Smart Credit Cards 101: Chip-and-PIN FAQs
In Europe, they’ve transitioned away from signature-based credit card authorizations and are instead using credit cards with built-in chips that require a PIN for most transactions. The system is called EMV, named for the three companies that pioneered it–Europay, Mastercard and Visa–and is commonly referred to as chip-and-PIN. Widely accepted as more secure, the idea has yet to catch on in the U.S.–until now. United Nations Federal Credit Union became the first U.S. company to issue chip-and-PIN cards, signaling what may be a sea change in the way Americans pay with plastic. As with all new technology, chip-and-PIN, or “smart credit cards” raise a few questions:
How does chip-and-PIN work?
From a consumer standpoint, it’s not much different than using a debit card at checkout. You swipe your card, enter your PIN and the transaction is complete. No signatures required.
How is a chip-and-PIN card different?
Your current credit card has all of the relevant information contained in the magnetic strip on the back. Swiping it through a machine simply pulls it all up, as if they were plucking your file from a cabinet. With the chip-and-PIN card, your sensitive data is encoded and encrypted.
What’s wrong with signatures?
The main line of defense for signature-based cards is the checkout clerk, who is supposed to compare your signature to the one on the back of the card and reject your transaction if they don’t match. The pranksters over at Zug.com proved the pointlessness of credit card signatures by purposefully signing credit card receipts with wacky stuff like “Porky Pig,” and “I stole this card” and even just a plain X. None of those transactions were denied.
Why aren’t chip-and-PIN cards used in the U.S.?
Chip-and-PIN hasn’t caught on on our shores for one big reason: it’s a pain to upgrade equipment. Bring a chip-and-PIN card to your local TJ Maxx and they won’t likely be able to read it. Bring your U.S. magnetic strip card to a U.K. gastropub and their chip-and-PIN cards may not be able to process it. There’s going to have to be a tipping point either way before chip-and-PIN terminals become the norm. Currently, the UNFCU smart cards are hybrids–they work with magnetic-strip and chip-and-PIN readers.
Is this safer for me as a consumer?
Maybe. You may actually be worse off in the case of identity theft. Because the chip-and-PIN system is considered foolproof, bank policy presumes you liable for any point-of-sale transaction where a valid PIN was detected. In Europe, you have to prove without a doubt that you were not present during the transaction in order to fight a fraudulent chip-and-PIN charge. This is different from the current setup, where cardholders often get the benefit of the doubt and wind up paying $50 to $0 for fraudulent charges.
But is chip-and-PIN really foolproof?
Not at all. Researchers at Cambridge University found a way to hack chip-and-PIN cards that lets you bypass the validation without a correct PIN. Essentially, they mocked up a middleman device that faked the “validated” sign and sent it to the terminal regardless if the PIN was entered correctly. This kind of fraud hasn’t been detected in the wild, but the potential remains.
What else is a drag about chip-and-PIN?
For one, you’ll have to remember your PIN. Guess wrong three times in any given day and you’ll be locked out of your account until you get ahold of your bank and unlock it. Also, chip-and-PIN cards don’t offer the same level of protection online, where they work the same as any old credit card.
So who benefits from a chip-and-PIN system?
The real winners here are the card issuers. An estimated $4 billion in revenue was lost for U.S. card issuers because our dumb American cards won’t work in Europe half the time. Not only that, card issuers spend less overall on security audits and fraud cases with the chip-and-PIN system. In short, it makes their job easier. But it doesn’t really make a difference to us, unless you think those savings will trickle down.
What are your thoughts? Will chip-and-PIN be a big deal in the U.S.? Do you welcome the change or would you consider it an inconvenience? Let us know your thoughts in the comments.
img by anthrocopy
Related posts:
Those savings definitely wont trickle down to us consumers, but this is definitely a more convenient way of using a card. Its only a matter of time, the old cards are becoming outdated, and once enough people get these new PIN based cards, retailers will invest in the new equipment. That being said, this could take 2 or 10 years.
The chip and pin terminals are becoming common in Canada, but they read both types of cards at this point. My card has not been updated to a chip and pin card yet, but I imagine when it’s time to renew (next year) I’ll get one.
From what I’ve read, they give credit card companies way more benefit than consumers. I’ve read (don’t know if it’s true) but if they can prove that you used the same pin for more than one card, then they aren’t responsible for any fraudulent charges because it wasn’t a unique pin (and therefore not secure). I don’t know about you, but I have a limited repertoire of pins/passwords I use (the human brain can only keep track of so much arcane information) so I’m concerned about this clause. I know it was a pain for credit card companies to look up the signatures if you disputed a charge, but at least its harder to forge a signature than steal a pin!
I think chip-and-Pin is a good idea for credit cards. I think it would cut the costs and risks of fraudulent credit card use. I would welcome it gladly.
Actually savings will trickle down to end users one way or another…via points and having more to work with. So my guess is, this will help a lot.
Regarding remembering your PIN, we in the US have to do it daily for our Debit cards. And another point is that you can reset your PIN attempts after calling a customer service rep, so I wouldn’t worry too much about forgetting your PIN.
Now the funny part is, that the US will start getting slammed with fraud. Why? Because till it gets its act straight and make EMV mandatory, all fraud will be taking place here in our homeland. One word of advice to all FI’s and retailers, work on changing to the EMV tech, else it doesn’t make sense…. :)
Plus, i’m sick of constantly having to change my card due to fraud at this gas station or at this store, etc. I would rather use a highly encrypted card for my transactions…..
i love the chip pin terminals here in Australia. i actually opt to use it instead of my debit card linked to my bank account. My sisters debit card got skimmed and they eptied her ENTIRE bank account in a few days. There’s card insurance for both the debit and credit cards, but i find the credit card ones easier and faster to settle. My sister was in hell for 2 weeks before her bank paid back (most not all!) of her savings……she’s still fighting with the bank to get the rest of her money.
I just received notice from DinersClub (Mastercard, now owned by Harris Bank in Montreal) that I’m getting a CHIP & PIN card. Further, I am liable for all charges where a PIN was used. Here is the quote from their letter:
“Please memorize your PIN and keep it confidential. As an example, do not keep your PIN with your credit card or in your wallet. If you do not keep your PIN confidential, you will be responsible for all purchases and cash advances where a PIN was used. Please review your Card Agreement for further details regarding liability.”
They did not send a revised card agreement and I’m pretty certain the existing one won’t talk about Chip & PIN. Anyhow, IMHO, they are simply trying to get out of paying for fraudulent charges by making the customer liable. It’s going to be quite difficult for any consumer to prove they protected their PIN if it was compromised and I believe it could be easily compromised since it is my understanding it is actually encoded on the card itself, not to mention a high definition camera pointed at the terminal at appropriate angles, etc.
Part of their claim is you don’t have to hand your card to the sales person. Well, I haven’t had to do that in quite some time because all the stores have the card swipe terminal right in front of you. The notable exception being restaurants where I don’t see this solving the problem anyway. PS: The card still works in regular magnetic strip reading terminals and has no additional security.
Regards,
That’s an interesting point, Terry. If it’s hard to prove what measures you take to keep your PIN secure, then consumers may be held liable for unauthorised use of their card. Is that fair, do you think? Anyone else had similar notifications?