For small, repeated transactions you just hold the card to the reader and are done in 1-3 seconds. The first transaction on each reader and random transactions every $20-50 (and all transactions above a $20 limit) will require chip+PIN verification, which seems to cut down fraudulent transactions for now.
I suspect that America being so backwards in this respect has a lot to do with the power and influence wielded by corporate lobbyists in Congress.
Chip-and-PIN was invented to make card transactions more secure at a time when most transactions were 'offline', i.e. there was no direct connection from the card terminal to the issuer, so it wasn't possible to ask the issuer whether a transaction should be allowed. To attempt to combat card skimming, the chip was added, and terminals upgraded to require the PIN to be entered if the card had a chip [1].
Nowadays almost all transactions happen 'online', so the bank is asked whether the transaction should be authorised first (this is why there is sometimes a delay on terminals as they connect to the issuer). This means the issuer can run their own fraud detection before the transaction takes place. In the US they took this a step further, and just used that instead of requiring a signature to be collected for most purchases. To the end user it's an even better experience than NFC provides.
[1] This also means you have no reason to give your card to anyone, when the card needs to be inserted above/below the PIN pad, so it prevents another opportunity for skimming.
Not necessarily. In the UK (at least, at the banks where my fiancée and I hold accounts), you need to enter your PIN:
1) On the first transaction after activating a new card
2) On transactions above £30 (~$45) starting 1st Sep 2015 (however apparently some terminals have the former £20 limit hard coded and require a firmware update to increase the limit)
3) On random transactions
In the case of the random PIN verification for contactless payments, the frequency with which these are required isn't entirely clear. I have spent ~£100 over numerous successive contactless transactions (local store then rounds of drinks at the bar) without requiring PIN verification. In fact, I've never needed to enter my PIN - every contactless transaction has been automatically approved.
Over a typical week, I do conduct a good mix of contactless and Chip-and-PIN transactions, so my risk profile might be different from someone who has, for example, an 80/20 contactless-to-chip ratio.
I'm unsure whether the PIN verification requirement is triggered by the application running on the card or by the transaction processor. This might actually be covered in the EMV spec [1].
When I went to the MetroCentre the other week, I did about 5-6 contactless transactions in a day (probably somewhere around £100 spent total), by the end of the day my card got declined and I had to use Chip&Pin, so it does definitely happen in the UK, though the limits may be quite high (wonder if this may also vary based on the bank, I'm with a certain bank which refused to give me a contactless card until I had a credit check).
This is the first time since I got the card (quite a few months ago) that it was actually declined however, so it's quite a rare occurrence.
As for the EMV spec, it sounds like the terminal is the one that decides whether or not to request Chip&PIN:
During kernel processing, the kernel will determine from the acceptance environment and issuer settings in the card whether a cardholder verification is needed for the transaction. Methods that may be supported are online PIN and signature – offline PIN is not suitable due to the “card in field” timing issues.
What is the kernel?
The kernel contains interface routines, security and control functions, and logic to manage a set of commands and responses to retrieve the necessary data from a card to complete a transaction.
The same problems were raised when countries in the EU switched to chip, but it was mostly vendors who were on old cash registers with no interfaces for the new card systems. That was solved through a manual total price entry into the EMV system, acting as its own system basically.
And as the parent comment mentioned, contactless payment is just really nice for smaller transactions. The ability to buy a coffee without opening your wallet (goods under $20) makes lines in stores so much faster since no signing/code entry is needed.
There was definitely a learning curve for figuring out the new terminals at first (some PoSes required both swiping and using the chip), but that only lasted about a year or two.
We are backwards as fuck.
If the big-box stores aren't getting it done there is little hope for the mom & pop type stores who will be forced to either stop taking cards or accept the liability for fraud since it's unlikely the acquiring banks will want to hold the bag for their customers once the card brands pass it downstream.
I work in this space, and while both the software and hardware have been ready for some time, retailers are just really slow to change. When you're talking about potentially hundreds to thousands of new card readers at nearly $1k each, followed by many hours of testing new software versions, piloting and rolling it out, etc., it is a significant investment for them to add support for EMV. That said, it's not like this was on short notice. They've had plenty of time (and incentive) to get this done.
Weirdly a couple months ago my local 7-11 upgraded to readers which have the physical EMV slot but those slots are non-functional.
* I dipped my card and then was told to reinsert the card and leave it in for the duration of the transaction. I wonder how long it will take for me to insert/leave by default instead of dipping.
* The machine mechanically locked my card into the slot until I had taken my cash. I wonder how much more frequently people are going to leave their cards in the ATM now. Also, what happens if the power goes out or the machine crashes?
* It seems that some EMV cards have multiple "Applications" on them and it's impossible to tell which one should be used in which context. When I inserted my card, the ATM presented me with a menu asking me to select between "US DEBT" and "VISA DEBT". I had no idea which one to choose, and had to pick one, try to make a withdrawal, fail, and then choose the other one to take out cash. I don't remember which one worked, and if that's the one I should use in other locations.
I've never seen an "Application" choice, so I can't really comment on that. Is that US specific?
Overall, I've found the UX on new cards to be a big improvement on magstripes.
2. Machines in Europe have been doing this for a long time and it's never been an issue. I guess in the rare case power goes out (aren't these machines on UPS?) you just call the provider hotline, cancel that card and get a new one in the mail the day after.
3. I have never seen this but I agree this is an issue. That is an unnecessary UX roadblock.
2) In the UK, most machines make you take the card out before dispensing the banknotes. Bank-owned (non-corner-shop) ATMs "spit out" the card and beep until you take the card. Only then do they dispense the cash.
3) I don't think many UK card issuers use multiple applications for the same context. That is to say, if you put your card into an ATM, only one application is likely to be compatible with that profile. There may be other applications for travel (ITSO, for example, is a travel card standard built on Global Platform). I think every EMV terminal has support for application selection menus (usually in the form of little buttons along the side of the screen) but they're virtually never used in the UK.
In my experience while travelling, US payment terminals are the most unusual.
> Also, what happens if the power goes out or the machine crashes?
Seriously? Where do you live where the grid is this unstable?
Living in Canada, I can tell you that using my cards in the US where there are no EMV/chip readers feels tremendously insecure to me now. It's just a matter of getting used to things.
It is a big problem for stores. Credit cards have both so stores have to force only those transactions to the EMV.
The machines need to be smart enough to figure out if the card has both and not allow the stripe transaction.
My experience in Europe has been with Chip and PIN, I wonder why we're gravitating toward Chip and Signature.
I don't know who is liable in Europe for fraud (shop or bank), but, about the article, I find it odd: the chips should be more secure, so why are banks giving the responsibility of fraud to merchants while not for the insecure magstripes? The banks should be able to trust their own chips, right?
The specifications are all available online too [1] and make for an interesting, if involved, read.
EMV are responsible for a number of specifications, including "Chip and PIN" style payment, contactless (NFC) and CAP (Chip Authentication Program - a two factor system where users are given self-contained challenge/response card readers with which virtually every EMV card is compatible).