The chip implementation in the US provides zero incremental security. It was done as part of a liability struggle between shops and credit card providers, not to improve your life.
I wouldn't say it provides NO incremental security, EMV defeats skimmers which is a pretty big issue - but until everywhere has it deployed and magstripes are no more we're still in a phase where the benefits are partial at best.
Sigh. You have to deploy the new stuff before getting rid of the old stuff. If everyone had this impatient attitude, instead of taking many years to improve credit card security it wouldn't happen at all.
I made a statement of fact. I'm making no normative claims, I'm describing reality. At this point in time, there is zero additional security provided by the implementation. Am I supposed to ignore reality and lie about it, because someday things will be better?
Saying "For now, there is zero incremental security" would be better. But it's not really zero since it protects against credit card cloning at a particular point of sale.
Eh. Humans don't generally qualify their statements that way when informally describing things. "Did Bob graduate college?" "His educational background may improve in the future." If you want me to sound like a PR-bot, you can pay me to write copy for you.
> protects against credit card cloning at a particular point of sale
A sieve stops water from streaming through at particular points in the mesh, too.
Applying for jobs my senior year of college was such a pain because of this. Why is there so often no degree option for "I will have my degree very soon"?
I almost wish EMV-capable ATMs would stop holding the card captive until the magstripe is abolished, they're one of the best targets for skimmers so only inserting the card partially would help deal with magstripe readers attached to the machine. It's increasingly rare I go to a store that doesn't have the chip reader or NFC enabled, but every ATM I use still insists on eating my card.
ANZ bank in Australia has actually started rolling out Contactless ATMs.
Which is great, as even with some chip ATMs you put the card in far enough to have a magstripe skimmer work in most cases (presumably so that they work with the magstripe cards also)
Not the case for contactless!
(Of course here in Australia, Chip+Pin is Universal and Contactless is near-universal... I can use Apple Pay almost everywhere even small shops and have been able to for several years.. different story to much of the world)
Now the one thing that annoys me, is that currently shops here despite having separate payment terminals customer facing (largely for pin numbers) still operate sometimes on you handing your card to them - which is totally not necessary - especially in drive-throughs. This is getting less common with tap to pay using mobile phones as people are (somewhat amusingly to me, given the value potential) hesitant to hand their phone to someone versus their actual card. I really wish merchants would enforce hard not letting the shop assistants handle cards (at least, prompt to handle it, if someone really wants help I'm not against that, but I don't like the default expectation).
But I also realise this kind of thing is much more common in some places so your mileage and feelings may vary.
Even in Canada, where we’ve had the chip + pin for far longer, the ATM eats your card. After a certain amount of incorrect PIN attempts, or the bank flags the card, it will not release the card.
You can get the incremental security easily at home: swipe over your card with a strong magnet. Now card thieves (and you) can only use chip & PIN payments.
As a warning before trying this for real: most ATMs annoyingly check both the chip and magstripe, so you won't be able to get cash out even in countries where chip & PIN are widely used in payment terminals. Found out by carrying my cards in a phone case with a snap-close magnet.
Eventually banks are going to stop issuing cards with magstripes on them. But this will take years, until everyone has both on their cards and both readers in their terminals.
Even if they have newer terminals, they are still going to accept signature, so essentially there's zero security. The only way forward is to stop accepting the magnetic strip + signature altogether.
Are you sure about this? In Canada we've had chip-and-PIN for almost a decade now (2009 I believe?), and almost all merchants have chip-capable POS terminals.
(Yes, really! I don't know what the delay is in the US.)
These terminals still have a mag stripe reader, and our cards have mag stripes as well. But they're just for compatibility: if you try to use the mag stripe of a chip-capable card on a chip-capable terminal, it beeps at you angrily and tells you to use the chip.
Yeah, and you just put some paint over the chip, it will beep 3 times and then let you use the signature, even for cards which are marked "electronic use only". It's a failsafe for situations when the chip is genuinely damaged, the terminal lets you sign for the transaction.
I have a Sam's Club credit card that has the chip & PIN feature. They state that the PIN is required when using it at Walmart and Sam's Club, but I have used it in other places and have had the transaction go through with or without a signature (the latter of which was for a purchase under $50).
Do the terminals have an order of preference in terms of what's required for payment? For instance, try chip+pin first, then try chip+signature, then try mag stripe+signature? If that's the case, then I don't see why all stores that have chip readers won't start using chip+PIN as a first preference for payments with chip-enabled cards.
Chips have just become another salvo in an arms race between merchants/consumers and fraudsters. A chip card is more prized than a non-chip card so the reward for capturing one is higher so more work is justified in cracking into one.