Many savvy credit card consumers like “chip and PIN” cards — cards that don’t just have a magnetic strip (or, don’t even have a strip if they aren’t being used in places like the U.S.) but offer an embedded “EMV chip” that contains encrypted card information.
It’s more secure, and credit card security has been all over the news, leading folks to wonder what these savvy card consumers have been asking themselves for a very long time, why is the U.S. so backward? When the rest of the world has been using EMV chips in their credit cards for years, why do so few US cards feature those chips? And when a bank finally brings out chip cards, why are they “chip and signature” (you can scan the chip and then sign the slip) instead of “chip and PIN” (where you enter a PIN code rather than signing)?
If you travel to Europe and elsewhere it can be helpful to have a card with an EMV chip, restaurants and stores generally can swipe your magnetic stripe but it’s not common and you stand out as a tourist when asking them to. And yes there are unmanned kiosks where a chip is needed, and even stories about a default PIN not working.
But cards with an encrypted chip and a magnetic stripe, where folks just use the stripe, are still insecure.
So what’s up with that?
Todd Zywicki offers an answer.
- The US is a higher-trust country with lower fraud risk than areas of the world where chip cards became prevalent. The security was more necessary there.
- Fraud is a big problem here too, but it isn’t existential. Estimates of potential fraud savings are $1 billion to $5 billion annually.
- Credit card use is more common in the U.S., cardholders have more cards per person as well (many of my readers would know about that!). And chip cards are more expensive to produce. Replacing existing US cards with chip cards would cost $5 billion to $10 billion.
- That doesn’t account for consumer annoyance at switching, or the cost to retailers of buying new machines. Retailers have just had good success in suing merchant networks recently, imposing huge new costs isn’t something merchant networks and banks are looking to force.
- An issue specific to debit cards, while Dodd Frank’s Durbin Amendment allows banks to build the cost of recovering fraud into their free structures, it likely precludes card issuers from incorporating the cost to issue new chip cards into their fees. So there’s a legal bias against switching debit cards.
None of which is to say chip and pin cards won’t eventually reach the U.S., only that it’s entirely understandable why they haven’t taken hold here they way they have in Europe. Which is no solace when you’re trying to buy a train ticket from an unattended kiosk somewhere across the Pond.
- You can join the 30,000+ people who see these deals and analysis every day — sign up to receive posts by email (just one e-mail per day) or subscribe to the RSS feed. It’s free. You can also follow me on Twitter for the latest deals. Don’t miss out!
My understanding is that all of this will dramatically change in 2015. Todd’s theories are right but in 2015 the burden of fraud shifts to the merchants, not the credit card companies.
Prof. Zywicki’s point #2 is important because right now that fraud is paid for by the banks. In October of 2015 it flips 180 degrees: the merchant is now responsible unless they use EMV. So guess who is going to shell out the money for a new POS terminal that handles chip + pin EMV? That’s right, the merchants who are otherwise completely on the hook magnetic stripe fraud.
This has been on the schedule for years – yet it is hardly mentioned anywhere. This is a solved problem, and the solution was already scheduled. Why no one mentions it I have no idea (oh and gas stations get a few extra years FWIW).
Want more actual information?
http://en.wikipedia.org/wiki/EMV
I also remember reading somewhere (and you touched on it above) that fraud protection for consumers using credit cards is second to none in the US already. I think the consumer is only limited to $50 or something like that if it’s reported in 3 days or less. So from the consumer standpoint, the question is ‘why would I?’ Then it comes back to the banks, and as you’ve stated, the costs of going that route outweigh the costs they already spend to handle the rate of fraud on their accounts.
Canada has chip and pin!
The option sure would be nice. On my recent stay in Amsterdam, I had to find strangers who would put 10 Euros on my card with their chip card in return for cash. I always felt shady doing it, but it was the only way since it can only be done by machine. Very frustrating…so yes, I’d love to see these cards geared toward travel, e.g. the no currency transaction fee ones, have this feature.
In so far as the cost is preventing re-issuance of cards, why isn’t this a pay option for folks that do a substantial amount of international travel? I’d *pay* a non-trivial amount to get my CSP or other cards with chip + pin. You’d think if there’s a demand for it, companies would offer. Maybe we really are quite few in number.
I believe it is because the US had connected terminals to verify credit cards and the idea of switching to Chip+PIN seemed backwards. Merchants could verify the card online (phone or internet) while this was not always possible in Europe. It is ironic that a more connected system yields lower security.
What I will never understand is why (for the cards WITH the chip already) they cant handle the pin stuff properly when you’re in Europe. Where is the technical limitation with their systems which are already setting “default pins”?
I mean, the change can be gradual and take some time.
All your CCs will expire sooner or later, and you’re going to get new ones. How about those being with EMV rather than without? Might take 5 or so years, but I don’t see the issue.
And for shops?
Well, for one they do swap now and then, and you can also do what was done here which is to incentiveise. Lower fees for the those with it, sounds like a good deal to me.
I can’t believe our country is high trust ..look at that Target fraud.
Um… This is not news.
And Shannon, yes, the US is a high trust country. Everything is relative to cost
Chip + pin (or fingerprint) will probably be on iPhone 6.
I can think of a few more reasons, as compared to Canada where we’ve had the chip for several years.
1. The US banking industry is very widely distributed, so it would take a lot to coordinate big industry-wide changes vs. in Canada where we basically have 5 big banks.
2. The US banking industry is so competitive that there isn’t money to invest in this. They are spending too much money on sign-up bonuses and low annual fees (to the benefit of readers of this blog, of course)
3. Americans are individualistic and don’t easily accept
change that isn’t immediately beneficial to them. (e.g. When are y’all going to adopt the metric system? Or replace $1 bills with coins, like the Euro or Pound, both of which are worth more than $1?)
“… there are unmanned kiosks where a chip is needed …”
I was recently stuck in France on a Sunday with no way to buy gas for the rental car because none of my 8 cards would work in the automated card machines, which didn’t take cash either. Had to convince another motorist to buy my gas on his card in exchange for my Euros.
The market is always driven by consumer demands, albeit sometimes indirectly. I think Todd is correct in concluding the consumers see this as a major annoyance with no clear picture of their gain. I’ll add that not only would they have to replace their cards, it would take a longer amount of time to process consumer transactions! And what’s the material benefit to them? More security? How would they realize benefits from a spending perspective?
I’m interested in how the latest retailer data breach plays with consumer perceptions. I think the latest news and the ensuing scare helps consumers associate data security with an actual value add. It’ll be a while though.
Are there any cards in the US that are chip and sign or chip and pin? Would love to get one for my European travel
Most of Zywicki’s arguments are pretty silly. The US is a higher-trust country than Canada? Half the credit card fraud in the world occurs in the United States!
The reason we don’t have chip and pin is probably twofold:
– Our credit card network developed before the rest of the world’s, based on older standards and technology. We had a several decade lead on the rest of the world in terms of relatively common credit card usage.
– Having developed a large infrastructure, no one wants to invest money in a new one. Neither banks nor merchants want to pay for the new technology.
It’s not too dissimilar to the reason we have a decaying public infrastructure compared to more-recently-developed nations — ours was built decades earlier, and no one wants to pay for the upgrades.
In 2015, however, something interesting happens with fraud responsibility. In the case of fraud, the party (bank or merchant) who was NOT using chip and pin technology is responsible (the bank, if a non-C & P card is presented to a merchant with a C & P reader; the merchant if a C & P card is presented and the merchant does NOT have a C & P reader). That should produce a strong incentive for both sides to upgrade.
Another disruptive thing that might happen would be for Square to come up with a well-crafted C & P reader for iPhones.
Fraud has become so prevalent on my cards that I don’t even call when I notice it on my cards,I keep on using them and wait until the credit card company calls me
I tried to use Marriott Visa’s fancy new chip and pin in Europe last month. Card was too thick to fit and be read in the chip reader 🙁
I have several cards with chips that I take to Europe. Chase has several (British Airways VISA is one of my favorites) and Amex has the Platinum Business Card with one in it… Citibank has the Thank You card with a chip. All these cards have no forex charges either. So those are the ones I travel with. Most places I went on my last trip (last week) took them fine; I just had to sign. It would be easier with a pin though. It’s coming. Especially after all the latest fiascos with TARGET, etc.
I beat up on my Chase branch about giving me cards with chip so I could travel to Europe last summer………..bizarre that the stripe cards I carried worked better in the restaurants than the chip cards did…….go figure……
USAA has a chip and pin card. Masters not Visa, but it will work in Europe on those unmanned kiosks. Bank of America has a chip and signature. Not as useful, but better thsn the unusable credit cards we have. Chase Sapphire also has a chip and signature. Chase should come out with a chip and pin! Trying to get gas when your car is empty is not fun
It will catch on – eventually.
After all we are talking about a country still widely using CHEQUES – not seen hereabouts since the early 80’s. Going by that, around 2050 chip-and-pin cards will be the latest hoot in the US. 🙂
First off, as a long-time user of Chip & Pin cards, I find them much more convenient than swipe cards, especially in restaurants where the machine is brought to the table and payment is done immediately.
Second, the costs for change quoted by the industry are ridiculously padded. Credit cards all have expiry dates. You don’t have to change on one day, but you can agree that all cards issued subsequent to a certain date will have Chip & Pin – then nature takes its course.
Third, the changeover in the UK was effected over a number of years, with liability switching to the retailer for swipe transactions coming once most cards were already Chip & Pin. This is why most small retailers won’t take signature cards – they hardly ever see them and wrongly think they’ll be liable if there is fraud.
Fourth, the reduction in fraud costs should make a huge dent in the issuance cost.
Fifth, they are not a panacea for all evils – in particular, they offer no added protection for online transactions.
check this article, there you can read the future http://www.usatoday.com/story/news/nation/2014/01/09/encrypted-chips-help-fight-credit-card-fraud/4400347/
Most of these arguments are specious. Card replacement would cost money, that’s true. But the only actual money outlay is the incremental cost of fitting the chips on to the cards, because cards with chips aren’t sent en masse on day 1 they are sent out over a period of years as existing cards expire. Believe it or not the same is true of POS terminals; it’s not like every retailer is using the same terminals they bought in the 80s when electronic terminals started trickling into use is it? And to suggest that somehow fraud in the US is better than it is in America is just uninformed speculation.
The Target problem most likely would not have been prevented by Chip and Pin. From what I have read at Krebs on Security the credit point of sale systems were infiltrated with Malware and then other servers were compromised so they could login and retrieve the hijacked data. Good reading for those interested in what seems to have specifically happened. http://krebsonsecurity.com/
My understanding is that true Chip & Pin cards do not have a magnetic stripe and can only be used at POS devices that accept Chip & Pin. Therefore, in the US the conversion would have to happen over time and with hybrid cards until critical mass is reached with merchants replacing their machines with Chip & Pin capable ones. Until said critical mass is reached, the same fraud risks would be present. Kind of like “herd immunity” you get from vaccination programs.
@Mike P: Having lived in the UK, all of my chip & PIN cards also had a magnetic strip, and no one would argue that they were not “true” chip & PIN cards. The key feature is that when a chip & PIN card is swiped in a terminal that supports chip & PIN, the terminal requires you to use the chip and will not process the transaction based on the card swipe. Since the vast majority of US terminals do not have chip & PIN and people from all over the world travel here, their card issuers continue to include the magnetic strip for use where chip & PIN is not supported.
Diners Mastercard(which is issued by the Bank of Montreal) is a true chip & pin that we have used in Europe with no problem. But because it has forex fees, we only use it while traveling abroad when we have to. We recently got a true chip & pin card from Commerce Bank with no forex fees. We are anxious to test it out next time we travel.
It is worth noting that the burden of proof in a fraudulent chip+pin transaction can fall to the consumer rather than the bank or retailer. The bank can claim you did not do enough to keep your pin secret and are therefore liable.
Merchants are in the process of upgrading the terminals to at least have the ability to accept Chip cards. Just saw the newly upgraded terminal at Trader Joe’s. Alas, like most stores with the new terminal, the chip port was not activated, since I tried it with my BofA card.
Banks are very aggressive in passing on liabilities of fraudulent charges to merchants without justifications and practical solutions. I cannot detect or verify if cc is genuine or duplicate after I check photo ID.Old and beat up cc that cannot be read when swiping requires manual input invite the most charge back dispute problems that cannot be overturned. Banks cannot determine the true authenticity of the card over the phone, only verify the info. Banks require merchants to use the slide machine with carbon receipts that I saw exist in the 1980s,when manually input. A growing population of cc holders work the system to get away with not paying for the services or merchandises. US banks have capital to upgrade the system but they all choose to pay big fines or liability costs as part of the costs of doing business and engage in the blame game since the 1980s. US is the breeding and fertile ground for many fraudulent activities in major aspects of life: Immigrants import their unscrupulous practices and the native born exercise their low morale and ethical values. The entitlement”me first me now” mentality and the short term gain without long term vision approach will impair our ability to maintain our standing and status in the world.
On the chip alone, replacing magstripe cards with EMV is definitely good for the consumer. Why stick to the abacus when you can have a calculator?
Furthermore, if merchants are happy to rely on the chip alone for cardholder verification for small amounts, they should be allowed to do so.
(These two are already occuring in HK, where I live)
Furthermore, I don’t mind authenticating some larger purchases by PIN. I already do so for ATM already, no real loss.
(not yet implemented in HK)
What I’m terrified about is banks being allowed to use PIN as conclusive cardholder verification, similar to the situation in the UK between introduction of chip-and-PIN and 2009 when legislation was enacted to require banks to provide additional proof that the transaction to stand.
A theory I hold (not conclusively proven) is that a card slip has similar protections like a cheque, in that bad signatures will not stand.
http://www.chipandspin.co.uk/spin.pdf
“Until the Chip and PIN initiative, manuscript signature was the only authentication mechanism used in the UK at Point-of-Sale (POS) terminals. Sales vouchers were governed by laws that evolved for cheques, of which the most important is that a forged signature is completely null and void. This gives the customer strong protection against abuse of a stolen card. Although some argument can be made about card terms and conditions, and about possible negligence by a customer, in practice the banking industry paid the costs of fraud.”
I don’t give a damn that 99% of cashiers won’t bat an eyelid to my cards’ signature panel even if someone else uses it, I want the bank to be required to show me the card slip in case of fraudulent transaction – placing the burden of proof on the bank.
I am also not happy that banks are allowed to keep roughly the same interchange but pass the liability for fraud to the consumer (UK case). In that case, a competition watchdog should oversee a reduction in fees once the protection has been removed.
Not setting up my “chip and signature” cards to function as “chip and pin” when abroad is inexcusable. The bank has already paid for the chip. I am less concerned about how long it takes to change over in the U.S. However, about one third of the POS terminals that I see have gotten new readers in the last year with a keypad that look similar to the “chip and pin” readers used in Europe.
Chip is good. Pin is bad.
My overseas cards are CHIP And SIGNATURE.
I have the security of a CHIP, and the knowledge that only my signature is vulnerable (I cannot have my OIN copied if I never use it).
PIN is only good for the retailer, so they don’t have to keep and remit paper.
CHIP & SIG
Secure, and I love it.