I just got a new credit card recently. There definitely still is the space for signatures in the US. I actually once had a store turn me away because I didn't sign it.
Got a new mastercard (debit) without signature field and a mastercard (credit) with embossed numbers and signature field. It makes sense with the debit/credit split.
My Apple Card doesn't have a space for a signature but it also doesn't have a PIN. Does have a chip though, a combination I find routinely frustrating. Just let me use a PIN if the card has a chip!
I think some of it is just them not marketing features. I was unaware that my card would do the NFC/no-pin-needed thing until I paid attention to someone in front of me in line one day.
They're supposed to help you locate fraudulent transactions after your card is stolen. I guess that benefits the merchant because it makes you less likely to mark legitimate transactions as fraudulent.
In a world where that was actually the goal, you'd presumably be able to see a little image of the signature used, beside each card-provided charge in on your credit card in your online banking portal.
No, you can't see the signatures, so they don't help you locate fraudulent transactions. What they do is provide a defense for the merchant against you. If you try to say you didn't authorize the charge, then the merchant can produce the signature as proof that you did. The signature is never evidence that you weren't there. Even if it is someone else's name, that doesn't prove anything, so it never benefits you.
There are some reasons it still exists, however, it is no longer required and merchants/POS systems ought to start phasing it out.
In the US, the way we do tip on receipt is a lot more natural if you're asking for a signature. Without a signature, you're just handing someone a tip option, which is awkward with our current way of doing things.
Some merchants opt to keep signature enabled because it gives them a fuzzy feeling and it's a point of closure to a transaction.
When I was over there I constantly got confused around the tipping system and how some bars keep a tab open for you (by take your card and putting it in a little book at the back and then you pay/tip at the end)
I didn't trust that so I ended up just signing the receipt and adding the tip to the bottom and keeping my card in my wallet. Needless to say I think the bar staff got a lot of tips that night!
>Needless to say I think the bar staff got a lot of tips that night!
You generally tip based on percentage or the number of drinks, so it shouldn't matter too much unless you're doing it by percentage and rounding up the nearest dollar.
For those abroad, even the notion of tipping can be absurd. Using that notion as a point of support for a payment system the levies fraud responsibilities onto the merchant and is very easy to circumvent, and the reason most other places moved to chip+pin, or contactless a long time ago is even more amusing.
I understand what you're saying, and how its locally relevant, but from the outside looking in the US is a long way behind on keeping up with the tech in this space.
Lot's of payment terminals in the UK allow the customer to input the service charge themselves before they enter their PIN. Otherwise the waiter/waitress typically asks you how much you want to pay before typing in the amount. If you're splitting the bill then they need to do that anyway.
Here in Canada, portable POS terminals usually have a screen before "TAP/INSERT CARD" that says "Add tip?" and offers vendor-set default options, usually either 10%/12%/15% or 12%/15%/20%. The fourth option is always "custom", which allows people to enter 0 if they wish. (There are also payment flows that have an initial "Yes/No" on the "Add Tip?" question, in cases where a tip may or may not make sense, e.g. a bakery/deli that offers both high-touch dine-in and extremely-low-touch "we just take it from the fridge and give it to you" take-out service.)
Since Canada and the US have basically the same tipping culture, these POS systems seem to be already tailored for adoption in the US market (or at least, being cloned by US POS mfgrs.) Not sure why they haven't been.
>
In the US, the way we do tip on receipt is a lot more natural if you're asking for a signature. Without a signature, you're just handing someone a tip option, which is awkward with our current way of doing things.
Most places I go now have a receipt option step that serves as a justification for the tip screen, rather than the signature. Tapping “No Receipt” for a $5 beer purchase is only a little faster and less ridiculous than signing for it.
> In the US, the way we do tip on receipt is a lot more natural
American in Hungary. Here tipping isn't expected like it is in the US. But when you pay, they bring the terminal to your table with the check, then you tell them that you want to add a tip and how much, and they type the total into the terminal before you tap your phone or card. Perfectly natural.
Signature requirement has gone away in the US (and Mastercard was also the first to do that was well).
Just so many merchants are accomplished to asking for it (or haven't updated their terminals to code for not asking for it) - which is why you still encounter it.
"The magnetic stripe will start to disappear in 2024 from Mastercard payment cards in regions, such as Europe, where chip cards are already widely used. Banks in the U.S. will no longer be required to issue chip cards with a magnetic stripe, starting in 2027.
By 2029, no new Mastercard credit or debit cards will be issued with a magnetic stripe. Prepaid cards in the U.S. and Canada are currently exempt from this change."
At least in Australia the magnetic stripe is already gone for all intents and purposes. I can't remember the last time I used it. The American schedule may be a little aggressive though, you guys still use cheques extensively.
Define extensively. Anybody who pays with checks in situations where credit cards or cash can be used is gonna get funny looks, unless they’re a little old lady.
Compare that to every single bank refusing to pay out my $150 check. Most banks even having no idea if this is actually still a thing, some had to get their boss to ask because they never had this situation before.
I still have that check because it's literally worth nothing around here.
The difference is that in Australia literally zero retail businesses will ever accept a cheque under any circumstance and all government payments are made using electronic transfers. I haven't been issued a cheque book from my bank in over decade and I've maybe cashed 3 in my 30+ years alive.
I actually can't think of a single place outside of a bank where you can use a cheque and even then it's a challenge to actually exchange it for cash. Most banks in Australia have trouble coming up with $10,000 - even busy branches in the CBD of a major city.
Now, granted I haven't been to America, but I do read things on the internet. From what I understand, your financial system is held together by a system of pneumatic tubes passing cheques around, though I hear there is some experiment with telegram machines.
Alas, I’m not sure which tubes you’re referring to. These days, banks use FTP to shuffle bank transfers around.
However, I do think checks have their uses. I’d rather write a check than use cash any day of the week. You can cancel a check, but you can’t cancel cash. Of course, I’d rather pay digitally. But sometimes that’s not an option.
Also: “cashing” a check usually just mean depositing it into your bank account. Not swapping it for cash, although you can do that, too.
So most of my current cards (in Europe) have 3 interaction methods:
In order of decreasing readability/communication reliability:
1. Magnetic stripe
2. NFC
3. EMV
The EMV ("chip") method is the least insecure, but lately all of my cards have been started oxidating. And it seems like the pogo pins in almost all readers also started wearing out too. Chip reader failures have become very common lately.
It's very common that I have to both clean the card before using it and also bend it while pushing it into the reader to counteract the worn out pogo pins in the in-store reader. Super annoying.
NFC has been a saver, but because of the banks security risk (it's cleartext, after all) you can't really use it all of the time.
The magnetic stripe seems like it never seems to stop working. I've assumed I can't use it outside of my native country, though, perhaps incorrectly.
To echo my other comment: my chip broke on my debit card and the card refused to work with magstripe only (and it was broken in a way were the NFC thing also no longer functioned). So not sure if the magstripe has any functionality in the SEPA region based on that experience.
I think the magstripe is disabled in my region, I've never managed to use it on any of my cards. I tried testing it out to see if it even was functional. Surely they must work as I've heard quite a few stories of card skimmers...
There is definitely a card number on the magstripe on it, but i think you cannot make a transaction with it in the SEPA region. So you need to "clone" that card and make a transaction with it in a non SEPA region country and that is disabled by default on debit cards (not credit cards though).
I wasn't aware of that mode. Is there a way of figuring out if your card has NFC (EMV Mode), or is just blasting out the CC number/expiration date when powered up via induction?
Almost all NFC you find these days is going to be a form of EMV and is encrypted.
There was a form of contactless magstripe (MSD) that was not encrypted and has been phased out of usage as of like, late 2019 via card update bulletins.
I can't remember ever having paid using the magnetic stripe in Europe since 2010 (having been to Spain, Italy, France, Netherlands, Romania and living in Germany), before I didn't use a credit card at all since it wasn't very popular here.
Honestly curios: where (and when) did you make that observation?
Huh, wherever I try to use a magnetic stripe, the terminal would ask me that I have to use the chip. Even if a transaction failed when I used the chip.
I'm pretty sure the magstripe is already somewhat disabled over here. My debit mastercard refuses to work outside of the European union unless I disable the geo locking in the banking app, and when my chip was broken the readers kept telling me to put the chip in.
That’s just a bit on the mag strip that encodes if your card has a chip present.
You can flip it with a writer and use the magnet strip again if you want.
It’s quicker as one doesn’t have to wait for the Javacard OS on the chip to boot up and handshake. (Ie swipe and walk away vs insert, wait 4 seconds, remove).
Wouldn’t do this on my debit card but it’s fine on credit cards with chargeback protection.
Isn't that going to lead to the transaction being denied, either by the bank (which knows there's a chip), or even the reader (does it know that all cards beginning WXYZ have chips, for example?)?
I sometimes keep my credit card near my iPhone. I have wondered about the impact on credit cards of the new MagSafe magnets in iPhones. I guess if there aren't magnetic strips anymore, I won't have to worry about it. OTOH, there won't be any backup if the chip doesn't work, which it doesn't always.
Where I lived over the last years (two countries in Europe), I don’t even have to use the physical card. I just use contactless payments with the phone. Prior to that, it was contactless with card. Even ATMs work with contactless (not all, yet). Prior to that, it was chip. I honestly don’t even recall the time when the magnetic stripe was needed.
(edit) Think of this: I made an account with one of these neo banks, ordered the card too, and it took me over a year to activate it. I still don’t use it. I just installed the virtual card into the phone’s wallet and used the account like that.
It really is mind blowing to me. Especially in a pandemic, why why why require a signature for anything? This is one of the few things that would reduce exposure that we already have a technical solution for. I just don’t understand.
>Especially in a pandemic, why why why require a signature for anything? This is one of the few things that would reduce exposure that we already have a technical solution for.
Turns out infection from surfaces is basically a non-issue.
>“People can be affected with the virus that causes Covid-19 through contact with contaminated surfaces and objects,” Dr. Rochelle Walensky, the director of the C.D.C., said at a White House briefing on Monday. “However, evidence has demonstrated that the risk by this route of infection of transmission is actually low.”
Coronavirus isn't the only virus to be concerned with, Norovirus is a well known one that can spread through surfaces, which is why it can be so rampant on cruise ships -- and it can live for weeks on surfaces.
Yes, but microphobia is more annoying than most viruses, and keeping the immune system unprepared due to lack of exposure is potentially fatal, so perhaps they don't want to encourage those...
The holdouts have long been the gas station fuel pumps. Though that is finally changing at least where I am many stations now support chip and tap card payments.
Gas stations around me (Utah) have all replaced their magstripe with a dual magstripe/chip reader. It drives me nuts though, because you still have to insert your card ALL THE WAY IN as if you're using the mag stripe, and then it decides which one to use.
Are gas stations not a big target for skimmers? Why didn't they design it to avoid the magstripe-skimmers? have two inserts or something, I don't care. But now we're a FULL generation of gas station pumps away from being free'd from skimmers. I just don't understand.
Also, don't get me started on the audio/video ads at the pump these days. They're the worst. I'd rather have to pay inside than have "while you're pumping" ads.
What I like about the gas station ones, at least where I am, is that they use Zero insertion force contacts instead of brush contacts, so they won’t wear out the connector or your card. You can hear the machine click up and down as it engages.
A lot of pumps with the chip readers also have contactless readers, but the on-screen prompts still just say "insert card". If your chip card is also contactless, you should be able to just hold it in front of the contactless reader and save both time and wear.
I'm in the US. The only places I've seen in the last year or so that still use the magnetic stripes are gas stations, and all the ones I usually go to take the chip.
This will unlock your phone but not authorize Apple Pay. So the Watch is much more convenient for payments in mask mandate areas. I find it more convenient to tap when unmasked too but that’s more personal preference.
There’s always that old book shop that doesn’t have the latest and greatest yet. And this type of support is typically enforced by contracts; eg if you buy some device that accepts MasterCard, they promise it will be supported for at least 10 years.
I've been trying to shift to contactless payments recently, and my anecdotal experience has been the opposite: mom-and-pop shops usually have some kind of terminal from a dedicated payments company (verifone, square, etc) that's been updated in the last few years, while big behemoths (e.g. Lowe's, Fedex, USPS) are the holdouts clinging to bespoke antiquated payments hardware.
The USA is a big holdup. I just traveled across the country and there are still filling (petrol) stations where the only card reader is stripe. See also other comments about the stripe being a fallback for chip as chip readers on POS terminals seem to be more fragile than magnetic stripe readers.
FWIW, Contactless is very hit-or-miss for me in the US; about 1/3 the time it just doesn't work at all (even with multiple retries), and that's when the terminal has one. Was picking up something at the corner store the other day, realized I didn't have my wallet and contactless just didn't work with the phone at all for some reason.
On your point about contact less being hit-or-miss, this very much goes away when you have a number of options for vendors to choose from on the market, with terminals being supplied mainly by banks who want the business. Both competition and a lack of desire to deal with merchants having issues with the payment system provided lead to increases in reliability.
The overseas market has been saturated with chips for 10-15 years, and contact less for 5+, probably notably more.
I have asked in several stores (in Denmark) where contactless doesn’t work, but the terminal has the required hardware - The merchant has to pay a fee to enable contactless.
My auto mechanic bitched loudly about it, until I told him he wanted $200 for enabling “daytime running lights” in my rear lights, which is also just “flipping a bit”
Yea, the Achilles Heel of contactless (or phone/NFC) in the USA is the uncertainty that it's supported and the terrible UX for failure cases. How many times have you had this happen?
Your groceries are all rung up and the POS terminal is waiting. You dig out your phone or contactless card and try to invoke the contactless payment system. Nothing's happening. You wave it around a little. Still nothing. Grocery cashier is looking at you like you're an idiot nerd, saying "That thing doesn't work. Just stick the card in the slot." Now I dig in my wallet looking for my chip card as the whole line behind me huffs about how much of a moron I am. Stick it in the POS terminal, and it waits... and waits... and waits... and finally, loudly proclaims BONK BONK BONK transaction approved. Everyone other than me is saying "Finally, we can move on".
Contrast that with mag swipe: Pull out the card. Swipe it (which takes 500ms). Done.
Those exist, but they are somewhat rare overall. The chip does take a lot longer than it should in most cases (I'll give them 2 seconds - which is enough time to cross satellites in geosynchronous orbit, for land based internet connections 50ms is plenty of time).
I've had that too, but when that happens, it's obvious to others; they can see you swiping again and again. Failed NFC just looks like you're standing there.
Coming from Canada: my last experience with the stripe, >3-4 years ago, was more like: pull out the card. Swipe it (it doesn't work), Swipe it (it doesn't work), Swipe it slowly (it doesn't work), wrap a garbage bag around it and Swipe it slowly (it doesn't work), Swipe it one last time -- hey, it works! Then, physically sign my name on some piece of paper with a gross pen they had lying around.
vs my last 100 contactless payments: pull out the card, tap. Almost instant happy beep.
I once actually got stuck at La Guardia because of the chip/stripe divide. I hadn't thought to get enough US cash out in advance, and all I had was my Canadian CC and Debit cards. I'd used nothing but the chip on the CC for > a year and didn't realize the magnetic stripe was completely worn off!
I tried several money-changers and ATMs there, and even called my bank -- no options at all. I finally found $5 CAD in my backpack and changed it to USD for bus fare, then caught a local bus to a nearby actual bank, where they were finally able to use my ID and the card number to authorize an advance. It was a heck of a day.
Some US chip-enabled ATMs still insist on reading the magstripe first, and then tell you to reinsert if the card tells it that it's a chip card. If the ATM doesn't swallow your card, you can often swipe ANY chip-enabled card and then insert your preferred card when it tells you to reinsert.
I live in the US. This happens to me often. About 50% of my contactless payments fail. The "genius" automatic fraud detection always seems to think it's fraud. Why a fraudster would buy $10 worth of fruits at a grocery store next to my listed address, I don't know. It's not that the terminals are bad. The payment companies use historical data to determine the "right" amount of contactless payments and so we can never really progress.
It’s not a problem with the tech — just a matter of time and adoption. Swipe cards used to be just as problematic back in the day. Many places didn’t accept them either, and then if they did, it took a lengthy dial-up connection to process. Sometimes it would fail and retry multiples times, and if it still didn’t work, the cashier would grab one of these out from under the counter: https://images-na.ssl-images-amazon.com/images/I/41xAsDSTsXL...
Now those are slow. But hey, this is back in the time when people would write checks at the checkout.
It's astounding how slow the rollout is in the US. I'm 22 and in Australia and I have never used a magnetic strip card and have used the insert chip method less than 10 times. Not a single card machine does not support contactless and only weird edge cases like refunds require you to insert your card.
Don’t be surprised. The almighty dollar rules here. If they have to pay a dollar to upgrade the infrastructure to support contactless payments, they won’t do it until they absolutely have to. And even then, if there is a payment machine that doesn’t support contactless payments and it is 5 cents cheaper than one that does, they will go with the one that is cheaper. Multiply that by all the hundreds of thousands of different stores. There is a huge national retailer near me that recently replaced all of their sales terminals. I thought that finally I’d be able to use contactless payments. Nope. The new machines don’t accept contactless payments.
Here in the UK everywhere accepts chip and contactless. It rarely fails, and when it does everyone assumes its the card reader rather than the card. It's common for people to claim they'll stop shopping in places where the card readers fail, which means there's an incentive for retailers to keep them well maintained.
I've always suspected they don't, but the cab driver says it's not working so you pay cash that they don't to declare as income in order to minimize their tax liability. I have no real basis for this suspicion though, besides knowing that taxi drivers were notorious for tax dodging before card readers were common (like most cash-based businesses really).
FYI my understanding is that, in London at least, cabs aren't allowed to operated with a broken card reader; if that happens to you, tell them that you have no cash and either it will suddenly magically work or you'll get a free ride (this has happened to me).
When I ask to pay by card in the UK or Norway, it's 50/50 whether the driver claims the card machine is broken. If you say you don't have cash, they're like "oh, well, let's try just in case", and lo and behold, it works every time.
The few times contactless has not worked you just put in the same card in the chip slot (why would it be two different cards?).
Besides, I don't see how your situation is an argument for mag swipe. Are you saying contactless fails more than mag swipes? Or that mag swipe is faster than contactless/chip? Absolutely not my experience in either way.
All of my cards have the tap to pay symbol, so all I do is tap the card and it works pretty much every time. If it does not, then I insert it into the chip reader.
Since cards can have tap to pay, chip, and stripe all on the same card, I do not see the uncertainty in merchants supporting it to be an Achilles heel since you will have the card anyway. It might be an Achilles heel for Apple Pay/Google Pay, but not contactless/tap to pay in general.
I have run into terminals where if you do tap to pay and it fails, it won't accept the chip until the cashier re-runs the transaction. This has caused me to just not use tap to pay.
I live in US, use contactless everywhere, and never have this trouble. But I just look for the (standard?) design pattern that indicates contactless is enabled - either text on a screen saying ”… or tap”, or the row of 4 blue LEDs across the top of the reader.
I last had this happen 4 years ago at a pharmacy that was having network issues. But now I no longer have any cards with embossed letters so the imprinting fallback would not longer work for me. I supposed they could fill in the slip manually which seems equivalent to a card-not-present transaction but without the instant confirmation?
> Contactless is very hit-or-miss for me in the US; about 1/3 the time it just doesn't work at all
That's a shockingly high number. I'm in Canada, and I'd take a rough guess that maybe 1-2% of taps fail on first try. Most of the time it works on a second try -- and I actually think that usually happens when the POS system is slow and you tap too early.
And in cases where it really is just not working, the fallback is chip + PIN, which is 100% success rate. I'm sure there's cases where a card gets damaged and it wouldn't work, but it's not like the magnetic strip will survive that.
I don't think I've used the actual magnetic strip in at least a decade, except when I've been travelling in the US.
I am in the US and I have been using tap to pay for a few years now with consistent success. And as you wrote, if it does not, you just insert the chip. But that seems rare.
I've come across a few places that accept contactless, but specifically reject Google and Apple Pay, and until recently, none of my cards had contactless built in, so Google Pay was the only way to do contactless. But, I have a Samsung phone with MST, so I can fake a swipe. Amusingly, the terminals that won't do contactless Google Pay happily accept the same with the magnetic reader.
Not just US. Take for example Germany, the largest country in EU and most places are cash-only. Although due to coronavirus adoption of different payment methods (apple pay, contactless, card, etc) has been increasing.
What is wrong with cash? It is one of the most fail proof form of payment. Stripe fail, chip fail, NFC fail, internet connection fail, phone line fail. But cash work almost all the time.
In last year, I have bailed out quite a few people stuck in the checkout lines because whatever hi tech form of payment, they were using, didn’t work and had no cash.
I live in Norway, and cannot remember the last time my card wouldn't work - period. Not just with the reasons stated.
When I lived in the states and worked retail, your cash wouldn't be accepted at a lot of stores if the power was out (or if internet/phone lines caused the registers to fail). To complicate things, I worked in a pharmacy, so accepting cash for the medicine without it going through the system might have actually been illegal.
You have to remember to get it out of the ATM. I ran out of cash like a week or two ago and have been too lazy or forgetful to stop by an ATM to get it.
Not to mention to use an ATM you need a card already to begin with, might as well just pay with that card directly?
That's different though. It's one thing to only support ancient tech for cashless payment and another to stay cash-only. I wouldn't call that backwards. It's just a choice.
I'd actually be curious about the numbers/actual ratio. I can't think of a single chain of stores that takes cash only, which will make up a huge percentage. On the other hand, restaurants, food stalls, ... are hit and miss.
In Switzerland we have both. You can pay cash nearly everywhere, or contact less, or using our own transaction system 'twint' usually over the phone linked to any bank account (or even prepaid kinda like PayPal)
To play devil's advocate – who cares? We've had magnetic strips for decades and they work fine. Yes, they're insecure but anti-fraud measures taken by the bank can mitigate that. If this helps more stores accept payments without having a painful transition isn't that worth it? I use Apple Pay most places but I don't mind having to use a strip once in a while or if others do.
Think about who is paying for that fraud. Prior to EMV liability shift, Banks paid for the fraud. After Liability Shift, merchants are paying for fraud using magstripe.
Merchants don't want to be responsible for the fraud, so they are incentivized to get rid of the mag stripe.
Depends on the transaction, but merchants can absolutely be liable for fraud before the EMV shift...
Also the rate of mag fraud is still pretty low, more Online Fraud which was ALWAYS liable to the merchant and did not see to do much ti incentivize any changes there.
Causing 90% of your customers pain to save less than 1% on fraud is likely going to cost merchants more than just paying for the fraud, which is also the math online merchants used. Online merchants that have huge fraud prevention lost more customers than the fraud....
Hell I remember one time a online merchant wanted me to submit more info after the sale for anti-fraud... I cancelled the order and bought from someone else
How painful could it possibly be to go and buy a new card reader? Why doesn't the payments provider offer them as part of the service? They are not so expensive.
The reader may be cheap, but the things its integrated with aren't. If it costs $20k to replace a gas pump and you have a half dozen pumps, the cost of replacing them might be comparable to the value of the gas station. A grocery store point of sale system is even more expensive, around $40k a pop. Maybe you're lucky and the manufacturer of your current setup has made it in such a way that the card reader can be swapped out without replacing the entire thing, but that's a big if.
It's not like this is an investment that will lead to more customers or new revenue, this is a big expense just to stay afloat. Getting financing for such an expenditure is extremely difficult. At least in a mixed ecosystem you might be able to recoup some of the cost selling your old equipment, but no one's going to buy it if it's going to stop working soon.
It is weird that a lot of folks in the thread ignore the very real costs of transition. If there was a nationwide subsidy system for retailers from merchants and banks for fraud reduction en masse, then the transition would be smoother. But since there isn’t it’s partially an iterated prisoner’s dilemma.
>the manufacturer of your current setup has made it in such a way that the card reader can be swapped out without replacing the entire thing, but that's a big if.
This seems to be universal in Australia. Even the mega store self serve integrated systems have a separate machine mounted on for processing card payments.
Visa and MC put Australia in the Asia-Pacific region, and the regional rules and fees have been gradually changed (2004ish onwards) to favour chip payments. There still had to be an extravagant amount of re-work for ATMs and compromises to suit some of the major players in Oz, whose quirks dictate the norms for the rest of the market.
Even if the machine is physically separated, it still needs to be integrated. At the very least, you need a way of telling the machine what is owed and a method for the machine to communicate back that the amount has been payed, and it can't be easily spoofed. Nowadays there is a lot more customer specific integration as well (deals, rebates, signing people up for mailing lists, etc). There are about a dozen different communication standards for POS systems, and some POS systems support more than one, but there are also boatloads of proprietary communications protocols floating around. Presumably you're replacing the POS system with one from the same manufacturer, so the communication protocol is likely to be supported, but that doesn't mean any custom software you have on your system will run as is.
And even if you can hotswap a POS system, they're still expensive. A machine plus software is about $4000 per lane, and that's when you're not a captive market. Even small retailers typically have enough lanes that this is a significant expense. People in this thread are giving prices for Square readers which 1) are not at all sufficient for most businesses and 2) are sold at a loss while Square makes its money on transaction fees and subscription services (the same is true for the rest of the Square clones). It's like comparing a home projector to a movie theater projector.
> but anti-fraud measures taken by the bank can mitigate that.
Not really. Anti-fraud measures by the banks usually amount to taking the hit themselves, unless they actually catch the culprit. And that's only in the case of actual fraud. In other instances, the banks' algorithm screws up and blocks your card for a legitimate transaction. Then there's the hassle of replacing your card.
In the U.S., the bank where I have my checking account can print cards in the branch, but many more make you wait for the ever-worsening postal service to deliver you a new one.
Anti-fraud measures for inherently insecure mag stripe are really tilted in favour of the big operators who can afford a well-skilled fraud shop or a provider who’ll happily charge millions per year in licence fees. The difference in fraud-to-total-dollars-transacted between a big player vs something like a credit union can be 20x, especially if there’s a major counterfeiting campaign. And it’s generally considered a social good not to make things easy for organised crime.
The fatter margins in card processing in the US can pay for more fraud than in other countries where regulators have limited card processing interchange fees (e.g. 3% is common in the US, 0.3% is regulated in the EU)
> I honestly don’t even recall the time when the magnetic stripe was needed.
Every time I've been to the US it's still magnetic stripe in places like restaurants/bars where the wait staff whisk your card away and then 4 days later the charge ends up appearing on your card.
I saw chip and pin (or sometimes the odd chip and sign) appearing in the big shops/chains like walgreens though so I guess it's slowly changing.
It felt a bit like what the UK was like 15-20 years ago.
The Pandemic has really changed how credit cards are handled here. Pre-Pandemic, Tap and Pay was fairly rare, but now, it is everywhere (Nearly 90% by my informal count). The odd thing I noticed is that the smaller the market, the more likely the store/shop uses Tap and Pay.
American's are also using their phone more to pay.
For us ‘Mericans, all credit card transactions at a chip reader are chip+signature. We typically only have PIN numbers configured for debit cards. And most of those can be processed successfully without providing the PIN by pressing the credit button on the terminal.
Although, in many cases signatures aren’t necessary. Anecdotally, I can only recall having to sign a handful of times in the last five or so years. (Edit: outside of restaurants.)
Also: it’s important to remember that running a debit card as credit isn’t the same thing as using debit. At most banks, your credit limit for debit cards (weird sentence, yeah) is very low: like $500 or so. If you call (and have sufficient funds), they’ll often temporarily raise it for you. (It’s how I paid for school on a debit card when the school could only run it as credit.)
From the card companies' perspective, the alternative to magstripe isn't contactless, it's contact (the smart card IC embedded in the physical card).
In the US, the card companies convinced merchants to adopt the EMV contact standard by implementing a liability shift that would make the merchants liable for card-present magstripe fraud after a certain date. For merchants using POS terminals, the liability shift happened in 2015, and for gas stations it happened a few months ago (after several delays). EMV contact coverage needs to be essentially 100% before they'll consider getting rid of magstripe completely.
Contactless is an entirely optional sideshow, and is not required by anyone anywhere. It has lots of issues (they somehow managed to make it less secure than magstripe(!), which is kind of appaling) and there are no plans to ever have it supersede EMV contact as the baseline standard.
Contactless is not less secure than magstripe. I don't know where you got that from.
You can't make a fake contactless card, because each card has a private key that you can't extract. But it's trivial to make a fake magnetic stripe card.
One type of fraud with EU credit cards works like this: Criminal collects credit card numbers and pins by adding a hidden magnetic stripe reader to an ATM and a video camera, then create a fake magnetic card, and then withdraw money with fake card + PIN somewhere abroad where magnetic stripes are still allowed.
For this reason, my bank disables withdrawals from abroad by default, and you need to manually enable world wide payments in the online banking app.
You're correct that you can't easily clone an NFC card from RF interactions alone, but beyond that just about every other aspect of these cards is worse.
Most contactless cards can be asked to transmit the cardholder's name, credit card number, and expiration date, and the card will happily do so, wirelessly. This is often enough to make fraudulent online transactions.
It's trivially easy to build a device that does this using a microcontroller and a coil of wire. You don't need to have a payment processor's encryption key, you can just make one up and the card will reply. You can walk around in a crowded area with such a device and capture responses from hundreds of cards in under an hour.
Electronic devices that clone your contactless card are usually better, as they generally require some sort of interaction before they'll respond -- actual physical contactless cards might as well be a megaphone attached to your credit card number.
If you can capture a genuine transaction between a POS terminal and a contactless card, and if the transaction amount is below the card's floor limit, the transaction can often be replayed or relayed to a different terminal.
With a cheap amplifier, this can be done reliably from low single digit ft away. The floor limit is usually somewhere around $20-$100 below which the terminal doesn't ask for a PIN or go online.
You imply that it is possible to clone NFC cards with other means. Is that really possible? Crypto chips are usually hardened against all kinds of attacks, and I would assume that NFC cards are resistant to cloning even if you have physical access to the chip. I'd be curious to learn more about that if my assumption is incorrect.
Regarding replay attacks, do you have a source on that? I would assume that even offline POS terminals would use a nonce to prevent replay attacks. Is that assumption incorrect?
And finally, you can extract card holder name and card number from most cards just by looking at them. Claiming that NFC cards are somehow worse than mag stripe cards in that regard is just FUD.
> You imply that it is possible to clone NFC cards with other means. Is that really possible?
I mean, sure, it's always possible, but probing a secure microcontroller with needles and an electron microscope isn't really what I meant.
I was referring to what the various mobile wallet applications do behind the scenes when they allow you to "import" a plastic card and then use it as a contactless payment source via your phone's NFC radio. They're not actually cloning the private key inside the card, they're using various banking APIs to ask for a new key that, for all intents and purposes, will act exactly like the key on the physical card.
They're supposed to ask for extra info so that they're super ultra sure the person importing the card is the legitimate cardholder, but this is not always very thorough. What kind of info do they typically ask for? Numbers printed on the card that you can acquire wirelessly by accidentally bumping into someone. If you're lucky, they'll try to do two-factor via SMS or email with information that they have on file, but I've seen some that don't bother.
> Regarding replay attacks, do you have a source on that? I would assume that even offline POS terminals would use a nonce to prevent replay attacks. Is that assumption incorrect?
I worked on an EMV contact + contactless implementation several years ago, and at the time contactless replay attacks were easy to demonstrate. Things may have improved since then, but the protocol was not very good (supposedly due to constraints from early NFC cards that were small and anemic), and I think they would need to redo most of it and kill backwards compatibility to mitigate the risk completely.
From what I can tell, there was a lot of discourse around these problems around 2015-2018. There were demonstrations and exploits galore. But the standards were already out and none of the banks or card issuers wanted to change anything. Security researchers got bored and moved on. I don't see any evidence that replay and relay attack vectors have been fixed, or that they aren't exploited in the wild, just that the banks seem to consider the risk acceptable.
> And finally, you can extract card holder name and card number from most cards just by looking at them. Claiming that NFC cards are somehow worse than mag stripe cards in that regard is just FUD.
So you'll let me rifle through your wallet and write down the card numbers and expiration dates? Would the average person let me do this? Of course they wouldn't, because basically everybody knows that they need to prevent random people from seeing the various numbers printed on their payment cards.
Is the average person aware that I can capture these markings by "accidentally" bumping into their back pocket on the subway?
It's not FUD, it's a (subtly?) different issue, one that the public largely doesn't understand yet.
What's frustrating about contactless cards is that there isn't even a good solution once you do understand the ...
Eh? No, it’s part of the EMV standard and uses the same triple-DES crypto. There have been contactless implementations with poor security, including some truly weird contactless-mag stripe devices, but they are not the current standard or widespread in most markets.
I said baseline standard. EMV contact is the baseline standard. EMV contactless is optional.
If you want to issue a new card today, it must have a chip, but it doesn't need to have contactless. There are currently no (public) plans to change this.
Living in Europe, I genuinely had no idea cards with magnetic stripes were still in use. I thought everything used chips nowadays.
I still prefer my card for contactless payments though; using my phone is not really much more convenient since my phone case holds the card anyway and it at least works consistently.
It's more convenient if you need to pay more than 25 EUR (or whatever the limit is where you live), where you need to use your PIN with contactless card.
Or you use contactless payment with your phone which then does not have a 25 EUR limit (actually I think these days it is more like 50 EUR) since the phone supplies some form of authentication, which a plain contactless card can't.
Mag strip or chip, you still need your pin here. With contactless there is a limit of 50-100 EUR, and when you use Apple Pay you never have to provide a pin.
Except for the excellent infrastructure, public transit, trains, roads, quality of food, safety, lack of junkies and meth addicts and mass homelessness, and so on, whereas its the US that is increasingly like 1880 almost everywhere you go...
Because here in the US there are still gas stations using embossed credit card systems who get confused when your card doesn't have raised numbers on it.
Gas stations. The gas station industry has been avoiding upgrading pumps. It's expensive. Retail checkouts usually just need a replacement of the desktop unit, but gas pumps require actual modification. They got a 3-year delay, until October 2020. Then April 17, 2021. Then they got hit by the coronavirus epidemic.
The upgrade has to be done by a qualified installer; you don't want someone who doesn't know what each wire does mucking about with the electrical innards of a gasoline pump. There isn't a huge supply of trained gas pump upgraders. There are many pump variations, and some can't be upgraded at all. Gas pumps often don't have an Internet connection, just a 2-wire twisted pair running RS-422 or something. The chip card readers, inevitably, want full Internet connectivity. Which means getting CAT-5 out to the pump. Which sometimes runs into CAT-5 length limitations. The older systems sometimes worked over dial-up.
Average cost per pump is about $6,000.
Gilbarco/Veeder-Root has a product which is basically a pair of DSL modems to allow using the existing 2-wire connection to carry the Internet out to the pump.[1] Amusingly, they'll give you this for free if you buy their product for running ads on the pump.
In Europe (Scandinavia at least), Gas stations use contactless, and most gas/oil companies have a dedicated app (think loyalty card) that can also handle payment for you over the internet.
It uses GPS, so when you open the app at a gas station it already knows where you are, and simply asks you which pump you want to unlock.
It's probably not a problem in a place like that with some kind of privacy regulation. Import the concept to the US and it'll be outsourced to some company with sketchy security that'll find all its user data leaked in a year because they'll face no social, economic, or legal consequences for not preventing it. If they're not selling the data themselves.
I assume they will require an account of some sort, and their DB will inevitably be breached to leak it who knows where. It knows more about me than my location. Probably. I don't know what all the proprietary software running on my portable sensor suite does or knows.
And almost without fail corporate one-off apps are bloated piles of contracted out and barely maintained garbage taking up too much space when a couple of forms and a few Mb of graphics/logos would do. Lastly very few actually work well or reliably, logging me out after needless updates seems to be a common pattern.
They require an account yes, but don’t kid yourself, every time you use a credit card to purchase something, your habits are being tracked by the merchant, using your very identifiable card number.
As for garbage apps, the one I use is well maintained, 53.7 MB binary, so not much on the side of tracking considering it contains ALL of their gas stations with pump details, paid parking lots and car washes. I had to check if it actually used an account, because I don’t remember ever signing in to it.
Also some retail places. Home Depot is a huge retailer in the USA, but they will not accept contactless payments. I assume it has something to do with having to pay a higher percent per transaction.
Initially only “credit” networks like Visa/MC supported tap to pay with interchange fees of 1 to 2.5%. The low fee debit networks did not. Regulated debit is as cheap as 21c + 0.05%. A lot of retailers have thin profit margins of 5%. So contactless adoption would mean more high interchange “credit” transactions and fewer low interchange debit transactions. Thus the retailer resistance to contactless.
The dumb thing is they have the tech to do it - when they rolled out their new chip readers several years ago, I was in a store where they had accidentally left the contactless reader on for a day or two, and was able to use ApplePay.
Next time I went back the reader just feigned ignorance.
Gas stations also have a disincentive to have you pay at the pump. They want you to walk in and buy from the mini-market, at least here in Australia the petrol was a loss-leader for a long time. They made all their money from the in store mini-market. All petrol stations here are essentially convenience stores with a gas station attached to get you in the door.
We have had pay at the pump before, but they got rid of it, and even brand new stations don't have it so it's not just upgrading the pumps.
This may be the case in Australia, but it's very much not in the US. Pay-at-pump is ubiquitous. Barring outliers like Oregon, people are not used to having to interact with another person or walk away from their cars in the process of filling up their tanks. Gas stations do tend to have colocated convenience stores, but going in one is an optional part of the experience.
A lot of gas stations now have a screen on the pump that plays ads at you to make up for the fact that you're not coming in. Fortunately there's a mute button and it usually works.
I wonder why there isn't a "Buy now" button, they're already charging your credit card, they'd just need to hire someone to run the item from inside the store to you at your car. Add some sensors like body temperature monitoring; Sweating person who looks like they like their sweets? "5% off this ice cream if you hit 'Buy!' within the next 30 seconds!".
Damn, I think this is an idea. At least for developing countries, were labor is cheap, the runner is the expensive part of this concept.
This should be a good incentive for "gas stations" to set up and maintain SAE CCS DC Fast charging for electric vehicles. Put a couple of small tables and a cafe, and people would stick around for the 30 minutes to get a good charge.
That was the premise for CHAdeMO. Stop and have a cup of coffee and read the paper in a Starbucks-esque environment. Perhaps even mingle with one's fellow man.
I don't think it will really work outside of very specific demographics who a.) want to get coffee and read the paper/rss feeds, and b.) have 30 minutes to spend on a charge-centric event (as in you went there to charge, not to get coffee and croissant).
In the US, it's much more the norm to start the fuel running, then go inside and buy whatever you need, and come back out to find that your car is full and you can simply drive off. Do Australian pumps not have the little latch to allow fuel to keep running without someone squeezing the handle the entire time?
Too many stations in my area of the US (western Ohio) allow this. I was a cashier at my family's independent gas station for a number of years, and it always pissed off customers when we stopped the dispenser when they walked away / got in their car / etc. It's a legitimate safety and environmental hazard (some hold-open latches don't disengage reliably on some filler necks leading to gasoline rolling out of the tank onto the ground). People get used to lax non-safety conscious stations and then act like jerks to the employees in stations who do care.
This isn’t the case in Tasmania, since nearly nothing is open here 24hrs almost all fuel stations have a pay station located by the building, rather than at each pump.
Recently one independent has built a few fuel only prepaid only fuel stops, no minimart and no staff.
That's interesting, maybe we adopted contactless payments faster in part because in our gas stations you'd usually pay inside the shop. I have to think that was only one of many reasons, though.
Partly that, and the USA's much higher car dependence in general. I'd wager the average adult in the USA spends more time in a petrol station than the average European.
Well, my 7 years old Mercedes A 180 CDI 2012 model (Diesel engine) averages 53 mpg (4.4 l/100Km) still today (see my old comment with all the details for the these numbers at https://news.ycombinator.com/item?id=14552816). The manufacturer-supplied official numbers are even better (3.3 to 3.6 l/100Km, or about 65 to 71 mpg).
NB: the above mpg numbers are computed using US gallons (3.785 litres)
Useful economy figures, for sure. It's the average across Europe that I'd find really surprising, given how many older vehicles there will be, and not all diesels
That’s a great answer. My observation (watching from a card issuer across the pond) has been that it’s also integrated checkout/POS infrastructure at a number of large retailers - supermarkets, department stores, pharmacies as well as automated fuel dispensers and ATM†. The USA lagged for probably 15 years before there was any significant penetration of chip + PIN and contactless payments. Once the first large retailer replaced its fleet in ~2017 it’s been accelerating.
Since the USA makes up fully half of global card payments, MC and Visa were never going to ditch mag stripe until there was 80% penetration.
†Many AFDs seem to be configured to reject international cards which may explain why they’re not well represented in my sample set.
Try the buttons around the display. That almost always solves the problem. If none of them work, stop pumping gas and leave. That always solves the problem.
The fuel dispenser industry, from an IT perspective, is a racket. My family owns a small independent gas station and recently did a POS replacement. The proprietary protocols for communicating to dispensers and controllers makes for crazy vendor lock-in and ridiculous installation fees, hardware prices, and ongoing support fees.
I guess one reason is global compatibility. For a global system to hold its promise, a card issued in one country (including developing ones) should be serviceable anywhere else.
WePay and Alipay have their dual in CashApp and Venmo. The only difference being that Alipay has a lot more institutional support, ie. you can scan your QR code at the grocery store - not the case with Venmo (yet).
Zelle took a long time to be developed, so it has essentially no network effects - most people don't have Zelle.
Zelle can only be used by people who have banks that support Zelle, which many people do not (my bank for instance does not support Zelle, nor does my SO's - so we have no way of using Zelle to transfer money between each other.)
Zelle doesn't allow you to use credit card AFAIK.
Zelle doesn't have QR code AFAIK.
Interesting. I would expect most people in the US to have Zelle due to the market share of the big banks, and the extensive list of Zelle participants:
As far as I know, you do not have to do anything other than let your bank know the phone number/email to associate with the account you want to send/receive money to.
> As far as I know, you do not have to do anything other than let your bank know the phone number/email to associate with the account you want to send/receive money to.
Yes, if your bank supports Zelle (which as I said, mine doesn't).
You can look at the numbers around this - way more people know about and use venmo than zelle.
Still a LOT of merchants that need to upgrade equipment to do chip cards including some large franchises. There is a real problem that chip reading devices do not yet have anywhere near the longevity that magswipe use does. Machines go out of service for repair and cleaning after as little as a month of use in busy locations. Magstripe machines typically lasted 12 months plus before needing attention.
Where do you live? I haven't seen a card terminal that can't do chip in like 15 years. The old terminals that need to be upgraded are the ones that can't do contactless but even those are rare. A card terminal that can only do magnetic seems really alien and ancient.
Who cares about inserting chips into the machine? We're already well past that, to contactless payment — tapping the chipped card against the terminal like an NFC door tag. It still uses the chip, and can still require your PIN (depending on your bank); you just don't stick the card in the machine to do it. MTBF = approximately forever.
Inserting the chip is a fallback, or for high-value transactions. Both use-cases are low-volume enough that a POS terminal's chip-slot reader should see relatively little use/wear.
In Finland they motivated the stores to upgrade by telling them that after date X they would be responsible for any fraudulent transactions done with a magstrip.
The transition went really fucking fast after that =)
This has been the case in the US for two years. Lots of merchants including some very large one don't really care. Fraud is relatively small in comparison to technology and maintenance costs.
most stores in my town (pop 500, US, mi) still take personal checks. mag reader is needed for fuel pump. a few times needed in store when ship reader wasn't working.
Of the three modes nfc is my favorite, takes less time, but also works less reliably. Chip takes the longest time. And I keep removing it early out of habit. And stripe is the least used. But works the best.
Yeah, it was very confusing the first time I went to the US for more than a couple of days. When getting some cash, I was used to putting the card in ATMs and leave it there during the operation. In the US, the ATM did nothing before I took the card out.
In the UK (and most of Europe afaik) the card is ejected immediately before the cash; the ejecting of the card indicates your authenticated session has ended.
There are some in the U.S. that do this, but it still didn't stop my friend from leaving his card in the ATM and having to go through a process with the bank and wait for a new card to show. Better to just make sure you have it by stopping you from doing anything else until you have it imo.
I have never, ever heard someone saying they forgot their card in the handfuls of European countries where I have been. I have heard complaints about the ATM "eating" the card (not restituting it; this happens sometimes for various reasons). You'd have to try very hard to do it (like take the card out, because otherwise you won't get any cash, and then sticking it back in, or just leaving without taking either cash or card). This just is not a problem.
In recent years, I've had more transactions using the embossed numbers than I've had using the magnetic stripe. I've had a few taxis in various countries dig out and use one of the slide-across carbon-paper impression machines, once they got through the second or third round of "are you sure you won't pay with cash?". I've had fewer cases of "our chip reader doesn't work, please swipe the card instead".
Why wouldn’t everywhere be supporting contactless payments by this point?
And that’s not me being snippy, because perplexingly, Mariano’s, a grocery store chain in Chicago owned by Kroger’s, does not support NFC payments. (I assume Kroger’s stores proper don’t either.) You have to swipe, use the chip, or use the dedicated Kroger Pay app to scan a QR code to use your digital wallet. (Yes, really. Took them forever to even support chips instead of magstripes.)
I have absolutely no idea why they do this. Is there a higher interchange fee for contactless? Kroger’s isn’t some mom-and-pop convenience store—they’re the largest supermarket company by revenue.
Because these chains have decades old point of sales systems which no one wants to touch. It isn't simply a matter of swapping out one card reader for another.
They did swap out all of the payment terminals, though. Just for ones without that functionality. However, I could believe that they selected the hardware because they were stuck with choices that were compatible with other systems. Kroger is a big company with quite a lot of resources, though.
Kroger brand stores have terminals that support contactless. Their self checkout lanes get new hardware and/or software every couple of years.
I’ve worked with many payment gateways over the years and enabling contactless on a stack that already did EMV never required a code change on the POS system. The terminal just passes the same data along to the POS.
I’m convinced there’s some fees at play here. The standout to me is how they push Kroger Pay - that’s to save on processing fees.
I've been shopping at Kroger regularly for decades and my guess is that it might have something to do with the timing around their last major payment terminal upgrade. They upgraded before NFC payments were very popular but fairly close to when they really needed to support chip cards (my recollection was that the payment networks were saying they would no longer insure against fraud without a chip terminal), and it seems like for whatever reason they went with a terminal that didn't support it.
I remember being annoyed with seeing all of the seemingly brand-new hardware being installed at multiple locations that very obviously lacked NFC payment support.
The QFC (which is Kroger's AFAIK) near me finally started allowing NFC payments sometime in 2020. Part of me wonders if covid and wanting less contact motivated that because the actual terminals themselves didn't change but rather they just enabled the NFC functionality.
It's a security risk even if you don't use it. Someone just seeing your card briefly could copy it as the stripe has the same info that's printed on it.
Incidentally, this discussion is filled with people who have no idea how payments are authorized.
I'd prefer we just phase out MasterCard. I went to a restaurant the other day. QR code on the receipt. Scan that and it opens up Toast. Toast then connects to Apple Pay, which then connects to my credit card. No less than 3 middlemen to pay the restaurant, is absurd.
QRCode -> Wallet on my phone holding stablecoin on a L2 like polygon (which is collecting APY through DeFi) -> Restaurant
Does anyone actually pay the way you described? Honestly?
I either swipe my card or hand it to them to do it for me and call it a day.
I don't have to worry about some cryptojockey screwing up a DeFi contract scheme and all my money being stolen in a non-FDIC insured account. I have fraud protections against card theft.
It ain't perfect, but it's not the electronic equivalent of walking around with me lucky charms in my fanny pack, ripe for the mugging, either.
While your point is valid regarding a crazy number of middlemen, I've also paid via the QR code on the receipt at a number of restaurants recently and I love it!
No need to flag down a server when it's time to pay; I just scan it on my phone, click on apple pay, enter the tip, and I'm done!
Even in the US, I can't remember when I last had to use the magstrip. [1] I could probabbly degauss the magnetic strip and not have any issues. If you have a chip debit card that you never use... it probably isn't a bad idea to make the card chip only.
What I actually want is a specific bank alert if the card is used without the chip. Currently I just make any transaction over $20 send an email.
[1] I guess at resturants where they actually take the card for a minute, I don't know if it's chip or magstrip transaction.
> Prepaid cards in the U.S. and Canada are currently exempt from this change.
I'm telling you all, prepaid cards are a scam. Why? One of the reasons besides massive fees and shady tactics for most are because they're so far behind the times. Most don't even have a chip for example. Look at a Netspend card (using it as a prime example) and compare it to any bank card today.
324 comments
[ 4.5 ms ] story [ 238 ms ] threadI do have to do the mag-swipe maybe once a year, if the chip reader is acting up (still no signature, it asks for the PIN).
https://www.swedbank.lt/img/private/d2d/cards/3dSecure/816x2...
_edit_
They dropped the requirement in 2018
https://www.mastercard.com/news/press/2018/signing-off-maste...
In the US, the way we do tip on receipt is a lot more natural if you're asking for a signature. Without a signature, you're just handing someone a tip option, which is awkward with our current way of doing things.
Some merchants opt to keep signature enabled because it gives them a fuzzy feeling and it's a point of closure to a transaction.
I didn't trust that so I ended up just signing the receipt and adding the tip to the bottom and keeping my card in my wallet. Needless to say I think the bar staff got a lot of tips that night!
You generally tip based on percentage or the number of drinks, so it shouldn't matter too much unless you're doing it by percentage and rounding up the nearest dollar.
I understand what you're saying, and how its locally relevant, but from the outside looking in the US is a long way behind on keeping up with the tech in this space.
That is never going to work in the US. Very few people would be comfortable with that.
Since Canada and the US have basically the same tipping culture, these POS systems seem to be already tailored for adoption in the US market (or at least, being cloned by US POS mfgrs.) Not sure why they haven't been.
Most places I go now have a receipt option step that serves as a justification for the tip screen, rather than the signature. Tapping “No Receipt” for a $5 beer purchase is only a little faster and less ridiculous than signing for it.
American in Hungary. Here tipping isn't expected like it is in the US. But when you pay, they bring the terminal to your table with the check, then you tell them that you want to add a tip and how much, and they type the total into the terminal before you tap your phone or card. Perfectly natural.
> if you're asking for a signature.
Just so many merchants are accomplished to asking for it (or haven't updated their terminals to code for not asking for it) - which is why you still encounter it.
By 2029, no new Mastercard credit or debit cards will be issued with a magnetic stripe. Prepaid cards in the U.S. and Canada are currently exempt from this change."
Naw, we use checks, much more convenient than cheques.
I still have that check because it's literally worth nothing around here.
I have never in my live used a check or seen one outside of movies.
I actually can't think of a single place outside of a bank where you can use a cheque and even then it's a challenge to actually exchange it for cash. Most banks in Australia have trouble coming up with $10,000 - even busy branches in the CBD of a major city.
Now, granted I haven't been to America, but I do read things on the internet. From what I understand, your financial system is held together by a system of pneumatic tubes passing cheques around, though I hear there is some experiment with telegram machines.
Alas, I’m not sure which tubes you’re referring to. These days, banks use FTP to shuffle bank transfers around.
However, I do think checks have their uses. I’d rather write a check than use cash any day of the week. You can cancel a check, but you can’t cancel cash. Of course, I’d rather pay digitally. But sometimes that’s not an option.
Also: “cashing” a check usually just mean depositing it into your bank account. Not swapping it for cash, although you can do that, too.
In order of decreasing readability/communication reliability:
1. Magnetic stripe
2. NFC
3. EMV
The EMV ("chip") method is the least insecure, but lately all of my cards have been started oxidating. And it seems like the pogo pins in almost all readers also started wearing out too. Chip reader failures have become very common lately.
It's very common that I have to both clean the card before using it and also bend it while pushing it into the reader to counteract the worn out pogo pins in the in-store reader. Super annoying.
NFC has been a saver, but because of the banks security risk (it's cleartext, after all) you can't really use it all of the time.
The magnetic stripe seems like it never seems to stop working. I've assumed I can't use it outside of my native country, though, perhaps incorrectly.
I believe this is to help discourage downgrade attacks.
There was a form of contactless magstripe (MSD) that was not encrypted and has been phased out of usage as of like, late 2019 via card update bulletins.
Honestly curios: where (and when) did you make that observation?
(Sorry, this was unclear from the first iteration of the observation.)
Except for my exchange year in Texas.
So you can have never paid by swiping and be well over 30.
What do you mean by "cleartext" exactly ? When I pay using my card with NFC, it's not really cleartext.
It just isn’t a thing anymore.
You can flip it with a writer and use the magnet strip again if you want.
It’s quicker as one doesn’t have to wait for the Javacard OS on the chip to boot up and handshake. (Ie swipe and walk away vs insert, wait 4 seconds, remove).
Wouldn’t do this on my debit card but it’s fine on credit cards with chargeback protection.
Where I lived over the last years (two countries in Europe), I don’t even have to use the physical card. I just use contactless payments with the phone. Prior to that, it was contactless with card. Even ATMs work with contactless (not all, yet). Prior to that, it was chip. I honestly don’t even recall the time when the magnetic stripe was needed.
(edit) Think of this: I made an account with one of these neo banks, ordered the card too, and it took me over a year to activate it. I still don’t use it. I just installed the virtual card into the phone’s wallet and used the account like that.
Turns out infection from surfaces is basically a non-issue.
https://www.nytimes.com/2021/04/08/health/coronavirus-hygien...
You can bypass the paywall with scripts disabled, but the key excerpts are:
>But the era of “hygiene theater” may have come to an unofficial end this week, when the C.D.C. updated its surface cleaning guidelines (https://www.cdc.gov/coronavirus/2019-ncov/community/disinfec...) and noted that the risk of contracting the virus from touching a contaminated surface was less than 1 in 10,000 (https://www.cdc.gov/coronavirus/2019-ncov/more/science-and-r...).
>“People can be affected with the virus that causes Covid-19 through contact with contaminated surfaces and objects,” Dr. Rochelle Walensky, the director of the C.D.C., said at a White House briefing on Monday. “However, evidence has demonstrated that the risk by this route of infection of transmission is actually low.”
https://www.cdc.gov/norovirus/about/transmission.html
for when you fly over to the US and need to use your card
Are gas stations not a big target for skimmers? Why didn't they design it to avoid the magstripe-skimmers? have two inserts or something, I don't care. But now we're a FULL generation of gas station pumps away from being free'd from skimmers. I just don't understand.
Also, don't get me started on the audio/video ads at the pump these days. They're the worst. I'd rather have to pay inside than have "while you're pumping" ads.
Unlock your iPhone with Apple Watch when you're wearing a face mask
https://support.apple.com/en-us/HT212208
FWIW, Contactless is very hit-or-miss for me in the US; about 1/3 the time it just doesn't work at all (even with multiple retries), and that's when the terminal has one. Was picking up something at the corner store the other day, realized I didn't have my wallet and contactless just didn't work with the phone at all for some reason.
The overseas market has been saturated with chips for 10-15 years, and contact less for 5+, probably notably more.
Your groceries are all rung up and the POS terminal is waiting. You dig out your phone or contactless card and try to invoke the contactless payment system. Nothing's happening. You wave it around a little. Still nothing. Grocery cashier is looking at you like you're an idiot nerd, saying "That thing doesn't work. Just stick the card in the slot." Now I dig in my wallet looking for my chip card as the whole line behind me huffs about how much of a moron I am. Stick it in the POS terminal, and it waits... and waits... and waits... and finally, loudly proclaims BONK BONK BONK transaction approved. Everyone other than me is saying "Finally, we can move on".
Contrast that with mag swipe: Pull out the card. Swipe it (which takes 500ms). Done.
Or worse...it feels like you're just standing there. God, I hate that!
I switched to curb side pickup, I hope I never have to enter a grocery store again
vs my last 100 contactless payments: pull out the card, tap. Almost instant happy beep.
I once actually got stuck at La Guardia because of the chip/stripe divide. I hadn't thought to get enough US cash out in advance, and all I had was my Canadian CC and Debit cards. I'd used nothing but the chip on the CC for > a year and didn't realize the magnetic stripe was completely worn off!
I tried several money-changers and ATMs there, and even called my bank -- no options at all. I finally found $5 CAD in my backpack and changed it to USD for bus fare, then caught a local bus to a nearby actual bank, where they were finally able to use my ID and the card number to authorize an advance. It was a heck of a day.
Garbage bag? You mean one of those paper thin plastic bags that many big cities in the USA have all but banned?
Does that actually help with the mag strip being read or was that a joke regarding the cards being complete garbage?
https://old.reddit.com/r/explainlikeimfive/comments/1ycw61/e...
No idea if this explanation is legit, but I can anecdotally confirm that the trick has permitted a purchase in one case in my own direct experience.
It can be done, and is being successfully done in many places.
Now those are slow. But hey, this is back in the time when people would write checks at the checkout.
Besides, I don't see how your situation is an argument for mag swipe. Are you saying contactless fails more than mag swipes? Or that mag swipe is faster than contactless/chip? Absolutely not my experience in either way.
For me contactless is my phone or watch.
The latter is like 20 times more frequently used, and I speak as someone who does not use it to pay (at least not directly). Very odd premise, to me.
Since cards can have tap to pay, chip, and stripe all on the same card, I do not see the uncertainty in merchants supporting it to be an Achilles heel since you will have the card anyway. It might be an Achilles heel for Apple Pay/Google Pay, but not contactless/tap to pay in general.
That's a shockingly high number. I'm in Canada, and I'd take a rough guess that maybe 1-2% of taps fail on first try. Most of the time it works on a second try -- and I actually think that usually happens when the POS system is slow and you tap too early.
And in cases where it really is just not working, the fallback is chip + PIN, which is 100% success rate. I'm sure there's cases where a card gets damaged and it wouldn't work, but it's not like the magnetic strip will survive that.
I don't think I've used the actual magnetic strip in at least a decade, except when I've been travelling in the US.
In last year, I have bailed out quite a few people stuck in the checkout lines because whatever hi tech form of payment, they were using, didn’t work and had no cash.
When I lived in the states and worked retail, your cash wouldn't be accepted at a lot of stores if the power was out (or if internet/phone lines caused the registers to fail). To complicate things, I worked in a pharmacy, so accepting cash for the medicine without it going through the system might have actually been illegal.
Not to mention to use an ATM you need a card already to begin with, might as well just pay with that card directly?
Food stalls I agree are more hit or miss.
Merchants don't want to be responsible for the fraud, so they are incentivized to get rid of the mag stripe.
Also the rate of mag fraud is still pretty low, more Online Fraud which was ALWAYS liable to the merchant and did not see to do much ti incentivize any changes there.
Causing 90% of your customers pain to save less than 1% on fraud is likely going to cost merchants more than just paying for the fraud, which is also the math online merchants used. Online merchants that have huge fraud prevention lost more customers than the fraud....
Hell I remember one time a online merchant wanted me to submit more info after the sale for anti-fraud... I cancelled the order and bought from someone else
How painful could it possibly be to go and buy a new card reader? Why doesn't the payments provider offer them as part of the service? They are not so expensive.
It's not like this is an investment that will lead to more customers or new revenue, this is a big expense just to stay afloat. Getting financing for such an expenditure is extremely difficult. At least in a mixed ecosystem you might be able to recoup some of the cost selling your old equipment, but no one's going to buy it if it's going to stop working soon.
This seems to be universal in Australia. Even the mega store self serve integrated systems have a separate machine mounted on for processing card payments.
And even if you can hotswap a POS system, they're still expensive. A machine plus software is about $4000 per lane, and that's when you're not a captive market. Even small retailers typically have enough lanes that this is a significant expense. People in this thread are giving prices for Square readers which 1) are not at all sufficient for most businesses and 2) are sold at a loss while Square makes its money on transaction fees and subscription services (the same is true for the rest of the Square clones). It's like comparing a home projector to a movie theater projector.
But the bank doesn't pay me for my inconvenience in noticing and reporting the fraud, and then the time to move my recurring payments to a new card.
I wish contactless payments worked with my card more places, especially gas stations.
Not really. Anti-fraud measures by the banks usually amount to taking the hit themselves, unless they actually catch the culprit. And that's only in the case of actual fraud. In other instances, the banks' algorithm screws up and blocks your card for a legitimate transaction. Then there's the hassle of replacing your card.
In the U.S., the bank where I have my checking account can print cards in the branch, but many more make you wait for the ever-worsening postal service to deliver you a new one.
Every time I've been to the US it's still magnetic stripe in places like restaurants/bars where the wait staff whisk your card away and then 4 days later the charge ends up appearing on your card.
I saw chip and pin (or sometimes the odd chip and sign) appearing in the big shops/chains like walgreens though so I guess it's slowly changing.
It felt a bit like what the UK was like 15-20 years ago.
Also: it’s important to remember that running a debit card as credit isn’t the same thing as using debit. At most banks, your credit limit for debit cards (weird sentence, yeah) is very low: like $500 or so. If you call (and have sufficient funds), they’ll often temporarily raise it for you. (It’s how I paid for school on a debit card when the school could only run it as credit.)
https://www.autoplus.fr/securite-routiere/peages-le-paiement... - only 20 contactless toll gates in all of France in 2016 (gates, not tolls).
France was the earliest adopter for chip and chip+pin, but they have been somewhat late to the contactless party (for a EU country).
In the US, the card companies convinced merchants to adopt the EMV contact standard by implementing a liability shift that would make the merchants liable for card-present magstripe fraud after a certain date. For merchants using POS terminals, the liability shift happened in 2015, and for gas stations it happened a few months ago (after several delays). EMV contact coverage needs to be essentially 100% before they'll consider getting rid of magstripe completely.
Contactless is an entirely optional sideshow, and is not required by anyone anywhere. It has lots of issues (they somehow managed to make it less secure than magstripe(!), which is kind of appaling) and there are no plans to ever have it supersede EMV contact as the baseline standard.
You can't make a fake contactless card, because each card has a private key that you can't extract. But it's trivial to make a fake magnetic stripe card.
One type of fraud with EU credit cards works like this: Criminal collects credit card numbers and pins by adding a hidden magnetic stripe reader to an ATM and a video camera, then create a fake magnetic card, and then withdraw money with fake card + PIN somewhere abroad where magnetic stripes are still allowed.
For this reason, my bank disables withdrawals from abroad by default, and you need to manually enable world wide payments in the online banking app.
Most contactless cards can be asked to transmit the cardholder's name, credit card number, and expiration date, and the card will happily do so, wirelessly. This is often enough to make fraudulent online transactions.
It's trivially easy to build a device that does this using a microcontroller and a coil of wire. You don't need to have a payment processor's encryption key, you can just make one up and the card will reply. You can walk around in a crowded area with such a device and capture responses from hundreds of cards in under an hour.
Electronic devices that clone your contactless card are usually better, as they generally require some sort of interaction before they'll respond -- actual physical contactless cards might as well be a megaphone attached to your credit card number.
If you can capture a genuine transaction between a POS terminal and a contactless card, and if the transaction amount is below the card's floor limit, the transaction can often be replayed or relayed to a different terminal.
With a cheap amplifier, this can be done reliably from low single digit ft away. The floor limit is usually somewhere around $20-$100 below which the terminal doesn't ask for a PIN or go online.
You imply that it is possible to clone NFC cards with other means. Is that really possible? Crypto chips are usually hardened against all kinds of attacks, and I would assume that NFC cards are resistant to cloning even if you have physical access to the chip. I'd be curious to learn more about that if my assumption is incorrect.
Regarding replay attacks, do you have a source on that? I would assume that even offline POS terminals would use a nonce to prevent replay attacks. Is that assumption incorrect?
And finally, you can extract card holder name and card number from most cards just by looking at them. Claiming that NFC cards are somehow worse than mag stripe cards in that regard is just FUD.
I mean, sure, it's always possible, but probing a secure microcontroller with needles and an electron microscope isn't really what I meant.
I was referring to what the various mobile wallet applications do behind the scenes when they allow you to "import" a plastic card and then use it as a contactless payment source via your phone's NFC radio. They're not actually cloning the private key inside the card, they're using various banking APIs to ask for a new key that, for all intents and purposes, will act exactly like the key on the physical card.
They're supposed to ask for extra info so that they're super ultra sure the person importing the card is the legitimate cardholder, but this is not always very thorough. What kind of info do they typically ask for? Numbers printed on the card that you can acquire wirelessly by accidentally bumping into someone. If you're lucky, they'll try to do two-factor via SMS or email with information that they have on file, but I've seen some that don't bother.
> Regarding replay attacks, do you have a source on that? I would assume that even offline POS terminals would use a nonce to prevent replay attacks. Is that assumption incorrect?
I worked on an EMV contact + contactless implementation several years ago, and at the time contactless replay attacks were easy to demonstrate. Things may have improved since then, but the protocol was not very good (supposedly due to constraints from early NFC cards that were small and anemic), and I think they would need to redo most of it and kill backwards compatibility to mitigate the risk completely.
https://www.youtube.com/watch?v=e023wGfVaE0
https://www.cs.bham.ac.uk/~tpc/Relay/
https://www.hackster.io/news/this-tiny-10-device-can-perform...
https://link.springer.com/chapter/10.1007/978-3-319-39814-3_...
https://en.wikipedia.org/wiki/Contactless_payment#Security
From what I can tell, there was a lot of discourse around these problems around 2015-2018. There were demonstrations and exploits galore. But the standards were already out and none of the banks or card issuers wanted to change anything. Security researchers got bored and moved on. I don't see any evidence that replay and relay attack vectors have been fixed, or that they aren't exploited in the wild, just that the banks seem to consider the risk acceptable.
> And finally, you can extract card holder name and card number from most cards just by looking at them. Claiming that NFC cards are somehow worse than mag stripe cards in that regard is just FUD.
So you'll let me rifle through your wallet and write down the card numbers and expiration dates? Would the average person let me do this? Of course they wouldn't, because basically everybody knows that they need to prevent random people from seeing the various numbers printed on their payment cards.
Is the average person aware that I can capture these markings by "accidentally" bumping into their back pocket on the subway?
It's not FUD, it's a (subtly?) different issue, one that the public largely doesn't understand yet.
What's frustrating about contactless cards is that there isn't even a good solution once you do understand the ...
If you want to issue a new card today, it must have a chip, but it doesn't need to have contactless. There are currently no (public) plans to change this.
I still prefer my card for contactless payments though; using my phone is not really much more convenient since my phone case holds the card anyway and it at least works consistently.
Gas stations. The gas station industry has been avoiding upgrading pumps. It's expensive. Retail checkouts usually just need a replacement of the desktop unit, but gas pumps require actual modification. They got a 3-year delay, until October 2020. Then April 17, 2021. Then they got hit by the coronavirus epidemic.
The upgrade has to be done by a qualified installer; you don't want someone who doesn't know what each wire does mucking about with the electrical innards of a gasoline pump. There isn't a huge supply of trained gas pump upgraders. There are many pump variations, and some can't be upgraded at all. Gas pumps often don't have an Internet connection, just a 2-wire twisted pair running RS-422 or something. The chip card readers, inevitably, want full Internet connectivity. Which means getting CAT-5 out to the pump. Which sometimes runs into CAT-5 length limitations. The older systems sometimes worked over dial-up. Average cost per pump is about $6,000.
Gilbarco/Veeder-Root has a product which is basically a pair of DSL modems to allow using the existing 2-wire connection to carry the Internet out to the pump.[1] Amusingly, they'll give you this for free if you buy their product for running ads on the pump.
And, of course, it's all "cloud-enabled".
And that's why there's such a holdup.
[1] https://www.youtube.com/watch?v=RtMxhmJh8V0
It uses GPS, so when you open the app at a gas station it already knows where you are, and simply asks you which pump you want to unlock.
And almost without fail corporate one-off apps are bloated piles of contracted out and barely maintained garbage taking up too much space when a couple of forms and a few Mb of graphics/logos would do. Lastly very few actually work well or reliably, logging me out after needless updates seems to be a common pattern.
As for garbage apps, the one I use is well maintained, 53.7 MB binary, so not much on the side of tracking considering it contains ALL of their gas stations with pump details, paid parking lots and car washes. I had to check if it actually used an account, because I don’t remember ever signing in to it.
So good apps do exist.
https://arxiv.org/pdf/1904.10623.pdf
Next time I went back the reader just feigned ignorance.
We have had pay at the pump before, but they got rid of it, and even brand new stations don't have it so it's not just upgrading the pumps.
Damn, I think this is an idea. At least for developing countries, were labor is cheap, the runner is the expensive part of this concept.
I don't think it will really work outside of very specific demographics who a.) want to get coffee and read the paper/rss feeds, and b.) have 30 minutes to spend on a charge-centric event (as in you went there to charge, not to get coffee and croissant).
Recently one independent has built a few fuel only prepaid only fuel stops, no minimart and no staff.
Edit: Bad googling, sorry. 57 mpg was proposed for new cars.
US gallons happen to be smaller too, fwiw
NB: the above mpg numbers are computed using US gallons (3.785 litres)
I meant, for anyone that missed it, that commuting by bus/train/tram/metro is much more common in urban areas in Europe than in the USA.
</cynical>
Since the USA makes up fully half of global card payments, MC and Visa were never going to ditch mag stripe until there was 80% penetration.
†Many AFDs seem to be configured to reject international cards which may explain why they’re not well represented in my sample set.
I guess one reason is global compatibility. For a global system to hold its promise, a card issued in one country (including developing ones) should be serviceable anywhere else.
I would rather see MasterCard lower their fees, and take 100% liability for stolen numbers/information.
1. https://help.target.com/help/subcategoryarticle?childcat=Acc...
I wouldn't be surprised if, by 2033, people will be identified using biometrics everywhere, so you can pay with your hand print or face scan.
https://www.frbservices.org/financial-services/fednow/about....
Zelle can only be used by people who have banks that support Zelle, which many people do not (my bank for instance does not support Zelle, nor does my SO's - so we have no way of using Zelle to transfer money between each other.)
Zelle doesn't allow you to use credit card AFAIK. Zelle doesn't have QR code AFAIK.
https://www.zellepay.com/get-started
As far as I know, you do not have to do anything other than let your bank know the phone number/email to associate with the account you want to send/receive money to.
Yes, if your bank supports Zelle (which as I said, mine doesn't).
You can look at the numbers around this - way more people know about and use venmo than zelle.
Inserting the chip is a fallback, or for high-value transactions. Both use-cases are low-volume enough that a POS terminal's chip-slot reader should see relatively little use/wear.
The transition went really fucking fast after that =)
When I came back I kept pulling the card early.
And that’s not me being snippy, because perplexingly, Mariano’s, a grocery store chain in Chicago owned by Kroger’s, does not support NFC payments. (I assume Kroger’s stores proper don’t either.) You have to swipe, use the chip, or use the dedicated Kroger Pay app to scan a QR code to use your digital wallet. (Yes, really. Took them forever to even support chips instead of magstripes.)
I have absolutely no idea why they do this. Is there a higher interchange fee for contactless? Kroger’s isn’t some mom-and-pop convenience store—they’re the largest supermarket company by revenue.
I’ve worked with many payment gateways over the years and enabling contactless on a stack that already did EMV never required a code change on the POS system. The terminal just passes the same data along to the POS.
I’m convinced there’s some fees at play here. The standout to me is how they push Kroger Pay - that’s to save on processing fees.
I remember being annoyed with seeing all of the seemingly brand-new hardware being installed at multiple locations that very obviously lacked NFC payment support.
Incidentally, this discussion is filled with people who have no idea how payments are authorized.
QRCode -> Wallet on my phone holding stablecoin on a L2 like polygon (which is collecting APY through DeFi) -> Restaurant
Does anyone actually pay the way you described? Honestly?
I either swipe my card or hand it to them to do it for me and call it a day.
I don't have to worry about some cryptojockey screwing up a DeFi contract scheme and all my money being stolen in a non-FDIC insured account. I have fraud protections against card theft.
It ain't perfect, but it's not the electronic equivalent of walking around with me lucky charms in my fanny pack, ripe for the mugging, either.
https://twitter.com/postcultrev/status/1428584131835748359
What I actually want is a specific bank alert if the card is used without the chip. Currently I just make any transaction over $20 send an email.
[1] I guess at resturants where they actually take the card for a minute, I don't know if it's chip or magstrip transaction.
I'm telling you all, prepaid cards are a scam. Why? One of the reasons besides massive fees and shady tactics for most are because they're so far behind the times. Most don't even have a chip for example. Look at a Netspend card (using it as a prime example) and compare it to any bank card today.