Home Depot Sues Visa, MasterCard As PIN Battle Looms

[HardOCP News]

You know, these guys are eventually going to have to work together. I'm not sure suing each other is the best way to make a relationship work.

Among a bevy of grievances, the do-it-yourself retailer posits that Visa and MasterCard sought to block the adoption of chip-and-PIN on credit card transactions following the migration to EMV payment security standards last October. Additionally, the retailer argues that chip-and-signature is simply less secure than its chip-and-PIN counterpart.

 

[OregonLAN]

Until chip-and-PIN is 100% enforced by all, it's no more secure now than it was before. If a chip-and-PIN card is cloned, you can simply change a couple bits of information and make the card reader think that it doesn't have a chip. Therefore, you can simply swipe the card as normal.

 

[Quartz-1]

What is America's major malfunction here? In the UK we've been using Chip & Pin for many years.

 

[Bowman15]

What is America's major malfunction here? In the UK we've been using Chip & Pin for many years.

Money is the answer - Visa and MasterCard sought to block the adoption of chip-and-PIN

 

[Semantics]

Until chip-and-PIN is 100% enforced by all, it's no more secure now than it was before. If a chip-and-PIN card is cloned, you can simply change a couple bits of information and make the card reader think that it doesn't have a chip. Therefore, you can simply swipe the card as normal.

It's easier than that, most in the US have a 3 tries, just put a fake chip or w.e put it in, it wont work, do it 3 times then the machine will prompt for swipe. You can try it, insert your card 3 times backwards without the chip in the slot, it fail 3 times then prompt for the swipe.

 

[SGTGimpy]

Money is the answer - Visa and MasterCard sought to block the adoption of chip-and-PIN

Yep, it would cost Visa and MasterCard a ton to revamp everything again to Chip-N-Pin in the US. Also it would shift more of fraud accountability onto them as well since they would have to hold not only the token keys but pins as well.
As it is now, chip and sign is just as useless as swipe and sign at this point because no one checks to see if you are the owner of the card. So whether you swipe it or hold it in reader then sign it. It is the same on security front. Chip -n- PIN fixes this issue since you would have to know the owners PIN to even use the card if you stole it.

On all my cards I have CHECK ID in the signature line and once in a blue moon do get some one to ask me for my ID. Last person was about a month ago, a waitress. I was so shocked that she asked that I left her a $20 tip on a $15 bill and wrote on the receipt "Good Job and Thank You for checking my ID"

 

[Krab]

What is America's major malfunction here? In the UK we've been using Chip & Pin for many years.

Purely a case of the big credit card companies not wanting to spend the money to upgrade.

 

[Term-X]

Purely a case of the big credit card companies not wanting to spend the money to upgrade.

I don't get it, what is there to upgrade? Retailers AFAIK need to buy the hardware terminals. All cards here in Canada already put it to use (Visa, Mastercard, AMEX, etc etc). So if it's a software/DB thing, I mean, the template is already there.

 

[SGTGimpy]

I don't get it, what is there to upgrade? Retailers AFAIK need to buy the hardware terminals. All cards here in Canada already put it to use (Visa, Mastercard, AMEX, etc etc). So if it's a software/DB thing, I mean, the template is already there.

The backend software and security systems to allow for token and PIN verification. It really isn't that much big of a change code wise but the cost to R&D, train and certify it does add up to be quite a lot. Then there would be the upgrading of the banking systems interface to VISA and MS databases, that the banks most likely won't want to pay for as well and it keeps trickling down hill. One thing most people don't know that I found out from our merchant services rep is that most EMV readers out there can't support the chip n pin and will have to be replaced again which vendors are not going to like either. (FYI chip-n-pin and Debit card and pin are two totally different techs. Not the same and thought I would mention this before someone started screaming on it)

 

[Dead Parrot]

Part of the problem is credit cards are charged one processing fee and debit a different fee. Same for signature vs PIN. Depending on the agreement a store has with its network provider, there is often a significant price bias toward one type of handling. Further, the agreements have shifted liability for fraud to retailers that don't have a working chip setup. Many retailers have a system ready to go but can't use it until it passes certification by the network provider. This puts the providers in the odd position of benefiting from a slow certification process since retailer with a working chip system shifts fraud liability back to the network or bank.

 

[[21CW]killerofall]

On all my cards I have CHECK ID in the signature line and once in a blue moon do get some one to ask me for my ID. Last person was about a month ago, a waitress. I was so shocked that she asked that I left her a $20 tip on a $15 bill and wrote on the receipt "Good Job and Thank You for checking my ID"

Here is the problem with writing "See ID" Should you write 'See ID,' not sign, back of credit cards?

Also remember that you are (usually) not liable for fraudulent charges so if your credit card is stolen and you promptly report it you will be out $0 (unless your card doesn't have that policy, then you would be out $50 max). If someone steals your card and doesn't use it you will still have to go through the same hassle as if they had used it.

 

[Tawnos]

What is America's major malfunction here? In the UK we've been using Chip & Pin for many years.

Short version as far as I know the history: the US adopted credit cards much sooner than most of the world, retailers bought millions of magstripe readers & POS software, now the cost to upgrade all of those systems is substantial.

 

[Trimlock]

What is America's major malfunction here? In the UK we've been using Chip & Pin for many years.

Infrastructure.

When a company actually buys into system and goes to fullest of the standard (Home Depot) and they (Visa) try to cheapen the process by requiring stupid shit like a dumb signature (that has never stopped anyone) they are bound to get pissed (Home Depot).

BTW I only shop at Home Depot because they were the first to require the chip thingy.

 

[SvenBent]

What is America's major malfunction here? In the UK we've been using Chip & Pin for many years.

The huge panic of governmental control had cost America its control to corporations. companies don't care for citizens but solely for money. so progress is halted in the name of squeezing money out of ppl.
The entire moneyand/IT infrastructure is a joke in the states. it feels like dropping 30+ years back in time. people still use fax and checks as a normal thing..
Govermenen papers are dealt with physically.. Thats around 15-20 years behind modern societies.
I can deal with goverments around the globe from my chair much faster than i can deal with the US government of where i live.

Short version as far as I know the history: the US adopted credit cards much sooner than most of the world, retailers bought millions of magstripe readers & POS software, now the cost to upgrade all of those systems is substantial.

Bigger infra structure but more ppl/companies to pay = same cost per person/company. Do you also think it takes longer for 10 men to dig 10 holes than 1 man to dig 1 hole ? same principle.

 

[mdburkey]

Based on how the full chip & pin system works, then IF it does a fully authenticated transaction, it is relatively secure (which is NOT happening with chip & signature). That said, there are some areas that still ridiculously inadequate -- due largely to requirements for backwards compatibility.

This is especially true for NFC cards based on the EMV standards. Using a cell phone or similar contactless payment wallet is SLIGHTLY more secure than an NFC capable card, as they only present the data to a reader when you run the app and trigger the payment. With NFC enabled credit cards, the amount of data that can be read from the card, at a reasonable distance, that is stored UNENCRYPTED for track 2 backwards compatibility, is ludicrous (and some even have much more data than what would conventionally have been available on track 2).

PS...I was actually responsible for writing the processing firmware for a commercial NFC/EMV credit card reader, so when I say I don't trust them, this should tell you something.

 

[Tawnos]

Bigger infra structure but more ppl/companies to pay = same cost per person/company. Do you also think it takes longer for 10 men to dig 10 holes than 1 man to dig 1 hole ? same principle.

Bullshit. Cost isn't an absolute thing, but is relative to many variables. Think about when companies started switching from the old carbon paper credit card presses to the mag swipe readers. Smaller shops took the longest, because a small store with 2-3 employees doesn't have the same cash capacity for infrastructure upgrades that a larger store might. Plus, many of the POS systems haven't been upgraded yet. Even if the reader is cheap, a POS upgrade can be a massive cost.

Taking your holes example - if you have two employees, it's going to be much harder to find someone to cover a shift if one gets sick while the other is on vacation. If you have one hundred employees, that is much less difficult.

 

[Devilpup]

Cost isn't the major factor, it's consumer adoption and the architecture behind the system. Point-of-sale (POS) systems are still vulnerable to credit card skimming unless you use point-to-point encryption, so all the EMV chip does is make the card itself harder to clone. Cloning a mag stripe is trivial, cloning the chip is not. And yes, chip & signature is probably less secure than the old swipe because now I never get asked for an ID when making a purchase, and anything under $25-ish just goes right through without a signature.

FWIW - The retail and banking industries decided to roll with a chip & signature solution because they believe that other payment options (i.e. mobile payment like Apple pay) are going to make cards in general obsolete, so they see this as a stop-gap between the old mag stripes and the next gen of technology. I say this working deep in the bowels of a major retailer and dealing with this shit on a daily basis. For better or worse, the industry in general is just putting a band aid on the situation until the dust settles and the next big thing comes along.

 

[ZLoth]

You want to know the real reason? The mentality of American business is to "maximize profits, minimize costs". Part of the reason why the United States was so slow in adopting chipped cards was the argument as to who was going to pay for the upgrade. Merchant says their financial institution and/or credit card processor should pay for the upgrade if they want to have the business. Credit card processor says that being able to process their credit cards is a privilege, and that the merchant should pay for the the upgrade. Meanwhile, the consumer suffers.

Oh yeah, also, anything that poses a barrier to using a particular card is best avoided, as the consumer could switch easily.

Oh yeah, increased profits and reduced costs always trumps over security.

 

[likeman]

It's easier than that, most in the US have a 3 tries, just put a fake chip or w.e put it in, it wont work, do it 3 times then the machine will prompt for swipe. You can try it, insert your card 3 times backwards without the chip in the slot, it fail 3 times then prompt for the swipe.

then the merchant rejects the card and asks for a valid Chip and Pin card or customer gives cash or goes elsewhere if the shop does not know the customer and it's a large amount (how it works in the UK, as swiping requires some times a call to the bank if you don't provide the correct information the card reader asks for)

but that can't happen in the USA for another 5-6 years until after chip and pin has been implemented,, as that is the time it takes for everyone to get a new card that have chip and pin when there old one expires and when merchants get new card readers even though there currant card readers already support Chip and pin, (if it supports Tap and pay/fast pay and apple pay/google pay it 100% already supports Chip and pin they may not be aware it is even enabled for it)

i am stupid why chip and sign is prefered at all as it offers no protection for the merchants or customers (personally it's so the card reader company can charge for the digital sign pad that have to be replaced often due to damage + other fees)

 

[Koolthulu]

And yes, chip & signature is probably less secure than the old swipe because now I never get asked for an ID when making a purchase, and anything under $25-ish just goes right through without a signature.

So people actually regularly asked for ID from you before? In the 20+ years I've had credit cards, I can't remember ever being asked for ID.

 

[Zepher]

Yep, it would cost Visa and MasterCard a ton to revamp everything again to Chip-N-Pin in the US. Also it would shift more of fraud accountability onto them as well since they would have to hold not only the token keys but pins as well.
As it is now, chip and sign is just as useless as swipe and sign at this point because no one checks to see if you are the owner of the card. So whether you swipe it or hold it in reader then sign it. It is the same on security front. Chip -n- PIN fixes this issue since you would have to know the owners PIN to even use the card if you stole it.

On all my cards I have CHECK ID in the signature line and once in a blue moon do get some one to ask me for my ID. Last person was about a month ago, a waitress. I was so shocked that she asked that I left her a $20 tip on a $15 bill and wrote on the receipt "Good Job and Thank You for checking my ID"

I had one of my cards unsigned and the cashier said it's not valid unless it is signed so I signed it in front of her. When I got the receipt and signed that, she looked at my card and the receipt to see if the signatures matched. Now, think about that for a second.

 

[DogChainX]

I'm sorry, I have very little empathy for "cost of upgrade" for the credit card companies. They make money hand over fist with america's debt (which is astronomical). Mastercard alone made about $3.8 BILLION last year, with revenues of almost $10 BILLION in 2015. World's smallest fiddle....

 

[Alti]

i am stupid why chip and sign is prefered at all as it offers no protection for the merchants or customers (personally it's so the card reader company can charge for the digital sign pad that have to be replaced often due to damage + other fees)

Few years back (2012) when Chip and Signature cards started rolling out in the US I asked how come they don't support pin especially when the same bank supports it already in other countries. It doesn't really make it any easier to use the card overseas and I was hoping the chip would simplify and normalize things across the global.

The answer is actually money (disguised as convenience for the customer), if you forgot your pin you won't be paying with the card. Then the bank and the card network don't get their money if you end up using cash or another card who's pin you remember. Just think about that, what can be worse than paying in cash? Nothing. It provides 0 security to you because you have to carry cash (bank should be keeping it safe for ya), you pay it off immediately so the bank has no chance of charging you interest. No swipe fees for either the bank or the payment network. Nothing scarier in the world than that, I can assure you.

So far my UK chip and pin card worked at any EMV reader I tried in the US today. It was faster too than all my other cards with Chip and sign. Now in reverse using a chip and signature card in Europe means I have to sign on the receipt itself pretty much all the time. Worse case of that is when using self checkout. The card reader touchscreen doesn't have a place for me to sign. So I have to wait for an assistant to come and then that assistant needs to run around looking for a pen so I could sign the receipt which they then need to keep somewhere. It must not be a common occurrence seeing how no one has a pen. A few times I had them just give up and tell me it's fine, I walked away without signing. But most cashiers follow the rules that the terminal spits out for chip and signature cards.

 

[Jagger100]

Purely a case of the big credit card companies not wanting to spend the money to upgrade.

More than that. The Credit card companies wanted to force retailers to update in hopes that would stop the card-reader breaches, but they wanted no part of putting out money themselves.

The chip technology is over 20 years old. Not so sure it is as secure as it was 20 years ago. Its definitely not as convenient as it should be. This was an impulse push by government cronies in the credit card companies. This is why the PIN was not part of the update. They didn't want to spend any money from their side. Even though the PIN would work against the breaches and electronic credit card theft. Swipe and PIN would have been better. It should have been Updated Chip technology & PIN.

Its bad we're run by government cronies, but they are stupid and short sighed on top of it is the real kicker.

 

[likeman]

More than that. The Credit card companies wanted to force retailers to update in hopes that would stop the card-reader breaches, but they wanted no part of putting out money themselves.

The chip technology is over 20 years old. Not so sure it is as secure as it was 20 years ago. Its definitely not as convenient as it should be. This was an impulse push by government cronies in the credit card companies. This is why the PIN was not part of the update. They didn't want to spend any money from their side. Even though the PIN would work against the breaches and electronic credit card theft. Swipe and PIN would have been better. It should have been Updated Chip technology & PIN.

Its bad we're run by government cronies, but they are stupid and short sighed on top of it is the real kicker.

but there is mostly nothing to spend (unless you got a POS system from 20 years ago and even then it can be bolted on as Lidl have shown that when they did not replace there extremely old POS systems at the time)

as its taken over 15 years for USA to Roll out chip and pin readers that do support it, as almost all card readers are chip and pin in the USA and some of them are actually enabled for it even if the merchant is not aware of it (the ones that are dont understand why card must be inserted until customer shows them lol, or they hide the card reader or just deny its use)

i believe that the problem home depot has with Visa and mastercard is not with Chip and pin but Visa and mastercard i beave are trying to Force a PCI compliance that you MUST support insecure chip and sign as well as Chip and pin (home depot does not want to support Chip and sign as it does not protect them from fraud and they get charged more for Chip and sign)

 

[nomu]

Purely a case of the big credit card companies not wanting to spend the money to upgrade.

What upgrade.

"
Home Depot also contends that Visa and MasterCard chose to enforce the less-secure chip-and-signature standard because the networks collect higher merchant fees for routing signature-based card transactions as opposed to PIN.

According to data compiled by the U.S. Federal Reserve, transactions routed over Visa's or MasterCard's signature debit networks cost more than twice as much as transactions routed over PIN networks."

So it's Walmart and Home Depot vs. Visa and Mastercard. Discover is on Walmart's side apparently. Wouldn't be surprised to see some more retailers dogpile (Target?)

 

[nutzo]

FWIW - The retail and banking industries decided to roll with a chip & signature solution because they believe that other payment options (i.e. mobile payment like Apple pay) are going to make cards in general obsolete, so they see this as a stop-gap between the old mag stripes and the next gen of technology. I say this working deep in the bowels of a major retailer and dealing with this shit on a daily basis. For better or worse, the industry in general is just putting a band aid on the situation until the dust settles and the next big thing comes along.

Then they are being fools. I have no plans to ever start paying for stuff with my phone. I figure I'll be using credit cards for at least another 30 years.

There are a lot of people who don't have smart phones and will likely never have one. How are they supposed to pay? My mom still uses checks most the time.

 

[ZLoth]

Home Depot also contends that Visa and MasterCard chose to enforce the less-secure chip-and-signature standard because the networks collect higher merchant fees for routing signature-based card transactions as opposed to PIN.

FWIW.... WalMart hates Visa so much that it will stop accepting Visa in their stores in Canada, and developed the CurrentC system to use the cheaper ACH transfers rather than ApplePay/AndroidPay (which uses Visa). Former Walmart CEO Lee Scott reportedly once said “I don’t know that MCX will succeed, and I don’t care. As long as Visa suffers.”

But wait.... wasn't it Home Depot who declined to do the necessary upgrades? When IT sought new software and training, managers came back with the same response: “We sell hammers.”.

 

[Foxhack]

Down here, only Walmart, Food4Less (Kroger), and 7-11 have adopted the chip. Other stores still use the older swipe terminals (especially the locally owned supermarkets that don't even want to spend the money to upgrade their 30 year old light fixtures and refrigerators.)

And the only place that has ever asked me for my ID in the 15+ years I've used cards has been Gamestop. Go figure.

 

[sfsuphysics]

Yeah I dont care about security, Im not liable if someone clones my card or commits any sort of fraud. sure its inconvenient to tell your credit card company "no I didnt make those purchases" and quite frankly Id rather not have another password/pin I need to remember.

 

[nomu]

FWIW.... WalMart hates Visa so much that it will stop accepting Visa in their stores in Canada, and developed the CurrentC system to use the cheaper ACH transfers rather than ApplePay/AndroidPay (which uses Visa). Former Walmart CEO Lee Scott reportedly once said “I don’t know that MCX will succeed, and I don’t care. As long as Visa suffers.”

But wait.... wasn't it Home Depot who declined to do the necessary upgrades? When IT sought new software and training, managers came back with the same response: “We sell hammers.”.

It's the same situation as Target. They found Security Jesus. They can no longer tolerate any risk to their brand from inferior technology. I'm sure they'd rather pay Visa less, but that's not as big a deal for Home Depot transactions as it is for Walmart transactions.

 

[Devilpup]

So people actually regularly asked for ID from you before? In the 20+ years I've had credit cards, I can't remember ever being asked for ID.

About 50/50 if the price was over ~30-ish and required a signature, the higher the purchase the more likely it was. I haven't been asked for an ID at all with the switch to chip cards, there's just a sense that they are more secure so people don't have to worry about IDs. Really, the threat was never that someone is going to steal YOUR card and use it to make purchases, the threat was that they are going to steal the INFO from your card and drop that info on another mag stripe card to make a duplicate. The chip does make that attack less feasible, so in some ways it is more secure.

Still, in simple terms chip & pin = 2 factor, while chip & signature = single factor since the signature is never verified anywhere.