Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Businesses Security

Following Other Credit Cards, Visa Will Also Stop Requiring Signatures (siliconbeat.com) 171

An anonymous reader quotes SiliconBeat: Visa, the largest U.S. credit card issuer, became the last of the major credit card companies to announce its plan to make signatures optional... Visa joined American Express, Discover, and Mastercard in the phase-out. Mastercard was the first one to announce the move in October, and American Express and Discover followed suit in December... However, this change does not apply to every credit card in circulation; older credit cards without EMV chips will still require signatures for authentication... Since 2011, Visa has deployed more than 460 million EMV chip cards and EMV chip-enabled readers at more than 2.5 million locations.
"Businesses that accepted EMV cards reported a 66 percent decline in fraud in the first two years of EMV deployment," the article notes -- suggesting a future where fewer shoppers are signing their receipts.

"In Canada, Australia and most of Europe, credit cards have long abandoned the signature for the EMV chip and a PIN to authenticate the transaction, like one does with a debit card."
This discussion has been archived. No new comments can be posted.

Following Other Credit Cards, Visa Will Also Stop Requiring Signatures

Comments Filter:
  • by L. J. Beauregard ( 111334 ) on Sunday January 14, 2018 @12:41PM (#55927129)

    Does this also apply to merchants who won't turn on their damn chip readers?

    • I doubt it.

      It will only apply when the chip is used to authenticate the card.

      • I have an EMV MasterCard. Used it today, in fact, and was asked to sign. I don't think I have a PIN for the card.

        • by zifn4b ( 1040588 ) on Monday January 15, 2018 @07:15AM (#55930769)

          I have an EMV MasterCard. Used it today, in fact, and was asked to sign. I don't think I have a PIN for the card.

          You really don't seem to understand how credit/debit cards work. Unless you're getting a cash advance, credit transactions never require a PIN. Hence, why they all used to require a signature. That way if the cardholder disputed the charge, the merchant could represent the signature to the cardholder and say "is this your signature?" Debit cards, on the other hand, always require PIN's because it's a completely different type of network with different operating regulations. Visa/MasterCard use variants of the ISO 8583 specification whereas Cirrus/STAR/etc. use something completely different. And, by the way, if you have a debit card from a financial institution that is Visa or MasterCard this is why they tell you to always run it as credit. If you run it as credit, the merchant pays the interchange fees. If you run it as debit, the issuer does and in many cases passes the cost along to the cardholder.

          • by Wulf2k ( 4703573 )

            Speaking as a Canadian, credit card transactions always require a PIN unless they're small enough to go through with just the tap.

          • It can't be a "completely different type of network" when it's the same reader of the same chips on the same wires. Yes, it's different OPERATING REGULATIONS. And the biggest problem is that the US banks didn't set up PINs like the entire rest of the world, so they'll have to gradually phase them in and confuse people *again*.
            • by zifn4b ( 1040588 )

              It can't be a "completely different type of network" when it's the same reader of the same chips on the same wires.

              It is a completely different network. The first 6 digits of the card number are the BIN aka business identification number. What happens is at POS (Point of Sale) the information whether it was read off the magnetic strip or chip is sent to a payment processor. The payment processor then based on the BIN routes it to the correct issuing network (Visa, MasterCard, AMEX, STAR, Cirrus, etc.) What you may be quibbling about is the merchant payment processor vs. the issuer's processor. Yes, for a specific m

    • by Anonymous Coward on Sunday January 14, 2018 @12:54PM (#55927219)

      The signature isn't for verification. It's all about signing saying you agree to the charges and agree to pay. The signature doesn't even get sent to the clearing house. I've scribbled,signed heywood blowme, Dick Hertz, Mike Hunt,....and never heard a thing about it.
      The signature is just a stupid throwback to the days of the paper credit card slips.

      • by ShanghaiBill ( 739463 ) on Sunday January 14, 2018 @01:06PM (#55927297)

        Nobody, absolutely nobody, looks at the signature for anything. You can sign anything you want. You can just draw a horizontal line, or even just tap the pad. As long as at least one pixel is set, the card reader will accept the signature.

        • by fahrbot-bot ( 874524 ) on Sunday January 14, 2018 @02:30PM (#55927757)

          Nobody, absolutely nobody, looks at the signature for anything. You can sign anything you want.

          Many, many years ago, a friend asked me to buy something for him using his credit card, while he was at work. I signed the paper receipt "Eddie Van Halen". The cashier didn't look at or even care about the signature.

          For the record, I am NOT Eddie Van Halen (had to be said).

          • by zifn4b ( 1040588 )

            Nobody, absolutely nobody, looks at the signature for anything. You can sign anything you want.

            Many, many years ago, a friend asked me to buy something for him using his credit card, while he was at work. I signed the paper receipt "Eddie Van Halen". The cashier didn't look at or even care about the signature.

            For the record, I am NOT Eddie Van Halen (had to be said).

            That's because the signature is only relevant if the cardholder calls the issuer and disputes the charge. When the charge is disputed, the merchant will represent the signature to the cardholder. If the transaction settles and no one disputes, nobody cares.

      • They do get kept by the merchant

        If the charge is disputed and the merchant can't produce a signature (if that was used for authorisation) then the charge gets reversed.

        The person taking the signature doesn't care though, it's not their shop and not their money

        • by Bert64 ( 520050 )

          If the merchant hasn't got a signature on the card receipt they can just draw one on there themselves. It means absolutely nothing.

    • The merchants that won't turn on their chip readers are already penalized (since 2015) by being liable for in-person fraud [visa.com] against their terminals, if the card used was chip-capable. In other words, both issuers and acquirers are incentivized to adopt chip-card.

      For some merchants, however, the cost of a chip rollout might be more than the cost of eating the liability. The example that comes to mind is gas stations -- they have lots of readers, which are built directly into the pumps and not modular in any m

    • by DogDude ( 805747 )
      It has nothing to do with merchants. It has to do with particular software stacks not being "certified" as "PCI compliant". Visa/MC handled this very badly, and of course, we've got no real guidance or regulation from our federal government, so the transition has been a shitstorm in the US.
      • by Cederic ( 9623 )

        I was in Morocco 3-4 weeks ago and if you wanted to pay with a card, it had to be chip & pin.

        Are you telling me that the US is less sophisticated than Africa? I guess I can believe that.

    • Of all the places I shop only two stores have not adopted a chip reader. They're both liquor stores if that matters.

      I believe they're both of the mindset that swiping a card through their magnetic readers has always worked before so why should they change things?

      And perhaps they're wise to do that. There is a 3rd liquor store that I sometimes go to and they have an Apple POS (point of sale) system. It's incredible. I have never seen an Apple POS system other than that place.

      I don't know if i

    • Does this also apply to the US financial industry who insisted on NOT implementing the PIN requirement?
  • by whoever57 ( 658626 ) on Sunday January 14, 2018 @12:47PM (#55927163) Journal

    From TFA:

    "In Canada, Australia and most of Europe, credit cards have long abandoned the signature for the EMV chip and a PIN to authenticate the transaction, like one does with a debit card."

    That sentence is missing the word "require": "and require a PIN" . This changes the meaning, since in most of Europe the signature requirement has not been dropped, it has been (mostly) replaced with a PIN. I believe banks in Europe will still issue chip-and-signature cards to elderly people on request.

    [I now await the replies pointing out the grammar errors in my post. Also, my recent experience is limited to the UK -- perhaps it is different in other European countries, but I don't think so].

    • by PvtVoid ( 1252388 ) on Sunday January 14, 2018 @01:02PM (#55927275)

      This. Transaction verification is a long-solved problem that Americans refuse to adopt because we're too fucking stupid.

    • by batkiwi ( 137781 )

      In Australia anything under $100 doesn't require a PIN (and most people use tap-to-pay for years now)

    • I believe banks in Europe will still issue chip-and-signature cards to elderly people on request.

      That varies greatly by country and also varies greatly by utility. e.g. Public transport ticketing machines around here don't accept chip and signature cards.

    • by rhazz ( 2853871 )
      The sentence is also partially misleading. In Canada the contactless Tap & Go [globalnews.ca] method for purchases under $100 has been growing for years. You just tap your debit or credit card on the handset rather than inserting the chip. Not sure if mastercard owns this tech but I have it in both my mastercard and my bank's debit card. For $100+ you still have to do chip & PIN, but otherwise it's just super fucking fast. Most businesses with third-party card-scanners support them, whereas some larger retailers wi
  • Europe has this right: Any in-person transaction requires you to enter your chosen PIN. It's simple, it's fast, and it protects your card from unauthorized use if it's stolen.
    • Europe has this right: Any in-person transaction requires you to enter your chosen PIN.

      How can I use an American credit card in Europe?

      • by r1348 ( 2567295 )

        Most card readers in Europe still have the magnetic reader for legacy reasons, but some newer implementations (i.e. self-checkout stalls in supermarkets) are dropping it. Actually, most cards in Europe now are contactless.

        • Actually, most cards in Europe now are contactless.

          That is a bit of an exaggeration. About 40% of cards in the north European country where I live are contactless. And for purchases below a certain amount, typically 35 Euros, you don't need to enter a PIN. The limit varies between countries and some have no limit.

          • 35 should be 25.
            • by r1348 ( 2567295 )

              Same here, I live in Italy, both debit and credit cards issued by my bank are contactless and the no-PIN limit is 25€.

              • by Cederic ( 9623 )

                It varies by country - I'm not sure if it can vary by merchant too.

                What tends to happen is that a small percentage of contactless transactions are validated for funds available, and potentially some could be validated by PIN, but the rest are taken on faith and so the limits are kept low enough for the merchant and card provider exposure to be manageable.

                I'm not actually sure who takes the fraud hit for an unchecked contactless payment. I'll have to do some research.

      • by gaiageek ( 1070870 ) on Sunday January 14, 2018 @01:28PM (#55927419)
        If you use an American credit card in Europe you still sign (most U.S. cards). The card issuers decide the priority of authentication methods, i.e. signature vs PIN (which has sub-variants), and the vast majority of U.S. card issuers go with signature verification as the first priority. Europe has PIN as the first priority.

        Paying with a credit card at supermarkets in Europe is a great way to stand out as an American, as you hold up the checkout line that extra 10 seconds
        • by quetwo ( 1203948 )

          Last time I was in Germany (a few years ago), I was at a deli and I did the EVM thing. All of a sudden the register beeped and spit out a receipt for me to sign. I already had the pen in my hand by the cashier had no idea what was going on. It was the first time they had ever seen the receipt print out like that and ask for a signature.

          I think in the grocery store, they had at least seen it a few times. I couldn't use that card at all for the train since the PIN function had been blocked, and the termin

      • by swimboy ( 30943 )

        How can I use an American credit card in Europe?

        Some credit card issuers will assign a PIN to your credit card if you request it. That way, when you go to Europe, you can use your card just like everyone else.

        • Having a card with a PIN doesn't mean you can use it instead of signing. It all depends on the priority list of the CVM (card verification method) for that card. There's a good searchable database of U.S. cards here [spotterswiki.com]. Browse it and you'll see that most credit cards have signature verification at the top of the list.

          The result is that while you may have a PIN, you'll still be asked for a signature when you check out at the supermarket in Europe (unless the store doesn't offer it, but this would just create
          • by swimboy ( 30943 )

            Interesting. My bank isn't on that list, and I only used my card a few times the last time I traveled (ApplePay worked just about everywhere), but when I did use my card, I always validated with PIN and not signature.

      • The terminal tells the cashier to get a signature from you. There's no line on the receipt for it, but they'll ask you to sign.

        I had this exact answer when I was in the Paris airport a month or so ago, and that's what happened.

      • Europe has this right: Any in-person transaction requires you to enter your chosen PIN.

        How can I use an American credit card in Europe?

        Apple pay, Google Pay, Android Pay or some other semi proprietary payment conduit seems to work in some places. Hotels will accept everything. For everything else, carry cash.

    • Why is a PIN better protection than the ability to chargeback?

  • by Vektuz ( 886618 ) on Sunday January 14, 2018 @01:27PM (#55927409)
    From TFA, for those asking instead of reading, April 2018 is when the signature requirement will cease.

    Most supermarkets already have some sort of deal where signature is only required on purchases larger than $50 anyway.
  • Chip and pin is still around in Canada, but the vast majority of the time we just tap the card.

  • by markdavis ( 642305 ) on Sunday January 14, 2018 @02:10PM (#55927655)

    >"In Canada, Australia and most of Europe, credit cards have long abandoned the signature for the EMV chip and a PIN to authenticate the transaction, like one does with a debit card."

    We never needed a "chip" in the first place. Many millions of dollars wasted to overhaul everything- replacing readers, putting in chips, replacing all cards, updating interfaces and software- and still no PIN! A PIN code is a password. If required, without it, a card would be useless (at least in physical transactions, which is all we are really talking about anyway, since on-line can't use "chip readers"). Doesn't matter if it is a valid card, a stolen card, or a "made up" (cloned) card- put in the wrong PIN too many times and POOF, the account is frozen.

    A password/PIN is required for my phone, my Email, my work account, Slashdot, my bank card, voicemail, calling to discuss my cable TV account, just about everything.... except credit cards??? Do they REALLY think people can't handle at least a freaking 4 digit number password in 2018?

    >"Businesses that accepted EMV cards reported a 66 percent decline in fraud in the first two years of EMV deployment,"

    Add a PIN, and then get a 99% decline in in-person fraud. Again, chip security does NOTHING for online security. Develop a PIN for use online and watch fraud drop tremendously there, too.

    • Oh, followup to self- although we can't seem to manage a PIN code, nearly every gas pump asks for my 5-digit zip code as an effective security measure against lost/stolen cards. So someone, please tell me why this would be so difficult???????!

      • nearly every gas pump asks for my 5-digit zip code as an effective security measure against lost/stolen cards

        Effective ... I don't think you know what that word means.

        • It means when your card is lost or stolen, the perp often will have no idea what your zip code is and thus cannot use the card. I said it was effective, I didn't say it was 100% effective.

          • So not only do you not know how the PIN system works, but you also have no idea of the purpose of the zip code. The ZIP code does nothing to prevent someone buying something. All it does is settle assign fault between you and the merchant in the eyes of the bank.

            Just because you get refunded doesn't mean fraud hasn't taken place and that someone isn't out of pocket for stolen goods. the ZIP codes are precisely 0% effective at preventing fraudulent transactions.

            • This simply isn't true. When you buy gas at a gas pump, the ZIP is submitted along with the mag stripe data and, if it doesn't match, the transaction is declined. I can speak to this first hand as we recently moved and I accidentally (due to habit) entered my old zip code and wasn't able to get the pump to activate until I entered the correct ZIP.
              • This simply isn't true. When you buy gas at a gas pump, the ZIP is submitted along with the mag stripe data and, if it doesn't match, the transaction is declined.

                You found a rare edge case. I used to think it was done for marketing purposes so I entered random ones. Never been denied gas. Mind you if I went to the trouble of stealing a credit card, filling up my tank would be low on the list of expensive purchases, and filling up the tank is about the only time I've ever been asked for a zip code.

                Again worthless for fraud prevention.

      • by Cederic ( 9623 )

        I fucking hate filling a car in the US because of this. I don't have a fucking zip code, I can't enter one, and I don't know how much fucking fuel this shitty hire car needs so I can't easily tell the guy at the desk how much I want to prepay.

        Makes filling the car a seriously fucking stressful activity for me. Why the fuck can't I just put fuel in the car, walk in and pay? Works everywhere else in the fucking world.

    • a card would be useless

      The move away from mag stripes to chip in the US wasn't due to stolen cards, it was due to insecure card readers. True, patches had been released for the card readers that the merchants hadn't deployed, but still. Instead of another round of cat and mouse they finally decided to take the plunge and start deploying chip readers. A chip with no pin is more secure than a mag stripe with no pin, because now there's less of an attack area with the card reader.

      So stolen card remains an equal issue, but hacked car

      • by DarenN ( 411219 )

        You must be joking!

        The primary reason for the move is that mag-stripe skimming and cloning is so simple that it's costing the merchants and the card networks billions. The only people who don't care are the customers (because it doesn't affect them) and the acquiring banks (because they don't eat the charges). The delays in adopting are all about cost. The US was the first place to go with card payments, so you guys have the oldest infrastructure, and unlike most of Europe where the issuing banks also acqui

    • by ledow ( 319597 ) on Sunday January 14, 2018 @02:40PM (#55927807) Homepage

      Your PIN is your signing key. It encrypts the data to the bank such that only they can read it, think of it like that.

      Just transmitting card number + PIN is no more secure than just card number + expiry date, really.

      But transmitting card number + nonce generated a secure chip on the card, signed with the user PIN and an internal incrementing number from the chip itself and presented to the bank? Now replay attacks are useless and even knowing card number + the PIN itself doesn't help.

      You now have to physically have THAT card itself to make it work (worst you could do is a "cardholder not present" transaction otherwise, which doesn't need the PIN anyway). In the same way, your example of card number + postcode (also used in other countries) shouldn't be enough on its own either.

      Though I hate Chip And PIN for many reasons, yours aren't any of them, and it's undeniable that nobody bothers or is even capable of verifying signatures at all. And it has significantly reduced fraud.

      Until, that is, we went stupid and put NFC payments on the same card so any kind of temporary physical proximity is enough to charge, even without the user knowing. But that's another matter entirely.

      And I don't know about you, but my card provider has online challenges at online stores if I don't use the card very often there or if it's an unusual transaction - by way of asking for a password that I NEVER use at a cash machine or anywhere else - only online. Verified By Visa and/or Master SecureCode.

      Your problem is that you don't understand what the PIN is actually doing. Asking for a PIN doesn't work how you think - you use the PIN to unlock the chip on the card which is than able to sign a transaction and give a signature (AuthCode) that you then give to the vendor from where the bank can confirm the transaction came from your card itself.

      Because unless you want to give everyone on the planet a way to present data to the secure chip and read responses (probably not good for customer ease of use) by way of some kind of chip reader that plugs into every possible smartphone and every computer, then it's not useful to have every online transaction require a PIN any more than an expiry date or postcode. And, in fact, is why those online system exist with an ENTIRELY DIFFERENT code that only works online. Hell, they even present a custom challenge so you know you're not being tricked into entering your code online on a fake site (i.e. only Verified By Visa and I know what text it should be putting in the box that asks me to verify my code).

      Rather than complain about something you don't understand, use it and test it and investigate it. The reason Chip & PIN is there and works is because someone sat down, thought of all the use cases, thought of the attacks, and designed a single cheap chip that could solve most of them effectively enough for pennies-per-card (I've never been charged for a replacement credit card in my life, and chip-bearing smart-cards are so cheap as to be throwaway items if you have any dealings with them in access control / banking / code-signing / etc. applications).

      I haven't even signed my last four / five cards (all of which reached their expiry dates), because NOBODY uses the signature and nobody even queries it any more. That's how long other countries have been using Chip & PIN.

      Plus... you DO NOT want some cheap random bit of hardware interfacing with your card and just needing to send it a PIN that you type in plaintext onto it to unlock. You'd hope that such devices would at least have to have some kind of bank / merchant secure certificate to sign their part of the transaction to help you a) stop people just playing with credit cards using hobbyist electronics, b) require some form of device certification to be able to talk to your card, c) provide some security over the interface, d) provide some accountability should someone just start cloning a particular card reader that you issue out.

      Chip & PIN has many holes. But you don't see that because you don't even understand the purpose of the PIN in the first place.

      • Until, that is, we went stupid and put NFC payments on the same card so any kind of temporary physical proximity is enough to charge, even without the user knowing.

        You don't implement NFC + pin? My bank makes it opt in to not use the pin for NFC transactions below €25 with the explicit point that I would be liable for the €25 of fraud.

        Then there's the random asking for the pin periodically anyway, and asking for the chip periodically as a security measure too (I think it asks for the pin every 5 transactions even if they are below the pin threshold).

    • The PIN is typically verified on the card itself, not transmitted to the back end. The card has protection such that N={3 or 5} incorrect PIN entries will lock the chip, and it will not vend a signature over the transaction until it sees the correct PIN. That protection is implemented in the card software itself.

      [ Well, actually, there are both online-PIN and offline-PIN scenarios. But most of Europe is offline-PIN. US Debit transactions are online PIN, but that has its own issues.]

      Develop a PIN for use online and watch fraud drop tremendously there, too.

      Either that or the first

    • Develop a PIN for use online and watch fraud drop tremendously there, too.

      One of them is called "Verified by Visa"

    • by DogDude ( 805747 )
      Add a PIN, and then get a 99% decline in in-person fraud. Again, chip security does NOTHING for online security. Develop a PIN for use online and watch fraud drop tremendously there, too.

      Visa/Mastercard write the laws. The credit card laws in the US say that the merchants are responsible fro any and all fraud. Visa/MC simply don't care, and have no reason to.
  • Can't say I've had anyone ever check my signature before.
    Plus it changes on a daily basis.
    Zero security.

  • Does anybody know why? Why is the USA having such a hard time getting chip and PIN working? It seems very odd to me that the US is so far behind the rest of the world.
     
    We have had chip and PIN here for about 8 or 10 years. I think I saw my first American portable chip terminal last summer at the Minneapolis airport. Up till then the servers still walked away with your card (how sketchy is that!), and then brought a piece of paper for you to write your name on.

  • Welcome to the new millennium!

    Just wait *another* two decades and "tap" cards will totally blow your minds!

Genius is ten percent inspiration and fifty percent capital gains.

Working...