Mastercard, Discover and Amex Ending Signature Requirement for Purchases Tomorrow, Visa to Follow Later This Month

[ersan191]

You Europeans are missing the point - no pin and no signature is even more convenient than chip and pin. No credit card terminals brought to the table at restaurants, no transitioning or forcing small businesses to buy new terminals, no PIN skimmers, no confused or irritated customers.

Not to mention chip and pin completely shifts liability of fraud from the merchant and issuer to you, the consumer. It is already extremely easy to dispute fraud in the US, and there is zero liability for those charges. If someone manages to get your card and pin in most of Europe you are screwed.

This is all overblown anyway since card-present fraud is such a tiny fraction of fraud to begin with. Having a massive country-wide infrastructure change to chip and pin in 2018, after EMV has all but eliminated cloned cards, would be incredibly stupid. What really needs to be tackled is card-not-present fraud.

Chip and pin is not the gold standard you all seem to think it is - I am very satisfied with this change and, in the US, moving to chip and pin at this point would be a step backwards.

 

[MacBH928]

I never understood the signature thing...
you can replicate a signature and you also can sign anything they will accept it. I heard one guy used to draw a Mickey Mouse face

 

[xpxp2002]

I have a feeling QR is ultimately going to win out in the US for mobile payments. Unlike elsewhere (where banks control the software on terminals and give merchants little choice in customization), NFC is artificially difficult* for American merchants to implement**; as a result, they aren't going to bother literally writing new code to support it unless the demand's there. Meanwhile, everyone has a barcode/QR code scanner already that's being used for scanning stuff--or at least a phone with a camera.

Of course, that depends on there being one consistent standard for QR. EMVco/Visa/UnionPay have one but who knows if that'll become more commonly accepted or if it stays confined to retailer-specific apps.

I don't think it will because it's all proprietary and retailers are still thinking about what motivates them to use this technology instead of what will motivate their customers to use this technology. From what I've seen, the general public is just as averse to it as they are to NFC. They either perceive it as "insecure" in the same way that they perceive NFC as insecure, or they just don't want to be bothered to set up a special account with every retailer to be able to mobile pay. And most don't find it any more convenient than dipping a card, aside from the few who gripe about the EMV transaction time.

I think it's just going to take longer in the US due to how much legacy POS hardware is still out there. The move to EMV helped expedite some of that, but I still see a lot of retailers here willing to assume the liability shift in favor of upgrading anything. As more old hardware fails or falls completely out of support, more new hardware is going to be NFC-ready and the certification backlog will (hopefully soon) be cleared. I think once those events have a chance to catch up to retailers' operations, NFC will "come with" EMV support, so to speak, and it will be a no-brainer to accept NFC by default.

Outside of a few behemoths like Walmart, who are using their size to bully the industry and customers into using a proprietary system that helps them avoid transaction fees and enables them to build a detailed profile on you and your shopping habits, there simply won't be a huge incentive for anyone else to dump resources into developing more proprietary QR systems and marketing the non-existent advantages to customers when the hardware already out on the checkout lane does NFC with little effort.

 

[dhershberger]

Never understood how signatures can secure the process

They don't, and it's not a security feature.

 

[Chupa Chupa]

I get that but that was 18 years ago. So it took around 16 years for the US to get a chip in their cards? It’s embarrassing and the reason why is because the CC companies didn’t want to make it harder on the people.

Luckily that whole Target thing happened and made them push the CC companies harder to get better security. There is no reason why we shouldn’t have had chip cards 10 or more years ago.

Yes, it was a simple cost:beneift consideration. The cost of the fraud in the U.S. up until the Target disaster was less than the cost of the U.S. updating laws, the CC companies updating it's merchant rules, and merchants updating terminals. And then you have to get all the stakeholder to come to some sort of consensus on the changes and timeline. Again you have to realize to make these changes in the U.S. is a much larger, costlier endeavor than other industrialized countries. Even when the U.S. did go to the chip it did not go with chip and pin because that system, while more secure, is also more expensive.

 

[ersan191]

I have a feeling QR is ultimately going to win out in the US for mobile payments. Unlike elsewhere (where banks control the software on terminals and give merchants little choice in customization), NFC is artificially difficult* for American merchants to implement**; as a result, they aren't going to bother literally writing new code to support it unless the demand's there. Meanwhile, everyone has a barcode/QR code scanner already that's being used for scanning stuff--or at least a phone with a camera.

Of course, that depends on there being one consistent standard for QR. EMVco/Visa/UnionPay have one but who knows if that'll become more commonly accepted or if it stays confined to retailer-specific apps.

QR is an awful system and I highly doubt it's going to win over anything. Credit card issuers in the US are obsessed with providing the simplest checkout procedure humanly possible because they are convinced (whether true or not) it affects how often people use credit cards over alternatives - they are absolutely not going to support QR. There is also little to no demand for QR versus NFC.
[doublepost=1523633552][/doublepost]

Yes, it was a simple cost:beneift consideration. The cost of the fraud in the U.S. up until the Target disaster was less than the cost of the U.S. updating laws, the CC companies updating it's merchant rules, and merchants updating terminals. And then you have to get all the stakeholder to come to some sort of consensus on the changes and timeline. Again you have to realize to make these changes in the U.S. is a much larger, costlier endeavor than other industrialized countries. Even when the U.S. did go to the chip it did not go with chip and pin because that system, while more secure, is also more expensive.

Exactly. Everyone seems to overlook how much it costs issuers to buy chips and replace the hundreds of millions of cards in the US (I think it was around $1.6 billion). Not to mention a lot of the banks that provide merchant services (and also issue cards) would have to spend a collective $4-5 billion replacing terminals. It was worth it to them to just pay for the fraud until the Target disaster happened.

 

[tmiw]

You Europeans are missing the point - no pin and no signature is even more convenient than chip and pin. No credit card terminals brought to the table at restaurants, no transitioning or forcing small businesses to buy new terminals, no PIN skimmers, no confused or irritated customers.

Not taking cards away at restaurants closes one loophole that allows card not present fraud by making it impossible for someone to copy the front and back and sell/use the details later. Chip and signature/nothing basically makes it harder to fight CNP fraud later, IMO (does anyone really think they're going to mandate 2FA for online transactions like other countries do?)

Also, smaller businesses have to buy new terminals for EMV anyway. Unless they brought something like Square that has no PIN pad, they likely can support PIN with just a software upgrade and additional training.

Speaking of training, a large enough marketing campaign and a transition period would prevent a lot of the problems you think will happen. Of course, the parties involved have shown little to no interest in that, so this may be a moot point.

Not to mention chip and pin completely shifts liability of fraud from the merchant and issuer to you, the consumer. It is already extremely easy to dispute fraud in the US, and there is zero liability for those charges. If someone manages to get your card and pin in most of Europe you are screwed.

US law guarantees that it will never shift to the consumer even if we got PIN en masse. As mentioned above, my PIN-preferring credit cards (UNFCU and Diners Club) have no language in the T&C that would move liability to me.

This is all overblown anyway since card-present fraud is such a tiny fraction of fraud to begin with. Having a massive country-wide infrastructure change to chip and pin in 2018, after EMV has all but eliminated cloned cards, would be incredibly stupid. What really needs to be tackled is card-not-present fraud.

Counterfeit card fraud was something like half of all card fraud in the US pre-EMV. If it was really as small as claimed, we wouldn't have bothered.

Also, something like 40% of merchants still don't support it. Still lots of opportunity to use cloned cards, unfortunately.

Chip and pin is not the gold standard you all seem to think it is - I am very satisfied with this change and, in the US, moving to chip and pin at this point would be a step backwards.

As I also mentioned before, I think not going with PIN significantly delayed NFC adoption (or quite possibly killed it entirely). For instance, I've seen so many places that continue to hide terminals from customers as a direct result of this that I really don't think the "true" merchant adoption figures for Apple Pay are anywhere near as high as Apple claims. Not to mention that combined with Quick Chip, there's almost no convenience advantage to using NFC anymore.

I don't think it will because it's all proprietary and retailers are still thinking about what motivates them to use this technology instead of what will motivate their customers to use this technology. From what I've seen, the general public is just as averse to it as they are to NFC. They either perceive it as "insecure" in the same way that they perceive NFC as insecure, or they just don't want to be bothered to set up a special account with every retailer to be able to mobile pay. And most don't find it any more convenient than dipping a card, aside from the few who gripe about the EMV transaction time.

I think the security fears could be worked through. In the extreme case, for instance, whatever QR service ends up becoming most popular may simply be a prepaid balance like what Starbucks does (sans auto-reload), meaning that any losses are limited to what's in there. In any case, it would need to be something supported by multiple retailers, and not something limited to one retailer.

As for transaction time, today's young people are tomorrow's consumers, and I've seen multiple posts from people in that category who now prefer to use cash for purchases due to EMV. If it wasn't an issue, Visa wouldn't have come out with Quick Chip to try to "fix" it. (Which I'm not sure helps as much as people think, but people seem to like it at e.g. Costco.)

I think it's just going to take longer in the US due to how much legacy POS hardware is still out there. The move to EMV helped expedite some of that, but I still see a lot of retailers here willing to assume the liability shift in favor of upgrading anything. As more old hardware fails or falls completely out of support, more new hardware is going to be NFC-ready and the certification backlog will (hopefully soon) be cleared. I think once those events have a chance to catch up to retailers' operations, NFC will "come with" EMV support, so to speak, and it will be a no-brainer to accept NFC by default.

Retailers still need to go through a separate certification (and possibly software development effort) for NFC, so that backlog might be there for a while to come. That's assuming they're actually doing it, though, which I'm not sure about considering the low demand from customers.

That's the advantage of just using the bank's software on terminals: the bank already did all of that, so there's no work involved for the retailer.

Outside of a few behemoths like Walmart, who are using their size to bully the industry and customers into using a proprietary system that helps them avoid transaction fees and enables them to build a detailed profile on you and your shopping habits, there simply won't be a huge incentive for anyone else to dump resources into developing more proprietary QR systems and marketing the non-existent advantages to customers when the hardware already out on the checkout lane does NFC with little effort.

Walmart's app is supposedly popular, not to mention Starbucks'. It probably helped that every one of their locations supported their respective apps from the start and that there are benefits/rewards for using it.

BTW, just because the hardware's there doesn't mean it's easy to enable.

QR is an awful system and I highly doubt it's going to win over anything. Credit card issuers in the US are obsessed with providing the simplest checkout procedure humanly possible because they are convinced (whether true or not) it affects how often people use credit cards over alternatives - they are absolutely not going to support QR.

Visa wouldn't have started supporting a QR standard if there wasn't anything to potentially gain from it. They likely saw what happened with China and Alipay/WeChat and didn't want that to repeat itself in the US.

Fun fact: Chase Pay basically uses that standard.

 

[nsayer]

I always thought that signatures weren't a security thing, but formed the legal basis for the agreement to pay later, kind of like the signature on a check (or cheque, if you insist). Thus, the words you often see "I agree to pay [etc]" nearby the signature line.
[doublepost=1523635616][/doublepost]

Not to mention that combined with Quick Chip, there's almost no convenience advantage to using NFC anymore.

Anybody who has ever used ApplePay on their watch would immediately disagree.

 

[timber]

I've seen this discussion before but never really understood it fully to be honest.

I'm from Europe and here we use PIN-codes. Is that replacing the signatures or will there be no verification at all?

I remember my mother signing credit card receipts (with those carbon copy machines) when I was a kid.

I am almost 40 and I have never used anything but PINs, first with swipe cards, latter with chip and now with NFC and chip.

 

[0924487]

Simple. Check the signature on the card versus the signature on the receipt before handing the card back. If they don't match, void the transaction and call someone in to question why the signatures don't match, or ask them to provide another form of payment.

BL.

Branch and Link as in ARM Assembly language? But to where?

 

[CarlJ]

WalMart Pay is an example of a QR-based payment solution. It’s goofy and REALLY slow as you have to open the app, wait for it to load the store info, authenticate with WalMart pay, and then scan the code. Really awful workflow.

It's very much a case of "Hey, we have this idea that's great for us and mediocre for consumers, so let's all do that instead of ApplePay/NFC, okay everybody? Everybody? Where'd everybody go?" Target and a few others where scheming similar schemes (look up "CurrentC"). They basically lie to consumers that "It's so easy to use" when it's actually harder, and the real point is that they'd make slightly more money if we all switched over to it.
[doublepost=1523650911][/doublepost]

In the US we only utilise PINs for debit cards. Even then, you can simply override entering a PIN by pressing, “enter,” or, “accept.” 100% fraud enabling. I’ve also never been asked for an ID to verify the name on a card. We’ve always been behind on security and verification.

To be clear, bypassing the PIN on a debit card on a payment terminal, is simply putting the card through as a credit card instead of as a debit card. That won't work in an ATM. We're behind on security because the companies that pay the lobbyists who sway the politicians who run the government, feel that putting up with a certain amount of fraud is outweighed by the idea that the less friction in the "I want something -> I've bought something" path, the more likely we are to spend. The signature is a leftover from earlier times.

I heard at some point, that payment decisions (whether a given transaction was approved or declined) wasn't a clear-cut yes/no, but rather a sliding scale, and many minor details went into the score for each decision, e.g. whether your address/zip-code was exactly correct, whether the card is physically present (think online sales), etc., and capturing a signature was just another one of the data points, and, further, the credit card companies would give slightly more favorable rates if a merchant was submitting transactions that had higher scores (makes sense, if you get more details right, the likelihood of fraud goes down).

 

[bradl]

To be clear, bypassing the PIN on a debit card on a payment terminal, is simply putting the card through as a credit card instead of as a debit card. That won't work in an ATM. We're behind on security because the companies that pay the lobbyists who sway the politicians who run the government, feel that putting up with a certain amount of fraud is outweighed by the idea that the less friction in the "I want something -> I've bought something" path, the more likely we are to spend. The signature is a leftover from earlier times.

I heard at some point, that payment decisions (whether a given transaction was approved or declined) wasn't a clear-cut yes/no, but rather a sliding scale, and many minor details went into the score for each decision, e.g. whether your address/zip-code was exactly correct, whether the card is physically present (think online sales), etc., and capturing a signature was just another one of the data points, and, further, the credit card companies would give slightly more favorable rates if a merchant was submitting transactions that had higher scores (makes sense, if you get more details right, the likelihood of fraud goes down).

The problem here is that most fraud does not happen at the ATM, as the pin is required there. Additionally, if the card gets stuck in the ATM, most cases (it has happened 4 times with me) the ATM will not return the card to the next person that comes up to that ATM. they have to wait until the bank opens the next day, go into that branch, and tell them that their ATM never returned their card. Only then will they shut down that ATM and get the cards out, by hand.

When it comes to processing at a terminal, that is where most fraud occurs. For work, I maintain a database that is used for payment card processing, let alone fraud alerting and analysis for about 2 dozen major banks, so I deal with PCI data on a daily basis. All of the fraud alerting for them happens either at the terminal where the PIN can be bypassed (and for some transactions, a signature is required if over a certain amount), or used as a credit card, where you must sign. Again, if more attention were paid to the signature, a lot of that fraud could be avoided. But it isn't, so it isn't.

BL.

 

[Dobbs2]

It's about time. No one checks for signatures anyway.

Thats not necessarily true. When I worked at Best Buy through College. I would sign with a smiley face instead of signature on every employee purchase for years. Amex called me when I used my real signature at work to make sure it was me. I used my real signature everywhere else, but my habits changed at work because I thought it was funny,

 

[Tech198]

Phew,,,, It's just as well

I never seem to sign correctly.

Thats not necessarily true. When I worked at Best Buy through College. I would sign with a smiley face instead of signature on every employee purchase for years. Amex called me when I used my real signature at work to make sure it was me. I used my real signature everywhere else, but my habits changed at work because I thought it was funny,

Ironically Banks are supposed to check the signature on the back of cards as well, but i've seen many that don't even do that.

If your gonna sign u may as well be happy about it.

 

[garylapointe]

I've seen this discussion before but never really understood it fully to be honest.

I'm from Europe and here we use PIN-codes. Is that replacing the signatures or will there be no verification at all?

We use PIN codes for our banking cards and I believe that is NOT changing.

There will be no verification from the cards (other than the computer verifying it's not reported as stolen).

Why we don't have a PIN for credit cards too...?
[doublepost=1523878053][/doublepost]

I can't believe this is the way Americans pay for stuff. Crazy.

Plastic cards? No signature? (What is "this"?)

 

[Tech198]

Its still a change.... What did we do when plastic didn't exist.... we used "cash"

We use PIN codes for our banking cards and I believe that is NOT changing.

There will be no verification from the cards (other than the computer verifying it's not reported as stolen).

Why we don't have a PIN for credit cards too...?

We have PINS for credit cards... (i thew mine away, since i never use it at store, or ATM)..

I always draw from savings... Why would i need another PIN when 90% of mys shopping in done online anyway.?

If you ask me, we may be "thinking" were moving to something better, but we really aren't.. The only thing your relying on is TouchID to authenticate now. And as we know that doesn't work all the time either.

At least with signature. while it too can be faked. you can "keep changing how you sign",, so in a way it will always be more private.

Keep the bad guessing longer.

 

[Apple Fritter]

I can't believe this is the way Americans pay for stuff. Crazy.

Actually, you'd be amazed how backwards the banking system really is. At least back when I checked, folks would use checks to pay for stuff. Checks. I think I've used a check on one or two occasions in my entire life, sometime back in the late 80's.

And they'll use checks even for recurring payments, such as rent, utilities, you name it. Sit down once a month, every month in order to write dozens of checks over and over again. That's what left my really speechless.