After years spent fighting pushes for more secure standards, the
payment card industry and retailers are moving quickly to abandon
magnetic stripe cards and embrace so-called ‘chip and pin’ technology.
Credit card firms MasterCard and Visa plan to have most customers on
the more secure chip and pin cards by October, 2015, according to a
report in the Wall Street Journal. The move comes in the wake of a
massive heist of account information for tens of millions of credit
card holders from the systems of U.S. retailers including Target,
Neiman Marcus and Michaels Stores.
In an interview with MasterCard’s Carolyn Balfany, the Journal notes
that the company has set October, 2015 as the date for a “liability shift”
– a change in policy that will hold the party in a fraudulent
transaction liable for losses due to that transaction. The goal, said
Balfany, is to try to encourage merchants and card issuers (banks) to
move to the more secure chip and pin technology in concert.
Visa said that it also will institute a liability shift in October
2015. However, the shift to more secure cards will likely start much
earlier. Visa is requiring all ATMs that accept its cards to be EMV
compliant by April of next year.
According to the article in the Wall Street Journal, the liability
shift means that the party that uses the less-advanced technology in
the transaction will be held liable if the transaction turns out to be
fraudulent. So, if the merchant is still using the old system and
processes a transaction with a swipe and signature, the merchant would
be liable. If the merchant has a new terminal to accept the chip and
PIN cards, but the bank hasn't issued a chip and PIN card to the
customer, the bank would be liable.
And that means the banks are going to be pretty firm about replacing
magnetic stripe cards with chip and PIN cards.
We have had chipped cards in Europe for the past ten years.
Problem for USAians when they come here.
Not foolproof though. The crooks have found ways round them. Mostly
involving micro-cameras and fake fronts to cash machines.
But a lot more difficult for them.
In advance of our European vacation a little more than a year ago a
major US bank replaced our original card by one with a chip. Perhaps
many (all?) US banks already have the ability to issue such cards if
they are requested.
They do. They haven't wanted to, because it costs money. Now that the
Target data breach is costing them piles of money and making them look
incompetent or stupid as well (by choosing not to implement more
secure cards), they're willing to make the transition to the new cards.
The reason I posted this is because of last week's thread on RFID
chips in credit cards, with the paranoid saying they were gonna refuse
those cards. Well, it looks like by 2016 your choice will be a chipped
card, or no card at all.
You need to confirm that your card is Chip & Pin and not Chip & Signature.
Europe uses Chip & Pin, although mag stripe cards will work at most registers
but not kiosks or petrol pumps.
Chip & Signature was a half-arsed implementation done by a few card issuers in
the US and doesn't work at very many locations.
I've been confused about that very issue. My financial institution
issued a Pin and Chip credit card to me early this year that I've used
in 5 different countries on 2 continents. I've experienced 3 different
scenarios using the card. (1) I put the card into the reader, verified
the transaction and amount on the reader's screen, the merchant did his
thing on his keyboard, and the transaction was completed without a
request for a PIN OR a signature; (2) as above, except a receipt was
printed out which required my signature without any inquiry from the
merchant about a PIN or a signature; or (3) the merchant or the card
reader requested a PIN but gave the alternative to allow me to complete
the purchase by signing the receipt rather than entering the PIN. My
financial institution said that in general, I should not need to enter
the PIN unless I'm using the card at an ATM (which I would never do on
account of the punitive interest rates and fees that type of transaction
incurs.) Any insights why I've encountered these 3 different scenarios?
Which has absolutely nothing to do with the Target breach as the liability shift
deadline was established long before the Target incident. Furthermore, EMV (Chip
& Pin) would have NOT prevented the Target breach as it was caused by
penetrating the card readers and installing unauthorized software. Nothing to do
with the mag stripe.
The card readers are just another keyboard. Most of them
load your information in clear text into known locations
in memory. The bad guys used a simple memory scrubber
to access it.
I love to show my customer just how easy it is. I open
a text editor (Notepad will do), then swipe my AAA club
card through their card reader. What shows up in the
text editor will amaze and astound. Scared the hell out
of them. It is that easy.
Target had non point of sale computers on the same network
leg as their point of sale computers (their HVAC [temperature]
monitoring computers got infected and it spread to their
point of sale computers.) Big mistake. Never ever, never
ever put anything unrelated on the point of sale leg.
They also used the cheaper clear text card swipers, instead
of encrypted card swipers.
No matter how you store the information on the card, if it
does not get loaded into the computer in an encrypted format
before it enters the computer, the bad guys can scrub it
from memory and/or copy it with a keystroke logger.
Think of it this way: data at rest needs to be encrypted;
data in motion also needs to be encrypted. The Target
breach was data in motion.
As long as someone else has to pay the bill, the state of
credit card security will remain very, very lax. Be interesting
to see what happens if Target has to pick up the bill. Maybe
then they will get serious.
the riddle wrapped in an enigma wrapped
The data at a Target POS is read and immediately encrypted before sent.
The malware read the data at the POS terminals as it came off the cards.
(The second breach was data stored on Target computers.)
After Oct 1, 2015 any merchant that uses mag-stripe swipe will be
responsible for cost of credit card fraud.
Target installed some of the card readers used in the European system
and hoped other merchants would also install them. Other merchants
didn't, and the transaction presumably takes longer, which was a
disadvantage to Target.
That is my point. That is why you want to use an encrypted
card swiper. That way the data is already encrypted before
it hits the computer. Not after plain text hits the
computer, gets read by a POS program, and then gets encrypted.
It is very easy to intercept or scrub from memory before
that point. But encrypted card readers cost more.
To get merchants' attention, I like to open a text editor
(Notepad will do fine), then swipe my AAA card through it.
What shows up will amaze and astound. And it is that easy.
What idiot(s) uses Windows on their POS systems anyway: okay
Target did. And a lot of others too. They just don't take
I wonder ...
Merchants better be careful, with this new PCI stuff, they
are going to be held responsible regardless. PCI is about
shifting liability back to the merchant. You pencil whip
it and you are dead meat. I only have one customer that
actually takes it seriously. The rest, one look at the
questionnaire, and "Hand me that, whip, whip, whip. Problem
Telling them PCI is about shifting liability back to them is
the only way I can get their attention. They don't care
about some lofty principle about security for something
they think will never happen to them, but when I tell them
they are in the cross hairs (liable), then suddenly they
I am surprised 10 times as many merchants are not breached.
And, I really, really hate turning my credit card over
to anyone these days. Occasionally, I ask if they are PCI
compliant and I get a blank stare, then a halting "yes".
the riddle wrapped in an enigma wrapped
That begs a question that I have never heard addressed - even by the
lunatic fringe: Why should there be any taxes at all on businesses
beyond those necessary to support local infrastructure?
Since the taxes get passed on down the chain to the consumer anyhow,
it's almost a wash between increasing income tax and not taxing
businesses and what we have now.
"Almost" because the diff is that some of those tax dollars get passed
on to offshore consumers and essentially we are receiving foreign aid.
But the flip side of that is that our products are more expensive
offshore and the competitive position of our manufacturers is diminished
to the extent of that "aid".
Seems logical. So why isn't anybody raising it as an issue? What's
The constituency that likes government support and the politicos that represent
them like indirect taxes because it hides the fact that people's pockets
are being picked.
It also plays to the people who like to use taxes to punish behaviors or
businesses they don't like instead of raising funds to support the necessary
functions of government.
I would far rather see one federal government bill presented to citizens once a
year and get rid of withholding taxes, fuel taxes, social security taxes, etc.
You see an amazing rush to reduce the size of government. Like that will ever