Why new "chip-and-pin" cards won't protect you -- yet

[Fuerza]

http://www.cbsnews.com/news/why-new-chip-and-pin-cards-wont-protect-you-yet/

Bottom line up front, retailers are lazy! I have gone to Walmart and the terminal told me to insert my card. I thought that was pretty cool. I went to Albertsons inserted my card and was asked if I was on WIC?!? Lol. I told them it was a chip card and they told me their chip reader was only the WIC card.

 

[BuddyFunJet]

I was in line at Walmart and the lady in front was VERY confused when asked to insert her card rather than swipe. Besides not knowing which end to insert, she kept removing the card before the transaction was complete.

As more cards have chips and more stores have chip readers, lines will be slowed as the public is retrained to the new process.

 

[f0xx]

The issue I find is that when we finally go Chip&PIN vs Chip&Sign. The liability will be shifted to the customer vs the CC company.

Oh.... Someone stole your card and used it? How'd they know the PIN?!??!?! Claim denied.

 

[smittytabb]

The issue I find is that when we finally go Chip&PIN vs Chip&Sign. The liability will be shifted to the customer vs the CC company.

Oh.... Someone stole your card and used it? How'd they know the PIN?!??!?! Claim denied.

My understanding is that the "liability shift" is more about merchant vs. bank. See:blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/

Unless you are sure about federal laws that limit liability in unauthorized use of debit or credit cards being changed in the wake of these new cards, your claim is pure speculation.

 

[TheBOSman]

I was in line at Walmart and the lady in front was VERY confused when asked to insert her card rather than swipe. Besides not knowing which end to insert, she kept removing the card before the transaction was complete.

As more cards have chips and more stores have chip readers, lines will be slowed as the public is retrained to the new process.

How did it request this? My Arrival card claims it needs to be used at a Chip and Signature terminal before the PIN will be set, was trying to figure out how I would do this but if Walmart works then I'd be all set.

 

[BuddyFunJet]

How did it request this? My Arrival card claims it needs to be used at a Chip and Signature terminal before the PIN will be set, was trying to figure out how I would do this but if Walmart works then I'd be all set.

I can't say if all walmarts have the chip terminals but at mine, the lady swiped her card (didn't notice which card beyond being silver colored, not Arrival) and the clerk said she needed to insert the card for chip/sign rather than swipe/sign. I guess the system knew the card had a chip so would not accept swipe. I'd check your Walmart and see if they do chip. Also, I think many Target stores have chip terminals. OTOH, pin activation may need to done at a foreign location.

On the Arrival issue, I have used chip/signature many times in Europe which should have activated the pin but have never been asked for the pin. I haven't used the card at vending type machines though. I guess it defaults to chip/sig but will chip/pin if no sig available.

 

[BuddyFunJet]

Unless you are sure about federal laws that limit liability in unauthorized use of debit or credit cards being changed in the wake of these new cards, your claim is pure speculation.

While any discussion is speculation until the final rules are written and system is implemented, the news articles around the time of the Target hack discussed the liability issue between bank, merchant and consumer. The reports were that with chip/pin, the burden of proof shifts to the consumer to prove that any chip/pin usage is unauthorized. Without some VERY clear evidence like the card being used in China ten minutes after a US charge, the presumption will be that the charge is authorized.

My personal opinion is that people will be the losers in the game until there is hard proof that the chip/pin cards can be hacked without the consumer's participation.

 

[smittytabb]

How did it request this? My Arrival card claims it needs to be used at a Chip and Signature terminal before the PIN will be set, was trying to figure out how I would do this but if Walmart works then I'd be all set.

I have used my card in Italy, Turkey and France and it has not yet done anything but signature even with the pin set.

 

[smittytabb]

While any discussion is speculation until the final rules are written and system is implemented, the news articles around the time of the Target hack discussed the liability issue between bank, merchant and consumer. The reports were that with chip/pin, the burden of proof shifts to the consumer to prove that any chip/pin usage is unauthorized. Without some VERY clear evidence like the card being used in China ten minutes after a US charge, the presumption will be that the charge is authorized.

My personal opinion is that people will be the losers in the game until there is hard proof that the chip/pin cards can be hacked without the consumer's participation.

My point is that given there are federal laws in place, they would need to be changed in order to not have the protections that are already in place. I always find it amusing when I am called with fraud alerts "for my protection". My liability is $50 in most situations, if that. It is for the bank's protection that the fraud alerts happen.

 

[BuddyFunJet]

My point is that given there are federal laws in place, they would need to be changed in order to not have the protections that are already in place. I always find it amusing when I am called with fraud alerts "for my protection". My liability is $50 in most situations, if that. It is for the bank's protection that the fraud alerts happen.

While I am not a lawyer, the key word in the federal protection appears, to me, to be that it says you are not responsible for unauthorized charges. The articles said that chip/pin card process will shift the burden to the consumer to show that a chip/pin charge is unauthorized and that the presumption is that chip/pin charges are authorized.

 

[smittytabb]

While I am not a lawyer, the key word in the federal protection appears, to me, to be that it says you are not responsible for unauthorized charges. The articles said that chip/pin card process will shift the burden to the consumer to show that a chip/pin charge is unauthorized and that the presumption is that chip/pin charges are authorized.

I just think that speculation is fruitless. Things will change if the US goes to chip and pin from swipe, but it is impossible to predict the intended and unintended consequences. I am not a lawyer either, but I was raised by one, married to one and gave birth to one, so I at least have a working knowledge of the fact that when I see people speculating it is not a good idea.

 

[f0xx]

I just think that speculation is fruitless. Things will change if the US goes to chip and pin from swipe, but it is impossible to predict the intended and unintended consequences. I am not a lawyer either, but I was raised by one, married to one and gave birth to one, so I at least have a working knowledge of the fact that when I see people speculating it is not a good idea.

How is this fruitless?
This is exactly how things work overseas.
You don't think the same liability shift will happen here?

 

[smittytabb]

How is this fruitless?
This is exactly how things work overseas.
You don't think the same liability shift will happen here?

No, I think we have more robust consumer protection laws. But mostly, I think that unless you have a good reason to be certain that will happen, why post an alarm?

 

[Haley]

1) Chip and PIN cards can and have security flaws too.
http://securityaffairs.co/wordpress/25134/cyber-crime/chip-and-pin-cloning.html

The liability shift according toMasterCard:

Part of the October 2015 deadline in our roadmap is what’s known as the ‘liability shift.’ Whenever card fraud happens, we need to determine who is liable for the costs. When the liability shift happens, what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will bear the liability.

So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable.
​

From krebsonsecurity post about one of the recent breeches.