Judge Allows Small Businesses To Sue Credit Card Giants For Forcing Them To Adopt Chip Readers (computerworld.com) 311
An anonymous reader quotes a report from Computerworld: A federal judge has ruled it is plausible that four national credit-card companies improperly conspired "in lockstep" to set a deadline of Oct. 1, 2015 for requiring retailers to upgrade their technology to accept embedded chip cards for credit and debit card purchases. In an order issued Friday (Case number C 16-01150 WHA), U.S. District Court Judge William Alsup agreed with two small Florida businesses -- B and R Supermarket and Grove Liquors -- which brought the lawsuit in March. Alsup's ruling also allows the antitrust case against Visa, Mastercard, American Express and Discover Financial Services to move forward in federal court for the Northern District of California. The two retailers are seeking to create a class-action case involving millions of small retailers who have been required under the Oct. 1, 2015 deadline to assume liability for fraudulent card charges if they haven't upgraded to the more-secure chip card technology instead of magnetic-stripe cards. The retailers believe there was industry conspiracy over creation of the deadline that violates fair trade practices. In the same ruling, the judge allowed two other retailers -- Los Angeles-based gourmet food chain Monsieur Marcel and New York-based grocery story chain Fine Fare -- to intervene in the case. Lawyers for the retailers have said a class-action lawsuit could include 8 million U.S. small businesses. They would seek repayment of the cost of upgrading to chip card readers and related software, estimated at $6 billion. However, the National Retail Federation has recently estimated the total cost of the conversion in the U.S. at up to $35 billion.
Down the rabbit hole (Score:2, Interesting)
The processing of nearly every credit card purchase in the US eventually trickles down to one firm, so perhaps it wasn't the 'big four' conspiring.
I'm not really sure why them setting the same date for themselves affects anyone. Just upgrade your damn terminal already.
Re: (Score:2)
Any idea on who pays for the terminal upgrade, it wasn't mentioned in the article? If it is being forced on a business, then the credit card company should be sending them out free of charge (assuming that the terminal will be paid off with transaction fees). I'm guessing this is not the case.
Otherwise, why is there are problem rolling out new terminals?
Re:Down the rabbit hole (Score:5, Insightful)
Any idea on who pays for the terminal upgrade, it wasn't mentioned in the article?
The terminal is owned by the merchant, so they pay for it.
If it is being forced on a business, then the credit card company should be sending them out free of charge
It isn't being forced on them. They have the alternative of not accepting CC transactions, which is something many businesses do. At some point we need to have progress, and magstripes need to die. Many technical standards have deadlines where old features stop being supported.
The merchants have had plenty of time to upgrade, and plenty of warning that the end was coming. Most merchants support the change, since it is the merchants that pay the biggest price for fraud. That is why the plaintiffs are having problems organizing a class action. It is only a few whiners that are complaining.
Re:Down the rabbit hole (Score:5, Informative)
It isn't being forced on them. They have the alternative of not accepting CC transactions, which is something many businesses do.
They also have the choice continuing to use the old equipment, but they then accept responsibility for fraudulent transactions that could have been prevented by using chip cards. Hell, as far as I know, they still have the option of imprinting paper slips and depositing them at the bank like checks, but the costs all end up on the merchant, as they should.
At some point we need to have progress, and magstripes need to die. Many technical standards have deadlines where old features stop being supported.
Mag stripes will be around for at least a decade, and probably two or three. But they'll be slowly phased out over the next few years for most people most of the time.
The merchants have had plenty of time to upgrade,
Sort of, but not really. Unless you're Walmart or Home Depot, you don't write your own processing software, you rely on your point of sale vendor, and very few point of sale vendors were ready by October of last year. Many small businesses simply did not have the option to start doing EMV by the deadline.
and plenty of warning that the end was coming. Most merchants support the change, since it is the merchants that pay the biggest price for fraud. That is why the plaintiffs are having problems organizing a class action. It is only a few whiners that are complaining.
Liability issues aside, any merchant complaining about EMV (with point of point encryption) is an idiot. EMV isn't about protecting consumers from fraud against their card (hence the chip & signature instead of chip & PIN), it's about protecting banks and merchant services from idiotic merchants who can't keep their network secure. Implement EMV with P2P encryption, and the merchant never sees the card in at all, and if someone breaks into their network, there's nothing to steal. Makes PCI compliance easier, and pretty much eliminates the chance of the merchant having to pay six figures to investigate a breach.
Re: (Score:3)
It isn't being forced on them. They have the alternative of not accepting CC transactions, which is something many businesses do.
They also have the choice continuing to use the old equipment, but they then accept responsibility for fraudulent transactions that could have been prevented by using chip cards. Hell, as far as I know, they still have the option of imprinting paper slips and depositing them at the bank like checks, but the costs all end up on the merchant, as they should.
At some point we need to have progress, and magstripes need to die. Many technical standards have deadlines where old features stop being supported.
All of this is true and still tangential to the anti-trust case. Anti-trust collusion that forces actions that are in the interests of society are still illegal. The ends do not justify the means. The key point is that the change was indeed forced upon the retailers because they were denied the right to choose a competing supplier, a right that was illegally removed through collusion.
Re:Down the rabbit hole (Score:5, Interesting)
Ah but that is half the issue. Chip readers once installed needed to be certified by the card companies. That certification. Is on average 12 months behind.
So you see a terminal but do not use sticker? The software stack, connections, etc haven't been certified to use chips.
Credit card companies failed to provide enough certifiers, and enough time to begin the change over. It has been mentioned by MasterCard executives that they never once talked about processing speed of the transactions, which is why Chip readers, take 30% longer to process after sending your card data.
MasterCard Visa cared about their bottom line, and pushed responsibility to merchants, but didn't provide the tools for merchants to do it right.
Lastly an October 1st deadline is irresponsible, as the slightest hiccup destroys holiday shopping, which is what happened last year. A Feb 1st deadline with a 6-12 month soft start 50% of fraud is paid both issues, and merchant would have been more successful,and less lawsuit prone.
Re: Down the rabbit hole (Score:4, Interesting)
Terminal hardware is certified before they are shipped.
Software is updated, and verified before deployment.
Nobody ships untested terminals. That's disastrous.
Re: (Score:2)
Lastly an October 1st deadline is irresponsible, as the slightest hiccup destroys holiday shopping
The obvious solution for a merchant is to upgrade before the deadline. The deadline is the last day to upgrade. Any merchant that waits until then to start the process deserves what they get.
Re:Down the rabbit hole (Score:4, Interesting)
In many cases (our stores, for example) the hardware was not available (from our credit card processor).
We got our first chip capable machine in January -and it did not work. I plugged it in, ran a transaction, and got an error. After a couple of software updates -nope still not working with chip cards. Swap the hardware -still not working. Swap the hardware again -finally everything works. Hey look, it's February, 2016!
We were charged extra fees from October thru February for not having compliant hardware in place. Hardware which was not available -according to the company charging us the extra fees for not having it yet.
Who paid for the equipment? We did. We paid the credit card processor the amount they chose to charge us for the equipment that they said we had to have in order to do business.
I think the upgrades were worth doing, but the rollout was handled poorly, and the companies responsible for setting the timeline profited off of the merchants inability to meet the deadline.
Re: (Score:2)
Additionally, they can keep using the magstripe, they just have to take full responsibility for and false charges that may occur at the business as opposed to the credit card company taking that liability. So really, the merchants only have to upgrade if they want to accept CC and be free of any credit card fraud liability. Seems reasonable to me.
Re:Down the rabbit hole (Score:4, Informative)
I can't remember the last time I saw a mag stripe machine, and if I did see one, I would pay cash.
Re: (Score:3)
Re: (Score:2)
Any idea on who pays for the terminal upgrade, it wasn't mentioned in the article?
The merchant pays for the terminal, but the upgrade is not being "forced" on them. If they don't want to upgrade to a secure terminal, they don't have to, but then they take on the risks of the customers' cards being stolen and misused.
So if they think their shitty ancient card readers are secure from hacking, and they're willing to bet the cost of fraud that they're so great, they can keep them. Seems fair.
Re: (Score:2)
So if they think their shitty ancient card readers are secure from hacking, and they're willing to bet the cost of fraud that they're so great, they can keep them. Seems fair.
The problem is that the shitty new card readers aren't secure either, because here in the USA we are chip and sign and not chip and PIN. All the same attacks against a stolen card will still work.
Re:Down the rabbit hole (Score:4, Insightful)
The problem is that the shitty new card readers aren't secure either, because here in the USA we are chip and sign and not chip and PIN. All the same attacks against a stolen card will still work.
Federal law caps your liability at $50, but under the current PCI liability rules if your chip card is stolen and misused your bank is 100% liable for the fraud, because they could have put a PIN on the card but didn't. Neither you nor the retailer is responsible for a dime of the loss.
The chip has all the anti-skimming technology, regardless of whether it requires PIN or signature authentication, and both are equally excellent at preventing cloning full card data.
What all cards (both chip and mag stripe) still suffer from is the ability to steal the PAN and use it for online fraud. Mag stripes have the worst security, and are almost as easy to clone as pushing the green button on a copier machine. Europe's experience has proven that the effect of chips was to move the fraud online. But eliminating mag stripes is the next step in securing credit. None of the other measures can have much of a beneficial effect on security until that weakest link is removed.
And if chip and signature bothers you that much, nothing is stopping you for applying for a MasterCard from a bank that requires PIN authentication. Your current bank may not offer one, but some of the major retail banks do. Take action instead of whining.
Re: (Score:2)
Physical stolen credit cards are rare to the point of being not an issue.
I wouldn't call 14% of all credit card fraud "not an issue".
With mag stripe you can be sure that the card wasn't cloned.
What? Who told you that?
Cloned cards where someone makes a fake credit card with you number encoded onto it are actually a bigger problem than physical stolen cards.
Yeah, and EMV actually has inadequate protection against cloning, because it has inadequate standards for the use of the chip [arxiv.org], and "some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply" the nonce for the transaction. That does require a compromised reader, but you don't have to compromise the reader itself, only its communications channel. This can often be done from outside a buildi
Re: (Score:2)
And if you don’t trust your logistics chain
Re:Down the rabbit hole (Score:5, Informative)
Just upgrade your damn terminal already.
Many of them did. The problem is that the new terminals then need to be certified by each card company before they can be turned on, for each business (not just a hardware certification for the mfg, each deployment requires certification). The card companies have been dragging their feet getting them certified, particularly for small to mid sized businesses. However they did not extend the deadline for those companies that installed the terminals but can't yet use them. So these businesses did what they were supposed to do but they are in a bind now with liability shifted to them but they are unable to even accept chip cards because they can't get the big 4 to certify their installations.
This happened to my local grocery chain. They have the new readers, had them well before the deadline, but they can't use them, even now almost a year after the deadline passed, because they are still in the queue for certification.
Re: (Score:2)
You're smoking dope, and they're feeding you a line. The software has to be certified, but even then, not by deployment. And for a small business, that's handled by the point of sale vendor, not the merchant. If your local grocery chain is doing their own processing software, they're not pushing on getting their stuff certified, and that's entirely on them.
There is a point about not extending the deadline - again - for those merchants who had the hardware but couldn't get the software from the POS vendors,
Re:Down the rabbit hole (Score:4, Informative)
Now explain why the POS vendors are losing revenue due to certification delays [digitaltransactions.net]. Is is your theory that they're tanking their business to support the line? Or selling the dope? My theory is that you simply don't understand that level 3 certification is literally by deployment [intuit.com] and too self-satisfied to consider that you might be wrong.
Re: (Score:3)
Re:Down the rabbit hole (Score:5, Interesting)
Just upgrade your damn terminal already.
Many of them did. The problem is that the new terminals then need to be certified by each card company before they can be turned on, for each business (not just a hardware certification for the mfg, each deployment requires certification).
That is untrue. You do NOT have to certify each deployment with the card companies. You have to certify the terminal hardware, the kernel on the hardware (card brand specific), the communication from the card terminal to the gateway, and the communication from the gateway to the processor. The processor has to certify from them to the card brand. Most gateways are offering certified hardware + software deployments that only require you to certify with the processor if you develop against their software. If you just take a package that is already certified, you have to do nothing other than meet your PCI requirements that you're already obligated to do. I spend my life writing card terminal drivers and everything I do has to be certified from the terminal to the payment gateway. This is my every day life. You would only need to certify if you made your own software implementation somewhere in that chain. If you write software below the gateway then you may not even need to certify with the card brand, you may be able to just certify with the gateway, depending on what exactly you did.
The card companies have been dragging their feet getting them certified, particularly for small to mid sized businesses. However they did not extend the deadline for those companies that installed the terminals but can't yet use them. So these businesses did what they were supposed to do but they are in a bind now with liability shifted to them but they are unable to even accept chip cards because they can't get the big 4 to certify their installations. This happened to my local grocery chain. They have the new readers, had them well before the deadline, but they can't use them, even now almost a year after the deadline passed, because they are still in the queue for certification.
Which chain is this? Publix, for instance, chose to write their own card terminal application which requires all kinds of certifications with the card brands, terminal manufacturers, etc. That's a time consuming process. But I've personally had such a project go through certification in a matter of weeks. It's not the card brands holding things up.
Re: (Score:2)
Retailers are holding us in the stone age (Score:5, Insightful)
They're just not happy about the liability shift strong-arming them into this. But honestly? They SHOULD be liable when they're the roadblocks preventing customers from having good security. They're dragging their feet on this because it's an externality--they don't care if their customers get screwed, as can be seen with, e.g. the Target hack, but they do see a cost for newer, more secure equipment.
And I can tell you right now that they won't make proper upgrades unless someone holds a gun to their heads.
Re: (Score:3)
They SHOULD be liable when they're the roadblocks preventing customers from having good security.
Bah, security of the credit card itself was never an issue because customer is not liable anyway
If credit cards issuers stopped granting credit based on address+birthday+SSN, that would be a bigger improvement.
I'd much rather my credit card number leaked compared to hack losing address/SSN info. Credit card can be blocked and re-issued. Address/SSN info, not so much.
Re: (Score:2)
Chip and PIN works.
Pity virtually no US chip cards are chip and PIN.
Re: (Score:2)
Chip and PIN works.
Pity virtually no US chip cards are chip and PIN.
This is what the US card issuers should be sued for. How is Chip-and-Sign any more secure than mag strips?
Is this yet another way that the powers-that-be discourage Americans from international travel so that they can't see that much of the rest of the world has the same freedoms that America has?
Cloning vs. theft vs. frustration (Score:2)
It depends on the attack model.
Re: (Score:3)
..That fraud adds up and, though not normally visible to the consumer,..
Yeah, it adds up to about 1 in 1000 transactions and about $7 in $10,000 of credit spend. THATs why it is normally not visible to the consumer.
Other fraud & costs that consumers pay for:
Theft by Employee > 0.5% of sales
Shoplifting > 0.5% of sales
Spoilage Losses > 8%
So in comparison... we are wasting a lot of money on this whole PIN & Chip crap. If it stopped 1/1000 fraud transactions, but due to the added inconvenience we lose 1/100 transactions... its basically a net loss even without t
Re: (Score:2)
The problem from the credit card company PoV was that if they were the only one to implement the liability measure the shops would simply start refusing their cards and the competitors would get their customers.
Re:Retailers are holding us in the stone age (Score:5, Informative)
They're just not happy about the liability shift strong-arming them into this. But honestly? They SHOULD be liable when they're the roadblocks preventing customers from having good security. They're dragging their feet on this because it's an externality--they don't care if their customers get screwed, as can be seen with, e.g. the Target hack, but they do see a cost for newer, more secure equipment.
EMV has nothing to do with protecting consumers, and has zero effect on security for the consumer. Steal the card, and you can use it, same as before (since it's almost entirely chip & signature rather than chip & PIN) The consumer isn't protected buy the technology, the consumer is protected by the law, with a $50 limit on liability on a stolen card.
EMV is about protecting the banks and processing companies, who have nearly all the liability for fraud, and secondarily protecting merchants, because when fully implemented, EMV with P2P encryption means the merchant never sees the card info at all, and has nothing on their network to steal. All the worst breaches in recent years have been of retailers' networks, stealing millions (or 100 million+) card numbers at a time. And if the retailer is PCI compliant (as Target was, apparently), the banks eat the loss. EMV/P2P encryption eliminates that vector. That is the point of it.
And the upgrade is very, very much in the merchants' best interests because of that.
Re: (Score:2)
I don't know about you, but I hate it when I'm forced to change credit card numbers due to fraud being detected on the old number.
Getting to the state where cards can't be skimmed is a good thing for consumers. It should also reduce the costs of goods marginally where there are only card present sales as the merchant fees should be reduced.
You can't get to a state where cards can't be skimmed until all the point of sale equipment has been upgraded to support chips. This takes time and the US is at the end
Not Sure if... (Score:5, Insightful)
I'm not sure if I have any sympathy for these retailers. The card industry did not force them to accept chip transactions, they forced them to accept liability if they refused to accept chip transactions. You can still, to this day, accept magnetic stripe data instead of chip data. You can also choose to take cash at any time. They also gave the warning more than a year in advance and even basically extended the deadline past October 2015.
Disclosure: I do make money off the chip card transition. However, I make money off of magnetic stripe implementations also.
Re:Not Sure if... (Score:5, Interesting)
I keep almost leaving my fucking card in the slot and walking away.
With no PIN, I can't see how it is really any safer to me.
And these days, half the time I get it wrong, if I plug it in, they say "no..still need to swipe", or vice versa.
Re:Not Sure if... (Score:5, Insightful)
I would +1 you if I had points.
The chip thing is a disaster as far as I am concerned:
* It is slow as molasses. Just unreal!
* It encourages you to forget your card.
* The other day it took 5 MINUTES for it to finally work at a store, the stupid contacts on my card are already corroded and the card is only 4 months old. Guess what, if it doesn't read, they wouldn't allow me any other way to use the card (key it in or swipe it). So it is NOT RELIABLE.
* There is still no PIN, so it doesn't prevent anyone from picking up my card and using it.
* It doesn't protect anything with online purchases.
Fail for consumers
Fail for stores
Fail for security
Fail for convenience
Fail for economy
*FAIL*
Re: Not Sure if... (Score:3, Informative)
Maybe this is an American problem, who knows. In Canada, we have been using Chip and Pin exclusively for 5 years now. No swipe. We have even moved past chip and pin to a new technology called Tap, where we can just tap our card on the reader for any purchase under $50, or $75 at gas stations and grocery stores.
Both are safer because they use rolling codes built in to the chip. If someone skims your card the data they get is only valid for a few minutes after its used .
You get used to it. You don't forget yo
Re: Not Sure if... (Score:5, Informative)
Europe here, same deal. I can't remember when I actually used that magstrip of my card outside of the US. Even third world countries have had chip readers in operation for years now, only in the US this seems to be a huge issue.
Re: (Score:3)
Time to join the modern era America.
You're talking about the country that still fears the metric system
Re: (Score:2)
The difference is that there are actually benefits to the metric system, which is superior to imperial measurements in every way except perhaps for using Celsius in weather reports instead of Fahrenheit. Yeah, I know the freezing and boiling points of water make a lot of sense from a scientific point of view. But for the weather: 0 degrees being a horribly bone-chillingly frigid day, 100 degrees being an insanely and sweltering scorchingly hot day, and 50 degrees being a nice and normal comfortably mild
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
From a Canadian, you'll get used to it.. eventually.
I'd say the lack of PIN requirement was your country's fuck up, but *shrugs*.
Slowness depends entirely on your retailer's merchant broker. Some big box companies like (Walmart Canada) has responses back within a second or two. Others require a frigging dial-up connection before issuing the chip challenge. Ultimately, if you're sick of waiting, poorly performing retailers will suffer and you'll visit their services less. The better responding retailers will
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
>The only fail I agree with is that you do not use your PIN.
We don't HAVE a PIN, so there is nothing was and choose to use or not use. There is no choice. No PIN.
>It takes about 15 seconds for the payment. Due to postings here, I have tested it and also looked at other people trying it out.
15 seconds is about 10 times longer than it used to take.
>I have NEVER forgotten my card, ever. I put it in, type my PIN and take it out while I have my wallet in my other hand. Almost everybody does it like th
Re: (Score:2)
I would +1 you if I had points.
The chip thing is a disaster as far as I am concerned:
* It is slow as molasses. Just unreal!
That's an implementation problem - one I see all the time. This has to do with the way they set up their AID Candidate list, most likely. An EMV transaction should take 1-2 seconds.
* It encourages you to forget your card. * The other day it took 5 MINUTES for it to finally work at a store, the stupid contacts on my card are already corroded and the card is only 4 months old. Guess what, if it doesn't read, they wouldn't allow me any other way to use the card (key it in or swipe it). So it is NOT RELIABLE.
The US region still has what they call technical fallback. They're not supposed to decline to accept your card if it fails to read 3 times then they are supposed to proceed with it as magnetic stripe. There is no fraud liability shift in this case, at least for now.
* There is still no PIN, so it doesn't prevent anyone from picking up my card and using it.
It protects your card from cloning, which is the most common
Re: (Score:2)
I hate the fucking chip things....
I keep almost leaving my fucking card in the slot and walking away.
That says far more about your than it does about chip cards.
With no PIN, I can't see how it is really any safer to me.
It's not intended to be. It's safer for the banks, and indirectly, for the merchants. You're not protected by the technology, you're protected by the law.
Re: (Score:2)
At least we aren't upside down, our toilet water circulates in the correct fashion when flushed, and we drive on the correct side of the road...
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If you're a small business you could go back to cash only. Usually I pay cash at small businesses anyway since I know the 3% card fee is more painful to them than it is to McDonald's or Home Depot...
Hope they get fined big for this (Score:2, Interesting)
There is no reason to upgrade to chip cards except to benefit the card cartels. Forcing a small business owner to eat the fraudulent card charges is a big middle finger to these businesses, you can still fraudulently charge a chip card and the cost-benefit is just too insane for a business. Chip card transactions often not only cost more, but the readers and associated systems are a magnitude more expensive than their mag-stripe counterparts, for no good reason, I can get a Chinese chip card reader for $25,
Re: (Score:2)
There is no reason to upgrade to chip cards except to benefit the card cartels.
Yeah. There's also no reason to upgrade my 80s muscle car because it's only 1985. What it's not 1985? The rest of the world has adopted chip+pin for the added security? Some countries have outright banned swiping even as a fallback?
We often joke about the USA being a backwards country, but we were only poking fun at you guys, we didn't mean it. You don't need to actually be backwards too.
Re: (Score:2)
Re: (Score:3)
The Chip+PIN combo i have been subjected to is incredibly inconvenient only to push the liability to my side of the table. It is not any more secure
Except for everywhere in the world where chip+pin has been implemented where the liability has not changed, the transaction is processed at a MUCH faster rate and the added security has decimated credit card fraud.
But other these little things your post was ... errr.... grammatically correct?
Re: (Score:3)
Re: (Score:2)
The chip machines shift the liability to whoever is least secure - if your bank still gave you a swipe card and the retailer can take chip, the liability shifts to the bank
What i've always wondered is what happens if a criminal clones a chip card onto a magstripe only card.
Is there some mechanism to warn the merchant in this case or does the merchant get screwed for doing a magstripe transaction on a clone of a chipped card?
Re: (Score:2)
The mag stripe says this is a chip card and the terminal will request that you use the chip reader.
You need to modify the data when cloning.
The next step will be to not accept swipes once the pos terminals are upgraded.
Re: (Score:2)
Are you high? Chip and Pin, the standard for most of the world, works perfectly fine and the reason it is implemented is to protect the merchants! Right now if i go to USA and swipe my card, a fucking signature(!!!) is all the authentication that you need!
This isn't the 1970s, my god. I couldn't even believe how much fraud I could have done with basically zero effort down there. I can't believe that there isn't massive credit c
Re: (Score:3)
Chip and signature is not chip and PIN. Nothing you said is relevant to the US. This "upgrade" has downsides and no upside for the consumer.
But do go on about the entirely unrelated system you like.
Re: (Score:2)
There is no reason to upgrade to chip cards except to benefit the card cartels.
Do you realize that most of the rest of the world, including places like Africa, Latin America, and the Caribbean, has been using this since 2005? Hell, France was doing it in 1992. The only reason the US switched at all is because credit card fraud had finally reached the tipping point around 2012 when banks finally figured out that it was going to be cheaper to switch everything than it would to cover the increasing cost of the fraud.
Here you go: [creditcards.com]
Most card fraud occurs in the United States. In fact, a 2015 research note from Barclays stated that the U.S. is responsible for 47 percent of the world’s card fraud despite only accounting for 24 percent of total worldwide card volume.
The high level of debit and credit card fraud in the United States also impacts other countries. Among U.K.-issued cards in 2015, 35 percent of fraud-related losses occurred in the United States, compared to 10 percent in France and Australia, 9 percent in Canada and 6 percent in Germany.
Cross-border fraud occurs when criminals use a consumer's credit or debit card data in one country to make fraudulent transactions in another country. In 2014, 47 percent of fraudulent cross-border transactions on U.K. credit cards took place in the United States.
U.S. credit card fraud is on the rise, too. About 31.8 million U.S. consumers had their credit cards breached in 2014, more than three times the number affected in 2013.
That fraud isn't cheap. Nearly 90 percent of card breach victims in 2014 received replacement credit cards, costing issuers as much as $12.75 per card.
Most experts believe that the reason the U.S. has a disproportionately high amount of fraud is because it has been slow to adopt EMV, a global standard in which credit cards carry computer chips that cut down on counterfeiting by dynamically authenticating card transactions. Countries that have deployed EMV have enjoyed a decrease in counterfeit fraud as a result -- 70 percent in the U.K., for example, between 2005 and 2013.
Re: (Score:2)
Although I agree that 'something has to be done', the chip cards in the US at least are no more secure than mag stripes. If you ever have the chance to hook a chip reader to a computer, you can read most of the data from a chip, unencrypted, the same way you do from a mag stripe (primarily for compatibility reasons). Hell, I have a fully encrypted card and it's useless at many large retailers in the US, my parents came here from Europe with their non-magstripe card which was completely useless even though i
Re: (Score:2)
I realize this is indirect, and not directly related to switching to chip cards.. The new readers ALSO allow (if the business has the functionality turned on) NFC based payment (e.g. Apple Pay, etc.). With that, the business gets the lower fee version due to lower fraud possibility PLUS it's faster than the insert-chip-card-and-wait, or even the swipe method (due to not having to take out your card).
Good (Score:5, Insightful)
This "upgrade" is a complete farce. If they had moved to chip and pin then, yes, it would make sense for all businesses to adopt it. As it is, they moved from a "something you have" model to a slower "something you have" model. Without a "something you have and something you know" model, the upgrade is mostly just an inconvenience to all involved parties (except the credit card companies who can now defer more blame).
Re: (Score:3)
Re: (Score:2)
While chip alone may not be as secure as chip and pin, it is still more difficult to skim than the magnetic stripe.
I don't doubt that it's "more difficult" but, after a few years, will it prove to be "less frequent"? Probably not. If someone is determined to commit credit card fraud, the security that the chip provides is just a new technology to adapt to.
Further, the hardware change to chip is still required for chip and pin. It can always be implemented at a future point when the hardware migration is complete.
That's reasonable. But, they made the switch without adding the security part. If you are going to the trouble to redo the infrastructure of credit card processing, why not, I dunno, make it more secure while you do it? It's not like entering a PIN number is a for
Re: (Score:2)
That's reasonable. But, they made the switch without adding the security part. If you are going to the trouble to redo the infrastructure of credit card processing, why not, I dunno, make it more secure while you do it? It's not like entering a PIN number is a foreign concept to people.
Honestly, because people hate change. It's going to be easier to force one change on people than two. I don't know what other reasons were involved, but that can be a big one. We want things to just work, and work like they always have. For most people, credit card fraud is someone else's problem. People only want security as long as it doesn't inconvenience them.
Re: (Score:2)
And the next step is to just stop supporting swipe only transactions like some countries have already done.
Re: (Score:3)
I have a (apparently rare) US issued chip and pin card - I didn't even ask for the pin, the bank offered me the one time option of setting it, which I did. If I use it in any of these terminals, or anywhere in Canada, it actually prompts for the PIN. So while chip and signature is the "norm" with these new readers, the only roadblock for chip and pin is now the card issuer thanks to the mandate that the readers be upgraded.
Re: (Score:2)
Re: (Score:2)
First Niagara... which is about to be eaten by Key Bank, so I don't know if they'll still offer it (I know they do not for their own customers). Those of us 'grandfathered in' will get to keep it though until the card expires. I have no idea if I'll be able to change the pin, either.
It was the only credit card that worked in the machines to refill my Opal card [transit pass] in Sydney... so I'd much rather keep it working.
Re: (Score:2)
Sorry for the second reply, but here is the article about First Niagara choosing pin over signature [post-gazette.com] as well as their press release [firstniagara.com].
Apparently it is unique in the US in that it will *only* do PIN if you use the chip. Swiping still works for signature, of course.
Chase was almost going to but backed down at the last minute. Almost all other chip and pin are chip+signature+pin ones from my research, and it will choose signature over pin.
Re: (Score:2)
The part that isn't talked about much, and not yet a mandatory part of the system, is the point of point encryption that goes hand in hand with EMV. When fully implemented, the store never sees any card information at all, it's all tokenized. That means that when somebody breaks into their network, there's nothing there to steal.
That is the point of EMV. It's got nothing to do with protecting the consumer. It's about reducing losses for the banks.
Re: (Score:2)
It also does nothing to stop the clerk or anyone from writing down your number, exp, and cvv2 and going on to amazon. I don't know how to fix that without requiring computers have chip readers too, which honestly would be a good move and open people up for chip based authentication/login... Or otherwise coming up with another way with an authentication token and an api provided by the card companies or something, in conjunction with a TOTP or HOTP physical device.
Chip & Pin only works in Europe (Score:2)
In the United States every single credit card swipe is a loan. And you can't enter into a loan without consent. That's why it's so easy to dispute things. But it's also the only way Americans would swallow credit cards. Chip & Pin wasn't worth the extra effort because you don't get a full liability shift to t
Re: (Score:2)
The moved it to from a something that can be cloned to something that can't be cloned.
It would be better if they moved it to something that can't be cloned + something you know.
How can a judge force a CC company... (Score:2)
Re: (Score:2, Informative)
Because they are a federally subsidized and insured bank with monopolistic allowances.
If you want to be able to borrow money at 0% and lend it at 20%, then fuck you, do as you are told.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
was there a double dip? (Score:3)
I can't figure out why retailers would refuse new terminals, unless they were being asked/demanded to pay for them.
If these new terminals are trully going to save the credit card companies so much money, it ought to have been a no brainer to provide them to retails on their own dime and see the return on investment come over time, rather than, essentially, demand the retails make investments solely for the credit card companies benefit (with the exception that if the cc co's are going to turn liability over to the retailers, then, yes, they would stand to save their own money, but only because of a change in business dynamics)
Again, I could just be shooting in the dark as I didn't read the article, just chiming in with an opinion and nothing to back it up, which is what slashdots all about, right? :)
Re: (Score:2)
The retailers can just decide not to use them.
Enter the 21st century, get sued? (Score:5, Interesting)
I mean it's high time that the USA got dragged kicking and screaming into the 2000s, but to sue the banks over it as well? I mean the USA has the current second highest amount of credit card fraud in the world behind Mexico who are also still in an age where they are marvelling about this fancy new thing called the internet.
Being forced to upgrade to something which in every other country in the world has caused a significant drop in credit card fraud is a damn good thing, not a sueable offence.
Re:Enter the 21st century, get sued? (Score:4, Insightful)
Being forced to upgrade to something which in every other country in the world has caused a significant drop in credit card fraud is a damn good thing, not a sueable offence.
The new chip system in the US works differently than the chip system in Europe, so no, the US isn't being forced to adopt what the rest of the world is already using.
For instance, in France I can use a European chip card in a restaurant in the middle of nowhere where there is no cell phone reception (or no landlines), and the transaction gets reconciled later when the transactions get uploaded. In the US, under the new system, no one is allowed to keep the data around for later reconciliation, even in an encrypted form, so that means that the multitudes of authentication handshakes must occur correctly before the transactions get authorised (even if the amounts in question are tiny).
This is why using smartcards in Europe takes no time at all to get authorized, they're actually faster than magnetic debit/credit cards. But this is also why the current smartcards in US (when used through the chip) are so slow, although in theory they're supposed to be more secure than the European smartcards.
Re:Enter the 21st century, get sued? (Score:5, Informative)
Being forced to upgrade to something which in every other country in the world has caused a significant drop in credit card fraud is a damn good thing, not a sueable offence.
The new chip system in the US works differently than the chip system in Europe, so no, the US isn't being forced to adopt what the rest of the world is already using.
For instance, in France I can use a European chip card in a restaurant in the middle of nowhere where there is no cell phone reception (or no landlines), and the transaction gets reconciled later when the transactions get uploaded. In the US, under the new system, no one is allowed to keep the data around for later reconciliation, even in an encrypted form, so that means that the multitudes of authentication handshakes must occur correctly before the transactions get authorised (even if the amounts in question are tiny).
This is incorrect. The US requirement for "Online Only" is strictly for fraud liability. You can use offline PIN in the US (though it can be attacked). Furthermore, all EMV cards, including those issued in France have what is called a velocity limit on the card. When this limit is hit, the card itself requires the next transaction to go online no matter what. If the terminal tells the card that it cannot go online, then the card itself will either reverse a pending ARQC (online request) or will just immediately return an AAC (decline). This is true in all regions where EMV has been implemented.
This is why using smartcards in Europe takes no time at all to get authorized, they're actually faster than magnetic debit/credit cards. But this is also why the current smartcards in US (when used through the chip) are so slow, although in theory they're supposed to be more secure than the European smartcards.
This is also incorrect. The chip transactions in the US are slow because most banks have insisted on implementing EMV incorrectly. A properly configured terminal will process an EMV request in 1-2 seconds in the US. That's not (noticeably) slower than an offline approval. It is literally a few hundred milliseconds longer.
Re: (Score:3)
"They refuse to check ID"
Retailers are prohibited from checking ID, unless specifically requested by the bank.
"they refuse to check signatures"
The signatures on the card are not for authentication purposes. Also, there's no way a minimum wage clerk is going to be able to do handwriting recognition.
Resistant To Change? (Score:5, Insightful)
I wonder what makes Americans so resistant to change, and when they implement change, it has so many compromises to be unworkable?
Whether it be.
- Adoption of the metric system
- More sensible gun management
- Universal basic health care
- Writing dates mm-dd-yy
- Reform of you court/prison system
Australia has changed completely to chip cards. Mag swipe is no longer accepted.
For most merchants, transactions below $100, contact-less is used.
For over $100, a pin is required (and for some cards like amex, you need to insert the card for a chip read).
The transactions take around 2 seconds.
It works great. The $100 threshold is a good compromise for convenience vs fraud risk.
I assume you are complaining because your banks have stuffed up the implementation???
Re: (Score:2)
Re: (Score:2)
Australia has changed completely to chip cards. Mag swipe is no longer accepted.
Not strictly true; it does still exist as a fallback if chip and contactless fail, and there are still cards out there that lack chips. Australian cards that lack chips are getting much rarer, but I still see a fair few foreign cards that are mag swipe only.
Re: (Score:2)
Are you fucking kidding me? (Score:2)
Did they scream like this ... (Score:2)
Not a small business operator, but I was under the impression that mag stripe readers and yes, even carbon paper imprints are still acceptable. You've just got to pay additional per transaction fees applicable to each non preferred method. To cover added processing costs and risk.
America... (Score:2)
Re: (Score:2)
We're not getting Chip and PIN, just Chip. And the retailers are expected to foot the bill.
Re: (Score:2)
Actually, the infrastructure supports Chip and PIN. What makes the card Chip and Signature is something baked into the card by the issuers.
While the new terminals do support Chip and PIN, places like restaurants will need to buy wireless terminals to allow customers to enter a PIN at their table. I haven't seen any wireless credit card terminals in use in the USA.
Re: (Score:2)
A lot of diners and some chains (i.e. Denny's, IHOP) are set up such that you just bring your receipt to the hostess and they cash you out there. So, more places could move to that model.
Honestly waiting for the waitress to come pick up our cards, then bring them back with a pen is a pointless waste of everyone's time. "Just bring up your receipt when ready" works so much better...
Re: (Score:2)