Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards 731
schwit1 writes "U.S. banks and merchants are shifting to a more secure way of authorizing credit card transactions in which customers will enter a personal identification number (PIN) at checkout instead of signing a receipt. The US is the last major market in the world using the signature system, which is part of the reason why a disproportionate amount of credit card fraud happens here. The change is especially relevant given the massive fraud perpetrated against customers of Target in the fall. During a Congressional hearing last week, Target CFO John Mulligan said the company is accelerating the $100 million effort to switch to the so-called "chip and pin" system.
The change won't happen all at once. Banks must issue cards with microprocessors and merchants need the right equipment to process the chip and PIN transactions, which is likely to happen gradually. But Visa, American Express, and MasterCard have announced that banks and merchants that have not adopted the technology for face-to-face transactions by October 2015 will be liable for fraudulent purchases. That's a strong incentive to get up to date. The new system will also prepare merchants and banks to transition to contactless payments in the near future."
Better late.... (Score:4, Interesting)
Increased expenditures for new card readers and technology has been rebuffed universally because the retailers aren't typically the ones out of the cash when a fraudulent credit card is used.
The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire.
Umm.. just as Europe moves beyond chip and pin... (Score:5, Interesting)
In all the time I've spent in America I don't believe I've ever seen anyone really check the signature against the card.. always amazed me how lax and open to fraud that system was. In the UK we switched to chip and pin about 10 years ago.. and we were generally lagging the rest of the EU on that matter.
But why would the US move to chip and pin when it could leapfrog ahead to biometrics.. you're already seeing fingerprint scanners and suchlike appear in mainland Europe (http://www.bbc.co.uk/news/technology-21085738) and surely enough of the initial results are in to guide the decision making there.
Re:It's about time. (Score:4, Interesting)
And what good does this do you when you buy online?
Buying online - at least when its physical goods - requires a shipping address. That's a big risk for a thief to take as even if they're using an address they don't live at, if the fraud is discovered while the item is in transit the address may be being monitored by authorities.
Re:Umm.. just as Europe moves beyond chip and pin. (Score:2, Interesting)
Most times I don't even sign my cards. Yes, I know I'm supposed to, but I've gone for years without signing it. It always seemed odd to me to give a potential credit card thief a copy of my signature along with my card. Maybe once did someone even look for the signature and even then it was more of a "Oh, you didn't sign it" than a "We can't accept that card unsigned."
Sorry, it's horribly insecure, (Score:5, Interesting)
Ross [cam.ac.uk]is a security researcher at University of Cambridge.
In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".
Re:Umm.. just as Europe moves beyond chip and pin. (Score:2, Interesting)
Economic viability is the reason (Score:4, Interesting)
That's because the outdated infrastructure had been economically viable to use, so there had been no reason to update it, until now, that is.
Many ways of the US rely on an honor system. There used to be unattended shops where you take the goods and put money in a box. The box didn't use to require a lock. This might be possible in a small town where everyone trusted each other, but in a city where crime is rampant, this business model is simply not economically viable. Public transportation used to allow monthly or weekly pass holders to board from the rear doors without verifying their passes, but they don't allow that anymore because nowadays enough non-paying passengers take advantage of that such that the honor system is no longer economically viable.
The honor system is always able to absorb a small percentage of fraud cases and remain economically viable. It's only when the fraud rate rises past a certain threshold when the system breaks down.
When a merchant displays a credit card logo, you trust the merchant. When the merchant hands you a receipt and you sign it, the merchant trusts you to pay. Again, this is an honor system. The rest of the world also started off with a complete "out of date" manual-imprint or swipe-card honor system. They were forced to upgrade the infrastructure because they suffered enough fraud such that the old system was no longer economically viable. The new smart card system is designed to enforce contractual agreement so that you don't need to rely on the honor system anymore, making credit payments economically viable again.
The US simply held off this long because the honor system had worked until now. Economic viability is the reason. The bad news is that the US has morally declined to the level of the rest of the world. The good news is that the US upheld its morals longer, being the last to abandon the honor system.