada or Mexico adds up very fast for a family of four. Hopping over to Europe could easily cost $5-6k in airfare alone for that sort of trip.
Wait, I just realized that this means I'm not going to have to keep and securely store 7 years of signed CC receipts for my business! Can't happen fast enough.
You don't need to switch the millions of cards nor the whole POS infrastucture to do changes for online purchases - things like http://en.wikipedia.org/wiki/3-D_Secure cover it fairly enough, I believe - it will deny online purchases with stolen CC data or a physically stolen card or both-sides-photographed, copying all the visible data including the cvv code.
you don't even require a connection, you can do an offline transaction, and it's still safer than a magnetic stripe, because duplicating a chip quickly is very hard.
Calling the bank to get an authorization is just an optional step in the process.
Technical debt, network effects, and resistance to change.
It won't be a problem for much longer. EMV is supposed to become a standard late next year, and the "liability shift" (basically amending the processing rules so that accepting the old-style card means you're more responsible in case of fraud) is supposed to happen around that time as well.
I wish IT people had that level of control over their environments. We wouldn't be dealing with Windows XP anymore :)