Chip and pin vs. Chip?

pete6032

I am confused about these new chip credit cards.

First of all, no places I go actually take the chip, they all still do manual swipe.

Secondly, I read somewhere that cards in the US are only chip, not chip and PIN. And that having chip only does not provide any additional fraud protection. The new chip cards I have gotten in the mail do not come with a PIN number. So what is the deal? Are US cards just chip, or chip and PIN? And do we need a PIN to fully benefit from chip cards? Thanks.
 

MarkXIX

Three factors of authentication:

1) Something you have (card with chip)
2) Something you know (PIN)
3) Something you are (biometrics)

Chip and PIN are more secure than just chip or mag stripe.
 

MagnusTheBrewer

I am confused about these new chip credit cards.

First of all, no places I go actually take the chip, they all still do manual swipe.

Secondly, I read somewhere that cards in the US are only chip, not chip and PIN. And that having chip only does not provide any additional fraud protection. The new chip cards I have gotten in the mail do not come with a PIN number. So what is the deal? Are US cards just chip, or chip and PIN? And do we need a PIN to fully benefit from chip cards? Thanks.

And why would you ask here instead of contacting the companies who issued the cards?
 

IronWing

I have a chip only card. It works by tapping the card on a reader. It also has a mag strip. I've tapped maybe three times in the years I've had it. No pin and no signature even where a signature is required for mag swipe. I guess the chip is more difficult to spoof than a mag stripe but does nothing to help if the card is stolen.
 

Red Squirrel

I have not seen a place without chip and pin in like forever. I'm surprised that some places actually still do swipe as the default method. Some machines will do swipe but only if the chip fails so many times.
 

mmntech

We've been using chip and pin here in Canada for about a decade now. I guess all those security breaches have finally convinced US retailers to do the same.

I don't like the tap cards though. A lot of cards here have both now. Sort of defeats the purpose of two-factor authentication. I'll trade the convenience for added security.
 

Red Squirrel

Yeah the tap card technology is completely retarded. Anyone with half a brain can make an RFID reader and writer and replicate the card's RFID chip and use it at places that accept it. Never read much into it myself but from the sounds of it it's pretty easy.
 

edro

Yeah the tap card technology is completely retarded. Anyone with half a brain can make an RFID reader and writer and replicate the card's RFID chip and use it at places that accept it. Never read much into it myself but from the sounds of it it's pretty easy.

It can't be that easy or the credit card industry wouldn't allow it due to charge back increases.

Companies such as Chase (which issues the Blink card) and American Express (ExpressPay) claim that RFID chips are built with strong encryption -- 128-bit and Triple-DES (Data Encryption Standard) -- to protect information. Additionally, the chips are supposed to send unique, one-time use codes for each transaction -- codes that do not match the number printed on the card. Chase senior vice president Tom O'Donnell says the combination of unique tokens, switched-on readers and transaction processing is like "tumblers in a lock."

Although the last 2 credit cards I got didn't have the RFID chip in it, which sucks because I really like it.
 

Scarpozzi

I've used my chip a bunch on vending machines when I didn't have cash on me when traveling. Worked great.

At Disneyworld these days, you get a "Magic Band" that is a bracelet (looks like a wristwatch) with an NFC chip in it. Your park tickets, room key access, and CC info are on your account. You can have readers in the park scan the magic band and use a 4 digit pin to make purchases that get billed to you directly. It was great because I was able to walk around for a week when I was down there without having to carry a wallet or keys.
 

KMFJD

We've been using chip and pin here in Canada for about a decade now. I guess all those security breaches have finally convinced US retailers to do the same.

I don't like the tap cards though. A lot of cards here have both now. Sort of defeats the purpose of two-factor authentication. I'll trade the convenience for added security.

The tap cards have a preset limit per transaction, I believe mine is $50, they fail about 50% of the time anyways and make you insert the card.
 

BarkingGhostar

When I went on my three week vacation to the UK, I took with me my Barclaycard, which is chip and PIN. Only one place in all the places I went to prompted me for a PIN, which was an automated checkout at a grocery store in Marylebone.

Everywhere else I went while over there (west country, Edinburgh, etc.) all processed it as chip and signature. Inserted card at bottom of reader and then asked to sign printout. I'm guessing that is because it might not have been a true chip+PIN even though I have a PIN number (maybe for ATM use only?).

But there is a lot of lethargic movement in the USA even when trying to get a card advertised as chip+PIN to work as chip+PIN overseas.
 

dullard

First of all, no places I go actually take the chip, they all still do manual swipe.

Secondly, I read somewhere that cards in the US are only chip, not chip and PIN. And that having chip only does not provide any additional fraud protection. The new chip cards I have gotten in the mail do not come with a PIN number. So what is the deal? Are US cards just chip, or chip and PIN? And do we need a PIN to fully benefit from chip cards? Thanks.

Pretty much the rest of the world has moved on to chip cards (or chip and PIN). So US magnetic cards are basically useless in many locations (which is very frustrating for a frequent traveller like myself). Want a train/subway ticket? Tough, the machines won't work. You have to go find a long line for a teller who can swipe and accept a signature. If you can even find a teller that is.

The US will be going to the chip, it is just slow in catching up with the rest of the world. Stores (up until the Target disaster) felt it was cheaper to pay for the damages from fraud than to replace their credit card terminals.

Chip and PIN is slightly safer from fraud than Chip only. But no US credit card company wants to be the first to go to Chip and PIN. Why? Since if one credit card just swipes and the other requires a PIN, which would you choose? Probably the easier to use one. Then the credit card companies lose billions of dollars in swipe fees to their competitors. So chip and PIN will not come to the US any time soon.

What about fraud? Chip and PIN is safer. That is true. But the vast, vast majority of fraud comes from stolen CC numbers or from a dual-swiped magnetic strip (one to charge you as normal, one to steal your information). Sure, there is a minuscule amount of fraud from a stolen credit card that a PIN would prevent. But that is just a drop in the bucket, solved by reporting a lost/stolen credit card. The vast, vast majority of fraud is prevented by the chip alone. Yes, chips can be duplicated. But now you need a sophisticated thief. When that day comes, we may see chip and PIN cards in the US, but more likely we'll have other forms of payment take hold by then.

That leaves us in an awkward position. We will soon all have chips but no PINs to enter when asked. So far, I just make up a random PIN and it works every time.
 

Paperdoc

I live in Canada where chip & PIN have been normal for over a decade. Tap and Go is more recent. As far as I can tell, the cards are the same - both systems work on an RFID chip inside the card. What is different is the way they are scanned, and the way the card processing company handles the transaction. By the way, all such cards here also have the magnetic stripe as a backup if the other system fails.

For paying by Chip & PIN you must insert the card into the reader machine and leave it there until told to remove. You follow the instructions until you enter your PIN and receive a prompt to remove the card. This system uses two types of security - you must have the card with the chip, and you must enter the PIN associated with that card. No signature is required. The credit card issuer (VISA, Mastercard, etc.) assumes significant liability if a stolen card is misused. Those companies put a lot of effort into monitoring card use to spot suspicious patterns and suspend a card quickly if they believe it is stolen.

A Tap and Go system usually uses a different reader device built into the same machine so you just tap your card on its exterior and enter nothing, and the transaction is processed. Obviously a stolen card is usable easily, and the card issuer still assumes liability. So they limit the max amount of any one transaction, PLUS they set their system to automatically stop you and require entry of your card PIN after every 10 (or whatever) transactions, or perhaps an accumulated dollar amount. This is a step to ensure that the card user is not a thief. Since it's the same card, it's the same PIN - you just do not have to enter on every Tap and Go transaction.

If those systems fail, the card can still be swiped through the magnetic reader. This type of transaction requires that you sign the slip as the second security measure. BUT that step is only useful if the merchant checks the signature against some other sample to verify that it matches. Merchants who fail to do that checking are risking causing you some trouble, but not usually some money. That is because if the signature obviously does not match, the merchant is the one who pays - not you or the card company.

Of the three systems (all can work with one card, as long as the card processing company and their equipment are set up), Chip & PIN is the most secure, and is relatively quick and very popular. We own a small clothing retail store where over 70% of payments are made with plastic, and I'd say the large majority are processed by Chip & PIN. Tap and Go is fastest but the least secure, which is why they limit amounts purchased that way. It's not REALLY widely used yet here, so our store does not have a terminal to do these - we just use Chip & PIN since it's the same card. Mag strip swipe and signature is medium security (not as good as PIN) because it depends on the merchant's sales clerk to check the signature, but it is reliable.
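The tap limits described in the post above (a cap per tap, plus a PIN demand after a number of taps or an accumulated amount) can be modelled as two counters that a PIN-verified purchase resets. This is an added example, not part of the thread; the class and function names are hypothetical and all three limits are assumed values, since issuers set their own.

```python
from dataclasses import dataclass

@dataclass
class TapPolicy:
    # All three values are assumptions for illustration (amounts in cents).
    per_tap_limit: int = 5000   # cap on a single tap ($50)
    max_taps: int = 10          # taps allowed between PIN entries
    max_total: int = 20000      # total tapped between PIN entries

class Card:
    def __init__(self, policy):
        self.policy = policy
        self.taps = 0           # taps since the last PIN-verified purchase
        self.total = 0          # cents tapped since the last PIN entry

    def pay(self, amount, pin_verified=False):
        """Return 'approved' or 'pin_required' for one purchase."""
        p = self.policy
        if pin_verified:
            # The holder proved knowledge of the PIN: reset both counters.
            self.taps = self.total = 0
            return "approved"
        if (amount > p.per_tap_limit or self.taps >= p.max_taps
                or self.total + amount > p.max_total):
            return "pin_required"
        self.taps += 1
        self.total += amount
        return "approved"

def exposure_without_pin(policy, amount):
    """Total spend possible by tapping `amount` repeatedly with no PIN."""
    card, spent = Card(policy), 0
    while card.pay(amount) == "approved":
        spent += amount
    return spent

if __name__ == "__main__":
    for amount in (5000, 1000, 6000):
        print(amount, exposure_without_pin(TapPolicy(), amount))
```

With these assumed limits the loss from a stolen card is bounded by whichever counter trips first, which is the trade-off the post describes.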
 

Xonim

I feel like I remember reading somewhere that either (A) Visa & MC can't collect as high of fees with chip & PIN as they can with chip/swipe & signature or (B) retailers are forced to pay higher fees with chip & PIN than they are with chip/swipe & signature.

Depending on which of those it is, whatever article it was said that is the reason we're going to chip & signature instead of chip & PIN. As per usual, it's all about the money for either Visa & MC, or for the retailers.
 

Exterous

The US will be going to the chip, it is just slow in catching up with the rest of the world. Stores (up until the Target disaster) felt it was cheaper to pay for the damages from fraud than to replace their credit card terminals.

Not to mention the cost of issuing chip enabled cards. Americans have more Credit Cards than any other country (5.6 Billion) and lose them at a faster rate (17% of cards per year). Given that C&P cards cost at least 13x more you are talking about over $1.4bn extra spent per year in credit card replacements alone. Not to mention the one time cost of almost $7bn just to replace the existing cards and this hasn't even gotten to infrastructure change costs yet.

http://www.reuters.com/article/2015/03/03/us-usa-cybersecurity-retail-insight-idUSKBN0LZ0GC20150303
http://www.washingtonpost.com/news/volokh-conspiracy/wp/2014/01/21/the-economics-of-credit-card-security/

Even then you are still reliant on the merchant having good security

“The current problem is that instead of having the random number generated by the bank, it’s generated by the merchant terminal,” said Ross Anderson, professor of security engineering at Cambridge, and an author of a paper being released this week titled, “Chip and Skim: Cloning EMV cards with the Pre-Play Attack.”

Anderson said that the failure to specify that merchant terminals should insist on truly *random* numbers, instead of merely non-repeating numbers, is at the crux of the problem.

“This leads to two potential failures: If the merchant terminal doesn’t generate a random number, you’re stuffed,” he said in an interview. “And the second is if there is some wicked interception device between the merchant terminal and the bank, such as malware on the merchant’s server, then you’re also stuffed.”

http://krebsonsecurity.com/2012/09/researchers-chip-and-pin-enables-chip-and-skim/
 
Last edited:
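The quoted point about terminals producing merely non-repeating rather than random numbers suggests a check an issuer or acquirer can run over logged transactions: group each terminal's unpredictable numbers and flag sequences that repeat, step like a counter, or keep many bits fixed. This is an added example, not part of the thread or of the cited paper; the function name, thresholds and sample values are constructed for illustration.

```python
from collections import Counter

BITS = 32                  # the EMV Unpredictable Number (tag 9F37) is 4 bytes
MASK = (1 << BITS) - 1

def assess_uns(uns):
    """Return tags describing weaknesses in one terminal's UN sequence.

    `uns` holds 32-bit integers in transaction order. An empty result
    means none of these simple checks fired; it does not prove the
    terminal's generator is random.
    """
    if len(uns) < 8:
        raise ValueError("need at least 8 samples per terminal")
    tags = []
    if len(set(uns)) < len(uns):
        tags.append("repeat")
    # A counter shows up as one step size dominating consecutive deltas.
    deltas = [(b - a) & MASK for a, b in zip(uns, uns[1:])]
    _, hits = Counter(deltas).most_common(1)[0]
    if hits * 2 >= len(deltas):
        tags.append("counter")
    # Bits that are 1 in every sample, or 0 in every sample, carry no entropy.
    ones, zeros = MASK, MASK
    for u in uns:
        ones &= u
        zeros &= ~u & MASK
    if bin(ones | zeros).count("1") >= BITS // 4:
        tags.append("stuck_bits")
    return tags

# Constructed samples, one list per hypothetical terminal.
LOW = [0x11C7, 0x7E2A, 0xD890, 0x264D, 0xB3F1, 0x4C0E, 0xE5B3, 0x9A68]
HIGH = [0x3F9A, 0xC405, 0x1B6C, 0xE0F3, 0x5A28, 0x87D1, 0x2E4F, 0xD9B0]
TERMINALS = {
    "counter": [0x0000A100 + i for i in range(8)],
    "half_fixed": [0x55210000 | lo for lo in LOW],
    "varied": [(hi << 16) | lo for hi, lo in zip(HIGH, LOW)],
}

if __name__ == "__main__":
    for name, uns in TERMINALS.items():
        print(name, assess_uns(uns))
```

The "counter" terminal never repeats a value, so a uniqueness check alone would pass it; only the delta and stuck-bit checks expose it.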

who?

When I went on my three week vacation to the UK, I took with me my Barclaycard, which is chip and PIN. Only one place in all the places I went to prompted me for a PIN, which was an automated checkout at a grocery store in Marylebone.

Everywhere else I went while over there (west country, Edinburgh, etc.) all processed it as chip and signature. Inserted card at bottom of reader and then asked to sign printout. I'm guessing that is because it might not have been a true chip+PIN even though I have a PIN number (maybe for ATM use only?).

But there is a lot of lethargic movement in the USA even when trying to get a card advertised as chip+PIN to work as chip+PIN overseas.

You being from overseas may be why it wanted more than just a PIN. Did they ask to see an ID with your signature already on it?