Why does the introduction of chip & pin appear to be so controversial in the United States?

Question

The past few weeks there have been many news articles about the introduction of chip & pin in the United States; most of these articles are against it and citing such 'issues' as:

"Some people are experiencing a 20 second wait times with these chips," said Avivah Litan, vice president and analyst at Gartner Research. "We're a more rushed society than anyone else. So me, I'm going to be a little mad when I have to wait longer at checkout. You have to wait until the very end to get your card."

We've had chip & pin in Europe for years and I noticed that the time taken to complete a card transaction is actually longer when I have to swipe & sign. The explanation behind the 20 second wait time could easily be that the system hasn't been fully adopted yet, and as such it can be slow.

"It's easy to forget your card in the reader," said Nick Leffler, another credit card user who has been using his card at retailers that have already installed the new terminals.

I've never heard of anyone forgetting their card in the reader, but then this might simply be down to the fact that it's 'new technology' in the U.S.

As it becomes more difficult to skim and copy physical cards, many experts actually predict an increase in online fraud.

Besides the chip & PIN, I don't see how it would increase the chance of fraud online, especially since most other countries already have the system.

Source: time.com

This is just from a single article, I used this Google search and there are many more results just from Time in regards to the risks of the chip & PIN system.

My question is, why exactly is the system so controversial in the United States? It's not like it's a brand new system.

Answer 1

The way credit and debit cards work in the US, all liability for unauthorized purchases is on the card issuer and/or merchant, not on the cardholder. Customers have no reason to want measures that increase evidence (and perceived certainty) that they authorized a purchase, and every reason not to want it. The same applies to "Verified by Visa" and similar systems for online card use - they protect the merchant and/or card issuer at the cardholder's expense.

Here's a great real-world example from another money.SE question: Dispute credit card transaction with merchant or credit card company? See in particular these comments:

Since merchant does not have my signature, can that be used as a proof that credit card transaction should not be honred? [sic]

I seriously doubt it. The proof of physical presence is the chip, not the signature.

Answer 2

An article describing the risks of "chip and pin", along with related economics and regulatory issues, appeared last year in Communications of the ACM. The ACM is one of the two major organizations for computing professionals in the U.S. See http://cacm.acm.org/magazines/2014/6/175170-emv/abstract

Two points the authors make in their conclusion are:

• The good news is that EMV systems have been deployed in Europe for 11 years now, and there is a lot of experience to build on. Almost everything that could go wrong, has gone wrong: several protocol flaws that allowed attacks nobody had anticipated; tamper-resistance that did not work; certification schemes that turned out to be a sham; and evidence-collection systems that were not fit for purpose.

• The bad news is that the interests of banks, merchants, vendors, cardholders, and regulators diverge in significant ways. In Europe, many failures were due to banks dumping liability on merchants and cardholders, who were in no position to defend themselves. In the U.S., the dynamic is different and more complex, with the main fight being over the interchange fees the merchants pay the banks for processing their transactions.

The article has an interesting discussion and comparison of the "chip and pin" and "chip and signature" schemes. I recommend reading it at your library, if it has a copy.

Answer 3

It isn't controversial, per se -- it's just expensive. We have a huge established base of magstripe -- or keypad! -- billing terminals, and of software to support them. The credit card companies don't want to have to pay to replace those, nor do the stores. Arguably it's recently become a bit worse with all the tablet/smartphone stripe readers now on the market.

Customers will need to start demanding chipcard support, I suspect, to make the cut-over happen.

Note that I'm not offering an opinion on the situation, just clarifying why it hasn't already happened.

(Note that this is the same reason the US is still primarily using land-line phones rather than switching over as thoroughly as some other countries to cellular. We had a huge existing investment in copper running to every house; it's easier to continue using that and to move to new technology comparatively slowly.)

Answer 4

As someone who has worked with merchants (in a cybersecurity and PCI compliance consulting role), and has often--alas, often unsuccessfully--advocated to one client or another that they move to EMV (ie. "chip"-card) compatible readers or terminals in a timely fashion I feel an irresistible impulse to offer some thoughts here. Why has EMV adoption in the U.S. has been slower to this point than one might have hoped? Well...

The most important reason--not the only reason, but the most important reason-- that the U.S. has been slow in adopting EMV is simply that regulatory authorities have taken much, much longer to require that merchants support chip-card transactions than they have in other parts of the world. In the U.S. the question of when merchants (and payment processors) must move to supporting EMV has been left to the Payment Card Industry's ("PCI') self-regulatory council. The PCI Council has been very slow in prodding U.S. retailers to buy new Point-of-Sale equipment that can handle chip-card transactions. Before that, the PCI Council was slow in compelling the payment processors who take card data from those merchants to update their equipment and software to handle the new transaction type. (Although that's now pretty much in place.) And when I say PCI has been slow, I mean slow. In fact, despite the degree of public attention that's come to the EMV adoption issue as merchants have been confronted by the deadline for liability shift that just this month passed here in the U.S., there is still no, actual firm, you-must-support--EMV--by--this-date PCI rule in place for merchants. In other words, if you're a merchant and you don't see any reason to use anything for card processing beyond a 10-year old magnetic stripe reader hooked up to your 8-year Point-of-Sale PC, as long as you're willing to bear the (hypothetical, potential) risk of liability for unauthorized charges in some circumstances there's still nothing from the PCI Council that says you aren't allowed to keep on going on like that. Will there be, someday? Yes. But not yet.

Sigh.

But now we're left with another question: why has the PCI Council been dragging its feet on requiring that merchants accept chip-card transactions? Well, we're kind of necessarily starting to go from fact territory to opinion & speculation territory here, so I won't dwell on this point. I'll just say that in my estimation the PCI decision-makers have been very, very, very sensitive to the concerns of merchants on this issue. Too sensitive. For merchants, buying and setting up new card readers or terminals that can handle chip-card transactions often looks like nothing more that a source of expense (and, potentially, some configuration pains here and there) that doesn't directly benefit them in any way. This perspective is wrong, mind you. (I won't go into the details of why here; suffice it to say PCI compliance & cybersecurity stuff). But the PCI Council, in the past, has proven very deferential to it. We will see if the numerous and awful credit/debit card info breaches that have occurred here in the U.S. the past couple years will lead to a lasting change in this attitude (ie. a shift in priorities to being more protective of the interests of consumers who have their card data stolen and of banks/card issuers who must still usually bear the financial consequences of unauthorized transactions). But for now the Payment Card Industry is still partly dragging its feet.

Oh, one final thing: you may be surprised to learn that even at U.S. retailers who have adopted chip-card compatible terminals use of the "chip-and-pin" procedure, as you folks in Europe know it, is still quite rare. Instead, "chip-and-signature" transactions are the norm. In these scenarios the chip is inserted into the reader/terminal in the way that you do it, but after the "dipping" of the chip into the reader is complete rather than enter a PIN a user merely needs to sign a paper receipt. This practice is not as secure as chip-and-pin, and everyone knows it isn't as secure as chip-and-pin. But, again, the Payment Card Industry decision-makers aren't in any urgent hurry. The speculation is that, say, 2-3 years down the road a rule requiring PINs instead of just signatures will be put into place. Maybe.

Anyway, just a perspective of someone who's worked on the ground to try to hasten EMV (and chip-and-pin) adoption where I could. YMMV.

Cheers.

PS: Typically, chip-card transactions do not take much longer than magnetic stripe transactions. By that I mean that, as things stand today, when everything's set-up correctly, on both the merchant's end and the payment processor's end, and working properly chip transactions should only take slightly longer than magnetic stripe transactions. (Meaning a few seconds, perhaps.) If a chip transaction is taking 20 seconds longer something is most definitely askew somewhere.

Answer 5

I develop point-of-sale software, and I'm not aware of any controversy. From my perspective, merchants are eager, consumers don't care, and processors are dragging their feet.

The real issue seems to be that the shift in liability does not create an economic incentive for payment processors to convert their systems. Once the processors are EMV-capable, they will briefly enjoy a transfer of liability to merchants who have not upgraded. But when the merchants upgrade, the liability will return to the processors. So it's only economical for the processors to convert to EMV if doing so will result in a significant long-term reduction in liability. According to some sources, that's questionable. Not only are there doubts (which may be FUD) about the security of EMV itself, but many merchants will still need to accept online or telephone payments, and criminals will likely shift their attention to those transactions.

Answer 6

I would have trouble saying this is controversial. I think that most people haven't even heard of it. I've had a chip in my cards for a while, but it's only in the last few weeks that it was even used. (In the most recent case, the system failed and the clerk had to swipe anyway.) The PIN, if we ever need one, seems like a hassle, but so far even with the chip, I need no PIN.

Most likely people who post online voluntarily are going to be the ones who are grumpy. In addition, this is the type of technology that's not going to excite consumers - Either you find a reason to dislike it or you just roll with it and don't care. Finally, there's the general factor that people don't like change. Overall, though, I think it's a blip in the news cycle and nothing more.

Answer 7

I work in the electronic banking department of a large multi-national bank; in a country where chip and PIN has been mandated for many years.

The normal scenario that you face when using a debit or credit card that is chip-and-PIN enabled is nothing like what was described by kape123, it goes like this:

1. You walk up to the counter and start unloading your groceries onto the conveyer belt.

2. The cashier starts scanning your groceries as you wait/see what is being scanned.

3. Once all the groceries are scanned, the cashier asks you how you like to pay. You say card.

4. Cashier asks for your card, inserts it into the POS machine, enters the amount and hands the POS terminal to you, where you verify the amount and enter the PIN; and you hand the terminal back to the merchant.

5. The transaction is posted and the terminal prints two receipts; one for you and one for the merchant.

6. Merchant hands you back your card with the receipt.

7. You pick your groceries and go on your merry way.

The entire process is 15 seconds if that. The majority delay is when the terminal is trying to connect to the payment network - which is the same delay that you would be facing with the swipe and sign method currently in the US.

I don't know where all this FUD is coming regarding fraud; what I can tell you in terms of reality is that the majority of fraud transactions happen in the US.

This is because only in the US does skimming/cloning pay off for fraudsters. Of course, not all is the fault of the US or their merchants; if the issuing bank chooses (or the acquirer bank) they can disable swipe transactions or otherwise limit their use (such as putting a financial limit on them); but then again, this is not something mandated by any regulation so it's up to each bank to decide their own policy on this.

Answer 8

TLDR: Within the US, retail point-of-sale systems accepting the new chip have done so with a user interface that makes transactions quite noticeably less convenient, with no visible benefit to the user.

--

As someone who lives in US and was recently forced to get a chip credit card, I may give you my personal observations about the recent roll-out.

To be sure, this is being blown out of proportion by popular media... as most everything is nowadays. This contributes to a toxic environment in which it's hard to get to the core of the problem, as evidenced by comments on this page that talk about "dumb Americans", "US is so behind in many many ways, they need to catch up", etc..

At its core this is simple "software is changing, it's natural to expect productivity drop at first" problem. Previously, here in US you had swipe and sign system. Terrible from security standpoint obviously... yet chip is not that much better.

But, terminals were fine tuned for swipe and sign, users knew how to use it and all of the "unauthorized transaction" burden was on companies who issue credit cards. Let me give you a concrete, personal example of my purchase in Walmart. Previously, here is how checkout process went:

1. Cashier starts scanning my groceries
2. I would swipe card while cashier is working on scanning and packing
3. Cashier is done, signature dialog pops up, I sign, done

When I first went to Walmart with my new card, here is what happened:

1. Cashier started scanning my groceries
2. I swiped the card... got a message that I need to insert the card instead
3. Luckily I had experience with chip technology so I knew how to insert card — if I didn't obviously I would need 10-20 seconds from cashier to explain
4. "DO NOT REMOVE CARD" dialog showed. Now, I could no longer see the list of groceries being scanned... meaning I had no idea if cashier inadvertently miss-scanned something.
5. I've removed card and "groceries scanned" list showed... I've started waiting for all groceries to be scanned
6. Once done with scanning cashier asked me to insert the card, which I did
7. She waited for dialog on register to allow her to process transaction
8. 5 seconds later terminal started beeping, "TRANSACTION DONE, REMOVE YOUR CARD"
9. I've started to walk away with my card and cart, but cashier told me to wait - I needed to sign
10. Went back to terminal and signed the dialog that popped up - finally done.

Obviously, my next checkout was a bit faster, but even a perfectly-trained customer would be unable to carry out the new procedure as fast as the old one. Even for transactions small enough to not require a signature, it forces the customer to wait about five seconds after the clerk is done before being able to remove the card; if it takes another four seconds for the customer to put the card away that's nine extra seconds added to the transaction. Technical improvements might reduce the five-second delay, but unless the customer can put away the card before the transaction is complete the extra four-second delay will be unavoidable.

Answer 9

From the consumer point of view (and that is all I am addressing in this answer), the change is pointless. People don't understand credit card security, what problems the chip solves, or that there's even a problem. The change to chips appears to bring them no value, just change and hassle. If people feel secure they will not value increasing security, even if they are told they are insecure.

People aren't aware just how easy it is to commit credit card fraud with a swipe card. If customers are aware of credit card fraud, they're vaguely aware of identity theft or something about using their card online.

All you need is a credit card number and you can create a swipe card that will work in any swipe reader. Nobody checks signatures. Credit card users don't think about this, same way they don't think about how easy it is to pick a lock in their home (or break a window). But credit card companies do, all the time, because they pay for it by law.

The consumer is kept unaware of this problem by throwing the liability onto the credit card processor, insurers and the merchant. This is by design, it's worth it to the credit card companies to keep consumer confidence. If the consumer were liable for fraudulent use of their card, people would use credit cards less and the credit card companies would make less money than they're making now just paying off fraud.

Now chips are introduced. It isn't obvious how this is any more secure to the consumer. The consumer hasn't been kept safe from this security problem, so they don't even know it exists. The consumer has no interest in change, they don't know why it changed. The old way seemed to work fine, why change it? Banks are already held in low regard, so the change is going to be attributed to something sinister, self-serving or incompetent. All they see is hassle to benefit the bank. Every single little change, whether for the good or bad, is seen as pointless.

Small merchants are in a similar boat. They have to change their procedures and change their equipment all to solve a problem they don't fully understand. However, merchants can be given financial incentive to switch by increasing the fees on swipe cards (or decreasing them for chip & pin). Consumers get no such incentives.

And there's a chip in it, so conspiracy theorists have something to get excited about.

Answer 10

I think the sentiment among many who have answered here (that there is not much incentive given the liability structure in the US) is certainly correct, and it explains why chip and signature has gained some traction while chip and pin has not, but I think there is an additional element at play here.

I think most consumers are looking forward to a future technology that allows all payments to be done with a mobile phone so that they can leave their wallets at home (or significantly reduce their holdings say with a drivers license holder in their phone case). Google Wallet and Apple Pay are already usable in many stores, so why use an old technology that never caught on?

I am personally looking forward to the day that I can fill up the cart and walk through a scanner on my way out the door. All the RFIDs on the items I purchased will allow for a receipt to be created on my way out the door, and my phone will provide the payment information. Why should I wait in a line at all?

Answer 11

RE Bob's point: "As it becomes more difficult to skim and copy physical cards, many experts actually predict an increase in online fraud."

The chip card enables each transaction to have a unique authorization code, not the card number. The gist is that the magnetic card can be easily duplicated. The chip card cannot be duplicated. So using a duplicate card in the store with a chip reader is theoretically impossible.

When you buy on-line from your computer there is no chip card reader. On-line purchases just use the card number and the PIN code printed on the back of the card. So anyone who has seen the card has all the necessary information to use the card on-line.

So the chip card is expected to greatly lower in store fraud. However it is anticipated that fraud will move from the store to on-line purchases.