Chip and pin has arrived in the USA, or has it?

Chip and PINChip and PIN cards are here, almost.

On Thursday, October 1st, all merchants in the United States are supposed to be equipped with new credit card machines that accept Chip and PIN technology.

Likewise, all American credit card companies are due to have issued new chip-enabled credit cards to all their customers.

Sadly, this has not happened.

According to reports in both USA Today, and ComputerWorld, not only have most Americans failed to receive a new chip-enabled card, but it is believed that as many as half of the population doesn't even know what a Chip and PIN card is!

The American conversion to a Chip and PIN technology was announced in 2012, and was directed by the credit card companies as a self-imposed standard, with merchants and card issuers given until 1 October 2015 to upgrade to the new requirement.

As a little incentive to encourage Chip and PIN option, merchants who are not compliant with the new standard have been warned that they are liable for any credit card fraud.

Not only is America way behind on issuing the new cards, but many merchants have only adopted a chip and signature, rather than a Chip and PIN standard. This is considered a half-step by chip manufacturer Gemalto.

Card reader

Chip cards are not necessarily the answer to all card security problems either.

For instance, the experience in the UK - where Chip and PIN has been in place for ten years or more - saw many fraudsters switch from committing fraud face-to-face at the checkout tills of high street retailers to online criminal behaviour.

And last month, security blogger Brian Krebs reported that a chip skimmer (or shimmer) has already been manufactured and distributed in the wild.

Criminals can still use the usual methods of shoulder surfing or planting hidden cameras to capture a consumer's PIN code.

What has your experience been? Do you have a chip-enabled card, and has your local merchant migrated to the new system?

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

10 Responses

  1. Gary H.

    September 30, 2015 at 6:14 pm #

    Only two stores that I patronize have implemented the chip reader for my chip-enabled card. Neither of these has implemented the PIN.

    • Bob Covello in reply to Gary H..

      September 30, 2015 at 6:17 pm #

      Gary:
      Thanks for the comment. It is reports like yours that confirm the state of affairs. I truly hope the merchants act quickly, as their liability could result in their business shutting down.

  2. BC

    September 30, 2015 at 10:36 pm #

    All of my cards are now chip cards, but none of them have/require pins. As noted above, they're chip & signature, and when I called BoA to ask about the pin was told that there wasn't one and all that was needed was the signature.

  3. Andy Barratt

    September 30, 2015 at 10:55 pm #

    Hey Gary,

    It might not be the fault of the store for the lack of PIN. The card-issuer can choose which Customer Verification Methods (CVMs) – are available – in the UK we adopted Chip&PIN mainly for consumer protection purposes but the underlying EMV process is still superior on the wire in the sense it makes the data much more difficult to use.

    I'm not sure whether the issuing banks in the US will allow a cardholder to request that certain CVMs are disabled/enabled. In the UK for instance it is possible for the elderly to request the enabling of 'Chip and Sig' if they have a hard time remembering their PIN.

    Hopefully the US adoption of chip -with whatever verification mechanism is adopted means we can finally get rid of that horrible mag strip on the back!!

    Andy

  4. TMC

    October 1, 2015 at 2:57 am #

    Walmart only so far (Ace & True Value POS have the slots; they don't use them yet) chip and sign.

    The Pin part would be tough, mainly as I wasn't given one from Visa.

  5. Brenda Donovan

    October 1, 2015 at 10:38 am #

    Hi Gary,

    I run a small health store in a mountain town in New Mexico. I only heard about Chip&Pin a month ago! My local bank employees have not heard about it at all. At least at the teller level. It's amazing.

    Some of my friends have been issued Chip&Pin cards and say they use them when a store has the right machine for it. That would be in bigger towns from ours. We're lucky to have a bank up here.

    We, the store, haven't heard from our credit card processor on this either. Who is/was supposed to let us small stores about it?

  6. Spryte

    October 1, 2015 at 9:10 pm #

    I find it extremely odd that a country thats hails itself as one of the most technologicaly advanced in the world is so far behind in the implementation of this technology.

    Here in Canada we have had "Chip & PIN" for well over 10 years. We (well at least I ) had no choice. My banks sent me new cards and told me to go into a branch and set up a PIN.
    I have ***never*** been to an setablishment that took my Chip and asked for a signature as verification instead of the PIN.
    Even on my last visit to the U.S. only ONE person commented that I had one of those "new chip cards" but of course there was no way to use the technology.

    Also here there is only one strore I know of that does not have Chip & PIN technoloy, Lowe's (one must swipe the magnetic strip and enter a PIN). When I reproached the staff about this I was told it is too expensive of a technology to implement. (Even the smallest corner convenience store has Chip & PIN !?!?! and Three Letter Acronym).
    Perhaps they have impleneted it now… I do not know as I don't shop there anymore.

    Mind boggling.

    I sit as simple as I was told, that it too expensive and companies are more than willing to settle fraud issues by paying out settlements?
    Or is it that American society as a whole is ambivolent to the security of their finances so companies do not feel the need to go the extra mile to protect their customers?

    • Ian in reply to Spryte.

      October 1, 2015 at 11:33 pm #

      You can imagine my surprise then when I visited the US recently with a pocket full of Chip & PIN cards, and found that nobody could process them! The clerk in one store was vainly trying to swipe my card through their machine, not knowing that the magnetic strip on the card is blank and isn't used.

      The article mentions that many US retailers don't know about this technology, and in the meantime I have become so accustomed to Chip & PIN that I didn't realise there were any places left in the world that didn't use it!

      So I presume that in the US you can't use the NFC capability in your phone to make payments in stores either?

  7. Jeff

    October 2, 2015 at 2:56 pm #

    Wow … so much anti-US sentiment. The problem is that it is very expensive for retailers to implement a chip and pin system. Once the largest economy in the world rolls this out nationwide, the crooks will have a work-around the very next day. We’re back to square one again.

    • Pauline in reply to Jeff.

      October 7, 2015 at 12:20 pm #

      Jeff you are no longer the largest economy in the world, that mantle has been handed over to CHina and even they have chip and pin….mind you they have the hackers as well!

Leave a Reply