The Long, Slow Demise of Credit Card Signatures Starts Today (cnet.com)
Last year, all four major U.S. payment providers -- Mastercard, Visa, American Express and Discover -- announced plans to remove the requirement that merchants collect signatures for card transactions. Those plans officially go into effect today, or Saturday in the case of Visa. CNET reports: [D]on't despair if you actually like writing your signature at retail stores, because their ultimate demise will likely take a while. The change is only optional, with merchants, not customers, given the new power to decide whether to get rid of signatures. So, if asked to sign, please don't insist to your next cashier that you no longer need to -- it won't work. Also, plenty of retailers will likely want to keep signatures, particularly if their workers are paid based on a lot of tips, or they sell pricey items. Still, the change marks a clear awareness from payment providers that the signature doesn't really work as a strong protector against fraud.
The change is being handled a little differently by each payment provider. For instance, Mastercard, Discover and American Express said they'll let retailers make every kind of card payment optional for a signature, regardless of whether you've got a new chip card or you still swipe. Visa, meanwhile, isn't changing its requirements for payments using a swipe card, but it did relax its policy for chip card and contactless payments like Apple Pay. Visa noted that over 75 percent of face-to-face transactions using its cards in North America already don't require a signature, thanks to lower-value transactions.
Hey USians! (Score:3, Informative)
... welcome to the year 2000!
By the time the rest of us are authorizing credit purchases with telepathy, you'll probably *JUST* be introducing the "tap & go" LOL what a fucking backwater...
Re: (Score:3)
You're just wrong. We have the best internet, highest quality healthcare (and cheapest), and the best educational system ever.
Some people are so stupid they just don't know it.
Re: (Score:2)
Yes, but we effectively have zero consumer liability for fraud. Pick your poison; not sure I want EU-styled consumer liability based on a PIN code alone.
Re: (Score:3)
Yes, but we effectively have zero consumer liability for fraud.
That means little in reality. Plenty of fraud is for small amounts that slip by without the consumer bothering to inquire about an $8 charge on their card. For big charges involving identity theft, the burden is on YOU to prove the transactions were fraudulent, and even if you are successful, you may spend hundreds of hours, and have your credit ruined for years.
Pick your poison; not sure I want EU-styled consumer liability based on a PIN code alone.
So here are the choices:
1. Security based on a PIN that is under my full control, and can be changed if compromised.
2. The American way: Secur
Re: (Score:2)
Yes, but we effectively have zero consumer liability for fraud.
That means little in reality. Plenty of fraud is for small amounts that slip by without the consumer bothering to inquire about an $8 charge on their card. For big charges involving identity theft, the burden is on YOU to prove the transactions were fraudulent, and even if you are successful, you may spend hundreds of hours, and have your credit ruined for years.
Pick your poison; not sure I want EU-styled consumer liability based on a PIN code alone.
So here are the choices: 1. Security based on a PIN that is under my full control, and can be changed if compromised. 2. The American way: Security based on my SSN and DOB, which are unchangeable, and have already been compromised a dozen times.
Golly, that is a tough decision.
And in Europe all cards are Chip-and-PIN, and therefore cannot be skimmed. So a fraudster would have to have your actual card as well as your PIN.
Re: (Score:3)
My bad, I thought this was /. where people knew at least a tiny bit about the tech...
It's harder, but by no means impossible, to read and duplicate a chip card. You do also need the PIN but there are plenty of examples of that being compromised with cameras primarily but also with hacked keypads and other means.
It's significantly harder to skim a chip-and-pin vs mag stripe (mag stripes were never secure, only slightly obscure ... for a while) but it can, has, and will still be done fairly regularly.
Re: (Score:3)
; not sure I want EU-styled consumer liability based on a PIN code alone.
It would have been easier to say "I get my information about the EU from Fox News."
Chip cards (Score:2)
Early 1980s already had chip cards, mostly used for phone booths (remember, back in the dinosaur era when your phone couldn't fit in your pocket and you needed to call from public ones).
Wikipedia mentions in French the "Télécarte" in France in 1983 as a first massive deployment beyond local tests
The patent itself dates back from 1974 [wikipedia.org].
The first chip payment system is the "Carte Bleue" in France, 1986 according to Wikipedia (and by 1992 there was nothing else but chip cards)
Germany also had G
Re: (Score:2)
You think signatures are bad?
Americans still use cheques - sorry, checks, and they actually get physically moved around between banks, and eventually returned to the writer.
Another thing: Americans still have pennies in circulation. Worth less than a Euro-cent! It's insane.
Something costs 99c, you hand over a dollar (in paper money I tell you! not a coin), the clerk then says you need another ten cents because the 99c did not include tax, so you find a dime (almost worthless) and then get a penny in change.
Re: (Score:2)
Americans still use cheques - sorry, checks, and they actually get physically moved around between banks, and eventually returned to the writer.
That hasn't been true for over 15 years. Once it was allowed to pass around just the image of the check (back in 2001 or so), they got scanned and shredded early in the clearing process, and the monthly statement includes a few pages of the images of the front of the checks. The rear side (signatures and a lot of rubber stamping) is no longer available to mortals.
Ta hell with all four ... (Score:2)
Who signs their real name? (Score:4, Interesting)
In fact, I bought groceries from Von's today, signed Foo Bar with no issues
Then again, their Just 4 U program ties my phone # to my credit card so there's that.
Re: (Score:2)
These signing terminals have been a thing for a good 15-20 years now, yet I've never signed one. I sign either Foo Bar or Mickey Mouse, depending on my mood. All have gone through with 0 hassle.
There's one store near me that rejected my actual signature on two occasions (many years ago). In both instances, a block printed "BOB" fixed the issue.
Re: (Score:2)
Macy's was doing this at one point about two years ago. I ran into it while Christmas shopping. Unless the first letter of my signature was comprehensible as the first letter of my name it would reject the signature. I made several purchases one day there and kind of ... got to play with it. A block letter followed by a squiggle was fine. Anything that resembled my actual signature not so much.
partial security / insecurity -- what's the point (Score:5, Interesting)
All of Europe, rest of world can deal with using a PIN. What's so special about the US? Just do it, save us all from having to subsidize fraud.
Re: (Score:2)
I disagree. Americans will never learn a PIN number, and they'll be forced to just deal with the identity theft that occurs because of it.
What identity theft? Modern chip cards that are essentially impossible to clone will solve that issue almost entirely - fraud is already down dramatically because of chip cards, and many of them still support the old insecure mag stripe mode.
Re: (Score:2)
>> ....having their chip pulled off and replaced with the chip from a dummy card, ....., so that the customer receives their card and activates it
That happens only in the broken US system.
In EU you typically can only activate your card with the right PIN, and only on an ATM which checks the chip.
Re: (Score:1)
The chip signs a transaction to report "card present". The device does not get a copy of the keys held inside the chip.
The PIN is purported to indicate "user is present and accepts transaction". But a rogue device could capture it and then reuse it later if they happen to acquire the card again. That defeats the purpose of having a supposed second factor.
Once you recognize that large merchant chains have been hacked and will be hacked again, you should assume that there is a malicious network of point of
Re: (Score:2)
when it might be a replay attack using a stored PIN value obtained on a previous encounter with my card
Except your card is no longer present for that replay attack to work. It is my understanding that there is some sort of handshake between the card company and the chip to authenticate. There isn't a simple mag stripe account number that they can save and replay with your PIN.
nor allow the finance companies to shift liability to users when this useless extra ceremony is performed.
This is the root of the problem. Consumers have become too accustomed to the ease of reversing fraudulent charges, based on the ease of signature forgery. Losing a PIN implies some carelessness on the part of the consumer, so they end u
Re: (Score:2)
It is my understanding that there is some sort of handshake between the card company and the chip to authenticate
This is half true. The EMV protocol allows the bank to authenticate the card, but doesn't allow the card to authenticate the bank. This makes some forms of attack possible if you MITM the connection.
Re: (Score:1)
Also, I will never accept a system where I am forced to enter my supposedly sensitive, never-share-with-anyone PIN into random devices maintained by shopkeepers. A proper end-to-end secure transaction should consider the point of sale device to be adversarial.
Why? The PIN is useless without the attached card. As long as you can retain possession of the card immediately after you enter the PIN there is no possibility of fraud. You'll see the authorized amounts on the device.
You DO keep your receipts so you can correlate with what your issuer said happened right?
As many others have said, works for Europe just fine...
Re: (Score:2)
I'm perfectly happy using chip-only and stopping the pointless signatures. But, I shall retain the right to view my statement and dispute a fraudulent charge. I refuse to use a PIN when the banks try to bundle that with a shift in liability and a presumption that their little toys are invulnerable to fraud.
That's not how the liability shift worked, in the UK at least. If you use a contactless payment (which is limited in amount) or if you use a PIN, it's the bank's liability if it's fraudulent. If you use a signature, it's the merchant's liability. It's never the cardholder's liability (at least on paper - there have been a couple of cases where banks have tried to pretend it's impossible for the fraud to take place. Fortunately, those of my colleagues involved in demonstrating weaknesses in the EMV proto
Re: (Score:2)
I wish there would be a card-reader option for web browsers so we could have card-present transactions for online purchases and stop the frequent sharing of card numbers and CV codes. I'd be happy for it to be impossible for merchants to perform recurring charges after one encounter with a card, as well as stopping all the fraud that can happen when card numbers are stolen out of merchant systems.
About seven or eight years ago, a company produced credit cards that had a button on them that would generate a one-time code displayed on a small LCD on the card. The battery was good for a couple of years of normal use and the code could be used as the CVV for CNP payments - each generated code is good for one transaction and is then not generated again for at least a few hundred transactions. It was trialled in, as I recall, Singapore, but at the end of the trial banks decided that the more expensive c
Re: (Score:2)
"Americans will never learn a PIN number"
Americans use PINs for debit cards reasonably well.
Re: (Score:2)
All of my recent debit cards have chips. Merchants don't want to buy new machines and the credit card companies don't care because they pass most of the cost of fraud to the merchants. It's seriously sickening how these payment providers make money on both ends without that much liability.
Re: (Score:2)
Then explain the merchants with the chip/contactless compatible terminals with signs saying “swipe only”. Card issuers are interested in limiting fraud... Chase called my wife today about fraudulent MSFT/XBox charges. They want to keep the consumers happy and feeling secure, and... not sure what they want to do with the merchants.
Re: (Score:2)
Then explain the merchants with the chip/contactless compatible terminals with signs saying “swipe only”
I'm not sure about this, but that could be due to older POS software that doesn't grok the new reader features.
Re: partial security / insecurity -- what's the po (Score:1)
Except of course that cards are used so frequently in Europe that people are talking about a cashless future...
Re: (Score:2)
Replay wouldn’t work either since the transaction challenge contains a pseudo random number that is signed by the card along with payment information. The number is different for each transaction.
The second half of that is true. The first half is what the spec says, but a significant number of uses use an incrementing counter, so if you do two transactions in a shop you can predict the value. Oh, and I seem to remember that it's only a 16-bit value, so if you can trick the card into doing a bunch of retries (which isn't too difficult, because the protocol doesn't allow the card to authenticate the bank, only the bank to authenticate the card) then you can just get the card to generate all possible
Re:partial security / insecurity -- what's the poi (Score:5, Insightful)
The truly obnoxious thing is that without the PIN, the chip itself is worthless, but was forced on us anyway. So we got the slowdown at the registers for no reason. With a PIN, at least if I lose my card or my wallet is stolen, the card would be useless to the thief barring unbelievable luck in guessing. But with only the chip in play, the only place a thief couldn't use my card is the gas station, which was already the case with the stripe.
Pointless. Security. Theater.
Re: (Score:2)
Pointless. Security. Theater.
Otherwise known as the American Way.
It had less to do with learning to do it (Score:2)
Re: (Score:2)
getting businesses to buy all the hardware and software needed to do it
The chip hardware is here already. Adding a PIN just uses the (included) keyboard and some more software (which has a development cost but zero marginal cost to distribute).
Re: (Score:2)
You think that a chip+pin terminal was more expensive than the oversized complex terminals with large displays and touch / stylus which were implemented for chip+signature?
That is truly incredible.
USA is 20 years behind on tech (Score:2)
>> It was silly for the card networks and banks to chicken out on implementing Chip + PIN.
This. The USA is only 20 years behind on tech
Cursed writing (Score:1)
Re: (Score:3)
just a phone QR code paper printout stuck at counter
I don't understand how this works. The shop has the QR code. The customer scans it with his phone. 'Beep', the payment has been made. What stops someone from writing a 'Beep' app?
Re: (Score:2)
Walmart pay [walmart.com] does this. The trick is that a unique QR code is displayed on the credit card reader for your transaction. When you scan the code with the Walmart app on your phone, it links you to the transaction and uses a stored credit card to make the payment. It also downloads a copy of the receipt into your Walmart app.
Apparently, they implemented it to avoid fees charged by Apple, Google, Samsung and other mobile payment services.
Why not chip-and-pin? (Score:4, Interesting)
Australia has been using chip-and-pin credit cards for years now, as has Europe and many other places. What is it about the US that makes card companies (Visa, MasterCard etc), banks and merchants so reluctant to introduce chip-and-pin in the US?
Re: (Score:2)
You missed a far more interesting part of that: Australia has *mandated* pin for all transactions on Australian cards for the past 4 years. When you swipe a card in an Australian terminal it will identify Australian credit and debit cards and force a chip+PIN authorisation.
Re: (Score:2)
We have chip-and-pin.
Every merchant supports it for debit transactions. It uses the same piece of hardware (card reader) whether you use pin or signature. It makes no difference to the merchant whether you punch in a pin, or scribble on the receipt, or wave your phone at the reader -we just want to get paid.
So, why don't we use chip-and-pin for credit transactions?
Because the card issuers/payment processors don't want us to.
Re: (Score:2)
actually, no, there are limits on liability.
so not brave, just insured
Re: (Score:2)
direct link to your bank account
Credit card. Issued by an entirely different bank.
But yeah. Why no PIN? Merchants around the rest of the world love PINs. Less deniability over credit charges.
signatures served no purpose (Score:3)
I can't write anything that looks like my signature on those silly tablets anyway, and a lot of people just make a wavy line..... how about some actual security instead? a pin? connect the dots on a grid in a pattern?
signatures always were silly, a thief can practice the one they make you put on the back of your card
Re: (Score:2)
We've all been ripped off by people, in different ways.
Pretty useless anyway. (Score:2)
Re: (Score:2)
Caught by a video ?
That will not happen.
You cannot be identified among 270 million other people (or 7 billion).
Whither Chase? (Score:2)
Chase has not provided me with a pin for my Chase Sapphire Preferred credit card. I have to sign.
There really isn't an excuse for not requiring pin authentication for a card present PoS credit card transaction.
Chip and pin was broken in 2007 (Score:2)
What about the rest of the world? (Score:1)
What a strange world (Score:1)