Mastercard's Plans to Fully Eliminate Signature Requirement Next Year Will Speed Up Apple Pay

[Wowereit]

The process is supposed to involve the cashier verifying the signature on the receipt matches the one on the back of the card

Yeah, right. Because signatures always look exactly the same and a layman could decide in seconds if a signature is genuine or not. Good riddance.

 

[DCJ001]

Mastercard removing the signature requirement won't speed up Apple Pay in Canada, however, as contactless payments aren't generally permitted for purchases above $100. Above this limit, customers must use chip-and-PIN.

Sure will! Even if it is by five seconds, it will still be quicker.

 

[kdarling]

So they finally figured out that Apple Pay really is secure.

They're dropping the requirement for ANY kind of purchase method. Including a physical card.

But if a store specifically supports Apple Pay then there is no limit.

That's not about supporting Apple Pay. It's about supporting a standard transaction flag that says the cardholder has been verified on device.

 

[sinsin07]

snip...The issue is Americans resistance to the chip and pin.. I don't get it what's so difficult. The chip alone was like world war 3... ridiculous.

snip...No, it's the U.S. banks who resist chip and PIN. Not sure why, but I think it puts more onus on the banks to guarantee the transition and prevent fraud.

Some other insight as to the possible causes:
UK’s Lessons For US Mobile Payments Adoption
The above discusses UK, Austrailia and Canada as compared to the US.

From above link:
...OK, you say, so all we need to do now is hustle up and get contactless POS terminals out there in massive force.

If it were only that easy.

In the U.S., there simply aren’t the same dynamics in play.

Two million contactless terminals today sounds like a great start — until you do the math. There are something like 13 million POS terminals across a massive geography that is the United States, not including mPOS devices.
The U.S. is also a market in which there are 1.2 billion payments cards in circulation, more than 47 billion debit card transactions, more than 26 billion credit card transactions and 209 million adults over the age of 18.
Oh, and something like 14k financial institutions that issue those cards and countless merchant acquirers and ISOs all hawking merchants to deploy new terminals.
It’s a whole lot harder to wrangle this ecosystem to the ground given the diversity of merchants and the engrained plastic card habits honed by consumers over the last 50 or so years.

EMV: America, What Took You So Long?
"As an example, and traditionally, card fraud in the United Kingdom has always been considerably higher than here in the U.S., primarily because the U.K. previously used offline card authorization as opposed to the online card methodology used here. As losses due to fraud rose steadily in U.K., despite the best efforts of global law enforcement agencies to reduce it, the pressure to find a solution built around some alternative authentication strategy mounted. From this concern, EMV was born." ...

"So why has the U.S. not embraced EMV sooner? Part of the reason is because our fraud problem, while significant, has typically been among the lowest rates among highly-developed economically-mature countries. Much of that is due to the online authentication methods at work here. In England’s old offline authentication method, credit card transactions were gathered together at specific times – typically, at the end of the business day – and then batched over to the card issuers for authorization. It’s a method that gave those committing fraud a significant time lag between the transaction and the authorization, and this time lag contributed greatly to the higher levels of fraudulent activities in England. Here at home, our online authentication methodology permits authorizations to be done in real-time, thus thwarting a significant percentage of the fraudulent attempts at the point of sale, the best place to stop fraud. Our online authentication methods also incorporate multiple fraud and risk parameters as well as advanced neural networks that are ‘built-in’ to the approval process. It’s been a highly effective system that works well when compared to most alternatives."

Why is the US a decade behind Europe on 'chip and pin' cards?

 

[profets]

Banks have no control over who is using your phone's passcode, which is also all that is needed to register a finger. So they have no way of knowing or proving that it was you doing the transaction.

OTOH, a signature or PIN at least can be somewhat tied back as your responsibility.



Fingerprint readers are easy to fool. But they're considered "secure enough" for this case because few criminals would go to the trouble.



That does nothing except make it possible for a merchant to refuse you. Your card contract says the card is not valid until it's signed.

How is that any different than the 4 digit pin you have with your credit card? The 4 digit pin on my CC and 6 digit passcode on my iPhone should both be my responsibility no?

 

[jarman92]

The whole system is still hopelessly antiquated, even after the intro of EMV in the US. Still the vast majority of cards don't require a PIN (which is literally half of "chip-and-PIN"), and the majority of those aren't even able to require a PIN. The signature provides exactly zero security, since nobody looks at them and they get tossed at most retailers. And banks refuse to recognize that the fingerprint I'm required to use in Apple Pay is far more secure than signature or PIN, and still require me to use one or the other. It's so infuriating and there's no hope on the horizon.

 

[jayducharme]

Good news. As others have stated, the signature never made sense. I've had an increasing number of instances with ApplePay where I've had to enter my debit card PIN number on the terminal after a transaction. That also made no sense to me.

 

[MacOrNot]

This is true if a place just takes NFC but doesn't specifically support Apple Pay. Then Apple Pay transactions are treated as regular NFC and have upper limit of CA$100. But if a store specifically supports Apple Pay then there is no limit. However, such stores seem to be very few. I think the only time I was able to use Apple Pay for something over CA$100 was at an Apple Store. And even the Apple sales guy was surprised and tried to tell me it won't work over $100. It did work but it means people very rarely use it even at Apple Stores.

This was pretty much exactly my question. We have (generally speaking) tap or insert (chip and pin). Tap provides no authentication other than the presence of the card itself. Insert requires the physical card, chip reader and a pin for authentication. Without the secondary authentication of the PIN, tap transactions are generally limited to a fairly low dollar value. Is the assumption here that when the tap transaction is authorized, the bank sees the Device Account Number instead of an actual CC number, can therefore recognize an Apple Pay transaction which, by definition, has a secondary bio metric authentication and will authorize the transaction using normal chip and PIN limits?

 

[chriscrowlee]

Because we still don’t have chip and pin.

Sure. We have the chip. But no PIN. And now soon no signature?

The only form of security seems to be my bank occasionally texting me to ask
If I really bought those things.

I guess that counts?

yeah when they went to chip cards I didn't really get the point... sure it makes it harder to clone a mag stripe, but I'd be willing to bet 90% of cards used have been stolen from walets\purses, etc. And going chip does nothing to prevent that. If chip and pin, the only ones who'd be able to use the cards are those who steal cards with people's pins written on them (yeah, shocking how many people write their pin on the signature line of their cards)

 

[iGeek2014]

I used to work in a gas station here in the U.K. and our merchant acquirer often lost its DSL connection so we had to resort to the old “ironing board” imprint machines.

Although it’s the best part of 10/11 years since Chip & PIN became the norm and signatures were only allowed for those couldn’t use PINs or the card fell back because the Chip was worn you’d be amazed at how many people never signed the back of theirs.

 

[Ntombi]

I just shopped at a medical supply place/pharmacy, and they had brand new POS terminals. They accepted contactless payments and SWIPED cards.

Here’s the kicker: I had to sign the terminal before I could use Apple Pay.

I was all the way confused.

 

[nostresshere]

yeah when they went to chip cards I didn't really get the point... sure it makes it harder to clone a mag stripe, but I'd be willing to bet 90% of cards used have been stolen from walets\purses, etc. And going chip does nothing to prevent that. If chip and pin, the only ones who'd be able to use the cards are those who steal cards with people's pins written on them (yeah, shocking how many people write their pin on the signature line of their cards)

VERY GOOD POINT. - not that many here - LOL!

A stolen card still works just fine. We read about in the local paper daily.

 

[reclusive46]

In Australia they do. Was one of the things that blew my mind when I moved to Canada. In North America nobody looks.

It's because in Australia the store is responsible for the fraud if the signature does not match. In North America the credit card company is. Guess where the stores carefully train their employees in security practices?

The other thing that blew my mind is restaurants where they take the card away from you to swipe it through a machine. Um... what!!!!

Actually thats not even true (Just a common myth). An Australian merchant or European merchant isn't liable if the signature doesn't match either (as long as a signature is actually taken). The only time a merchant is liable for fraud is when they swipe the magnetic stripe on a chip card (which 99% of terminals won't let you do as the magnetic stripe has a code on it to tell the terminal it has a chip). Even if a transaction fallsback (I.e. you try to use the chip and it fails and prompts you to swipe) it will tell the bank that a technical fallback has taken place and if the bank approves the transaction, the merchant still isn't liable for fraud. So as long as you have a correctly programmed chip terminal, you can never be liable for swiped, chipped or tapped transactions). The card verification method (PIN,Signature, NO CVM) is irrelevant.
[doublepost=1508456957][/doublepost]

I used to work in a gas station here in the U.K. and our merchant acquirer often lost its DSL connection so we had to resort to the old “ironing board” imprint machines.

Although it’s the best part of 10/11 years since Chip & PIN became the norm and signatures were only allowed for those couldn’t use PINs or the card fell back because the Chip was worn you’d be amazed at how many people never signed the back of theirs.

It's funny though as you could go to any self service machine (Or any manned terminal as long as the merchant isn't paying attention) in Sainsburys (Or many other places) insert your card backwards 3 times and the terminal will let you swipe and sign.

 

[s1m]

I am still shocked that people have to use Chip and PIN for transactions over a certain value. I use Tap and PIN (via my Watch) for anything over $100 - including over $1,000 spent at Costco last week.
[doublepost=1508457021][/doublepost]

yeah when they went to chip cards I didn't really get the point... sure it makes it harder to clone a mag stripe, but I'd be willing to bet 90% of cards used have been stolen from walets\purses, etc. And going chip does nothing to prevent that. If chip and pin, the only ones who'd be able to use the cards are those who steal cards with people's pins written on them (yeah, shocking how many people write their pin on the signature line of their cards)

I think the stolen cards come from mass theft rather than taken out of wallets.

 

[chriscrowlee]

I think the stolen cards come from mass theft rather than taken out of wallets.

I think that's the media's spew on it, but not reality. I'd bet 90% are stolen wallets. I've had my card stolen in a restaurant before. Never had it stolen online. And I use it online a LOT... But then again I know how to differentiate between a legit and non-legit website... so I don't go keying in my card number on bedazzleyourphone.com or anything haha.

 

[reclusive46]

Lol. Ok. How do you know?

Before the switch I remember having to resign a couple of times because the checkout chick/dude thought it didn’t match. So it’s true, in Australia they checked.

Now I wonder why they still have a signature space on the card when nobody needs to sign it.

Many reasons really, especially on on Australian cards. One its just to say you agree to the card terms and conditions. Two, your card could fall back to a signature transaction (This is more likely to happen on Australian cards, as Australian banks don't store the PIN on the chip, so if the terminal can't contact the bank (I.e. on a plane for example), then the signature is the only authorization method is available). Many card machines in Canada, the UK and France also don't support the pin used on Australian cards (Called online PIN), as all cards in the UK, CAN and France use offline PIN (PIN encrypted onto the chip), so Aussie cards will fallback to signature. And finally there are still a ton of terminals around the world that don't support chip.
[doublepost=1508457419][/doublepost]

I think that's the media's spew on it, but not reality. I'd bet 90% are stolen wallets. I've had my card stolen in a restaurant before. Never had it stolen online. And I use it online a LOT... But then again I know how to differentiate between a legit and non-legit website... so I don't go keying in my card number on bedazzleyourphone.com or anything haha.

As someone who works in card fraud prevention, fraud from theft/loss of a card is very low (even in the United States).

 

[chriscrowlee]

As someone who works in card fraud prevention, fraud from theft/loss of a card is very low (even in the United States).

If you say so. Not sure what the issue is here though... my comment is that going to a chip-based card does nothing for someone stealing the card out of your wallet and going to Walmart and using it. Your response about most being stolen online is irrelevant to my comment. Bottom line, going from mag strip to chip card without a pin was a basically pointless change but for it weeding out a few people using cloned mag strip cards. Most people who had their info stolen online didn't have the perp then go and make a card and use it, they just used the card info online.

 

[JohnApples]

The long-existing "signature required" clause is intended to verify that customers own the debit or credit card they are attempting to use. The process is supposed to involve the cashier verifying the signature on the receipt matches the one on the back of the card, but in reality, this process is often skipped.

Understatement of the century. I have never once- not a single time- had a cashier check the signature on any of my 4 cards. I also have not signed any of my cards.

Definitely an outdated form of "security" that needs to go, and I'm excited for the signature requirement to be phased out.

 

[s1m]

I think that's the media's spew on it, but not reality. I'd bet 90% are stolen wallets. I've had my card stolen in a restaurant before. Never had it stolen online. And I use it online a LOT... But then again I know how to differentiate between a legit and non-legit website... so I don't go keying in my card number on bedazzleyourphone.com or anything haha.

No it is the reality and it is why companies who deal with credit cards should comply with the PCIDSS (Payment Card Industry Data Security Standards) or you end up like these bozos:

http://www.bbc.com/news/technology-25681013 - 70 million cards

https://www.finder.com.au/the-sony-playstation-hack-what-it-means-outside-the-gaming-world - 77 million cards

http://www.abc.net.au/news/2013-07-...-ever-credit-card-fraud-in-us-history/4844814 130 million cards

 

[HiVolt]

I haven't signed a credit card receipt in 6-7 or more years here in Canada, since we've been using Chip+Pin for a long time. You can't even swipe a credit card that has a chip in it, its only for fallback or outside of country use.

And of course NFC in recent years, even before Apple Pay become available.

 

[cenetti]

hmm.. using mastercard with apple pay all the time. I dont ever remember signing...?? But then my purchases are usually grocery store purchases/coffee etc under $100

 

[69650]

First used a chip and pin card in 1990 when I was living in Paris. Can’t even remember the last time I had to sign a payment slip.

 

[Ntombi]

hmm.. using mastercard with apple pay all the time. I dont ever remember signing...?? But then my purchases are usually grocery store purchases/coffee etc under $100

I just today used mine at two stores via Apple Pay. Both purchases were <$60. Both times required a signature.

 

[curmudgeonette]

The long-existing "signature required" clause is intended to verify that customers own the debit or credit card they are attempting to use. The process is supposed to involve the cashier verifying the signature on the receipt matches the one on the back of the card, but in reality, this process is often skipped.

That's what the card companies want you to believe...

In reality, the signature protects the card companies from their own customers! Consider this: A customer calls in claiming their card was stolen and used to buy a TV at Best Buy. The CC company can check the signature, see that it is the same squiggle as the previous 30 purchases, and start a fraud investigation against their own customer. If the signature was different than usual, then they can believe the customer.

 

[cenetti]

I just today used mine at two stores via Apple Pay. Both purchases were <$60. Both times required a signature.

interesting. Today I did grocery shopping for 50 some dollars. Payed with apple pay (mastercard capital one, no signature.