US Credit Card System Begins Complete Overhaul

[CommanderFrank]

At long last, the United States will begin to play catch up with the rest of the world in credit card technology within the next 18 months. The full transition to chip technology is expected to take up to three years.

In addition to adding a chip to each of the 1.2 billion credit and debit cards circulating in the US, the overhaul requires upgrading card readers at retail locations, and there's plenty of incentive for businesses to hop on board with the change.

 

[Spidey329]

I think Target is one of the retailers that has had the newer readers for over a year.

 

[jschuricht]

I just hope with a chip and pin that the gas stations get red of their $100 limit per swipe at the pump. Tired of swiping a card, having the pump cut off, swiping again, cut off, swiping a different card, cut off, etc.

 

[roflmywaffle]

what are you filling up that needs hundreds of dollars in fuel? A big rig?

 

[jschuricht]

Just a slightly modded diesel pickup.

 

[goodcooper]

Just a slightly modded diesel pickup.

i don't know if that has anything to do with payment method...

around here it's $75... i used to hit it often filling up my hot rod minivan with premium...

 

[jschuricht]

It's mainly the stations trying to prevent getting screwed by a fraudulent transaction. The limit tends to vary some, I have never ran across one that limited at $75. Most of the ones I have seen are $99 or $100 but I have run one that set the limit at $150.

 

[Sufu]

Just a slightly modded diesel pickup.

Like a tank? Does it do gallons per mile instead?

 

[bman212121]

It's mainly the stations trying to prevent getting screwed by a fraudulent transaction. The limit tends to vary some, I have never ran across one that limited at $75. Most of the ones I have seen are $99 or $100 but I have run one that set the limit at $150.

Yes I'd have to guess it's up to the station to decide where they want to cut you off at.

At $4 a gallon for fuel you're only talking 25 gallons. Lots of 3/4 and 1 ton pickup trucks have tanks larger than that. I can go over that limit if I bring gas cans with me to fill up.

I'd guess jschuricht might have an auxillary tank on the back of his truck, at 50 or 100 gallons that it going to take a few transactions to fill up.

 

[bman212121]

Speaking of gas stations though I wonder how many places will make the change pump side or if you'll need to go in if you have the new card. I've traveled to many places where the cards seemed like they were connected to an analog line cause it would take up to a minute for the card to process.

 

[jschuricht]

Like a tank? Does it do gallons per mile instead?

Close, the bumper is made of 1/4" Prius resistant steel.

Yes I'd have to guess it's up to the station to decide where they want to cut you off at.

At $4 a gallon for fuel you're only talking 25 gallons. Lots of 3/4 and 1 ton pickup trucks have tanks larger than that. I can go over that limit if I bring gas cans with me to fill up.

I'd guess jschuricht might have an auxillary tank on the back of his truck, at 50 or 100 gallons that it going to take a few transactions to fill up.

Your exactly right. Many long bed trucks and large SUV's carry about 40ga stock and there are aftermarket tanks around 60ga. One of my trucks is a older dual tank design upgraded with a 40ga front and 45ga rear tank the other truck has a stock 40ga tank plus a 155ga tank in the bed.

 

[LOCO LAPTOP]

I just hope with a chip and pin that the gas stations get red of their $100 limit per swipe at the pump. Tired of swiping a card, having the pump cut off, swiping again, cut off, swiping a different card, cut off, etc.

Yeah... IDK about you but filling up 37 gallons of 93 octane can get expensive.

 

[dbu8554]

When I used to fuel up for race weekends with 100, it was around 600 dollars usually had to do 6 transactions for that.

 

[Jagger100]

I don't get it. A bunch of encrypted data on a chip is better than encrypted data on a magnetic strip?

 

[AFD]

I don't get it. A bunch of encrypted data on a chip is better than encrypted data on a magnetic strip?

Me neither. Magnetic cards can be susceptible to bogus skimmers, but wouldn't these cards likewise be vulnerable to other RFID readers in a similar fashion?

I really don't understand what part of the transaction they're trying to make more secure by moving to a chip & signature system. Isn't paying online or at-the-pump completely missing 1/2 of the verification?

 

[viscountalpha]

Encrypted chips are much harder to copy and mag strip reader/writer are way too easy to get a hold of.

Don't get me started on day to day wear and tear that magnetic strips have. They are awful.

 

[ChrisJohnson00TA]

Another hope for better gas station issues. I have a diesel excursion that always takes 2 swipes. $75 limit on almost every pump I've hit in Texas with pay at the pump.

 

[bastage]

At $4 a gallon for fuel you're only talking 25 gallons. Lots of 3/4 and 1 ton pickup trucks have tanks larger than that. I can go over that limit if I bring gas cans with me to fill up.

You get like a 36 gallon tank in an F150 with the Ecoboost.

https://media.ford.com/content/ford...on-2012-ford-f-150-ecoboost-4x4-lets-cus.html

So at 3 bucks a gallon that would still be over 100 bucks. And I ahvent seen 3 bucks a gallon in a long time.

 

[colinstu]

Me neither. Magnetic cards can be susceptible to bogus skimmers, but wouldn't these cards likewise be vulnerable to other RFID readers in a similar fashion?

I really don't understand what part of the transaction they're trying to make more secure by moving to a chip & signature system. Isn't paying online or at-the-pump completely missing 1/2 of the verification?

these chips aren't using RFID or EMV. they're using metal contacts similar to that of a SIM card. nothing wireless about it.

 

[Jagger100]

Encrypted chips are much harder to copy and mag strip reader/writer are way too easy to get a hold of.

Don't get me started on day to day wear and tear that magnetic strips have. They are awful.

Maybe 10-15 years ago when first introduced. But after cranking out hundreds of million (if not billions) of cards already and that many more for North America will effectively result in the same situation. Lots of equipment for production that have been lost track of.

Not to mention phone and internet purchases will not know the difference.

 

[AFD]

these chips aren't using RFID or EMV. they're using metal contacts similar to that of a SIM card. nothing wireless about it.

From everything I've read so far, the US roll-out is using EMV cards, and EMV defines standards for both contact and contactless chip cards. The current contactless cards being used in the US are all EMV-compliant, and all three use RFID. New US cards can either implement one method or the other, or both.

This post actually has a lot of good information about it..

http://www.flyertalk.com/forum/credit-card-programs/1304271-usa-emv-cards-available-today-chip-pin-chip-signature-247.html

 

[stm]

I spend a lot of time on FT as I'm a miles junkie, but it should be pointed out here that the system we are implementing is a half ass way of doing EMV - basically it doesn't always work overseas. Mainly because the US implementations are chip & signature versus chip & pin.

At the moment, basic card info can be read off a mag stripe or the chip on the card. Chip on the card is harder to clone, yes, but same info is read to start the transaction. Dual factor authentication is standard on C&S and C&P but I'd daresay that a pin is more secure than a scribble that noone hardly checks. So again, score for C&P.

The problem comes with offline transactions - when transactions are batched or not immediately verified online. In a real-time transaction, with a C&S card, you can use the pin set as your cash advance pin and it can verify that real-time, or you can just sign and that usually works too. Not 100% though and it depends on the country, I've had waiters in Europe keep insisting on a pin and look at me funny when their hand held machines ask for a signature.

Where it doesn't work, is if it's not a real-time transaction, the terminal will try and verify the pin that is set to your chip (which C&S doesn't have one) and since it can't pull one real-time, it will deny your charge. So, if you've ever been in a foreign country, trying to buy a subway/train ticket that requires a C&P card, and your POS C&S card won't verify, and it's after the ticket counter has closed.... you're in for a long walk.

Pretty disappointed in the "standard" that we have chosen for the US.

 

[Semantics]

btw what was the reason all those contactless cards in the US stuff back in the mid 00's. I see old card readers with those antennas on the top with cardboard put over them and new card readers don't impliment that.

 

[cashkennedy]

I believe the information encrypted in the magstripe is easily decipherable with keys that every terminal has and were cracked years ago. Before even connecting to phone / data line the terminal knows the digits / expiration / name of person after swipe. The chip on the other hand might have non decipherable data that is transmitted to the card company to authorize the transaction. Thus if someone visually sees your card or takes a picture of it hey can easily make a fake card and encrypt the card/exp/name into the fake cards mag stripe, while the 256 digit code on the chip would have to be read, which would require more access to the card.

There may even be more to it then that, perhaps your terminal has a second less secure merchant key that is sent to the chip then the chip on card is able to perform a basic hash with your mechant key salting the 256 bit key on the chip. then the hash is transmitted out of the chip. This way the chip never reveals its 256 bit key, it just reveals what the successful hash of terminal A + Card A would be. When you go to a second terminal and combine terminal B + Card A you get a completely different hash.< Bam I just discovered a ingenious way to make it infinitely secure to simple copying of a card after it being read by a compromised card reader.

 

[Rob94hawk]

With computers being everywhere there should be some sort of facial recognition or biometric identification. I've gotten 2 different cards skimmed already. One at my own bank!

This is what the NSA should be used for. Putting these scumbags away for a long time!

 

[Hulahoops]

We've had it a long while in the UK and in essence you stick you card in the card machine and when requested enter your pin and that is it. The fraud from this system comes mainly from people fiddling with the card machines, I believe an added incentive to use the chip & pin system was the way in which the retailers would become liable for any fraud if they didn't use them.

As for online a lot of places over here have started to use the Verified by Visa system.

 

[collegeboy69us]

Even though I hate my car -- when it comes times to fill up im glad I have a Kia rio. (10 gallon tank, cheapest fuel I can find works great) gas was 3.37 on the way into work this morning.

I do miss the gravy train days though - when I'd go to fill up my RX8 with premium and gas was 4-something a gallon (RX8 got crap gas milage too) never even cared because it was all work expense. Or filling up a 18 gallon tank in the C6Z06, premium all the time, and getting single digit MPG's on track days, ahh the good ole' days.

 

[BlueMeanie]

Another UK user here. The weirdest effect I noticed as we dropped signatures and swapped to Chip and Pin was that the store clerk doesn't handle the card any more. At least when there was a signature it meant the store clerk would hold the card and read what was on it. Which meant when the card said "Mrs K. Smith" and he saw an 18 year old male standing in front of him buying beer, he knew to reject the card. With chip and pin that is something that isn't picked up on. So anyone with kids - make sure little Johnny doesn't get to know your PIN otherwise he can spend on the card.

 

[cashkennedy]

There has been a lot of security issues with "chip and pin" because it was used to allow pins to be checked by storing the pin on the chip and thus not requiring any data connection to check if the pin was correct. This system is basically never going to be implemented in US.

Instead in US there is chip + signature, which 100% of the time will connect online to make sure the card is real / use the hash / cryptogram. This does not make sure the person hasn't stolen the card, just makes sure its the 100% original real card. So is more designed to prevent compromised readers / devices placed inbetween card and reader. It will not prevent someone from just stealing your wallet though and using the card.

 

[BlueMeanie]

Chip and PIN in the UK does do online checks. It is noticeable as you can tell the difference between a card machine that is using old dial-up vs one that uses the internet to check. (Really - there are many stores who maintain phone lines just so their older machines can make a slow dial-up check.... I often work with these machines when working with a Shop's IT needs as part of the day job)

This means stolen and fake cards are sifted out quickly. As well as those that have been used beyond their credit limits.

The chip is the all important part. As noted above, this works like your SIM card chips. No RFID \ NFC or anything here. As I understand it the PIN is checked when dialling the master computer at the bank. (Though I am not an expert). It is comical when there is a big outage at the bank and all the card machines go down!! If the line to the bank is down, there is no alternate method to take a payment. Certainly no PIN stored on the card.

The old mag Strip is also still available. This gives the retailer the choice of using the old "swipe the strip" method if something is wrong with the chip or the user forgets his PIN. Then the retailer has a choice to fall back to the Mag Strip and Signature method, but even then the mag strip is phoned in to the bank to be checked. The same reader that reads the CHIP can also read the mag stripe.

At least with this Chip and PIN method a stolen wallet full of cards is safe. Unless the mugger forces the PIN out of you at the same time. Which is where the Banks can use the excuse of "well, you revealed the PIN, so it is your loss..."


Oh - and note that card readers can still be cheated. There have been a few cases where a card reader in a lonely petrol station late at night has an extra reader attached to the front of it. Usually done by the scamming, underpaid, staff member stuck behind the till. So when you feed your card in, it goes through both the scam reader and the real one. This means you pay for your petrol as usual, but the scammer has picked up your card details in the process. BUT the only way for them to them make that fake card usable is to have a camera pointed at the card reader to watch you type the PIN.

Similar skimmers have been found on cash machines (ATM), but again they require something to separately record the PIN - either camera or fake number pad.



No matter how good you make the security, some scammer will find a way around it. Just like encryption on software licences/DVD/BluRay/etc - it all becomes a game to crack.

 

[cashkennedy]

Chip + pin was invented in 1995, I think the idea then / and what Wikipedia describes it as having an offline option that the card is programmed whether to allow or not. But yes it probably checks it online (or phone) the vast majority of the time now. The pin is also transmitted to the chip in the UK system which allows it to be nabbed in the middle (but now the terminal sends it to the chip encrypted generally). Pin could also be illegally captured with a fake keypad, or camera as you said.

And yes I know they can use dial / or offline. Ive ran my share of tranz 380's, Omni 3750s, and now ingenico ict250's. Dial is often easier because the terminals don't become forcibly obsolete every 5 years to force you to buy new ones.

I agree there's always the risk of the person stealing your card / viewing you enter pin / forcing you to tell them the pin. That basically can never be stopped, but that's only 1 card and the owner should report it immediately limiting the fraud. Chip + Pin and Chip + signature can both be stolen in this manner, just chip + pin being stolen is slightly less likely.

You can swipe if the chip fails, but the merchant is taking all the risk at that point, so why would they let you swipe unless they trusted you. The chip should stop all risk of people making fake cards , ASSUMING merchants don't stupidly accept transactions from swipe alone.

 

[cashkennedy]

http://en.wikipedia.org/wiki/EMV#Vulnerabilities

The section on the 2010 Cambridge discovery that you can use any number as the pin, shows that the pin is just checked against a stored pin on the card? Though it still connects to the bank to check for fund availability? In the US the pin is always transmitted to the bank to verify. Perhaps when chip + pin was invented they thought it was safer to send the pin to the chip, rather then use SHA-1 or whatever was around in 1995 to encrypt the pin and then to send it over unsecure phone / internet lines. (Which they would be partially correct since the encryptions used on PINs in those days are all now considered weak / and can be cracked.

 

[colinstu]

From everything I've read so far, the US roll-out is using EMV cards, and EMV defines standards for both contact and contactless chip cards. The current contactless cards being used in the US are all EMV-compliant, and all three use RFID. New US cards can either implement one method or the other, or both.

This post actually has a lot of good information about it..

http://www.flyertalk.com/forum/credit-card-programs/1304271-usa-emv-cards-available-today-chip-pin-chip-signature-247.html

I meant to say NFC, not EMV. Either way, there is no contactless tech with EMV.

 

[BlueMeanie]

The machines I have had some experience of have both telephone and Ethernet sockets. A call to the support guys will change the method that things are looked up. Like many companies, it takes a bit to fight through idiot call centre droids before you get someone with a brain to talk to. In the last few cases the support guy pointed out that the phone line may have been slower, but it was more secure as it was a dedicated line direct to the bank. Sending data over the web would rely on any encryption that was in use.

Plenty of hidden menus in the card readers we were walking through, which, of course, were all secured with a default password of 1111

And they have certainly upped the security on them, but I would not rely on some Wikipedia articles for accurate details. Of course entering "Any PIN" would not be acceptable. And certainly doesn't work on the standard card reader here in the UK. I know I make enough mistakes with my PINs that I am often needing to re-enter. Do three consecutive errors and you need to reset your PIN via the bank and\or ATM.

And yes - of course - if a card is swiped then the risk goes to the shop. But in many cases the shops will recognise their regulars and choose to take a risk or not.

 

[cashkennedy]

If the pin is stored in the card, and you make a fake version of the card, then the card could confirm the pin was correct regardless of what was entered. The Cambridge article mentions using 2 cards, the real one, and one that is programmed just to accept any pin. The real giveaway if the pin is truly stored in the chip would be if you have to insert your card into the ATM / or give it to a banker in order for them to program the new PIN in when you want to change it.

 

[AFD]

Either way, there is no contactless tech with EMV.

The EMV standard can use contact, contactless, or both. VISA's payWave, MC's PayPass, and AMEX's ExpressPay are all EMV compliant, and all 3 definitely use contactless RFID.

Everywhere else around the world using EMV is contact-only, but in the US, EMV will allow for contactless as well. Here's a good article discussing this..

http://paymentsviews.com/2011/08/22/emv-in-the-usa-a-mobile-commerce-jump-start-who%E2%80%99s-impacted-and-how/

 

[AVogel]

I just hope this new system is prohibitively expensive for the manufacture of the card; so much so that Discover stops sending me a new card every 4 months even though the expiration on the old one is 2+ years in the future.

 

[BlueMeanie]

I just hope this new system is prohibitively expensive for the manufacture of the card; so much so that Discover stops sending me a new card every 4 months even though the expiration on the old one is 2+ years in the future.

There is an easy solution to that... just give the spare cards to random people. Once you have lots of fraud entries on the account they will soon stop sending you new cards.

 

[Outamyhead]

My debit cards back in the UK had implanted chips since 2005, maybe earlier...almost 10 years late to the party American banks, I still love the excuse that "it costs too much to switch the technology", over having to recover hundreds of millions in customers stolen money.

 

[daglesj]

Buying gas in the US and Canada bothers me big time. When I turn up to a gas station I have to try to work out what the routine is at that particular station. Seems every station has it's own rules.

I pump, they pump, pay before pump, pay after pump, pay at the pump etc. etc.

Back home it's 98% of the time I pump and then pay. The other 2% is I pay at the pump and then I pump.