
Judge Allows Small Businesses To Sue Credit Card Giants For Forcing Them To Adopt Chip Readers (computerworld.com) 311

An anonymous reader quotes a report from Computerworld: A federal judge has ruled it is plausible that four national credit-card companies improperly conspired "in lockstep" to set a deadline of Oct. 1, 2015 for requiring retailers to upgrade their technology to accept embedded chip cards for credit and debit card purchases. In an order issued Friday (Case number C 16-01150 WHA), U.S. District Court Judge William Alsup agreed with two small Florida businesses -- B and R Supermarket and Grove Liquors -- which brought the lawsuit in March. Alsup's ruling also allows the antitrust case against Visa, Mastercard, American Express and Discover Financial Services to move forward in federal court for the Northern District of California. The two retailers are seeking to create a class-action case involving millions of small retailers who have been required under the Oct. 1, 2015 deadline to assume liability for fraudulent card charges if they haven't upgraded to the more-secure chip card technology instead of magnetic-stripe cards. The retailers believe there was an industry conspiracy over creation of the deadline that violates fair trade practices. In the same ruling, the judge allowed two other retailers -- Los Angeles-based gourmet food chain Monsieur Marcel and New York-based grocery store chain Fine Fare -- to intervene in the case. Lawyers for the retailers have said a class-action lawsuit could include 8 million U.S. small businesses. They would seek repayment of the cost of upgrading to chip card readers and related software, estimated at $6 billion. However, the National Retail Federation has recently estimated the total cost of the conversion in the U.S. at up to $35 billion.
  • Down the rabbit hole (Score:2, Interesting)

    by mattyj ( 18900 )

    The processing of nearly every credit card purchase in the US eventually trickles down to one firm, so perhaps it wasn't the 'big four' conspiring.

    I'm not really sure why them setting the same date for themselves affects anyone. Just upgrade your damn terminal already.

    • by m0hawk ( 3030287 )

      Any idea on who pays for the terminal upgrade, it wasn't mentioned in the article? If it is being forced on a business, then the credit card company should be sending them out free of charge (assuming that the terminal will be paid off with transaction fees). I'm guessing this is not the case.

      Otherwise, why is there a problem rolling out new terminals?

      • by ShanghaiBill ( 739463 ) on Wednesday October 05, 2016 @05:55PM (#53020841)

        Any idea on who pays for the terminal upgrade, it wasn't mentioned in the article?

        The terminal is owned by the merchant, so they pay for it.

        If it is being forced on a business, then the credit card company should be sending them out free of charge

        It isn't being forced on them. They have the alternative of not accepting CC transactions, which is something many businesses do. At some point we need to have progress, and magstripes need to die. Many technical standards have deadlines where old features stop being supported.

        The merchants have had plenty of time to upgrade, and plenty of warning that the end was coming. Most merchants support the change, since it is the merchants that pay the biggest price for fraud. That is why the plaintiffs are having problems organizing a class action. It is only a few whiners that are complaining.

        • by taustin ( 171655 ) on Wednesday October 05, 2016 @06:10PM (#53020923) Homepage Journal

          It isn't being forced on them. They have the alternative of not accepting CC transactions, which is something many businesses do.

          They also have the choice of continuing to use the old equipment, but they then accept responsibility for fraudulent transactions that could have been prevented by using chip cards. Hell, as far as I know, they still have the option of imprinting paper slips and depositing them at the bank like checks, but the costs all end up on the merchant, as they should.

          At some point we need to have progress, and magstripes need to die. Many technical standards have deadlines where old features stop being supported.

          Mag stripes will be around for at least a decade, and probably two or three. But they'll be slowly phased out over the next few years for most people most of the time.

          The merchants have had plenty of time to upgrade,

          Sort of, but not really. Unless you're Walmart or Home Depot, you don't write your own processing software, you rely on your point of sale vendor, and very few point of sale vendors were ready by October of last year. Many small businesses simply did not have the option to start doing EMV by the deadline.

          and plenty of warning that the end was coming. Most merchants support the change, since it is the merchants that pay the biggest price for fraud. That is why the plaintiffs are having problems organizing a class action. It is only a few whiners that are complaining.

          Liability issues aside, any merchant complaining about EMV (with point to point encryption) is an idiot. EMV isn't about protecting consumers from fraud against their card (hence the chip & signature instead of chip & PIN), it's about protecting banks and merchant services from idiotic merchants who can't keep their network secure. Implement EMV with P2P encryption, and the merchant never sees the card at all, and if someone breaks into their network, there's nothing to steal. Makes PCI compliance easier, and pretty much eliminates the chance of the merchant having to pay six figures to investigate a breach.

          • It isn't being forced on them. They have the alternative of not accepting CC transactions, which is something many businesses do.

            They also have the choice of continuing to use the old equipment, but they then accept responsibility for fraudulent transactions that could have been prevented by using chip cards. Hell, as far as I know, they still have the option of imprinting paper slips and depositing them at the bank like checks, but the costs all end up on the merchant, as they should.

            At some point we need to have progress, and magstripes need to die. Many technical standards have deadlines where old features stop being supported.

            All of this is true and still tangential to the anti-trust case. Anti-trust collusion that forces actions that are in the interests of society is still illegal. The ends do not justify the means. The key point is that the change was indeed forced upon the retailers because they were denied the right to choose a competing supplier, a right that was illegally removed through collusion.

        • by peragrin ( 659227 ) on Wednesday October 05, 2016 @06:20PM (#53020971)

          Ah but that is half the issue. Chip readers once installed needed to be certified by the card companies. That certification is on average 12 months behind.

          So you see a terminal but do not use sticker? The software stack, connections, etc haven't been certified to use chips.

          Credit card companies failed to provide enough certifiers, and enough time to begin the change over. It has been mentioned by MasterCard executives that they never once talked about processing speed of the transactions, which is why Chip readers take 30% longer to process after sending your card data.

          MasterCard Visa cared about their bottom line, and pushed responsibility to merchants, but didn't provide the tools for merchants to do it right.

          Lastly an October 1st deadline is irresponsible, as the slightest hiccup destroys holiday shopping, which is what happened last year. A Feb 1st deadline with a 6-12 month soft start 50% of fraud is paid both issues, and merchant would have been more successful, and less lawsuit prone.

          • by rickb928 ( 945187 ) on Wednesday October 05, 2016 @06:41PM (#53021111) Homepage Journal

            Terminal hardware is certified before it is shipped.

            Software is updated, and verified before deployment.

            Nobody ships untested terminals. That's disastrous.

          • Lastly an October 1st deadline is irresponsible, as the slightest hiccup destroys holiday shopping

            The obvious solution for a merchant is to upgrade before the deadline. The deadline is the last day to upgrade. Any merchant that waits until then to start the process deserves what they get.

            • by Anonymous Coward on Wednesday October 05, 2016 @08:39PM (#53021759)

              In many cases (our stores, for example) the hardware was not available (from our credit card processor).

              We got our first chip capable machine in January -and it did not work. I plugged it in, ran a transaction, and got an error. After a couple of software updates -nope still not working with chip cards. Swap the hardware -still not working. Swap the hardware again -finally everything works. Hey look, it's February, 2016!

              We were charged extra fees from October thru February for not having compliant hardware in place. Hardware which was not available -according to the company charging us the extra fees for not having it yet.

              Who paid for the equipment? We did. We paid the credit card processor the amount they chose to charge us for the equipment that they said we had to have in order to do business.

              I think the upgrades were worth doing, but the rollout was handled poorly, and the companies responsible for setting the timeline profited off of the merchants' inability to meet the deadline.

        • Additionally, they can keep using the magstripe, they just have to take full responsibility for any false charges that may occur at the business as opposed to the credit card company taking that liability. So really, the merchants only have to upgrade if they want to accept CC and be free of any credit card fraud liability. Seems reasonable to me.

      • by youngone ( 975102 ) on Wednesday October 05, 2016 @06:42PM (#53021121)
        I'm not in the US, but where I live the merchant pays for the terminal. There are several suppliers and we have had chip and pin type cards for maybe 5 years.

        I can't remember the last time I saw a mag stripe machine, and if I did see one, I would pay cash.

      • by jrumney ( 197329 )
        If it doesn't make business sense, don't take credit cards. If you decide it is worthwhile for your business to take credit cards, then shell out for the equipment, and be prepared to update it every 10-20 years. Do you ask the central bank to supply you a cash register free of charge?
      • by plover ( 150551 )

        Any idea on who pays for the terminal upgrade, it wasn't mentioned in the article?

        The merchant pays for the terminal, but the upgrade is not being "forced" on them. If they don't want to upgrade to a secure terminal, they don't have to, but then they take on the risks of the customers' cards being stolen and misused.

        So if they think their shitty ancient card readers are secure from hacking, and they're willing to bet the cost of fraud that they're so great, they can keep them. Seems fair.

        • So if they think their shitty ancient card readers are secure from hacking, and they're willing to bet the cost of fraud that they're so great, they can keep them. Seems fair.

          The problem is that the shitty new card readers aren't secure either, because here in the USA we are chip and sign and not chip and PIN. All the same attacks against a stolen card will still work.

          • by plover ( 150551 ) on Wednesday October 05, 2016 @10:35PM (#53022307) Homepage Journal

            The problem is that the shitty new card readers aren't secure either, because here in the USA we are chip and sign and not chip and PIN. All the same attacks against a stolen card will still work.

            Federal law caps your liability at $50, but under the current PCI liability rules if your chip card is stolen and misused your bank is 100% liable for the fraud, because they could have put a PIN on the card but didn't. Neither you nor the retailer is responsible for a dime of the loss.

            The chip has all the anti-skimming technology, regardless of whether it requires PIN or signature authentication, and both are equally excellent at preventing cloning full card data.

            What all cards (both chip and mag stripe) still suffer from is the ability to steal the PAN and use it for online fraud. Mag stripes have the worst security, and are almost as easy to clone as pushing the green button on a copier machine. Europe's experience has proven that the effect of chips was to move the fraud online. But eliminating mag stripes is the next step in securing credit. None of the other measures can have much of a beneficial effect on security until that weakest link is removed.

            And if chip and signature bothers you that much, nothing is stopping you from applying for a MasterCard from a bank that requires PIN authentication. Your current bank may not offer one, but some of the major retail banks do. Take action instead of whining.

    • by EvilSS ( 557649 ) on Wednesday October 05, 2016 @05:44PM (#53020775)

      Just upgrade your damn terminal already.

      Many of them did. The problem is that the new terminals then need to be certified by each card company before they can be turned on, for each business (not just a hardware certification for the mfg, each deployment requires certification). The card companies have been dragging their feet getting them certified, particularly for small to mid sized businesses. However they did not extend the deadline for those companies that installed the terminals but can't yet use them. So these businesses did what they were supposed to do but they are in a bind now with liability shifted to them but they are unable to even accept chip cards because they can't get the big 4 to certify their installations.

      This happened to my local grocery chain. They have the new readers, had them well before the deadline, but they can't use them, even now almost a year after the deadline passed, because they are still in the queue for certification.

      • by taustin ( 171655 )

        You're smoking dope, and they're feeding you a line. The software has to be certified, but even then, not by deployment. And for a small business, that's handled by the point of sale vendor, not the merchant. If your local grocery chain is doing their own processing software, they're not pushing on getting their stuff certified, and that's entirely on them.

        There is a point about not extending the deadline - again - for those merchants who had the hardware but couldn't get the software from the POS vendors,

        • by DRJlaw ( 946416 ) on Wednesday October 05, 2016 @07:35PM (#53021445)

          You're smoking dope, and they're feeding you a line. The software has to be certified, but even then, not by deployment. And for a small business, that's handled by the point of sale vendor, not the merchant.

          Now explain why the POS vendors are losing revenue due to certification delays [digitaltransactions.net]. Is it your theory that they're tanking their business to support the line? Or selling the dope? My theory is that you simply don't understand that level 3 certification is literally by deployment [intuit.com] and too self-satisfied to consider that you might be wrong.

      • by jittles ( 1613415 ) on Wednesday October 05, 2016 @08:37PM (#53021747)

        Just upgrade your damn terminal already.

        Many of them did. The problem is that the new terminals then need to be certified by each card company before they can be turned on, for each business (not just a hardware certification for the mfg, each deployment requires certification).

        That is untrue. You do NOT have to certify each deployment with the card companies. You have to certify the terminal hardware, the kernel on the hardware (card brand specific), the communication from the card terminal to the gateway, and the communication from the gateway to the processor. The processor has to certify from them to the card brand. Most gateways are offering certified hardware + software deployments that only require you to certify with the processor if you develop against their software. If you just take a package that is already certified, you have to do nothing other than meet your PCI requirements that you're already obligated to do. I spend my life writing card terminal drivers and everything I do has to be certified from the terminal to the payment gateway. This is my every day life. You would only need to certify if you made your own software implementation somewhere in that chain. If you write software below the gateway then you may not even need to certify with the card brand, you may be able to just certify with the gateway, depending on what exactly you did.

        The card companies have been dragging their feet getting them certified, particularly for small to mid sized businesses. However they did not extend the deadline for those companies that installed the terminals but can't yet use them. So these businesses did what they were supposed to do but they are in a bind now with liability shifted to them but they are unable to even accept chip cards because they can't get the big 4 to certify their installations. This happened to my local grocery chain. They have the new readers, had them well before the deadline, but they can't use them, even now almost a year after the deadline passed, because they are still in the queue for certification.

        Which chain is this? Publix, for instance, chose to write their own card terminal application which requires all kinds of certifications with the card brands, terminal manufacturers, etc. That's a time consuming process. But I've personally had such a project go through certification in a matter of weeks. It's not the card brands holding things up.

    • by jrumney ( 197329 )
      This is one instance when conspiring is good for the market. If they didn't conspire, small retailers would be buying four different card readers instead of one, and they'd have four different deadlines to remember instead of one. A market getting together and deciding on standards is not really in the same league as price-fixing and other types of conspiracy that adversely affect consumers.
  • by Anonymous Coward on Wednesday October 05, 2016 @04:55PM (#53020429)

    They're just not happy about the liability shift strong-arming them into this. But honestly? They SHOULD be liable when they're the roadblocks preventing customers from having good security. They're dragging their feet on this because it's an externality--they don't care if their customers get screwed, as can be seen with, e.g. the Target hack, but they do see a cost for newer, more secure equipment.

    And I can tell you right now that they won't make proper upgrades unless someone holds a gun to their heads.

    • by Mitreya ( 579078 )

      They SHOULD be liable when they're the roadblocks preventing customers from having good security.

      Bah, security of the credit card itself was never an issue because the customer is not liable anyway.

      If credit cards issuers stopped granting credit based on address+birthday+SSN, that would be a bigger improvement.

      I'd much rather my credit card number leaked compared to hack losing address/SSN info. Credit card can be blocked and re-issued. Address/SSN info, not so much.

    • The problem from the credit card company PoV was that if they were the only one to implement the liability measure the shops would simply start refusing their cards and the competitors would get their customers.

    • by taustin ( 171655 ) on Wednesday October 05, 2016 @06:18PM (#53020961) Homepage Journal

      They're just not happy about the liability shift strong-arming them into this. But honestly? They SHOULD be liable when they're the roadblocks preventing customers from having good security. They're dragging their feet on this because it's an externality--they don't care if their customers get screwed, as can be seen with, e.g. the Target hack, but they do see a cost for newer, more secure equipment.

      EMV has nothing to do with protecting consumers, and has zero effect on security for the consumer. Steal the card, and you can use it, same as before (since it's almost entirely chip & signature rather than chip & PIN). The consumer isn't protected by the technology, the consumer is protected by the law, with a $50 limit on liability on a stolen card.

      EMV is about protecting the banks and processing companies, who have nearly all the liability for fraud, and secondarily protecting merchants, because when fully implemented, EMV with P2P encryption means the merchant never sees the card info at all, and has nothing on their network to steal. All the worst breaches in recent years have been of retailers' networks, stealing millions (or 100 million+) card numbers at a time. And if the retailer is PCI compliant (as Target was, apparently), the banks eat the loss. EMV/P2P encryption eliminates that vector. That is the point of it.

      And the upgrade is very, very much in the merchants' best interests because of that.

      • I don't know about you, but I hate it when I'm forced to change credit card numbers due to fraud being detected on the old number.

        Getting to the state where cards can't be skimmed is a good thing for consumers. It should also reduce the costs of goods marginally where there are only card present sales as the merchant fees should be reduced.

        You can't get to a state where cards can't be skimmed until all the point of sale equipment has been upgraded to support chips. This takes time and the US is at the end

  • Not Sure if... (Score:5, Insightful)

    by jittles ( 1613415 ) on Wednesday October 05, 2016 @04:55PM (#53020441)

    I'm not sure if I have any sympathy for these retailers. The card industry did not force them to accept chip transactions, they forced them to accept liability if they refused to accept chip transactions. You can still, to this day, accept magnetic stripe data instead of chip data. You can also choose to take cash at any time. They also gave the warning more than a year in advance and even basically extended the deadline past October 2015.

    Disclosure: I do make money off the chip card transition. However, I make money off of magnetic stripe implementations also.

    • Re:Not Sure if... (Score:5, Interesting)

      by cayenne8 ( 626475 ) on Wednesday October 05, 2016 @05:21PM (#53020605) Homepage Journal
      I hate the fucking chip things....

      I keep almost leaving my fucking card in the slot and walking away.

      With no PIN, I can't see how it is really any safer to me.

      And these days, half the time I get it wrong, if I plug it in, they say "no..still need to swipe", or vice versa.

      • Re:Not Sure if... (Score:5, Insightful)

        by markdavis ( 642305 ) on Wednesday October 05, 2016 @05:28PM (#53020641)

        I would +1 you if I had points.

        The chip thing is a disaster as far as I am concerned:

        * It is slow as molasses. Just unreal!
        * It encourages you to forget your card.
        * The other day it took 5 MINUTES for it to finally work at a store, the stupid contacts on my card are already corroded and the card is only 4 months old. Guess what, if it doesn't read, they wouldn't allow me any other way to use the card (key it in or swipe it). So it is NOT RELIABLE.
        * There is still no PIN, so it doesn't prevent anyone from picking up my card and using it.
        * It doesn't protect anything with online purchases.

        Fail for consumers
        Fail for stores
        Fail for security
        Fail for convenience
        Fail for economy

        *FAIL*

        • Re: Not Sure if... (Score:3, Informative)

          by Anonymous Coward

          Maybe this is an American problem, who knows. In Canada, we have been using Chip and Pin exclusively for 5 years now. No swipe. We have even moved past chip and pin to a new technology called Tap, where we can just tap our card on the reader for any purchase under $50, or $75 at gas stations and grocery stores.

          Both are safer because they use rolling codes built in to the chip. If someone skims your card the data they get is only valid for a few minutes after it's used.

          You get used to it. You don't forget yo

          • Re: Not Sure if... (Score:5, Informative)

            by Opportunist ( 166417 ) on Wednesday October 05, 2016 @05:48PM (#53020797)

            Europe here, same deal. I can't remember when I actually used that magstripe of my card outside of the US. Even third world countries have had chip readers in operation for years now, only in the US this seems to be a huge issue.

          • Time to join the modern era America.

            You're talking about the country that still fears the metric system

            • The difference is that there are actually benefits to the metric system, which is superior to imperial measurements in every way except perhaps for using Celsius in weather reports instead of Fahrenheit. Yeah, I know the freezing and boiling points of water make a lot of sense from a scientific point of view. But for the weather: 0 degrees being a horribly bone-chillingly frigid day, 100 degrees being an insanely and sweltering scorchingly hot day, and 50 degrees being a nice and normal comfortably mild

          • by nnull ( 1148259 )
            It is mostly a US problem because it's been very poorly implemented in the United States. And since a lot of fraud is moving online, it does nothing to prevent that.
        • Comment removed based on user account deletion
        • by ADRA ( 37398 )

          From a Canadian, you'll get used to it.. eventually.

          I'd say the lack of PIN requirement was your country's fuck up, but *shrugs*.

          Slowness depends entirely on your retailer's merchant broker. Some big box companies like (Walmart Canada) have responses back within a second or two. Others require a frigging dial-up connection before issuing the chip challenge. Ultimately, if you're sick of waiting, poorly performing retailers will suffer and you'll visit their services less. The better responding retailers will

        • Re: (Score:3, Insightful)

          Comment removed based on user account deletion
          • Re: (Score:3, Informative)

            by markdavis ( 642305 )

            >The only fail I agree with is that you do not use your PIN.

            We don't HAVE a PIN, so there is nothing was and choose to use or not use. There is no choice. No PIN.

            >It takes about 15 seconds for the payment. Due to postings here, I have tested it and also looked at other people trying it out.

            15 seconds is about 10 times longer than it used to take.

            >I have NEVER forgotten my card, ever. I put it in, type my PIN and take it out while I have my wallet in my other hand. Almost everybody does it like th

        • I would +1 you if I had points.

          The chip thing is a disaster as far as I am concerned:

          * It is slow as molasses. Just unreal!

          That's an implementation problem - one I see all the time. This has to do with the way they set up their AID Candidate list, most likely. An EMV transaction should take 1-2 seconds.

          * It encourages you to forget your card.
          * The other day it took 5 MINUTES for it to finally work at a store, the stupid contacts on my card are already corroded and the card is only 4 months old. Guess what, if it doesn't read, they wouldn't allow me any other way to use the card (key it in or swipe it). So it is NOT RELIABLE.

          The US region still has what they call technical fallback. They're not supposed to decline to accept your card; if it fails to read 3 times then they are supposed to proceed with it as magnetic stripe. There is no fraud liability shift in this case, at least for now.

          * There is still no PIN, so it doesn't prevent anyone from picking up my card and using it.

          It protects your card from cloning, which is the most common

      • by taustin ( 171655 )

        I hate the fucking chip things....

        I keep almost leaving my fucking card in the slot and walking away.

        That says far more about you than it does about chip cards.

        With no PIN, I can't see how it is really any safer to me.

        It's not intended to be. It's safer for the banks, and indirectly, for the merchants. You're not protected by the technology, you're protected by the law.

  • There is no reason to upgrade to chip cards except to benefit the card cartels. Forcing a small business owner to eat the fraudulent card charges is a big middle finger to these businesses, you can still fraudulently charge a chip card and the cost-benefit is just too insane for a business. Chip card transactions often not only cost more, but the readers and associated systems are a magnitude more expensive than their mag-stripe counterparts, for no good reason, I can get a Chinese chip card reader for $25,

    • There is no reason to upgrade to chip cards except to benefit the card cartels.

      Yeah. There's also no reason to upgrade my 80s muscle car because it's only 1985. What, it's not 1985? The rest of the world has adopted chip+pin for the added security? Some countries have outright banned swiping even as a fallback?

      We often joke about the USA being a backwards country, but we were only poking fun at you guys, we didn't mean it. You don't need to actually be backwards too.

      • Banking is based on trust, not absolute security. The Chip+PIN combo I have been subjected to is incredibly inconvenient only to push the liability to my side of the table. It is not any more secure. The only one benefiting from this whole thing is the credit card companies.
        • The Chip+PIN combo I have been subjected to is incredibly inconvenient only to push the liability to my side of the table. It is not any more secure

          Except for everywhere in the world where chip+pin has been implemented where the liability has not changed, the transaction is processed at a MUCH faster rate and the added security has decimated credit card fraud.

          But other than these little things your post was ... errr.... grammatically correct?

    • by tlhIngan ( 30335 )

      There is no reason to upgrade to chip cards except to benefit the card cartels. Forcing a small business owner to eat the fraudulent card charges is a big middle finger to these businesses, you can still fraudulently charge a chip card and the cost-benefit is just too insane for a business. Chip card transactions often not only cost more, but the readers and associated systems are a magnitude more expensive than their mag-stripe counterparts, for no good reason, I can get a Chinese chip card reader for $25,

      • The chip machines shift the liability to whoever is least secure - if your bank still gave you a swipe card and the retailer can take chip, the liability shifts to the bank

        What I've always wondered is what happens if a criminal clones a chip card onto a magstripe only card.

        Is there some mechanism to warn the merchant in this case or does the merchant get screwed for doing a magstripe transaction on a clone of a chipped card?

        • The mag stripe says this is a chip card and the terminal will request that you use the chip reader.

          You need to modify the data when cloning.

          The next step will be to not accept swipes once the pos terminals are upgraded.

    • "There is no reason to upgrade to chip cards except to benefit the card cartels."

      Are you high? Chip and Pin, the standard for most of the world, works perfectly fine and the reason it is implemented is to protect the merchants! Right now if I go to USA and swipe my card, a fucking signature(!!!) is all the authentication that you need!

      This isn't the 1970s, my god. I couldn't even believe how much fraud I could have done with basically zero effort down there. I can't believe that there isn't massive credit c

      • by lgw ( 121541 )

        Chip and signature is not chip and PIN. Nothing you said is relevant to the US. This "upgrade" has downsides and no upside for the consumer.

        But do go on about the entirely unrelated system you like.

    • There is no reason to upgrade to chip cards except to benefit the card cartels.

      Do you realize that most of the rest of the world, including places like Africa, Latin America, and the Caribbean, has been using this since 2005? Hell, France was doing it in 1992. The only reason the US switched at all is because credit card fraud had finally reached the tipping point around 2012 when banks finally figured out that it was going to be cheaper to switch everything than it would to cover the increasing cost of the fraud.

      Here you go: [creditcards.com]

      Most card fraud occurs in the United States. In fact, a 2015 research note from Barclays stated that the U.S. is responsible for 47 percent of the world’s card fraud despite only accounting for 24 percent of total worldwide card volume.

      The high level of debit and credit card fraud in the United States also impacts other countries. Among U.K.-issued cards in 2015, 35 percent of fraud-related losses occurred in the United States, compared to 10 percent in France and Australia, 9 percent in Canada and 6 percent in Germany.

      Cross-border fraud occurs when criminals use a consumer's credit or debit card data in one country to make fraudulent transactions in another country. In 2014, 47 percent of fraudulent cross-border transactions on U.K. credit cards took place in the United States.

      U.S. credit card fraud is on the rise, too. About 31.8 million U.S. consumers had their credit cards breached in 2014, more than three times the number affected in 2013.

      That fraud isn't cheap. Nearly 90 percent of card breach victims in 2014 received replacement credit cards, costing issuers as much as $12.75 per card.

      Most experts believe that the reason the U.S. has a disproportionately high amount of fraud is because it has been slow to adopt EMV, a global standard in which credit cards carry computer chips that cut down on counterfeiting by dynamically authenticating card transactions. Countries that have deployed EMV have enjoyed a decrease in counterfeit fraud as a result -- 70 percent in the U.K., for example, between 2005 and 2013.
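Added example, not part of the thread or the quoted article: a toy model of why "dynamically authenticating card transactions" cuts counterfeiting while static stripe data does not. HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the class names, field names, card number and key are constructed for illustration.

```python
import hashlib
import hmac


def _mac(key, pan, amount, nonce, atc):
    # Stand-in for the card cryptogram: a keyed MAC over the transaction data.
    msg = f"{pan}|{amount}|{nonce}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class ChipCard:
    """Toy chip: the key never leaves the card; a counter advances per use."""

    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount, nonce):
        self.atc += 1  # transaction counter, so no two cryptograms are equal
        return {"pan": self.pan, "amount": amount, "nonce": nonce,
                "atc": self.atc,
                "mac": _mac(self._key, self.pan, amount, nonce, self.atc)}


class Issuer:
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, pan, key):
        self.keys[pan], self.last_atc[pan] = key, 0

    def authorize_chip(self, txn):
        key = self.keys.get(txn["pan"])
        if key is None:
            return "DECLINE unknown card"
        expected = _mac(key, txn["pan"], txn["amount"], txn["nonce"], txn["atc"])
        if not hmac.compare_digest(expected, txn["mac"]):
            return "DECLINE bad cryptogram"
        if txn["atc"] <= self.last_atc[txn["pan"]]:
            return "DECLINE replayed counter"
        self.last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"

    def authorize_stripe(self, track):
        # Static data: a copy is indistinguishable from the original.
        return "APPROVE" if track["pan"] in self.keys else "DECLINE unknown card"


def demo():
    pan, key = "4000000000000002", b"constructed-demo-key"  # constructed values
    issuer = Issuer()
    issuer.enroll(pan, key)
    card = ChipCard(pan, key)
    genuine = card.sign(amount=1250, nonce="a1b2c3d4")
    captured = dict(genuine)                  # message recorded in transit
    tampered = dict(genuine, amount=99900)    # same message, amount altered
    stripe = {"pan": pan}                     # static stripe contents
    return {
        "genuine": issuer.authorize_chip(genuine),
        "replay": issuer.authorize_chip(captured),
        "tampered": issuer.authorize_chip(tampered),
        "stripe_original": issuer.authorize_stripe(stripe),
        "stripe_copy": issuer.authorize_stripe(dict(stripe)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```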

      • by guruevi ( 827432 )

        Although I agree that 'something has to be done', the chip cards in the US at least are no more secure than mag stripes. If you ever have the chance to hook a chip reader to a computer, you can read most of the data from a chip, unencrypted, the same way you do from a mag stripe (primarily for compatibility reasons). Hell, I have a fully encrypted card and it's useless at many large retailers in the US, my parents came here from Europe with their non-magstripe card which was completely useless even though i

    • I realize this is indirect, and not directly related to switching to chip cards. The new readers ALSO allow (if the business has the functionality turned on) NFC based payment (e.g. Apple Pay, etc.). With that, the business gets the lower fee version due to lower fraud possibility PLUS it's faster than the insert-chip-card-and-wait, or even the swipe method (due to not having to take out your card).

  • Good (Score:5, Insightful)

    by somenickname ( 1270442 ) on Wednesday October 05, 2016 @05:01PM (#53020497)

    This "upgrade" is a complete farce. If they had moved to chip and pin then, yes, it would make sense for all businesses to adopt it. As it is, they moved from a "something you have" model to a slower "something you have" model. Without a "something you have and something you know" model, the upgrade is mostly just an inconvenience to all involved parties (except the credit card companies who can now defer more blame).

    • by Xenx ( 2211586 )
      While chip alone may not be as secure as chip and pin, it is still more difficult to skim than the magnetic stripe. Further, the hardware change to chip is still required for chip and pin. It can always be implemented at a future point when the hardware migration is complete.
      • While chip alone may not be as secure as chip and pin, it is still more difficult to skim than the magnetic stripe.

        I don't doubt that it's "more difficult" but, after a few years, will it prove to be "less frequent"? Probably not. If someone is determined to commit credit card fraud, the security that the chip provides is just a new technology to adapt to.

        Further, the hardware change to chip is still required for chip and pin. It can always be implemented at a future point when the hardware migration is complete.

        That's reasonable. But, they made the switch without adding the security part. If you are going to the trouble to redo the infrastructure of credit card processing, why not, I dunno, make it more secure while you do it? It's not like entering a PIN number is a for

        • by Xenx ( 2211586 )

          That's reasonable. But, they made the switch without adding the security part. If you are going to the trouble to redo the infrastructure of credit card processing, why not, I dunno, make it more secure while you do it? It's not like entering a PIN number is a foreign concept to people.

          Honestly, because people hate change. It's going to be easier to force one change on people than two. I don't know what other reasons were involved, but that can be a big one. We want things to just work, and work like they always have. For most people, credit card fraud is someone else's problem. People only want security as long as it doesn't inconvenience them.

    • I have an (apparently rare) US issued chip and pin card - I didn't even ask for the pin, the bank offered me the one time option of setting it, which I did. If I use it in any of these terminals, or anywhere in Canada, it actually prompts for the PIN. So while chip and signature is the "norm" with these new readers, the only roadblock for chip and pin is now the card issuer thanks to the mandate that the readers be upgraded.

      • Who issued it? I've been trying for years to get one.
        • First Niagara... which is about to be eaten by Key Bank, so I don't know if they'll still offer it (I know they do not for their own customers). Those of us 'grandfathered in' will get to keep it though until the card expires. I have no idea if I'll be able to change the pin, either.

          It was the only credit card that worked in the machines to refill my Opal card [transit pass] in Sydney... so I'd much rather keep it working.

        • Sorry for the second reply, but here is the article about First Niagara choosing pin over signature [post-gazette.com] as well as their press release [firstniagara.com].

          Apparently it is unique in the US in that it will *only* do PIN if you use the chip. Swiping still works for signature, of course.

          Chase was almost going to but backed down at the last minute. Almost all other chip and pin are chip+signature+pin ones from my research, and it will choose signature over pin.

    • by taustin ( 171655 )

      The part that isn't talked about much, and not yet a mandatory part of the system, is the point-to-point encryption that goes hand in hand with EMV. When fully implemented, the store never sees any card information at all, it's all tokenized. That means that when somebody breaks into their network, there's nothing there to steal.

      That is the point of EMV. It's got nothing to do with protecting the consumer. It's about reducing losses for the banks.

    • It also does nothing to stop the clerk or anyone from writing down your number, exp, and cvv2 and going on to amazon. I don't know how to fix that without requiring computers have chip readers too, which honestly would be a good move and open people up for chip based authentication/login... Or otherwise coming up with another way with an authentication token and an api provided by the card companies or something, in conjunction with a TOTP or HOTP physical device.

    • because their laws allow them to shift liability onto the consumer when your pin gets compromised. It's sorta like if someone breaks into a bank they get to take your money instead of the banks.

      In the United States every single credit card swipe is a loan. And you can't enter into a loan without consent. That's why it's so easy to dispute things. But it's also the only way Americans would swallow credit cards. Chip & Pin wasn't worth the extra effort because you don't get a full liability shift to t
  • ... to accept the business of a company that doesn't want to do things the way the CC company requires?
    • Re: (Score:2, Informative)

      by PopeRatzo ( 965947 )

      How can a judge force a CC company to accept the business of a company that doesn't want to do things the way the CC company requires?

      Because they are a federally subsidized and insured bank with monopolistic allowances.

      If you want to be able to borrow money at 0% and lend it at 20%, then fuck you, do as you are told.

      • by mark-t ( 151149 )
        Let's say I'm a CC company, and I notice that I'm taking a substantial hit on my profits because of fraudulent transactions traceable to not securing transactions in a certain way. If I decide that I'm going to try and secure my transactions that way to avoid the loss, while still being willing to take hits for fraudulent transactions that occur with the new method, why should I continue to take the financial hit for companies that don't want to use the newer system?
      • by Holi ( 250190 )
        In what way are VISA, Master Card or AMEX subsidized?
        • by Holi ( 250190 )
          They are responsible for fraudulent purchases over $50 by law, so why do we deny them the opportunity to secure their payment system? Or should they just stop their business?
  • by um... Lucas ( 13147 ) on Wednesday October 05, 2016 @05:10PM (#53020539) Journal

    I can't figure out why retailers would refuse new terminals, unless they were being asked/demanded to pay for them.

    If these new terminals are truly going to save the credit card companies so much money, it ought to have been a no-brainer to provide them to retailers on their own dime and see the return on investment come over time, rather than, essentially, demand the retailers make investments solely for the credit card companies' benefit (with the exception that if the cc co's are going to turn liability over to the retailers, then, yes, they would stand to save their own money, but only because of a change in business dynamics).

    Again, I could just be shooting in the dark as I didn't read the article, just chiming in with an opinion and nothing to back it up, which is what Slashdot's all about, right? :)

  • by thegarbz ( 1787294 ) on Wednesday October 05, 2016 @05:18PM (#53020595)

    I mean it's high time that the USA got dragged kicking and screaming into the 2000s, but to sue the banks over it as well? I mean the USA has the current second highest amount of credit card fraud in the world behind Mexico who are also still in an age where they are marvelling about this fancy new thing called the internet.

    Being forced to upgrade to something which in every other country in the world has caused a significant drop in credit card fraud is a damn good thing, not a sueable offence.

    • by stephanruby ( 542433 ) on Wednesday October 05, 2016 @06:29PM (#53021033)

      Being forced to upgrade to something which in every other country in the world has caused a significant drop in credit card fraud is a damn good thing, not a sueable offence.

      The new chip system in the US works differently than the chip system in Europe, so no, the US isn't being forced to adopt what the rest of the world is already using.

      For instance, in France I can use a European chip card in a restaurant in the middle of nowhere where there is no cell phone reception (or no landlines), and the transaction gets reconciled later when the transactions get uploaded. In the US, under the new system, no one is allowed to keep the data around for later reconciliation, even in an encrypted form, so that means that the multitudes of authentication handshakes must occur correctly before the transactions get authorised (even if the amounts in question are tiny).

      This is why using smartcards in Europe takes no time at all to get authorized, they're actually faster than magnetic debit/credit cards. But this is also why the current smartcards in US (when used through the chip) are so slow, although in theory they're supposed to be more secure than the European smartcards.

      • by jittles ( 1613415 ) on Wednesday October 05, 2016 @08:51PM (#53021823)

        Being forced to upgrade to something which in every other country in the world has caused a significant drop in credit card fraud is a damn good thing, not a sueable offence.

        The new chip system in the US works differently than the chip system in Europe, so no, the US isn't being forced to adopt what the rest of the world is already using.

        For instance, in France I can use a European chip card in a restaurant in the middle of nowhere where there is no cell phone reception (or no landlines), and the transaction gets reconciled later when the transactions get uploaded. In the US, under the new system, no one is allowed to keep the data around for later reconciliation, even in an encrypted form, so that means that the multitudes of authentication handshakes must occur correctly before the transactions get authorised (even if the amounts in question are tiny).

        This is incorrect. The US requirement for "Online Only" is strictly for fraud liability. You can use offline PIN in the US (though it can be attacked). Furthermore, all EMV cards, including those issued in France have what is called a velocity limit on the card. When this limit is hit, the card itself requires the next transaction to go online no matter what. If the terminal tells the card that it cannot go online, then the card itself will either reverse a pending ARQC (online request) or will just immediately return an AAC (decline). This is true in all regions where EMV has been implemented.

        This is why using smartcards in Europe takes no time at all to get authorized, they're actually faster than magnetic debit/credit cards. But this is also why the current smartcards in US (when used through the chip) are so slow, although in theory they're supposed to be more secure than the European smartcards.

        This is also incorrect. The chip transactions in the US are slow because most banks have insisted on implementing EMV incorrectly. A properly configured terminal will process an EMV request in 1-2 seconds in the US. That's not (noticeably) slower than an offline approval. It is literally a few hundred milliseconds longer.
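Added example, not part of jittles' comment: a simplified model of the card-side behaviour described above, where a card that has hit its velocity limit answers with an ARQC and, if the terminal cannot go online, ends with an AAC. The class, the `offline_limit` value and the `pay` helper are assumptions for illustration; real card risk management is configured by the issuer.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class CardModel:
    offline_limit: int = 3      # constructed velocity limit
    offline_count: int = 0      # offline approvals since the last online one
    pending_arqc: bool = False  # True while an online request is outstanding

    def first_generate_ac(self, requested: str) -> str:
        """Terminal proposes TC (approve offline), ARQC (go online) or AAC."""
        if requested == "AAC":
            return "AAC"
        if requested == "TC" and self.offline_count < self.offline_limit:
            self.offline_count += 1
            return "TC"
        # Terminal asked to go online, or the velocity limit forces it.
        self.pending_arqc = True
        return "ARQC"

    def second_generate_ac(self, issuer_approved: Optional[bool]) -> str:
        """issuer_approved is None when the terminal could not go online."""
        if not self.pending_arqc:
            raise RuntimeError("no ARQC outstanding")
        self.pending_arqc = False
        if issuer_approved is None:
            if self.offline_count >= self.offline_limit:
                return "AAC"            # limit hit and no issuer: decline
            self.offline_count += 1
            return "TC"                 # under the limit: approve offline
        if issuer_approved:
            self.offline_count = 0      # online approval resets the counter
            return "TC"
        return "AAC"


def pay(card: CardModel, terminal_online: bool, issuer_approves: bool = True) -> str:
    """Run one transaction and return the card's final cryptogram type."""
    first = card.first_generate_ac("ARQC" if terminal_online else "TC")
    if first != "ARQC":
        return first
    return card.second_generate_ac(issuer_approves if terminal_online else None)


if __name__ == "__main__":
    card = CardModel(offline_limit=3)
    print("offline terminal:", [pay(card, terminal_online=False) for _ in range(5)])
    print("back online:     ", pay(card, terminal_online=True))
    print("offline again:   ", pay(card, terminal_online=False))
```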

  • by labnet ( 457441 ) on Wednesday October 05, 2016 @05:32PM (#53020669)

    I wonder what makes Americans so resistant to change, and when they implement change, it has so many compromises to be unworkable?

    Whether it be:
    - Adoption of the metric system
    - More sensible gun management
    - Universal basic health care
    - Writing dates mm-dd-yy
    - Reform of your court/prison system

    Australia has changed completely to chip cards. Mag swipe is no longer accepted.
    For most merchants, transactions below $100, contact-less is used.
    For over $100, a pin is required (and for some cards like amex, you need to insert the card for a chip read).
    The transactions take around 2 seconds.

    It works great. The $100 threshold is a good compromise for convenience vs fraud risk.

    I assume you are complaining because your banks have stuffed up the implementation???

    • by jrumney ( 197329 )
      While we're trolling Americans...
      • - adoption of different size and color banknotes to make them more easily distinguished.
    • Australia has changed completely to chip cards. Mag swipe is no longer accepted.

      Not strictly true; it does still exist as a fallback if chip and contactless fail, and there are still cards out there that lack chips. Australian cards that lack chips are getting much rarer, but I still see a fair few foreign cards that are mag swipe only.

  • There's a million and one reasons small businesses SHOULD sue credit card companies. This one is stupid garbage.
  • ... when the credit card companies moved from carbon paper card impressions to magnetic stripes? Technology moves on and so must you.

    Not a small business operator, but I was under the impression that mag stripe readers and yes, even carbon paper imprints are still acceptable. You've just got to pay additional per transaction fees applicable to each non preferred method. To cover added processing costs and risk.

  • There is no country on Earth more stubbornly refusing to modernise than the US.
