61 comments

[ 45.4 ms ] story [ 1477 ms ] thread
I always find these things to be much slower to process than the swipe-readers, which is pretty annoying when you're in a long line.
They are slower, but I'm more than happy to stand in line longer each time if it means those of us in line aren't having to deal with fraud as often.
Let's go further: I'm happy to pay with cash, if it means I don't have to deal with fraud.

In all seriousness, using cards used to be super-fast. Remember those Visa commercials - swipe and go, swipe and go, oh no someone with cash ugh it will take forever.

Now in CVS I have to swipe the card, tap NO (I don't want to donate), YES (this is debit card), my pin, YES (is $9.75 correct?) and then wait for transaction to be completed. Meanwhile a guy next to me handed $10 bill and got quarter back. He left before I finished swiping my card..

Absolutely this. I'm so sick of all the damn prompts when using a card.

Donate?! WTF, go away. I want to swipe and go, damnit. I didn't come to your establishment to take part in your charity drive.

Debit? Credit? WTF, can't you tell?!

Is this the correct amount? Shit, I don't know. Did the computer add correctly? Is this a bartering interface, where I get to say "NO", and make a counteroffer? No? Then why the hell are you asking me when I don't have a real alternative choice to make?

My personal supreme pet peeve is going to a gas pump, pressing the credit button at the pump (which has both credit and debit buttons), then being asked if the credit card I just swiped is in fact a debit card.

They really want you to use the debit card portion of your card. I believe it involves the retailer paying lower fees. It's why every terminal is trying to funnel us into it, and doesn't have an obvious way to choose credit half the time.
Yeah, I get that. But 100% of the time, I'm swiping a credit card—so there is no debit portion. And I can't believe they don't know this, and still prompt to choose credit vs debit.
Come on, you know why it asks you if it's the correct amount. There are plenty of instances when it is not (item is mistagged, scanned twice, etc.)
I have never once used that prompt to catch or respond to an error. It gives so little actionable information. That's what watching the display that totals up your scanned purchases is for. Sure, I guess some people might use that screen as their method for catching an error, but it should be caught before you're given a number and asked if its correct.

Why I think that screen is there is to shield a merchant from someone coming back after the purchase to complain. And I doubt any merchant would use that confirmation to defend an error and risk losing a customer. Which, to me, makes it even more useless.

> Debit? Credit? WTF, can't you tell?!

No, they can't tell when the same card can be processed in both ways. Just for fun, check out your bank's debit card fraud protection details - odds are you're much better protected if you run your debit card as a credit card (i.e. no PIN, but a signature), that way visa/MC takes on the fraud risk.

Interesting. Are you sure about this? I typically only use a credit card. They can't tell there's no debit capability?

Also, on some rare occasions when I use my debit card, the PIN entry pops up without prompting. If I don't trust the place or don't want to divulge my PIN to prying eyes, I have to hit a cancel button to process as credit. I've never seen a PIN prompt show up when swiping my credit card. If they can't tell, how does the terminal prompt for PIN only when a debit card is swiped?

Just wait till you get 'contactless' https://en.m.wikipedia.org/wiki/Contactless_payment
The US actually had a lot of contactless cards for a while, before EMV, but it seems like that's been phased out (outside of the use of NFC via Apple Pay / Android Pay.
The US had NFC which just sent the magstripe which is different from EMV NFC.
My card now has pay wave (contactless), chip (and pin when required), and magnetic stripe.

It's a crapshoot which one will work at any given store. I do prefer the chip over swiping due to having to replace cards so often when the stripe wears out.

Contactless is listed at a lot of places, but it doesn't work consistently for some reason. Makes it hard to trust using it when the store is busy.

It was very popular for a while. Some banks were even issuing little mini-cards that were just big enough to contain the NFC chip.

As of this month, all of my contactless cards have been replaced by EMV cards without NFC. Now I only have it on my phone and smart watch.

That and when you accidentally pull your card out before the transaction finishes because your patience wanes. Then I just end up using the old magnetic swipe out of guilt.
Also you can't start the process early. At Trader Joe's I always swiped and entered pin before the clerk finished, but it's no longer possible. :(
At least TJ's allows Apple Pay and other contactless methods. Stupid places like Home Depot and others that intentionally block Apple Pay and require the super slow chip really annoy me.
Chip cards with contactless ability work great for speed, but I'm not sure about safety and fraud thing. It's also a matter of having people trained. I rarely need to use swipe, so naturally it takes me longer than entering pin.
They are much slower. Both perceptively because you have to leave your card in during the entire transaction, and we're sending/receiving more encrypted information.

My biggest gripe is the sound for a successful transaction is the same as an error sound. It always causes me to do a double take to ensure it went through.

That's true, especially if you have someone with a chip card who, out of habit, first tries swiping it. It takes him awhile to realize the swipe didn't work and that the reader is prompting him to insert the card into the chip reader.

That "someone" is me, by the way.

I am also that someone, as well as the someone who further slows lines down doing the reverse—expecting the chip reader to work, inserting my card, only to be told by the cashier (after waiting for a few moments with nothing happening, of course), "Oh, that thing doesn't work. I don't even know why it's there. Just swipe it."
This is so true. It's an annoying guessing game during this transition period.
The first time I used a chip reader I kept pulling the card out because I just assumed it was like a swipe. The guy at the till didn't seem too pleased when I kept canceling the transaction.
We've been using these for decades here, and they are not slow at all. Maybe it's the implementation you are using.
According to the article Visa is releasing a software update to make the transactions faster.
The slowness is implementation.

It's not slow outside the US, where it's been in use for a long time.

In the US, it depends on the POS. At Walgreens it's basically instant, whereas at Target it takes like 8-10 seconds. It's just poor implementation.

When I hear that the US still hasn't adopted chip+pin it sort of sounds unbelievable. This is the country that created VISA International, after all - a fantastic story chronicled in Dee Hock (founder of VISA)'s book. It seems like the financial industry in the US has taken giant strides backwards since then.
Banking and tax returns in the US are still in the stone age too.
The answer (assuming this is the same story I wanted to reference) is that the credit card companies just considered the existing fraud to be a cost of doing business. Yes, instituting these new chips will lead to less fraud, but it also has a big cost. For a long time, they looked at these two costs, and went with the cost from fraud.

Of course, that analysis ignores the very painful cost to consumers of identify theft, which is why I'm glad they're finally implementing a more secure system.

Hence why some giant businesses are run off COBOL and Excel documents. However given the affect of credit card theft on individuals I'd expect law enforcement/legislation to pass to require this.
The US is filled with very large companies ("too big to fail", etc.). Outside of tech, every one of them is scared shitless at the thought of doing anything different (especially the banking industry), even if it has a proven record of making things better. It takes something very bad to light a fire under their asses and get them moving.
My Target credit card has chip+pin (in USA)

Yes, it requires a pin number.

Though chip+pin does nothing for online fraud so I don't get it.

Yeah, I just got my new Target card the other day and was thrilled to see it come with a PIN.

After Target got thoroughly pwned a couple of years ago, I'm sure their security team have quite a bit of say in how things will run. Other companies won't take the risk of upsetting customers who can't use their card if they forget their PIN.

Ironically Target cards were the only safe cards when they got hacked. Visa/Mastercard is the one that took a hit.
I'm in Canada and have had chip tech in cards for a number of years (5+ I'd say). We've since moved on to tap/swipe/wave which requires no pin but does have a transaction limit.
> We've since moved on to tap/swipe/wave which requires no pin

This is growing in the US as well, which is why chip-and-PIN seems less helpful coming this late in the game to the US market. I'd much rather it be required that restaurants (among other merchants) use portable credit card readers like they do in Canada to keep cards in the hands of their owners.

The one thing I've seen in the states that I'd like to see here is pre-pay at the grocery line. I know Target has this, and I imagine others. Basically while the cashier is ringing up your groceries, you go through the process of paying and basically say "I agree to pay the amount of this purchase." Then when the cashier is finished, the payment is immediately processed and you are done. Saves 30-45 seconds for each customer.
The EMV rollout in Canada started in 2007.

The US banking sector is an ridiculously slow moving, technologically regressive cesspool, frankly. Their piggybacked debit system is a disaster compared to what we have here.

Us companies camd up with all kinds of methods. Some deployee them. Consumers mostly rejected them for inconvenience and spotty merchant support. Banks rejected costly changes in favor of smarter move of paying off politicians to push largest liabilites on merchants while keeping theirs super-low. Chip and PIN itself got broken plenty by smart crooks unlike some other schemes.

All in all, one would wonder why greedy banks in Europe weren't pulling same stuff or invested in tech with more problems. What American banks did made ton of sense given their evil and consumers' apathy. I was shocked at tge recent reversal to chip cards.

It's called infrastructural inertia. We had it first, so we have things implemented in legacy ways. Other countries get the benefit of "leapfrog development" or "second-mover advantage"
Bullshit. It might be true when it comes to copper lines, but not to credit card stuff. Most of the terminals must have at least a few generations of replacements already...

In Europe we had pinless-magnetic-only-sign-here cards and the like and were getting rid of them ~ten years ago

I participated Payments Summit 2016 where they presented some hard numbers and you could also discuss with industry people.

50% of credit card fraud is 1st person fraud (you lie about the purchase yourself). Rest is online fraud, which is expected to go up with the chip and pin. The same happened in UK as crooks just moved to different liquidation methods of stolen credit cards. Stolen / copied card is actually the smallest part of the problem and banks estimate that cost of people forgetting their pin numbers is higher than the actual fraud.

The estimate is that all fraud goes online until credit cards get tokenized CC numbers or time based CVV numbers (the card has a battery, LCD screen and CVV changes every few hours).

Most places I've been to have the new chip readers installed but they are disabled leaving you to swipe your card.
I don't understand how these help mitigate fraud in any way. You still have to sign afterwards, there is no PIN which is the way it works in Europe. How is this ANY different other than harder to implement a scanner which would steal the swipe, and those are bound to get implemented sooner or later anyway.
These chips are actually smartcards - ASICs that perform cryptographic operations based on a secret key inside of them.

"Visa chip cards are not only more secure, they are also simple to use. Chip cards and terminals work together to protect in-store payments. A unique one-time code is generated behind-the-scenes that is needed for the transaction to be approved - a feature that is virtually impossible to replicate in a counterfeit card."

Magnetic cards can be easily duplicated. A Smartcard is virtually impossible to duplicate (The NSA might be able to. A criminal won't).

The Pin code is used in Europe to provide 2 factor authentication. Something you have (the card) with something you know (the PIN). Its only to prevent people from using your smart card if it's physically stolen.

Not that chip-and-pin has been invincible: http://arstechnica.com/tech-policy/2015/10/how-a-criminal-ri...

Certainly harder than cloning a magnetic stripe, but the PIN verification was as simple as the reader saying "Is 1111 the right pin?" and the card responding "Yep, that's the right pin." So they took apart the cards and MITMed the response to always confirm, no matter what pin was entered.

Hopefully that's been fixed by now, but with the number of readers that would need to be upgraded, I wouldn't count on fixes rolling out quickly. And who knows if there are other weaknesses?

Unique transaction IDs
The chip is a copy-protection mechanism. This means you can't do a man in the middle attack (in your words 'steal he swipe') because the chip on the card has challenge-response protocol to authenticate. Even if you somehow steal a single response, next time the challenge will be different.

That is not to say it is impossible to get the secret inside of the chip, but it is hard, often requiring partial disassembly, some sort of side-channel and you will often destroy the card in the process.

The purpose of EMV isn't really to counter physical theft, it's to counter passive theft using devices like skimmers.

> How is this ANY different other than harder to implement a scanner which would steal the swipe [...]

The magnetic stripe on the card is essentially just a barcode read by magnets. Like a regular barcode, it's trivial to copy.

The chip on a card is actually a very low power computer that uses cryptography to produce an authentication token the scanner can present to a bank to authenticate a single purchase. It's essentially impossible to recreate the entire chip and the token can only be used on the purchase it was intended for so skimmers are pretty much dead.

You can read a little more about it here http://www.firstdata.com/downloads/thought-leadership/EMV-En...

While this sounds great, I was just given a debit card with a chip in it. While extra protection is afforded at terminals built for cards with chips, I still only use the magnetic strip on my card at the 90%+ of terminals that are not built for chipped-cards.
Interesting - I was suspicious that this "Quick Chip" process they refer is less secure, but apparently it is just a matter of poor implementations requiring the card for the entire authorization process:

"According to Ericksen, the ability for EMV transactions to continue as usual without the card remaining dipped after the creation of the cryptogram is actually already an existing EMV process, but it is just not widely used. With the implementation of Quick Chip, no additional testing or certification is needed from a Visa or EMVCo point of view, there are no changes to the process and the technology is inherently EMV compliant."

http://www.pymnts.com/news/emv/2016/visa-puts-the-quick-into...

I've been wondering about that for a while now. In Europe (The Netherlands for me), it seems like paying with NFC is a lot faster than paying with regular 'chip and pin' where the card needs to stay in the reader for ~5 seconds after entering the PIN. Since both use the EMV protocol and the same chip (just contact vs. contactless), I'm not sure why the contact method is so much slower.
I believe it's down to how your bank sets up your card, and how the retailer's set up. In the UK, when I pay with my debit card at Tesco, after entering my PIN it instantly says I can remove my card. Apparently it's because the card reader skips communicating with my bank until they cash up at the end of the day (the "available balance" of my card doesn't reduce after shopping there until the next day). Tesco is the only retailer where I've seen the card work almost instantaneously, but I expect that NFC payments work that way every time.
How do they detect invalid or cards with no balance? Seems you have to round trip to the bank at least once or you would be no better off than checks.
It's why I pay with NFC everywhere now in Austria. The terminals are much quicker that way.
You might call it poorly implemented. The companies dealing with fraud in the EU because scammers found they could physically insert a chip form one card into another[1], and the chips didn't actually authorize the card with the bank fully, just the pin used, might beg to differ.

1: https://news.ycombinator.com/item?id=10414375

I read through some of the discussion, and some of the article that you linked. Based on what you said, I was expecting to read that the hack depended on taking out the card "early", but that does not seem to be the case. I thought you were saying taking out the card early lead to this particular vulnerability. Were you instead saying this vulnerability existed because of poor implementation in general, and that has no direct relationship to removing the card early?
This thread[1] is the one you want. The EU allowed "offline" transactions, where the chip was used only to verify the pin. The "quick chip" method you describe may be secure, but I have very little faith that these companies can architect a lasting secure solution, the incentives just aren't aligned in our favor.

Simply put, requiring the authorization token (card, phone, etc) be present and accessible for the entire transaction is not a bug, it's a feature. I surely do not want transactions happening after I've left the store, and while you can sign a verified transaction request with everything needed to process the transaction on okay from the bank, that's an extra level of complexity on top of a system I already don't trust them to get right.

1: https://news.ycombinator.com/item?id=10414994

I'd like to see average payment size data (median, mean).

Is it necessary for the average person to be able to instantaneously spend hundreds of pounds? I don't see why all retailers need such high security (e.g. sandwich shops).

I personally rarely spend more than 50GBP in a store. Large amounts of groceries in bulk, full fuel tank when I owned a car.

The contactless limit is 30GBP and that makes sense to me. If I cared about losing that amount of money I wouldn't go outside. I can sit on the metro and see that 25%+ of the people there are playing with smartphones worth 300GBP+.

Given all of that I don't find the US stance on security very odd. I want large payments to be verified, I don't care if someone buys a sandwich on my card, even if I never get that back from the bank.

To put it another way - huge payments should not be possible using a physical object that is used all over the place. I'd be happy for my bank to call me (2FA) for all payments above 100GBP, and for them to freeze payments if many many small payments happen in a short time span.

Otherwise, I'll see problems on my statement, cancel the card, and carry on with life.